Onebip sells a car for the first time

The Toyota Yaris sold through Onebip

This brand new Toyota Yaris is the first car sold directly from a dealership through the Onebip payment service. Despite the Italian regulations normally blocking transactions involving physical objects (while allowing digital content), Onebip has recently duly licensed itself as a Luxembourg credit institution in order to legally process this kind of sales.

The buyer, Guglielmo Dimostrandi, is an Italian dairy food tycoon who was looking to buy a car on impulse while surfing on the web last week, and has opted for a Toyota as a fan of the Lean principles that run his companies. When interviewed, Mr. Dimostrandi told us that he has accumulated a lot of credit on his Vodafone SIM card over the last few years: the souce of funds was a a pay-as-you-go plan including bonuses for receiving calls from his former fiancée. His troubled relationship, which cost him many sleepless nights, resulted in a large amount of credit that has now found a good use.

Onebip’s Sensei Jacopo Romei is satisfied with the deal, happening just three months after his arrival in the product team. “Lean principles has brought Toyota on the top as the world’s first automaker” he declared, “and now to sell a car on an online micropayment service for the first time.” The Toyota Yaris was indeed built Just-In-Time after the buyer’s purchase click. Onebip is proud to be reducing the cycle time from the customer idea to buy to the delivery of the goods by attacking the longest phase for car makers: the customer’s reflection time before buying.

When reached by our corporate communication team, Head of Onebip Massimiliano Silenzi commented “We want to think big. As always, we are perfectionists. I shouldn’t really tell you this, but we are talking to a large ocean liner shipyard right now to expand this business area.”

Meanwhile, the new Vodafone APIs that have allowed the billing of arbitrary large amounts of money has sparked some controversy in Italy as another carrier billing company,, has been suspected of committing fraud. Observers have noticed the olympic-size swimming pool built in Arrivederci’s offices in Rome, but the thing that gave away something fishy was going on was the pearl strings used to divide the swimming lanes.

Thesis: Automated build of Onebip’s documentation

By Giorgio Sironi, Onebip Tech Team

We are proud to announce the first Computer Science thesis started and completed inside the Onebip team. Daniele (from the Onebip Tech team) has finished his internship and is graduating at the end of February (2014) with a Bachelor in Computer Science at the Università degli studi in Milan, Italy. We’d like to thank professor Carlo Bellettini of Italian Agile Day’s fame for letting Daniele work with us.

Daniele's thesis in Onebip title page

His work of several months in Onebip has been to automate the generation of documentation, mainly of the mechanism we use to update technical PDF documents for merchants that need to integrate us. The documents’ contents run from sample API calls and code to textual descriptions and tables describing the possible notifications made by our systems.

We started from Word .doc files that need to be checked out of a repository by one person at a time, with an exclusive lock. Once the developer has finished updating the relevant paragraph and fighting Word, he had to export manually a PDF version of it and check in on the repository.

After re-engineering this process, a developer can now update the documentation without exiting his development environment (from Vim or his preferred IDE). Documentation is written in GitHub Flavored Markdown, little more than plain text and HTML, and is versioned ,in a repository identical to the ones used by all other Onebip projects.

We now have the tools that:

1. Check out automatically the latest version of documentation source code from its repository.
2. Build it transforming Markdown in a PDF file virtually identical to what was manually exported before.
3. Upon manual approval, publish the result on a public URL that can be linked to from Onebip’s corporate website.

The friction for developers is reduced to a minimum, as they work on the documentation in the same way as the source code; we’re targeting an update cycle time of an hour that comprehends checking out, editing, checking in and publishing. This will ensure merchant can get an up-to-date documentation.

No more fighting with Microsoft Word for developers (not even opening it). No more manually syntax highlighting of the code samples, or copying and pasting them from external tools. No more versioning in names as in filename_1.3.4.

Are you a Computer Science or Computer Engineering student near Milan and want to work on a thesis in an Agile environment? Want to learn something you can’t find inside the university? Want to build something cool and useful instead of slaving away on your professors’ research projects? Contact us!

How Onebip has addressed web security measures for insecure content

Tips of the month

Editor’s note: This is part of a monthly blog series by Gokmen Atak, Onebip’s Product Offer & Quality Specialist.  Gokmen aims to share his “Tips of the month” which includes product features and updates that Onebip partners can take advantage of to improve their mobile payment offering.  Please feel free to add your comments at the end of the post.

In this “Tip of the Month” I will focus on a security measure which has recently been introduced by the major web browsers to reduce the threat of man-in-the-middle attacks and improve the online security for users browsing on the web which eventually made the Onebip team review our connections over which we are processing thousands of transactions every day as an online payment processor.

I’d like to take this opportunity to explain what these new web security measures are all about and how Onebip has taken the steps to make sure that our content is confirmed as secure in the eyes of the web browsers to ensure that our payments are processed as usual.

Security measures 
This security measure is about websites served over HTTPS which include HTTP content inside (i.e. a content loaded from a remote site) also called “mixed content”. As you may already know, HTTPS means a secure connection encrypted and protected to attacks while HTTP, since it is not encrypted, is open to online threats like man-in-the-middle attacks which can change the content of the website. At that point, the recent version of the major web browsers, for example Firefox (with the version 23 introduced on 2013-08-06) and Chrome (with the version 30.0.1599.69 introduced on 2013-10-01) have decided to block those requests that can actively modify the page such as scripts, CSS and frames, so called “mixed active content*” which by default is now considered insecure. Starting a trend, we will eventually see all web browsers blocking all insecure HTTP requests made from a secure HTTPS page.


Firefox V23 notes

Impact on developers and site owners 
Although from an end-user perspective these are must-have security measures in today’s web, for developers and site owners they may create some issues that need to be overcome by them or by the third parties which whom they rely on to run their websites. As an online mobile billing payment processor, connected to hundreds of mobile networks and hundreds of online publishers in order to process thousands of transactions every day, we investigated if this security measure had ever affected our business. Well, the results were interesting.

We realized that many of our online publishers had HTTP requests on their HTTPS websites, and HTTP redirections made by their third parties in a “frame” which they usually use as a payment interface to sell their products and services where the users make the payment, was being considered as insecure content and blocked by Firefox and Chrome. As a result, their customers browsing with these web browsers who were willing to pay and buy their services in a frame were never able to get their payment completed because of the broken frame at a certain point of the payment process. Of course, this problem was not so visible to them since it was happening only for Firefox and Chrome users and only if their customers were on their HTTPS version of their website.

Onebip addresses consequences of new security measures 
The fact that we are a payment processor where online publishers are using us as a payment solution in a payment frame, we carefully analysed every HTTP and HTTPS request made from and to our servers by our online publishers and updated all the requests according to the HTTPS and HTTP websites with a complex algorithm in order not to create any request which can be considered as an insecure content by any web browser. When its possible we try to use the browsers’ “bugs” to circumvent the problem. For example, Firefox is still allowing HTTPS to HTTP server side redirections. Otherwise, we provide a courtesy page to open the insecure HTTP link in another window which becomes a completely new context allowed by all the web browsers. Our analyses and end-user experience tests showed that after applying our algorithm we didn’t create any insecure content and as a result, we didn’t create any broken frames and finally we were able to overcome the consequences of this security measure.

*To find out more about blocked content you can read this blog post by Tanvi Vyas blog from Mozilla


“Pull, don’t push” principle applied to Onebip’s subscription services

Simonluca Landi photo

Using feedback control techniques to build better systems

By Simonluca Landi, Onebip Product Quality and Innovation Senior Manager

One of the most attractive features of the Onebip platform is the ability to support subscription services, which can be explained with a user story like this:

“As a merchant, I want to sell a service to my customers with recurring billing, so that I will have a steady flow of revenue”

It’s easy to implement – all you need is a “scheduling engine” to push the recurring billing system every week, right? Well, actually wrong. Continue reading this post to find out why this “naive” solution just can’t work, and what I would suggest is the best solution.

The story

The very first implementation of the recurring billing system on the Onebip platform followed the easy and “naive” solution, as everyone would have done.

But, since the Onebip platform is built on well defined “application contexts”, we’ve been able to build an additional and separated block – a “subscription engine” that implements the required scheduling mechanism to push the billing every week. This is how the flow works today:

– Every minute a “job” selects the users that should receive their weekly billing, and sends a billing request to our “core platform”, where transactions are recorded, something like “Hey core platform, it’s time to renew the subscription for this user!

– The core platform puts the billing requests in an internal queue, and replies to the subscription engine “Ok, I’ll do my best and let you know

– The core platform sends a billing request to a “connectivity layer”: “hey, connectivity layer, I want to bill this guy, please do it and let me know

– The connectivity layer implements the different carriers protocols, executes the required actions to bill the user and eventually returns the outcome of the billing request to the previous modules in the chain (core platform and subscription engine)

As you can see, we adopt the mantra “everything is asynchronous”, which helps the system to scale up well, but… Read more

Business time: how Onebip time travels to test its services


By Giorgio Sironi, Onebip Tech Team

Business time is a concept we learned from the book Specification by example written by Gojko Adzic, one of the influencers in the Behavior-Driven Development field.

Business time definition

Specification by example aims to build a living documentation system where the scenarios describing how the system should behave can also be run as automated test.

In Onebip, we use BDD to specify and test the integration between the different subsystem:

Scenario: purchase completed with success with an operator flow
    Given I am in FR
    And I am a new SFR user
    And I am on the website of
    When I purchase a new service which has the price 1.50 EUR
    Then I am billed
    And the merchant is notified of BILLING_COMPLETED

This is a textual documentation that can be read after months from its creation to find out how Onebip is working in production. But is also an automated test that can run in a few seconds and in parallel with several dozen others. Read more