
Reader Forum: Better authentication methods for mobile payment security

Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.
Why don’t consumers wholeheartedly embrace the ease and convenience of mobile payments? Quite simply, they are worried about the security risk. That’s understandable, given that trust in the security of personal data undergirds adoption of this technology. An EMV card as a physical asset is cryptographically secure. The goal is to replicate that kind of physical security with a virtual asset.
Host card emulation has come onto the industry radar in terms of securing customer payment credentials. Before HCE, providers could either use Card On File (COF) credentials in the cloud or store credentials in a specialist security chip (Secure Element, or SE) in the phone. The COF method merely stores payment information in the cloud, whereas the SE model essentially acts as an EMV card chip.
Now that HCE has arrived, an exact software likeness of the credit card does not need to be stored on a physical chip, eliminating the need for an SE and the battle for ownership of the previously all-important SE, and lowering the barrier to market entry for new players.
Moving stored card data from the chip to a secure cloud environment is problematic. In order to complete a transaction, your phone will have to connect to the Internet, wait for the crypto to be carried out and receive a response. Even at the best of times, this will be difficult to complete in the time required by card schemes. Of course, with no signal it would be impossible. The solution that is being proposed to combat this uses a concept called “tokenization.” Instead of having to connect to the Internet every time you spend, limited-use virtual cards would be stored on your phone.
The security ramifications are significant, as identity thieves need only lie in wait in order to get the sensitive information they seek. There is the potential for criminals to clone the phone and request the card information, or even write malware to reside on the phone that will send the virtual card to the thief in the blink of an eye.
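The tokenization model sketched above, as an added illustration that is not part of the original column: the issuer mints limited-use tokens, each with its own key, a use counter and an expiry; the phone spends them offline and asks for more when it runs low; the issuer accepts each cryptogram once, so a token lifted by malware or a cloned phone is worth at most its remaining uses until it expires. The token format, the HMAC cryptogram and all field names are constructed for this example and are not any card scheme's specification.

```python
import copy
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class LimitedUseToken:
    token_id: str
    key: bytes        # per-token key provisioned by the issuer's token service
    uses_left: int    # how many cryptograms this token may still produce
    expires_at: int   # Unix time after which the token is dead


def issue_tokens(count, now, ttl=86400, uses=1):
    """Issuer side: mint short-lived, limited-use tokens (constructed format)."""
    return [LimitedUseToken(f"tok-{os.urandom(4).hex()}", os.urandom(32), uses, now + ttl)
            for _ in range(count)]


@dataclass
class HceWallet:
    """Phone side: spends tokens offline and flags when a top-up is due."""
    tokens: list = field(default_factory=list)
    low_water_mark: int = 2

    def usable(self, now):
        return [t for t in self.tokens if t.uses_left > 0 and t.expires_at > now]

    def needs_replenish(self, now):
        return len(self.usable(now)) <= self.low_water_mark

    def pay(self, amount_cents, now):
        live = self.usable(now)
        if not live:
            return None                      # nothing left: must go online first
        tok = live[0]
        tok.uses_left -= 1                   # burned even if the terminal rejects it
        msg = f"{tok.token_id}|{amount_cents}|{now}".encode()
        crypt = hmac.new(tok.key, msg, hashlib.sha256).hexdigest()
        return {"token_id": tok.token_id, "amount": amount_cents, "ts": now, "cryptogram": crypt}


def provision(count, now):
    """Issuer keeps its own copy of the tokens; the phone gets an identical copy."""
    issued = issue_tokens(count, now)
    return issued, HceWallet(tokens=copy.deepcopy(issued))


def issuer_verify(issued, payment):
    """Issuer side: accept a cryptogram only for a live token, and only once."""
    for tok in issued:
        if tok.token_id != payment["token_id"]:
            continue
        if tok.uses_left <= 0 or tok.expires_at <= payment["ts"]:
            return False                     # exhausted, replayed or expired
        msg = f"{tok.token_id}|{payment['amount']}|{payment['ts']}".encode()
        expected = hmac.new(tok.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, payment["cryptogram"]):
            return False                     # tampered amount, timestamp or token
        tok.uses_left -= 1                   # issuer burns its copy too
        return True
    return False
```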
Getting ‘smart’ about authentication methods
Payment security will only be as strong as the authentication mechanism, whether it is physical or “virtual.” We must be able to bind the identity of the user to the authorization of the transaction. While banks are extremely familiar with data protection requirements, challengers with less data handling experience will need to be extremely mindful of authentication and risk assessment.
To both authenticate the user and contribute to the risk assessment of the transaction, we must use the “smart” in smartphone. Features such as GPS data, 3G location, proximity to Wi-Fi locations and the number and type of applications on the device build a unique fingerprint for each phone. Although not bulletproof, they can constitute a valuable asset to determine the likelihood of a fraudulent transaction. This also brings the potential to streamline the consumer experience in-store, lowering authentication barriers if it’s very likely that it’s the approved user, and introducing barriers to disrupt the payment journey if in doubt.
Security challenges don’t end, though, when creating a risk-based authentication scenario like this. All this analysis depends on data – reams of personal data that represents an attractive target for malicious hackers, and must be protected against attack. Protecting all this stored personal data goes well beyond the usual password database problem in terms of both volume and sensitivity – authentication is moving from being a “password problem” to a “big data problem.” Information must be carefully encrypted, to neutralize it and minimize the impact of its loss or theft.
HCE has turned the mobile payment ecosystem upside down and will continue to spur its evolution. The digitally connected world we live in demands that we do everything within our power to provide mobile payments that are simple and easy to use – and above all, secure. Once the litmus test of trust has been passed, widespread adoption of mobile payments is just around the corner.
