Mobile Authentication: Exceeding Card Present Security?
Considering the sheer number of authentication factors of which a mobile device is capable, card-not-present transactions should be at least, if not more, secure than card-present transactions.
In reality, they can be, because the technology is available, but the payments and mobile industries cannot seem to get out of their own way to actually utilise that technology to its full extent.
Let’s examine the card-present transaction: I walk into a shop, choose my items, then go to the counter. The shop assistant rings up my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.
The only things ‘guaranteeing’ that I’m an authorised user of the card are that I have the card in my possession and that I know a 4-digit PIN. Yes, some cards have photos on them, but they are few and far between, so the real security in a card-present environment is the difficulty of obtaining both the card and the PIN from the true owner. I will not underestimate just how difficult this is, but other than the owner finding the card missing and reporting it, there are very few checks and balances.
Now let’s consider what you currently have to do to buy something online, and everything a mobile phone COULD be doing to provide security. Traditionally:
- To create a new account with most e-commerce retailers, you just need an email address – may or may not require confirmation of the email address used.
- To add a payment card you need a valid billing address, and a mobile phone number – may or may not be validated in the back-end.
- To make a purchase, you log into your account, choose your stuff, then go to the checkout. You select the saved payment card you wish to use and enter your CVV2 code and / or your 3-D Secure password (if you can remember it!).
All of this is far easier to fake than in card-present environments, hence the higher rates of fraud and the resulting higher interchange.
Now, imagine a scenario where you have registered your mobile phone and tied it to the payment card in question. At your disposal you have all of the following available to you (and they can work in combination with each other):
- PIN – the most ubiquitous form of authentication in payments today, trusted by consumers, and easy to remember for most people
- Password/Passphrase – the most widely-used form of authentication on the planet, and while it’s not the best, it adds a layer of complexity for the fraudsters.
- Geo-Fencing – a transaction request comes in from a Nigeria-based IP address while your phone is in Wandsworth; is that legit?
- Fingerprint – If you have an iPhone 5/6 or a later version of Samsung, you have fingerprint biometrics. This facility will only increase as time goes on.
- Voice Recognition – Nowhere near as prevalent as fingerprint, but gaining ground.
- Retina / Face Recognition – Combine these two because they both use the camera in a very similar way. Not a huge fan of these so far, they are rather ungainly.
- Social Media Profiling – Not common at all …yet, but you could choose to add your social media profile to the purchase decision. e.g. you’re a rabid Arsenal (UK folks) / Redskins (US folks) fan, would you really be buying Spurs or Eagles merchandise respectively? Maybe, but I assume only to burn it.
- Reputation Profiling – Again, not common, but another growing form of identity management for consumers with ‘thin files’ in terms of alternate forms of ID.
- Device Profiling – OS configuration, installed apps and their layout, and so on.
…and so on.
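The post says these factors "can work in combination with each other". The block below is an added illustration of what that combination looks like on the issuer or wallet side; it is not code from the original post. It scores one transaction against three of the listed factors (PIN, fingerprint and device profile) plus the Geo-Fencing check, comparing the geolocation of the requesting IP address with the registered phone's last known position. The coordinates for Wandsworth and Lagos, the 50 km fence radius and the approve / step-up / decline thresholds are constructed assumptions for the example, not figures from the post.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

LatLon = Tuple[float, float]

# Constructed sample coordinates (assumption): roughly Wandsworth, central London, Lagos.
WANDSWORTH: LatLon = (51.457, -0.193)
CENTRAL_LONDON: LatLon = (51.507, -0.128)
LAGOS: LatLon = (6.524, 3.379)


@dataclass
class TransactionContext:
    """What the issuer knows at authorisation time about one card-not-present request."""
    pin_verified: bool                 # user entered the correct PIN in the app
    biometric_verified: bool           # fingerprint (or similar) check passed on the phone
    device_profile_matches: bool       # OS / app-layout fingerprint matches the enrolled device
    request_ip_location: LatLon        # geolocation of the IP that sent the purchase request
    phone_location: LatLon             # last known position of the registered phone


def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def assess(ctx: TransactionContext, geo_fence_km: float = 50.0) -> Dict[str, object]:
    """Combine the factors into a decision: 'approve', 'step_up' or 'decline'.

    The thresholds are assumptions for the example: two satisfied factors on a
    device that is where the request came from is enough to approve; a request
    from outside the geo-fence asks for more evidence; a request from outside
    the fence on a device that does not look like the enrolled one is declined.
    """
    reasons: List[str] = []
    factors = 0

    if ctx.pin_verified:
        factors += 1
    else:
        reasons.append("PIN not verified")
    if ctx.biometric_verified:
        factors += 1
    else:
        reasons.append("biometric not verified")
    if ctx.device_profile_matches:
        factors += 1
    else:
        reasons.append("device profile does not match enrolled device")

    distance = haversine_km(ctx.request_ip_location, ctx.phone_location)
    outside_fence = distance > geo_fence_km
    if outside_fence:
        reasons.append(f"request IP is {distance:.0f} km from the registered phone")

    if outside_fence and not ctx.device_profile_matches:
        decision = "decline"
    elif outside_fence:
        decision = "step_up"        # e.g. ask for a second factor before approving
    elif factors >= 2:
        decision = "approve"
    else:
        decision = "step_up"

    return {"decision": decision, "factors": factors, "distance_km": distance, "reasons": reasons}


if __name__ == "__main__":
    # Phone in Wandsworth, request from central London, PIN + fingerprint + known device.
    local = TransactionContext(True, True, True, CENTRAL_LONDON, WANDSWORTH)
    print(assess(local))
    # Same phone, but the request arrives from a Lagos IP on an unrecognised device.
    far = TransactionContext(True, False, False, LAGOS, WANDSWORTH)
    print(assess(far))
```

In practice the geolocation of an IP address is coarse and a VPN or roaming can legitimately put a request far from the phone, which is why the example only steps up rather than declining on distance alone; the decline needs the second, independent signal of an unrecognised device.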
The vast majority of these will require set-up and configuration (which can often be streamlined), but once configured their use will be largely invisible to the user. Innovation without practical use is just a dream, and in this case practical use means that everyone can use it without inconvenience.
Done correctly, the integration of all of these factors during a transaction will take no more effort than a user expends in the normal use of their mobile device, but so far the individual vendors of each service and mobile device are trying to corner the market for themselves.
Digital transactions account for trillions of €/£/$ annually, so there is room for everyone in the EVOLUTION (not revolution) of payments from Plastic & PIN to Mobile & Multi-Factor; disruptive innovation will do nothing but delay the end goal:
Frictionless and ultra-secure mobile payments.