An infographic published by Dynatrace reveals just how pervasive mobile usage has become. For instance, mobile app downloads are expected to rise to 200 billion by 2017 – a 185% jump from 2013. A statistic of particular interest for merchants is that mobile users are four times more engaged than those using a Web browser.
Consumers have quickly adopted mobile devices and mobile commerce because of the convenience (the mobile device is always at hand) and the ease (just a few clicks) of this modality, which naturally led to the creation and adoption of mobile wallets. The most notable recent example is Apple Pay, launched last year, which forced the conversation concerning mobile payments.
Merchants stand to benefit from the popularity of the mobile channel – and so do cyber criminals. Fraudsters are constantly updating their attack methods and exploiting every vulnerability they can find. The newer and more untested a technology, the greater its potential vulnerability. So it is with mobile wallets.
Security focus is lacking
Security is top of mind in light of frequent, calamitous data breaches that have plagued marquee retailers. Despite these eye-opening events, though, organizations of all kinds repeatedly fail to secure data as it transitions to the cloud.
Regrettably, merchants are more focused right now on managing the complexity of mobile payment types than on security, according to “The Mobile Payments & Fraud: 2015 Report.” The topic is complex, but the shift of attention to the variety, novelty and convenience of payment types has come at the expense of risk management: the share of organizations naming fraud risk as the greatest obstacle to mobile adoption fell to 11% from 20% a year earlier.
The reality is that merchants should view the complexity of mobile payment types as a clarion call to shift their focus to security. As vendors rush their mobile wallets to market, absent any industry standards in place, there is no guarantee that security best practices are being implemented.
Authentication challenges
Verifying that the person at a computer is who they claim to be has always been challenging, and it is becoming harder. Authentication in the age of the “Internet of Things,” “bring-your-own-device” and cloud services introduces challenges that usernames, passwords and tokens do not address. As demand for remote login and flexibility rises, organizations struggle to find and deploy authentication methods that are effective, easy to use, resistant to theft and scalable. Until recently, such methods have been hard to find.
Hardware tokens were an early answer, and they enjoyed popularity when they first came to market 20 years ago. They come in two forms: key fobs that display a time-based one-time code, and smart cards or USB devices holding a private key issued under a public key infrastructure. For the consumer market, which comprises the majority of online users, they are a poor fit: each service would have to issue, ship and replace its own device, and users will not carry one for every account.
In search of greater security
For decades, authentication relied on usernames and passwords. Only recently have additional measures, such as enforcing increased password complexity or adding a second layer of protection – known as two-factor authentication – increased in usage as security breaches become more prevalent and sophisticated. These newer methods of authentication have been slow to gain traction with everyday consumers because they are fragmented in nature, with no widely accepted standard.
It’s common knowledge that it’s safer to have passwords containing a long string of random numbers, letters and symbols, but this best practice is often ignored for the sake of convenience. Many users choose easy-to-remember passwords and reuse them for all of their applications. With the rise of mobile computing, inputting complex passwords is onerous and often results in users choosing easy-to-type passwords that hackers find easy to guess.
To overcome this rational, user-side security hurdle, providers created software-based 2FA such as codes sent by text message and time-based software token apps. These have gained some traction, but they are vulnerable to the malware that plagues many user devices: a trojan on the phone can read an incoming SMS code or capture the code the user types, and either kind of code can be phished from the user in real time. Two-factor schemes thus fail to address the problem they set out to solve, because the second factor is handled on the same device and by the same operating system as the password, and is exposed to the same attack vectors. Hardware 2FA tokens are a usability nightmare; software-based 2FA is inconvenient and vulnerable to malware. In short, 2FA does not provide sufficient security for organizations that require an end-to-end security solution.
The inherent advantage of biometric authentication
Usernames and passwords have run their course, even overstayed their welcome, and 2FA is untenable. However, one recent trend in security is showing significant promise. On-device biometrics are becoming commonplace. The latest Apple and Samsung phones, as well as late-model computers, ship with embedded biometric readers, usually a fingerprint sensor. Google made headlines at Google I/O when it announced that Android M would add fingerprint support, which its upcoming Android Pay service will use. Just as important, these devices pair the sensor with isolated hardware: a trusted execution environment (the TrustZone-based TEE on Android handsets, the Secure Enclave coprocessor on iPhones) or a trusted platform module on PCs. The biometric template is stored and matched there, separately from the main operating system, so malware on the OS sees only the match result, never the fingerprint data.
This is a significant shift, as until recently mobile devices lacked the capacity to evaluate biometric information easily. Equipped with biometric sensors, these new devices have the ability to change the way users authenticate services they use every day such as e-mail, social media and banking. More importantly, with these devices now widely available, the platforms providing the services have a major incentive to make biometric-based authentication available as a benefit to their users.
The benefit of biometric authentication is inherent: a biometric is bound to the person rather than to something the person knows or carries, so it is a direct way to prove that a particular individual is present. Even so, users must exercise caution, because biometrics are not a panacea. A biometric is an identifier rather than a secret: fingerprints are left on every surface touched and cannot be changed if copied, and matching is probabilistic, tuned between a false-accept rate and a false-reject rate. Organizations should therefore implement a security program that uses biometrics as one tool for proving user identity and ensures that sensitive data is accessible only to the individual to whom it biologically belongs. In practice that means the biometric template is stored and matched inside the TPM or TEE and never exported to the operating system or to a server; a successful match should unlock a device-bound key rather than release the biometric itself; and the payment credentials the biometric protects should be guarded by robust encryption and by tokenization, which replaces the card number with a device-specific token that is useless to a thief.
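The division of labour described above, with the template and a signing key confined to the secure world and the server holding nothing but a public key, is the design used by FIDO-style authenticators and by user-authentication-bound keys in the Android keystore. The following Go program is an added illustration of that design and is not code from the author, from Hypr or from any platform vendor. It models the TEE as a struct the rich OS can only call into, replaces a real fingerprint matcher with a Hamming-distance check on a constructed 32-byte vector, and uses a hypothetical relying-party ID (wallet.example) and user (alice). It then plays out a genuine login, a sample substituted by malware on the OS, and a replayed assertion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// hammingDistance on a toy 32-byte feature vector stands in for a real matcher's
// similarity score; real fingerprint templates are vendor-specific structures.
func hammingDistance(a, b [32]byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// SecureWorld models the TEE or Secure Enclave: the template and signing key
// live only here, and the rich OS can call Authenticate and read pub, nothing else.
type SecureWorld struct {
	template  [32]byte
	priv      ed25519.PrivateKey
	pub       ed25519.PublicKey // exported once, at enrollment
	threshold int               // largest distance still accepted as the same finger
}

// Authenticate matches the live sample inside the secure world and, only on
// success, signs the challenge bound to the relying party. The caller gets a
// signature or an error, never the template or the private key.
func (s *SecureWorld) Authenticate(sample [32]byte, rpID string, challenge []byte) ([]byte, error) {
	if hammingDistance(sample, s.template) > s.threshold {
		return nil, errors.New("biometric mismatch")
	}
	return ed25519.Sign(s.priv, assertionDigest(rpID, challenge)), nil
}

// assertionDigest binds the relying-party ID to the challenge, so an assertion
// minted for one service cannot be relayed to another.
func assertionDigest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return d[:]
}

// Server is the wallet back end: public keys plus one outstanding challenge per
// user, so a breach of its database cannot impersonate anyone.
type Server struct {
	rpID     string
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte
}

// Challenge issues a fresh nonce, replacing any earlier one for the user.
func (srv *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // a dead entropy source is not recoverable here
	}
	srv.pending[user] = c
	return c
}

// Verify consumes the pending challenge whether or not the signature checks
// out, so a captured assertion cannot be replayed.
func (srv *Server) Verify(user string, sig []byte) bool {
	c, ok := srv.pending[user]
	delete(srv.pending, user)
	pub, enrolled := srv.enrolled[user]
	return ok && enrolled && ed25519.Verify(pub, assertionDigest(srv.rpID, c), sig)
}

// RunScenario plays out enrollment, a genuine login, a sample substituted by
// malware on the rich OS, and a replayed assertion.
func RunScenario() (genuine, wrongFinger, replay bool, err error) {
	const rp = "wallet.example"                      // hypothetical relying-party ID
	owner := sha256.Sum256([]byte("owner-finger")) // constructed reference scan
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	tee := &SecureWorld{owner, priv, pub, 8}
	srv := &Server{rp, map[string]ed25519.PublicKey{"alice": tee.pub}, map[string][]byte{}}

	noisy := owner
	noisy[0] ^= 0x07 // three bits of sensor noise on a rescan of the same finger
	sig, err := tee.Authenticate(noisy, rp, srv.Challenge("alice"))
	if err != nil {
		return
	}
	genuine = srv.Verify("alice", sig)

	_, e := tee.Authenticate(sha256.Sum256([]byte("attacker-finger")), rp, srv.Challenge("alice"))
	wrongFinger = e == nil // no assertion exists for a non-matching finger

	srv.Challenge("alice") // fresh nonce; the earlier signature no longer matches
	replay = srv.Verify("alice", sig)
	return
}

func main() { fmt.Println(RunScenario()) }
```

Two properties carry the security argument. The OS-side caller only ever handles the challenge and the resulting signature, so malware that feeds the sensor a different finger gets no assertion at all, and malware that steals a valid assertion finds it bound to a consumed nonce and to one relying party. And because the server stores only public keys, a breach of its user table gives an attacker nothing to log in with, unlike a table of password hashes or shared 2FA seeds.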
A new take on security
Technology operates in a cycle of innovation and obsolescence. In the case of authentication, providers innovate a solution that works well for a while, until cyber criminals learn how to circumvent it and make it obsolete. Then it is back to the white board for another innovation. Such is the case with usernames and passwords, hard tokens and 2FA. But when it comes to mobile wallets, trial and error is extraordinarily risky; organizations need convenient, scalable security measures from the start. The genius of biometric authentication lies in the fact that it does not rely on an abstraction the user must remember or on an object that can be lost or stolen. Instead, it relies on each user’s individual biological markers. As part of a well-designed security plan, biometric authentication moves biometrics far beyond their familiar border-control and police-booking uses, and it offers a safer mobile wallet experience.
A former webmaster, George Avetisov has been interested in improving the Internet experience since building his first website at the age of 11 – a fan page dedicated to his favorite childhood anime. At the age of 19, he co-founded an online store, which generated over $6 million in annual revenue at the time of his departure. Armed with years of experience in cyberfraud and e-commerce, coupled with a strong drive to build a secure Internet ecosystem, Avetisov now focuses on his position as co-founder and CEO of Hypr Corp.
Editor’s Note: The RCR Wireless News Reality Check section is where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.