Me, myself and my ID
Going beyond two-factor ID to find a third element of security could help solve concerns over mobile money.
No matter how secure the system, there will always be fraudsters who dupe consumers into surrendering their details. So how do we protect users from their own vulnerability? The answer may be ‘multi-factor’ authentication.
Gene Spafford, professor of computer science at Purdue University, once said about IT security: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards — and even then I have my doubts.” It’s a pretty dramatic and pessimistic statement. However, there are powerful arguments to suggest that, in the absence of concrete, we can turn to strong authentication to keep people’s identities safe.
There’s no doubt that the most vulnerable part of the chain when it comes to mobile payments is the user. According to a Verizon/Secret Service data breach study, 86% of records breached across all industries were the result of stolen login credentials. In today’s connected world, stealing IDs is more serious than stealing payment details because it enables criminals to set up multiple scams. Typically, fraudsters steal IDs using ‘social engineering’ — by developing a fake app that records key presses or sending a bogus charity appeal that requests personal details — and their scams get more and more sophisticated as consumers wise up. So what can the industry do to protect users from themselves?
First off, be realistic. There’s always a balance to be struck between convenience and security because — obviously — the more layers of protection you put in, the more friction there will be for the user. In this sense, it all comes down to context. A consumer using Gmail, for example, will probably implement minimal protection because they wouldn’t send high-security information through it and they know that Google is tracking them anyway.
But for mobile payments, a much stronger form of security is needed. Typically, mobile payment systems are processed using a single PIN or password. And this is where the vulnerability comes in, since people often use guessable passwords such as, well, ‘password’. Moreover, the speed with which criminals’ computers can crunch through millions of combinations makes even apparently secure passwords vulnerable to attack too. A much safer form of protection, then, is two-factor authentication using a one-time password (OTP). Here, the service in question pushes the OTP to the user’s phone, and he or she types that password into the system. This makes the authentication process a blend of what you know (the password) and what you have (the phone).
It’s a powerful combination, as the criminal cannot use the stolen card details unless they have the phone too. This immediately prevents industrial-level harvesting of card data. The technique can also return some control to the user, who can vary the level of friction based on their own preferences. So, for example, a consumer could request an OTP notification whenever they are outside of pre-defined locations or when they’re abroad. Mobile OTPs allow you to quickly and cost-effectively strengthen your security with strong authentication, especially for remote users accessing cloud services. But we need to evolve to stronger forms of authentication and always be thinking that the more layers of security you can implement, the better.
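The two preceding paragraphs describe the OTP flow in words: the service generates a one-time password, pushes it to the phone, and the user types it in alongside the password they know. The following is an added illustration of that server-side logic, not code from Gemalto or from this article. It assumes its own names and parameters (a six-digit numeric OTP, a two-minute validity window, a three-attempt limit, and a simulated push channel), and it also includes the user-chosen step-up rule the text mentions: demand an OTP only outside predefined locations or when abroad.

```python
"""Added example of password + OTP two-factor checks (assumed design)."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120      # assumed validity window for a pushed OTP
MAX_OTP_ATTEMPTS = 3       # assumed guess limit before the OTP is discarded


def hash_password(password, salt=None):
    """Salted PBKDF2 so a leaked store does not reveal the 'what you know'."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PaymentAuth:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be exercised
        self._users = {}           # user -> (salt, password hash)
        self._pending = {}         # user -> state of the outstanding OTP
        self.phone_inbox = {}      # constructed stand-in for the SMS/push channel

    def register(self, user, password):
        self._users[user] = hash_password(password)

    def check_password(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored)

    def send_otp(self, user):
        """Generate a fresh OTP, keep only a salted hash, 'push' the clear value."""
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "hash": hashlib.sha256(salt + otp.encode()).digest(),
            "salt": salt,
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.phone_inbox[user] = otp
        return otp

    def check_otp(self, user, candidate):
        """Single use, time limited, attempt limited, constant-time compare."""
        p = self._pending.get(user)
        if p is None:
            return False
        if self._clock() > p["expires"]:
            del self._pending[user]
            return False
        p["attempts"] += 1
        digest = hashlib.sha256(p["salt"] + candidate.encode()).digest()
        if hmac.compare_digest(digest, p["hash"]):
            del self._pending[user]          # burn the OTP on success
            return True
        if p["attempts"] >= MAX_OTP_ATTEMPTS:
            del self._pending[user]          # too many guesses: issue a new one
        return False

    def authorise_payment(self, user, password, otp):
        # The password is checked first, so a wrong password never consumes
        # one of the OTP attempts.
        return self.check_password(user, password) and self.check_otp(user, otp)


def otp_required(profile, context):
    """User-chosen friction (assumed profile fields): step up to an OTP only
    when the transaction is abroad or outside the user's trusted locations."""
    if context["country"] != profile["home_country"]:
        return True
    return context["location"] not in profile["trusted_locations"]
```

The point worth noticing is that the server never stores the OTP in clear, accepts it only once, and discards it after a small number of wrong guesses or after the window closes; without those three properties a pushed code gives little protection against a replayed or brute-forced login.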
So how can the industry go beyond two-factor authentication? The answer is by adding a third element to something you know and something you have: something you are.
The obvious candidates here are biometrics, such as face recognition, fingerprint or iris. All parties in the mobile money value chain are appraising these technologies. It’s noteworthy that Apple made a corporate swoop for biometrics specialist AuthenTec in 2012. Still, none of these concepts is perfect. Biometrics are interesting but the tech is at an early stage. Take face recognition. There are question marks over how well it works in low light. And what about using it while driving? That’s hardly practical.
For these reasons Gemalto is carefully tracking another concept that’s almost ‘hardwired’ into the phone itself: device fingerprinting. Every phone is unique. It has its own serial numbers, but more than that it comprises a certain amount of memory, music files, photographs and so on. These details may change, though not dramatically — taken together they provide a powerfully unique identity.
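The paragraph above makes a specific claim: a device's attributes drift over time, so a device identity has to tolerate small changes while still rejecting a different handset. The following added example (not Gemalto's or the article's code; the attribute set, weights, threshold and sample device records are all this example's own constructed assumptions) shows one way to do that: an exact digest for the unchanged case, plus a weighted similarity score that treats a slightly changed media count or app list as the same device.

```python
"""Added example: tolerant device-fingerprint matching (assumed design)."""
import hashlib
import json

# Assumed weights: attributes that should never change count most.
WEIGHTS = {"device_id": 5, "model": 3, "os_version": 1, "storage_gb": 1,
           "music_files": 1, "photos": 1, "installed_apps": 2}


def fingerprint(device):
    """Stable digest over a canonical encoding, for exact lookup when the
    device has not changed at all (list attributes are sorted first)."""
    canonical = {k: sorted(v) if isinstance(v, list) else v
                 for k, v in device.items()}
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def _attr_similarity(enrolled, observed):
    """1.0 for identical values, decaying with distance for counts and sets."""
    if isinstance(enrolled, (int, float)) and not isinstance(enrolled, bool):
        if not isinstance(observed, (int, float)):
            return 0.0
        denom = max(abs(enrolled), abs(observed), 1)
        return max(0.0, 1.0 - abs(enrolled - observed) / denom)
    if isinstance(enrolled, (list, set)):
        a, b = set(enrolled), set(observed or [])
        return len(a & b) / len(a | b) if a | b else 1.0
    return 1.0 if enrolled == observed else 0.0


def similarity(enrolled, observed):
    """Weighted score in [0, 1] between an enrolled profile and a fresh reading."""
    total = sum(WEIGHTS.values())
    score = sum(w * _attr_similarity(enrolled.get(k), observed.get(k))
                for k, w in WEIGHTS.items())
    return score / total


def is_same_device(enrolled, observed, threshold=0.85):
    """Assumed policy: accept drift that keeps the score at or above 0.85."""
    return similarity(enrolled, observed) >= threshold


# Constructed sample records (placeholder identifiers, not real devices).
ENROLLED = {"device_id": "DEVICE-ID-PLACEHOLDER-1", "model": "X1",
            "os_version": "8.1", "storage_gb": 64, "music_files": 420,
            "photos": 1800, "installed_apps": ["bank", "mail", "maps", "music"]}
# Same handset a few weeks later: OS updated, more media, one new app.
DRIFTED = {"device_id": "DEVICE-ID-PLACEHOLDER-1", "model": "X1",
           "os_version": "8.2", "storage_gb": 64, "music_files": 455,
           "photos": 1950, "installed_apps": ["bank", "mail", "maps", "music", "news"]}
# A different handset that happens to have the same banking app installed.
OTHER = {"device_id": "DEVICE-ID-PLACEHOLDER-2", "model": "Y2",
         "os_version": "8.2", "storage_gb": 128, "music_files": 0,
         "photos": 12, "installed_apps": ["bank"]}

if __name__ == "__main__":
    print("drifted:", round(similarity(ENROLLED, DRIFTED), 3),
          is_same_device(ENROLLED, DRIFTED))
    print("other:  ", round(similarity(ENROLLED, OTHER), 3),
          is_same_device(ENROLLED, OTHER))
```

Treat the score as one risk signal feeding the step-up decision rather than as proof of possession on its own: the exact digest changes on any drift, and the tolerant score is a judgement call whose threshold should be tuned against the false-accept and false-reject rates seen in real traffic.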
But there’s more. A significant and complementary security technology could be the trusted execution environment, which buries encryption inside the chipset of the device rather than inside a downloaded app or in the OS. In this instance, when a user wants to authenticate a transaction they retrieve their details from an encrypted area in the microprocessor, which is virtually impossible for criminals to break into.
Gemalto is leading this drive as one of the partners in Trustonic, a JV promoting ARM’s TrustZone technology. Taken together, all these ideas could make mobile money — the subject of so much fear and caution among consumers — far safer than online or even plastic transactions.
The fact is, people have their plastic cards cloned, and they still use them. People will get used to mobile payments, and they’ll get past their security fears as they realise that their mobile identities can protect them better than anything that came before. It’s up to the industry to make mobile payments seamless and secure. I am confident that the industry has the will to make this happen too. You’d have to be foolish not to believe that mobile will be at the centre of people’s financial lives. The VC money pouring into the space proves it, and every financial services company has a mobile strategy now. They know it’s coming, and they’re preparing for it.
Ray Wizbowski is VP of strategic marketing for enterprise Identity & Access Management at Gemalto.