Rethinking Security in the Age of Mobile Wallets

The global transaction value of mobile payments has skyrocketed in the last few years, from $171.5 billion in 2012 to a projected $490.9 billion in 2015. M-commerce sales in the U.S. during this period have jumped from $11.6 billion to a forecasted $31 billion – almost tripling in four years’ time.

Clearly, mobile payments are popular, and they’re here to stay. Mobile commerce is so popular, in fact, that it has revived interest in the mobile wallet. The mobile channel holds great potential for merchants who support it. The flipside, however, is that cyber criminals see its potential as well. Fraudsters are constantly updating their attack methods and exploiting every vulnerability they can find. The newer and more untested the technology, the greater its potential vulnerability. So it is with mobile wallets.

Complexity or Security?

In the aftermath of last year’s tsunami of big-name data breaches, the critical nature of security is now salient. But a disconnect still exists: organizations repeatedly fail to secure data as it transitions to the cloud.

Here’s an example of that disconnect. Merchants are currently more concerned about how to manage the complexity of mobile payment types today than they are attentive to security, according to The Mobile Payments & Fraud: 2015 Report. The number of organizations that consider this landscape’s intricacy the greatest obstacle to mobile adoption more than doubled from last year and has nearly tripled since 2012. The shift in focus on payments has reduced the focus on risk management. Organizations concerned about managing fraud risk as the greatest obstacle to mobile adoption fell to 11 percent from 20 percent last year.

But if merchants would pause and take a longer view, they would realize that the complexity of mobile payment types provides plenty of incentive to focus on security. As vendors rush their mobile wallets to market, absent industry standards in place, there is no guarantee that security best practices are being implemented.

Past Solutions are Inadequate

Authentication in the age of IoT, BYOD (Bring Your Own Device), and cloud services introduces challenges unaddressed by usernames, passwords or tokens. As the demand for remote login and flexibility continue to rise, organizations are struggling to find and deploy authentication methods that are effective, easy to use, impervious to theft and scalable. Until recently, those methods have been difficult to find.

Twenty years ago, hardware tokens arrived on the scene and were a big hit with enterprises; they implement time-based security codes and Public Key Infrastructure (PKI). But when it comes to the consumer market, which comprises the bulk of online users, hardware tokens are an odd fit.

Why Passwords Aren’t Sufficient Anymore

Our younger generations have grown up using usernames and passwords; it’s almost in their DNA. This combination has been used to authenticate access to digital assets for decades. Only recently have additional measures, such as enforcing increased password complexity or adding a second layer of protection, known as two-factor authentication (2FA), increased in usage as security breaches become more prevalent and sophisticated. These newer methods of authentication have stalled among everyday consumers because these systems are fragmented in nature, with no widely accepted standard.

By now users know that they should be creating strong passwords with some combination of lowercase and uppercase letters, numbers, and symbols in a long string. In reality, many users choose easy-to-remember passwords and reuse them for all of their applications. Efforts to increase password complexity have failed because most people use the same common characters to fulfill these complex password requirements. With the rise of mobile computing, inputting complex passwords is onerous and often results in users choosing easy-to-type passwords that fraudsters discover are easy to guess.

SMS codes and time-based software token applications are two of the 2FA software-based solutions that have gained some traction, but they have shown to be vulnerable to malware attacks that plague many devices. 2FA schemes fail to address the security problem they are trying to overcome by performing on-device authentication, which is still susceptible to the same attack vectors as passwords. 2FA hardware tokens are a usability nightmare; software-based 2FA solutions are inconvenient and vulnerable to malware. In short, 2FA solutions do not provide sufficient security for organizations that require an end-to-end security solution.

Out of the Spy Novel, Into Your Hand

So, what else is there? Recent technological advances have made on-device biometrics a viable option. The latest Apple and Samsung (News - Alert) mobile phones—as well as modern computers—contain embedded biometric sensors, often in the form of a fingerprint reader. These devices also include a Trusted Platform Module (TPM) or Trusted Execution Environment (TEE) that handle the verification of biometric information separately from the primary device’s core operating system, which is susceptible to malware.

This option has only recently been possible, because the mobile devices that came before lacked enough power to evaluate biometric information easily. Equipped with biometric sensors, newer devices have the ability to change the way that users authenticate to services they use every day such as email, social media and banking. More importantly, with such devices becoming widely available, online service providers have a major incentive to make biometric-based authentication available as a key benefit to their users.

What makes this form of authentication so compelling is the simple fact that a biometric signature is unique to each person. However, users must exercise caution, as using biometrics is not a panacea for the security problem. Organizations should implement a security program that uses biometrics as one tool for proving user identity and ensures that sensitive data is only accessible by the individual to whom it biologically belongs.  This means TPMs and TEEs are where a person’s unique biometric signature should be stored, and other security tools should include robust encryption and tokenization schemes.

A Better Way Forward

Tech innovators continue to create new devices and applications that need security and, therefore, user authentication. Mobile wallets are an excellent example. As eager as consumers are to use them, cyber criminals are eager to exploit them. That’s disappointingly easy these days as security measures lag behind today’s m-commerce  popularity and as consumers rebuff guidance concerning strong passwords.

Two-factor hardware tokens are impractical for consumer use, and they have their own vulnerabilities – as do software-based 2FA solutions. In today’s complex ecosystem of mobile devices and mobile wallets, biometric-based authentication is gaining ground, albeit only as fast as devices with embedded sensors permit. Though not a cure-all, biometrics makes sense as one aspect of a comprehensive plan for securing your agile, mobile environment.

A former webmaster, George Avetisov has been interested in improving the Internet experience since building his first website at the age of 11 - a fan page dedicated to his favorite childhood anime. At the age of 19,  he cofounded an online store generating over $6m in annual revenue at the time of his departure. Armed with years of experience in cyber fraud and e-commerce, coupled with a strong drive to build a secure internet ecosystem, George now focuses on his position as co-founder and CEO of HYPR Corp.