Securing M-Commerce with Painless Authentication

Industry Transformations | 3 minutes read | Mar 13th, 2014

While consumers are taking to m-commerce like a duck to water, online and offline, threats against mobile devices are becoming increasingly sophisticated and multifaceted. Criminals access a mobile wallet by stealing the device, trick the user into downloading malicious software, exploit vulnerabilities in the operating system, or hijack a mobile transaction to steal information and commit payment fraud. Gartner predicts that worldwide mobile payment transactions will reach $235.4 billion in 2013, a 44 percent increase from the 2012 value of $163.1 billion. Undoubtedly, this makes mobile devices a money-spinning channel and the new frontier for cyber criminals.

Currently, a majority of banks employ a Personal Account Number (PAN), credit card expiration date, Personal Identification Number (PIN), and Card Validation Code (CVC) to secure a transaction that is made via a mobile app or a browser. Contactless payments, which use Near-Field Communications (NFC) technology, wirelessly secure a transaction at NFC-enabled point-of-sale counters. However, these measures are not very advanced, and most security solutions collapse when faced with carefully designed cyber-attacks.

So, the big question is: how can banks and payment providers offer front-line security to secure mobile payments? As a Frost & Sullivan report puts it, biometrics that provide high levels of security and an intuitive customer experience may be the solution for secure mobile payments. It is little surprise then that Apple’s latest iPhone 5S is packed with an integrated fingerprint identity sensor, where Touch ID allows the user to buy from the iTunes Store and the App Store by simply swiping a finger on the sensor.

Moving Beyond Biometrics

Securing devices using biometrics technology is not new. Laptops and mobile devices already come with built-in fingerprint scanners to prevent any unauthorized access to a device or replace passwords completely. Typically, the user is required to swipe a finger over a one-dimensional scanner or a reader. The system then matches the user data to a previously stored digital template. Similarly, for authenticating mobile payments, the user becomes the unique key.

However, the use of biometrics technology alone for authorizing system access or payments has also posed new security risks. A case in point is the attack on the iPhone 5S, where hackers took a photograph of a fingerprint from a glass surface and then constructed a “fake fingerprint” to unlock the phone. This could also mean granting hackers permanent access to the unique user data, i.e., fingerprints, which cannot be changed or deleted.

The questions then are: Can we offer safer ways to authenticate mobile payments at all? How can we augment traditional modes of security such as passwords and PINs and enhance the ‘security quotient’ of monetary transactions? The answer lies in multi-factor authentication (MFA). Here, more than one form of authentication is used to validate the legitimacy of a transaction. It combines two or three unique factors: what the user knows (knowledge-based authentication, e.g., password or PIN), what the user has (ID card or security token), and what the user is (biometric application, e.g., fingerprints or facial recognition). Biometric technology provides the third factor in the standard authentication model, adding a further layer of security in establishing the user identity to authenticate a transaction.

These measures allow customers to enjoy the convenience of online shopping with minimal risk. After all, adding an extra code is far more convenient than a trek to the store.

Tags: Biometrics, CyberSecurity, Frost & Sullivan, Mobile payments, Multi Factor Authentication