As the first non-bank to issue a MasterCard logo prepaid card in Turkey, Papara hit the ground running upon launch in 2016 and is now a MasterCard, Visa and Interbank Card Center member. Millions of users take advantage of Papara’s services each day and the company has quickly become a significant player in the Turkish financial services scene.
It has been a driving principle within Papara that the financial services we offer should be available to everyone, in an easily adoptable form, with the convenience that customers expect from mobile apps. However, as we quickly discovered, this has significant implications for platform security.
Emre Kenci, CTO, Papara
Shortly after launching their digital banking and payments service, Papara discovered that fraudsters were using automated systems to open multiple accounts using their mobile APIs. These activities, among them fake account creation, existing account takeover and automated account transfers, directly led to increased processing costs to the company, in addition to impacting revenue growth. The costs generated by the fraudsters threatened to upset the company’s financial balance in spite of its phenomenal growth.
Equivalent to the way they used Google’s ReCaptcha services to protect their web channel, Papara wanted to ensure that only their mobile apps could access their backend services. If such a solution could be found, fraudulent automated traffic could be blocked while maintaining a frictionless experience for legitimate customers.
Since Approov verifies that a genuine and unmodified instance of the mobile app is present when each API request is made, it prevents scripts and bots which spoof mobile app traffic from accessing the Papara API. Approov enables the blocking of illegitimate API requests that did not originate from the official app.
Integrating Approov into Papara’s Android and iOS apps took 7 days after which the apps were released to the app stores and downloaded by customers. The Approov token check was monitored but not switched on for another 21 days. Once the testing phase was complete, any API requests with no Approov tokens or with invalid tokens were blocked. Instantaneously, all phishing activities stopped and the vast majority of automated onboarding and transfers stopped, resulting in a dramatic drop in operating costs.
Emre sums up his experience:
We are very happy with Approov. It works well and matches exactly to the use cases we were initially concerned about. Blocking so much fraudulent traffic from scripts and automators significantly lifts the pressure on Papara's systems as well as on our finances. We have also found the Approov team to be very flexible and proactive with respect to managing our service.