The Green Sheet Online Edition
October 14, 2013 • Issue 13:10:01
Mobile security and the rule of thumb
The payments industry is on the verge of a dramatic change in how mobile payments are secured. Experts agree that cardholder authentication via user name and PIN or pass code is a broken system. It is safe to say that some type of individually unique biometric marker – be it a fingerprint, the veins of the iris or the inflections of a voice – will take its place. But what the preferred biometric will be, and how it will interact with payment systems, is still in the proof of concept stage.
A glimpse into the future was provided at the 2013 NFC Solutions Summit held in May 2013 in Burlingame, Calif. In one discussion, Dr. Siva Narendra, co-founder and Chief Executive Officer of mobile security firm Tyfone Inc., reinforced what is increasingly apparent: digital identities and sensitive financial data are secured with weak and cumbersome passwords and easily hackable four-digit PINs.
The 280 million passwords reportedly breached in the United States over the last 18 months represent only a tip of the iceberg, Narendra said. He cited FBI data that concluded 94 percent of all breaches go unreported. With more and more people paying for purchases via mobile phones, it makes sense to take advantage of technology added to those devices to improve security.
Narendra doesn't believe centrally stored identity authentication should be abandoned. "It just needs to be augmented," he said. "And we need to augment it with ID stored in secured hardware locally in the consumer's hand." Tyfone's Connected Smart Card technology is a "bring your own body" (BYOB) solution, an example of which is incorporating a digital copy of a thumbprint into a plastic card, microSD processing chip or mobile device.
A thumbprint has the advantage of being physically part of the individual and does not have to be remembered, like a password, Narendra said. But he noted that because the biometric is unique to the individual and represents highly sensitive data, it is even more vulnerable than a password if it is centrally stored in the cloud; a password can be changed following a hack, but once a one-of-a-kind thumbprint is stolen, it is gone for good.
In March 2013, Jerome Svigals - the self-proclaimed "Father of the Magstripe" for his pioneering work with IBM in the 1960s in developing the magnetic stripe technology that underscores all physical bankcard transactions in the United States today - patented a near field communication (NFC) -based application called SPARC, short for Secure Process for Applications and Remote Control.
Svigals, now retired from IBM and Director of the Smart Card Institute in Silicon Valley, said SPARC employs a key fob-type "security key" that communicates via NFC with smartphones to authenticate users and allow legitimate transactions to proceed. When a consumer initiates a smartphone payment, the key notifies the user of whether to accept or decline the transaction. A thumbprint button on the key would both authenticate the user and send the transaction through for processing.
Svigals said his system accomplishes three things: prevents fraudulent transactions before the fact; foils fraudsters because account numbers are tokenized; and protects malware from being downloaded to smartphones.
Robert Martin, Senior Vice President of Attendant Merchant Solutions at wireless POS device specialist Apriva LLC, said SPARC could be effective in preventing fraudsters from accessing stolen smartphones, even if they steal the biometric dongle with the car keys. But he asked two simple questions: "Is that preferred? I don't know. What is the cardholder willing to do?"
Martin believes it is the job of the payments industry to ensure that consumers do as little as possible. He said the industry could effectively lock down mobile devices with high-grade security, but it would be "incredibly onerous and incredibly painful" for consumers, and ultimately self defeating. For consumers to adopt a security procedure, it must be easy.
"Consumers care about security the moment they see that their account has been hit," Martin said. "It is our responsibility in the industry to make it so that they don't have to think about security."
But even if the winning solution proves to be biometrics, it will not make or break a mobile payment scheme. Martin likened the current state of mobile payments to that of e-commerce back in the 1990s. "If you look at e-commerce when it first came out, people were very concerned about using their card numbers online," he said. "Then once they saw sufficient value in e-commerce and sufficient protection in terms of fund protection, fraud protection for the consumer, then they got over it."
Breaking the rules
As a mobile parking payment app developer, the Pango app operates beneath the first layer of password/PIN security. Dani Shavit, CEO of Israel-based Pango Mobile Parking Ltd., said if a biometric marker makes up the first layer, that does not mean fraudsters won't find a way to circumvent it.
Shavit noted that the new Galaxy S4 smartphone manufactured by Samsung, which earned the seal of approval from the Pentagon for its security, was unlocked within a week of its release. "As technology enhances, the highjackers also enhance [their techniques]," he said.
That is why biometrics should not be viewed as a foolproof solution in itself. Biometrics may thus provide a somewhat illusory sense of security for consumers. Shavit said the main thing is that "the user has the feeling that he's in control. It's all about feeling. It's not a real thing."
Mobile security is not about eliminating fraud anyway, but reducing risk, according to Shavit. The way that is accomplished is through a layered approach to security. "If you succeed in penetrating the first layer, you will be blocked from the second," he said. "If you succeed in penetrating the second, you will be blocked from the third."
Shavit believes the dongle approach to mobile security might work as an intermediate step, but it is not an ultimate solution because it runs counter to the fundamental direction technology is headed – toward simplified, seamless solutions. "Which means you don't want to use any other device apart from your cell phone," he said. "So if you have another device, you are breaking the rule of a seamless solution."
Biometrics and geotagging
If biometrics alone is no security panacea, biometrics coupled with the geo-location feature of smartphones promises to be a potent one-two combination. The biometric authenticates the smartphone user; then the phone's integrated geo-location (geotagging) technology locates the user at his or her residence, for example, or at the physical business where the transaction is taking place, adding an extra dimension to customer verification.
"If you could verify somebody's location when the transaction was processed physically and you can verify that by biometrics, and then transactions that are not within that area, I think that it adds a whole new parameter to that solution," said Ben Hurley, Director of Mobile Products for AprivaPay.
Martin pointed out that mobile payments are currently considered card-not-present (CNP) transactions. Because CNP payments are deemed more risky by the card brands, interchange rates are higher on those transactions. But adding geotagging to the equation, and increasing the likelihood that smartphone users are who they say they are, could move mobile payments into the less risky card present category, with those transactions qualifying for lower interchange rates
The discussion about biometrics and geotagging touches on a fundamental issue involving the future of mobile security: where will biometric data be stored? The addition of geotagging to biometrics steers mobile security to a cloud-based as opposed to a device-centric model, according to Martin.
In the cloud-based model, biometric credentials would be stored in central servers and accessed online, and the geotagging feature would correspondingly be cloud-based. The alternate model would have biometrics stored in the secure element of the phone itself, or in a companion device, such as a dongle or card, and with geotagging embedded into the physical POS terminals that phones communicate with in NFC scenarios.
However, the radio frequency antenna built into terminals that allows smartphones to communicate with POS devices in order to conduct NFC payments has a range of only a few inches. In this setting, the geotagging feature would only work if the phone were that close to the reader, making such a scheme impractical.
But once in the cloud, geotagging takes on another dimension. "When you get into geotagging, and some of the other things, that's making cloud payments even more secure than noncloud-based payments," Martin said.
But there's another argument to be made. At the NFC conference in May, The Green Sheet asked Sebastian Taveau, Chief Technology Officer at biometric security firm Validity Inc. and Chair of the technology working group at the FIDO Alliance, to comment on what providers learned from the most prominent biometric security failure to date, that of Pay By Touch Inc.
The now defunct company offered biometric technology that allowed consumers to pay for purchases at the POS with fingerprints. At its height in the mid 2000s, Pay By Touch had installed biometric readers in 2,400 supermarket locations nationally and even scored capital investments from former NFL quarterbacks Drew Bledsoe and Rick Mirer. But the company abruptly ceased operations in 2008, the casualty of internal turmoil and a faulty business model.
"Pay By Touch tried to be a payment network – bad idea," Taveau said. With fraudsters focused on hacking into large databases to steal financial information, Pay By Touch's method of storing consumers' fingerprint data in centralized servers was a security disaster waiting to happen.
"No service provider in their sane mind wants to manage millions of fingerprint templates in the cloud or on the back end," Taveau added.
This gives ammunition to proponents of the device-centric philosophy, which is apparently being adopted by Apple Inc. The tech giant's iPhone 5S, released in September 2013, comes equipped with a fingerprint scanner called TouchID. Apple stressed that fingerprint data is stored in a secure area of the phone's A7 chip, walled off from all other software, and untouchable even by Apple itself. However, hackers successfully accessed the secure area shortly after the phone's release.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.