Mobile Authentication: Exceeding Card Present Security?

Looking at this as objectively as I can (given my current career focus), I fail to see how the sheer number of authentication factors a mobile device is capable of does not make authentication of card-not-present transactions at least as secure as, if not more secure than, card-present transactions.

Well, they SHOULD be more secure; the technology is available, but the payments and mobile industries cannot seem to get out of their own way.

Let’s examine the card-present transaction: I walk into a shop, choose my items, then go to the counter. The shop assistant rings up my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.

The only things ‘guaranteeing’ that I’m an authorised user of the card are that I have the card in my possession and that I know a 4-digit PIN. Yes, some cards have photos on them, but they are few and far between, so the real security in a card-present environment is the difficulty of obtaining the card and the PIN from the true owner (possession counts for something because the chip answers the terminal with a cryptogram that a magnetic-stripe clone cannot produce). I will not underestimate just how difficult this is, but other than the true owner noticing the card is missing and reporting it, there are very few checks and balances.

Now let’s consider what you currently have to do to buy something online, and everything a mobile phone COULD be doing to provide security. Traditionally:

  1. To create a new account with most e-commerce retailers, you just need a valid email address, and that address may or may not be confirmed.
  2. To add a payment card you need a billing address and a mobile phone number, which may or may not be validated in the back-end.
  3. To make a purchase, you log into your account, choose your stuff, then go to the checkout. You select the saved payment card you wish to use, then enter your CVV2 and/or your 3-D Secure password.

All of this is far easier to fake / bypass than in card present environments, hence the higher rates of fraud.

Now, imagine a scenario where you have registered your mobile phone and tied it to the payment card in question. You then have all of the following at your disposal:

  1. PIN / Password – the most ubiquitous form of authentication on the planet, and while it’s not the best, it most certainly adds a significant layer of complexity for the bad guys.
  2. Fingerprint – If you have an iPhone 5s or later, or a recent Samsung Galaxy, you have fingerprint biometrics. This facility will only become more common as time goes on.
  3. Voice Recognition – Nowhere near as prevalent as fingerprint, but gaining ground.
  4. Iris / Face Recognition – I combine these two because they both use the camera in a very similar way. Not a huge fan of these so far; they are rather ungainly.
  5. Geo-Fencing – a transaction request comes in from a Nigeria-based IP address while your phone reports that it is in Wandsworth; is that legit? (IP geolocation is coarse and a VPN or proxy hides the true origin, so treat this as one signal among several rather than a verdict on its own.)
  6. Social Media Profiling – Not common at all …yet, but you could choose to add your social media profile to the purchase decision. e.g. you’re a rabid Arsenal (UK folks) / Redskins (US folks) fan, would you really be buying Spurs or Eagles merchandise respectively? Maybe, but I assume only to burn it.
  7. Reputation Profiling – Again, not common, but another growing form of identity management.
  8. Device Profiling – the hardware, OS version, installed apps, app layouts and usage habits that together identify a particular phone, checked against the profile captured when the phone was enrolled.

…and so on.

The vast majority of these will require an initial set-up and configuration, but will then be largely invisible to the user during use. Innovation without practical use is just a dream, and in this case practical use means that everyone can use it without inconvenience.

Done correctly, the integration of all of these factors during a transaction will take no more effort than a user expends in the normal use of their mobile device, but so far the individual vendors of each service and mobile device are trying to corner the market for themselves.
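To make the “integration of all of these factors during a transaction” concrete, here is an added example of risk-based authorisation for a card-not-present payment. It is my illustration, not the author’s code and not any issuer’s or vendor’s product. It combines the PIN result, the biometric result, the distance between the enrolled phone’s reported location and the geolocation of the IP address that submitted the request, a device-profile match against enrolment, and the amount, and returns approve, step-up (demand another factor) or decline. All weights, thresholds, field names and the sample transactions are constructed assumptions; a real issuer would tune the numbers against its own fraud data.

```python
"""Risk-based authorisation for a card-not-present payment (illustrative).

Combines the signals an enrolled phone can supply (PIN result, biometric
result, device location, device profile) with the geolocation of the IP that
submitted the request, and returns approve / step_up / decline.
Weights, thresholds, identifiers and sample data are assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class Enrolment:
    """What the issuer stored when the phone was tied to the card."""
    device_fingerprint: str  # hash of the device/app profile at enrolment


@dataclass
class Transaction:
    amount: float
    ip_lat: float                 # geolocation of the requesting IP address
    ip_lon: float
    pin_ok: bool                  # knowledge factor, verified by the wallet app
    biometric_ok: Optional[bool]  # None: the device offered no biometric
    device_lat: Optional[float]   # GPS fix reported by the enrolled phone
    device_lon: Optional[float]
    device_fingerprint: str       # profile hash sent with this request


# Hypothetical weights; an issuer would tune these against real fraud data.
FAR_KM = 500.0      # IP and phone effectively on different continents
NEAR_KM = 50.0      # beyond this, a small penalty (mobile IP pools roam)
STEP_UP_AT = 30     # at or above: demand an extra factor before approving
DECLINE_AT = 70     # at or above: refuse outright


def risk_score(tx: Transaction, enrolled: Enrolment) -> Tuple[int, List[str]]:
    """Additive risk score plus the human-readable reasons behind it."""
    score = 0
    reasons: List[str] = []
    if not tx.pin_ok:
        score += 60
        reasons.append("PIN not verified")
    if tx.biometric_ok is None:
        score += 10
        reasons.append("no biometric available")
    elif not tx.biometric_ok:
        score += 40
        reasons.append("biometric failed")
    if tx.device_lat is None or tx.device_lon is None:
        score += 20
        reasons.append("no device location")
    else:
        km = haversine_km(tx.ip_lat, tx.ip_lon, tx.device_lat, tx.device_lon)
        if km > FAR_KM:
            score += 50
            reasons.append(f"requesting IP is {km:.0f} km from the phone")
        elif km > NEAR_KM:
            score += 15
            reasons.append(f"requesting IP is {km:.0f} km from the phone")
    if tx.device_fingerprint != enrolled.device_fingerprint:
        score += 70
        reasons.append("device profile does not match enrolment")
    if tx.amount > 500.0:
        score += 15
        reasons.append("high-value transaction")
    return score, reasons


def decide(tx: Transaction, enrolled: Enrolment) -> str:
    score, _ = risk_score(tx, enrolled)
    if score >= DECLINE_AT:
        return "decline"
    if score >= STEP_UP_AT:
        return "step_up"
    return "approve"


# Constructed sample data: no real devices, users or issuer records.
ENROLLED = Enrolment(device_fingerprint="dev-7f3a")
WANDSWORTH = (51.4571, -0.1818)
CENTRAL_LONDON = (51.5074, -0.1278)
LAGOS = (6.5244, 3.3792)

TX_LOCAL = Transaction(42.0, *CENTRAL_LONDON, True, True, *WANDSWORTH, "dev-7f3a")
TX_FAR_IP = Transaction(42.0, *LAGOS, True, True, *WANDSWORTH, "dev-7f3a")
TX_STRANGE_DEVICE = Transaction(42.0, *LAGOS, True, None, *WANDSWORTH, "dev-unknown")

if __name__ == "__main__":
    for name, tx in [("local", TX_LOCAL), ("far ip", TX_FAR_IP),
                     ("strange device", TX_STRANGE_DEVICE)]:
        score, reasons = risk_score(tx, ENROLLED)
        print(f"{name:15} {decide(tx, ENROLLED):8} score={score:3} {reasons}")
```

The point of the three sample transactions is the middle one: the Nigeria-based IP with the phone in Wandsworth does not get declined outright, it gets stepped up, which is where the phone would be asked for a fingerprint or PIN it has not yet supplied. Only the combination of a far-away IP, no biometric and a device profile that does not match enrolment tips the score into a decline, so no single signal (and in particular not the coarse, spoofable IP geolocation) decides the outcome alone.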

Digital transactions account for trillions of €/£/$ annually; there is room for everyone in the EVOLUTION (not revolution) of payments from Plastic & PIN to Mobile & Multi-Factor, and disruptive innovation will do nothing but delay the end goal:

Frictionless and ultra-secure mobile payments.


If you think I'm wrong, please tell me why!
