Can Biometrics Revolutionise Mobile Payment Security?


New security features continuously emerge to counter potential threats and hacks, and as new uses appear, new security mechanisms or features are implemented. Payment services probably demand the highest level of security. With the explosion of smartphone adoption, the number of people making purchases via a mobile device has increased significantly over recent years. Could Biometrics Answer Part of the Security Problem?

Published in: Technology, Business

Jean-Noël Georges, Global Program Director, ICT in Financial Services and Digital Identification

“50 Years of Growth, Innovation & Leadership”
ICT Beat

Mobile phones are designed in accordance with the latest security standards. New security features continuously emerge to counter potential threats and hacks, and as new uses appear, new security mechanisms or features are implemented. Payment services probably demand the highest level of security. With the explosion of smartphone adoption, the number of people making purchases via a mobile device has increased significantly over recent years. As eCommerce became mCommerce, payment security became an area of considerable focus. During a ‘card not present’ payment process, a personal account number (PAN), expiration date, and card validation code (CVC) are not enough to completely secure the transaction. However, new mechanisms such as 3-D Secure appear to increase the confidence of both consumers and eMerchants.

Figure 1: Mobile Payment Security (labels: Secure Element; Password; Biometric; Trust Environment; SMS and Private Question). Source: Frost & Sullivan

Still, protecting a mobile device itself is necessary to ensure that only the owner is able to use it. Although a simple mechanism such as a personal identification number (PIN) can do the job, in 2011, more than 60% of smartphone users were not using a PIN to protect their mobile access. However, these security mechanisms are not sufficient to mitigate advanced cyber threats. One approach towards a solution is to develop levels of security for different use cases: lower levels of security for simple applications, medium security for applications that include more sensitive data, and, finally, a stronger security level for critical applications such as those used for payment and identification. Such an approach will help protect the device from most threats. But, for some applications, a standard PIN will still be required.

Until single sign-on (SSO) services are deployed, many PIN requests will continue to be required for basic use. Expecting users to remember a number of PINs to access devices and applications generates another potential risk: many people use the same PIN out of convenience, making a hacker’s job all the easier. Indeed, when faced with the complexity of managing a plethora of PINs, users often forgo all security mechanisms in favour of simplicity.

© 2013 Frost & Sullivan

Could Biometrics Answer Part of the Security Problem?

Over the past decade, many biometric projects have emerged with the aim of enabling user identification on mobile devices. Mobile biometric identification was created to address specific needs. It started with government institutions looking for a wireless device that could identify citizens during police (or army) checks. Then, biometric identification systems (BISs) were designed to answer specific mobility requirements for the criminal justice and civilian markets. In the 2000s, two major biometric technologies were preferred: fingerprint and facial recognition. Captured information, such as fingerprints, can also be verified against data embedded within a contactless ID card. These solutions were designed for dedicated mobile devices.

Two verification mechanisms can be used for biometric identification, depending on the use case. The first is an embedded biometric solution: enciphered personal data stored in a SIM, chip, or card. This solution allows a match-on-card (MOC) verification mechanism without a network requirement. However, a second mechanism, remote biometry, could also be necessary during a mobile identity check. In such cases, a centralised database allows the collected data to be compared with the stored data.

In Europe, the MOBIO (Mobile Biometry) project is noteworthy. The concept behind the project was to select the best biometric technical solution in order to develop biometric authentication usages for personal mobile devices (e.g., mobile handsets and tablets).
With the help of existing technologies already embedded within these devices (e.g., headphone, microphone, and camera), the final solution included voice and facial recognition and, of course, bi-modal authentication. Fingerprint recognition was not considered a relevant biometric solution as few, if any, mainstream mobile devices possess fingerprint reading capabilities.

Finally, it seems that biometrics could prove an excellent solution for identity access management (IAM) to enable mobile device security. But what about specific or sensitive use cases such as mobile payments?

Is a Biometric Solution the Perfect Answer for Payment Requirements?

Biometric technology is not a recent phenomenon; for example, JCB International Credit Card Co. was testing a biometric authentication solution for mobile payments over 10 years ago. The biometric technology used was fingerprint recognition on a dedicated NTT DoCoMo mobile phone. The pilot involved a few JCB employees. At that time, the technology was innovative; 10 years on, sizable commercial roll-outs have not arrived. However, other products based on voice recognition have launched. For example, InAuth, a product that uses voice characteristics such as pitch and rhythm to uniquely identify the user, was introduced in 2012.
The time is now right for biometric technology to emerge as a secure solution for mobile use cases that require high levels of security, namely payment. From a pure-payment security point of view, biometrics has already delivered significant advantages. Certainly, point-of-sale (POS) payment terminals are critical during the payment process. Consumers often do not feel comfortable in front of keyboards and screens, or they get confused with various payment and loyalty cards. Indeed, the payment experience is a sensitive process wherein personal perception is critical. A simple and intuitive payment solution is a prerequisite for success.

Natural Security, for example, developed a biometric POS solution based on fingerprint (veins or digital) recognition. The fingerprint reader connects to a contactless object (contactless card) to verify that the identified personal data match the information stored on the card. This is a practically effortless payment mechanism that does not require a PIN or card, providing a great customer experience. Pay By Touch developed a similar solution before it was acquired by Phoenix Check Cashing in 2008.

One potential mobile development could have a huge impact on biometric security solutions. Rumours persist that the next iPhone might include a fingerprint sensor. Given that Apple acquired Authentec (with its TouchChip product family) in 2012, this is a certain possibility.

When will Biometrics Replace Other Identification and Authentication Mechanisms?

Biometrics can provide high levels of security and an intuitive customer experience. Finally, the user is the unique key to device, application, and payment security. Remembering PINs could become a thing of the past. But even if these technologies are ready, the cost and the complexity of integrating them into mobile devices make widespread rollout a huge challenge.

Plus, the end user will need time to accept this new way of interacting with his or her device. Other projects have already appeared that use an individual’s personal magnetic field as an identifying signature. Expect to see biometrics becoming increasingly prevalent over the course of the next 3-4 years, driven by a desire among vendors and consumers alike to be better protected when accessing mobile services.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organisation prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

Contact Us: +44 (0) 20 7343 8383