Mobile Authentication: Exceeding Card Present Security?

Looking at this as objectively as I can (given my current career focus), I fail to see how the sheer number of authentication factors a mobile device is capable of does not make authentication of card-not-present transactions at least as secure as, if not more secure than, card-present transactions.

Well, they SHOULD be more secure, the technology is available, but the payments and mobile industries cannot seem to get out of their own way.

Let’s examine the card present transaction: I walk into a shop, choose my items, then go the counter. The shop assistant rings in my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.

The only things ‘guaranteeing’ that I’m an authorised user of the card are that I have the card in my possession and that I know a 4-digit PIN. Yes, some cards have photos on them, but they are few and far between, so the real security in a card-present environment is the difficulty of obtaining both the card and the PIN from the true owner. I will not underestimate just how difficult this is, but other than the true owner noticing the card is missing and reporting it, there are very few checks and balances.

Now let’s consider what you currently have to do to buy something online, and everything a mobile phone COULD be doing to provide security. Traditionally:

  1. To create a new account with most e-commerce retailers, you just need a valid email address – it may or may not require confirmation from the email address used.
  2. To add a payment card you need a valid billing address, and a mobile phone number – May or may not be validated in the back-end.
  3. To make a purchase, you log into your account, choose your stuff, then go to the checkout. You select the saved payment card you wish to use, then enter your CVV2 code and / or your 3-D Secure password.

All of this is far easier to fake / bypass than in card present environments, hence the higher rates of fraud.

Now, imagine a scenario where you have registered your mobile phone and tied it to the payment card in question. You then have all of the following at your disposal:

  1. PIN / Password – the most ubiquitous form of authentication on the planet, and while it’s not the best, it most certainly adds a significant layer of complexity for the bad guys.
  2. Fingerprint – If you have an iPhone 5s/6 or a recent Samsung, you have fingerprint biometrics. This facility will only become more widespread as time goes on.
  3. Voice Recognition – Nowhere near as prevalent as fingerprint, but gaining ground.
  4. Retina / Face Recognition – Grouped together because both use the camera in a very similar way. Not a huge fan of these so far; they are rather ungainly.
  5. Geo-Fencing – a transaction request comes in from a Nigeria-based IP address and your phone is in Wandsworth, is that legit?
  6. Social Media Profiling – Not common at all …yet, but you could choose to add your social media profile to the purchase decision. e.g. you’re a rabid Arsenal (UK folks) / Redskins (US folks) fan, would you really be buying Spurs or Eagles merchandise respectively? Maybe, but I assume only to burn it.
  7. Reputation Profiling – Again, not common, but another growing form of identity management.
  8. Device Profiling – the installed apps, their layout and similar characteristics of the device itself.

…and so on.

The vast majority of these will require an initial set-up and configuration, but will then be largely invisible to the user during use. Innovation without practical use is just a dream, and in this case practical use means that everyone can use it without inconvenience.

Done correctly, the integration of all of these factors during a transaction will take no more effort than a user expends in the normal use of their mobile device, but so far the individual vendors of each service and mobile device are trying to corner the market for themselves.

Digital transactions account for trillions of €/£/$ annually. There is room for everyone in the EVOLUTION (not revolution) of payments from Plastic & PIN to Mobile & Multi-Factor, and disruptive innovation will do nothing but delay the end goal:

Frictionless and ultra-secure mobile payments.

[If you liked this article, please share! Want more like it, subscribe!]


Anyone Else Getting Sick of Biometrics Hype?

I am in no way against biometrics, they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management in general. What I’m completely sick of is the “Password is dead, biometrics is here!” hype perpetrated by those with a blatant self-interest.

If the password were dead, we would not have a multi-TRILLION £/$/€ industry currently predicated on the 4-digit PIN: the branded payment card. Organisations up and down the payment card food chain, from the schemes to the end merchants, would not be spending billions on the perpetuation of the technology if the password were actually dead.

The payments industry is not trying to reach the fewer than two billion people with biometric-enabled smartphones; they are trying to reach the SEVEN billion people with money, half of whom have no access whatsoever to formalised banking as we know it, let alone a £400 mobile device.

Yes, there are ongoing fraud issues, and yes there are viable alternatives, but ask the average person on the street if they need mobile payments authorised through some form of biometrics and they will simply ask what’s wrong with their credit card? Too many biometrics companies are trying to change the world without applying common sense to the real issues. They are not solving a problem, they are trying to create a demand.

The challenges the payments industry faces are myriad, and include:

  • Enormously complex and expensive infrastructure geared towards current payment methods and protocols – [There’s no starting over from scratch]
  • Global acceptance of current operational standards by every country’s financial authorities – [Requires amendments to most laws and regulations]
  • Older technology that does not port securely onto consumer-controlled mobile devices – [You cannot exclude the card brands from this move.]
  • Difficult transition path from legacy infrastructure to new – [Where do you start, and what direction do you go in?]
  • Increasing pressure from retail to provide an improved customer journey / experience – [Retail and consumers expect more.]
  • …and so on.

Fraud due to poor authentication is not the problem; it’s an inconvenience. The real problem is that payments are heading from ‘plastic & PIN’ to ‘mobile and multi-factor’ whether we like it or not, and the only practical and secure way of doing so is to do it properly from the beginning. This will be an industry-wide effort or it will fail, and no biometrics company on the planet has the answers alone.

Battling fraud is not just about proving that you are the one attempting a transaction, it’s about being able to attribute your entire identity into the desired result. Just because I can prove I’m trying to buy a TV does not mean I have any intention of paying back the loan I took out to get it.

So smart phones have the ability to turn the industry standard Personal Identification Number (PIN) into a Personal Identification Vector (PIV), one that is not only TRULY personal (i.e. fully consumer customisable) but builds in a multitude of other authenticators into each transaction. It is here that biometrics really comes into its own; being able to seamlessly add the something-you-are authentication factor to EXISTING processes.
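To make the ‘Personal Identification Vector’ concrete, here is an added example (not code from the original posts) of the kind of policy a card issuer or wallet back-end could run per transaction. It combines several of the signals listed in the earlier post (PIN, device biometric, device profile match and geo-fencing of the request against the enrolled phone’s location) into one risk score and a decision of allow, step up (ask for another factor) or deny. The weights, thresholds, 100 km fence and the sample coordinates (Wandsworth and Lagos) are assumptions for illustration, not values from the page.

```python
"""Risk-based transaction authentication combining several factors.

Added example, not code from the original post. Weights, thresholds and the
geo-fence radius are assumed values for illustration.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
GEO_FENCE_KM = 100.0        # assumed: request must originate near the enrolled phone
STEP_UP_THRESHOLD = 40      # assumed score band: ask for another factor
DENY_THRESHOLD = 70         # assumed score band: refuse the transaction


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class TxnSignals:
    amount: float          # transaction amount in the card's currency
    pin_ok: bool           # PIN / passcode verified on the device
    biometric_ok: bool     # fingerprint / face verified by the device OS
    device_known: bool     # device profile matches what was enrolled
    phone_lat: float       # location reported by the enrolled phone
    phone_lon: float
    request_lat: float     # geolocation of the IP address that sent the request
    request_lon: float


def score_transaction(s: TxnSignals) -> dict:
    """Combine the signals into a risk score and a decision.

    Higher score = riskier. Each missing or contradictory factor adds to the
    score; the bands map the score to 'allow', 'step_up' or 'deny'.
    """
    score = 0
    reasons = []
    distance = haversine_km(s.phone_lat, s.phone_lon, s.request_lat, s.request_lon)
    if distance > GEO_FENCE_KM:
        score += 50
        reasons.append(f"request {distance:.0f} km from enrolled phone")
    if not s.device_known:
        score += 30
        reasons.append("unknown device")
    if not s.pin_ok:
        score += 25
        reasons.append("PIN not verified")
    if not s.biometric_ok:
        score += 15
        reasons.append("no biometric")
    if s.amount > 500:
        score += 10
        reasons.append("high value")

    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "allow"
    return {"score": score, "distance_km": round(distance, 1),
            "reasons": reasons, "decision": decision}


# Constructed sample: phone enrolled in Wandsworth, London.
WANDSWORTH = (51.457, -0.191)
CENTRAL_LONDON = (51.507, -0.128)
LAGOS = (6.524, 3.379)


def sample_transactions():
    """Three constructed scenarios: normal, geo mismatch, geo mismatch plus unknown device."""
    normal = TxnSignals(20.0, True, True, True, *WANDSWORTH, *CENTRAL_LONDON)
    far_ip = TxnSignals(20.0, True, True, True, *WANDSWORTH, *LAGOS)
    far_unknown = TxnSignals(20.0, False, True, False, *WANDSWORTH, *LAGOS)
    return [score_transaction(t) for t in (normal, far_ip, far_unknown)]


if __name__ == "__main__":
    for result in sample_transactions():
        print(result)
```

The point of the structure is that no single factor is trusted on its own: a request from a Lagos IP while the phone reports Wandsworth is not an automatic decline, it is a step-up, and only when several signals disagree does the policy deny outright. Adding the remaining signals from the list (voice, social or reputation profiling) is a matter of adding fields and weights, not of changing the decision logic.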

Biometrics tells us what you are; it does not define WHO you are, and it’s the who-of-you that defines the future of your payment options.


Shopping Cart Abandonment, Authentication to the Rescue

According to Business Insider, approximately $4 TRILLION worth of merchandise will be abandoned in online shopping carts this year, of which only 63% is recoverable for those retailers with the necessary “savvy”.

The reasons behind this abandonment are as myriad as the individuals making the purchases, but to truly understand the root cause, you must examine the people themselves. From an online purchasing perspective, they fall roughly into these 5 categories:

  1. Mind-Changers – People change their minds all the time, which is much easier when you’re online than when you’re face-to-face with a sales rep. The longer the purchase process, the more time retailers are leaving open for this category to have second thoughts;
  2. Distractors – For those who don’t really care about their purchase, the slightest distraction will cause them to move on. Long and complicated check-out processes will see these folks following the next shiny thing;
  3. Impatient – Again, long check-out processes will see the impatient group give up fairly quickly even though it means starting again. The issue is that they will undoubtedly start again on a competitor’s site;
  4. Private – Asking a significant number of questions unrelated to the transaction itself, or forcing them to create an account first, is not an option for this category; and
  5. Frustrated – Too many steps and customers become frustrated and lose interest in purchasing the item.

Other reasons include hidden fees, unreasonable shipping & handling cost, loss of bandwidth and a multitude of others, but these are mostly issues with the merchant, not with the buyer.

The simplest and quickest checkout process helps mitigate these all-too-common behavioural flaws. However, it’s just not that easy when both the merchant and their underpinning acquiring bank(s) have responsibilities that go far beyond customer convenience.

Anti-fraud and anti-money-laundering rules, and significant numbers of industry-specific regulations, mean that sellers must be reasonably sure that the purchaser is who they say they are. Currently this is done through authentication of the payment card details themselves, including the Card Verification Value (CVV) and so on.

However, as a direct result of increasing online fraud rates, banks now require digital shoppers to prove who they are with more than just their card details. For example, 3-D Secure was introduced in the early 2000s to help combat this fraud by adding another layer of authentication, but the oft-quoted “significant abandonment rates” experienced as a direct result have forced many e-commerce retailers to turn the service off during peak seasons (e.g. Christmas), or even cancel the service altogether.

So far the uncertain balance between convenience and security has only been good for the bad guys.

The Holy Grail of digital commerce is a frictionless checkout. This is only possible if the many disparate inputs are seamlessly integrated and made invisible to the consumer. The only device that has a chance to combine all of this into a process that basically mirrors the every-day behaviour of the consumer is the mobile device. It also just happens to be the one thing that can combine many forms of authentication that far exceed every regulation in the industry.

No-one doubts that e-commerce and m-commerce will continue to enjoy enormous growth, but it is only by getting the convenience vs. security balance right that the full potential of these markets can be reached.

Only authentication holds all the cards.


[Ed. Written in collaboration with]

Mobile Fraud is on the Rise. Are You Actually Surprised?

Each day we are bombarded with headlines about successful attacks against mobile payments and the massive rise in mobile payments fraud in general. Yet none of this should be a surprise, and the reasons are simple.

First, we need to understand that the reason we read so much about the losses in the press is that negativity is often the only thing that makes the news. When was the last time you saw the headline; “Mobile Applications Work, Hackers Thwarted!”

The fact remains that for every transaction lost, thousands or even millions of transactions work just fine. However, this sells neither newspapers nor security products.

That said, mobile applications are notoriously insecure. Some of the weaknesses are entirely avoidable and others will be resolved only with a significant shift in both payment methods and the capability of authentication and identity mechanisms.

Avoidable challenges include:

  1. Poor Business Needs Analysis: Too many Fintech organisations follow the latest trends and buzz-phrases without performing both a proper business needs analysis and its subsequent risk assessment. The implementation of every new process or function must meet established business goals, and not be a result of competitive fear or a CEO’s desire for shiny things and ‘game changers’.
  2. Swiss Army Approach: The second symptom of poorly defined business needs is the desire to build in as much functionality as possible, hoping that the ‘feature rich’ app will become some kind of de facto standard. The number of vulnerabilities in an application grows with its complexity, and simple is almost always better.
  3. Insecure Coding: Often a follow-on from 1.; if the business needs aren’t properly defined, it’s unlikely that the application’s function(s) will be either. When the race to market is the number one priority, things like a robust software development life cycle and secure coding techniques tend to fall by the wayside.
  4. Acceptance of Payment Details: The more secure mobile payment apps never actually touch the payment details. However, it’s still very common for apps to accept full cardholder data (credit card number, etc.) through the app itself. The better apps will only process a transaction when an e-wallet or equivalent is available in the back-end.

Unavoidable challenges include:

  1. Older Payment Technologies: There’s no getting away from this one any time soon, we have had these technologies for decades and they will be around for a while longer. The only thing to be done is to ease the transition from these technologies into the innovations of the present slowly and securely. There is little room for total disruption in the payments space.
  2. Inadequate Authentication of Identity: Last, but certainly not least, Identity Management and Authentication represents not only the limiting factor in almost all current mobile payment methods, but holds the key to supporting everything to come. There is no silver bullet, no single-function remedy, the only way to resolve this challenge is to build as many authentication factors into every transaction as possible, ideally without creating friction in the payment process.

Secure authentication of identity is the key to reducing mobile fraud, but no solution will be accepted that gets in the way of people actually using it. Only by ‘bridging’ the established with the new, implementing new technologies seamlessly behind/alongside old ones, and making room for everything to come can we stay ahead of the thieves.

[Ed. Written in collaboration with]

Biometrics Is Only PART of the Answer!

The time will come when you will be able to walk into any shop, choose what you want, pay for it where you are standing, and walk out with it without having to go through the nonsense of lining up. The same will apply to getting through airport security/immigration, into a concert, onto public transportation and so on. Each of these ‘transactions’ will happen in the background.

The time will also come when who you are is enough to make all of these transactions happen almost seamlessly, and biometrics will be an enormous part of that. However, WHAT you are does not equal WHO you are, and that’s where biometrics vendors miss the point. No form of static authentication (of which biometrics is one, same as passwords) can encompass your entire identity: your likes, dislikes, hopes, fears, ambitions, friends & family interactions, even your reputation. The things that make you human, and 100% unique.

Also, what biometrics cannot do is replace every other form of authentication in the near term. Certainly not the authentication of payments for example when you consider that all payment card schemes globally are united behind the PIN.

“But that’s already happening!” you may say, and you’re right, you can authenticate payments with a fingerprint via your mobile device (Apple Pay for example). Then again, I can spend £20 (£30 from this September) at a time with my Visa / MasterCard contactless card with typically no authentication at all.

Ultimately, what we’re trying to get to is the universal demonstration of the one thing upon which all the transactions above rely; trust.

No single form of authentication (biometrics included) is going to get you a car loan, or a mortgage, but it WILL get you a cup of coffee, because authentication is just a sub-set of the overarching principle related to the demonstration of trust; Identity Management. The who you are, or more to the point, who you have been, is what gets you the mortgage, all your face is going to do is give the lender reasonable assurance that they are talking to the right person.

Authentication is not the answer to the trust challenges we face today in a distributed world. Trust is not built on how you authenticate; it’s built on an irrefutable representation of your life: your credit history, criminal record, work history, references, social media profile, public statements of opinion (blogs, etc.) and so on. You are not going to place trust in someone you will likely never meet in person until you are reasonably satisfied that they will keep their end of the bargain.

Even multi-factor authentication is only going to give more certainty that the person you’re dealing with is the person you expect, it does nothing to ensure that your transaction will go as planned. Only identity can give you that kind of assurance.

Every transaction in the future will be a combination of identity management and authentication, and how much you need of each will be agreed by both sides, up front. This is a complete departure from today where trust is mostly one way, and should address the majority of the current challenges we have related to fraud.

[Ed. Written in collaboration with]