During a 'card not present' process, a personal account number (PAN), expiration date, and card validation code (CVC) are not enough to completely secure a transaction. Biometrics that provide high levels of security and an intuitive customer experience might be the solution for secure mobile payments.
"Protecting the mobile device itself is a first step, necessary to secure mobile payments. Although a PIN can do the job, in 2011 more than 60 percent of smartphone users were not using a PIN to protect their mobile access," noted Frost & Sullivan Global Program Director, ICT in Financial Services, Jean-Noel Georges.
Over the past decade many biometric projects have emerged with the aim of enabling user identification on mobile devices. In Europe, the MOBIO (Mobile Biometry) project is noteworthy: it aims to develop advanced biometric technology solutions for authentication on personal mobile devices. Leveraging the existing technologies embedded within these devices (e.g. headphone, microphone and camera), the optimal solutions included voice and facial recognition, and bi-modal authentication.
"The time is now right for biometric technology to emerge as a secure solution for mobile applications that require high levels of security, particularly payment," said Mr. Georges. "From a pure-payment security point of view, biometrics has already delivered significant advantages."
A simple and intuitive payment solution is a prerequisite for success. Natural Security, for example, developed a biometric point of sale (POS) solution based on fingerprint (veins or digital) recognition. The fingerprint reader connects to a contactless object (contactless card) to verify that the identified personal data matches the information stored on the card. This is a practically effortless payment mechanism that does not require a PIN or card and provides a great customer experience.
"One potential mobile development could have a huge impact on biometric security solutions; rumors persist that the next iPhone will include a fingerprint sensor. Given that Apple acquired Authentec – with its TouchChip product family – in 2012, this is a strong possibility," added Mr. Georges.
Remembering PINs could soon become a thing of the past. With biometrics the user is the unique key to device, application, and payment security, which gives a high level of protection. But even if these technologies are ready, the cost and complexity of integrating them into mobile devices make widespread rollout a huge challenge.
Moreover, the end user will need time to accept this new way of interacting with his or her device. Other projects have already appeared that use an individual's personal magnetic field as an identifying signature. "We expect to see biometrics becoming increasingly prevalent over the course of the next 3-4 years, driven by a desire among vendors and consumers alike to be better protected when accessing mobile services," summarised Mr. Georges.