No Friction Solutions – an essential part of the winning formula for mobile payment security

As anyone who was at the Mobile World Congress in Barcelona last month will tell you, there's no escaping mobile payments. Just recently we've seen RBS and Natwest beginning to pilot a mobile payments tool that lets customers send money to anyone with a Visa card and a UK phone number. Intuit has just made its mobile device-based card payment service, Intuit Pay, available in the UK, and PayPal announced that it would be bringing its own mobile payment service (Here) to the UK later this year, writes Pat Carroll

As anyone who was at the Mobile World Congress in Barcelona last month will tell you, there’s no escaping mobile payments. Just recently we’ve seen RBS and Natwest beginning to pilot a mobile payments tool that lets customers send money to anyone with a Visa card and a UK phone number. Intuit has just made its mobile device-based card payment service, Intuit Pay, available in the UK, and PayPal announced that it would be bringing its own mobile payment service (Here) to the UK later this year, writes Pat Carroll

Despite this level of activity, however, there’s still so much uncertainty and the market is so fragmented. We’re beginning to see a little collaboration between a few telcos and other parties such as issuers or merchants, but in general the market is becoming more and more crowded and increasingly competitive. This creates challenges because depending on whether a system is based on the SIM, the handset or in the cloud, collaboration is going to be needed between different parties – and not just on the running of the system, but in terms of responsibility – who looks after what? It’s certainly an exciting time for practitioners in this industry, but it also could hardly be more uncertain.

As a security company, we see one certainty as fraud, and judging by the time and space given over to discussions on this topic at the BAI Payment Connect conference held in Phoenix recently, we’re not alone. Fraud is only just beginning to hit the mobile channel, but experts agree that it will continue to grow as mobile adoption and mobile payment capabilities increase. Mobile is a less sophisticated environment than a PC, and hence it’s easier to exploit. This isn’t scaremongering, it’s fact! If you look at historic fraud figures and the trend in which fraud moved from card to online, it’s easy to understand why mobile will be the next target. This is why it’s so important that security is considered holistically, from the outset of any project.

Last year a high street bank in the UK had to withdraw an app that allowed customers to get cash from an ATM with their mobile but without their card, because fraudsters found they could exploit the enrolment process since it was only protected by relatively easily obtained knowledge data. Two-factor authentication at enrolment could have prevented this exploit, but whilst many banks use strong authentication for Internet banking, the hardware-based style of strong authentication does not readily lend itself to the mobile App paradigm.

Coming to the fore now are security solutions that are fit-for-purpose for the mobile world as they are telecommunications-based. These solutions utilise a combination of visible and invisible security checks that provide the customer with a "low/no" friction model, commensurate with the risk of the mobile transactions or Apps. Provided the enrolment/activation is secure (there is no room for compromise here) there are ways to reduce the friction factor thereafter whilst still providing very strong protection against fraud.

This is why I have long been an advocate of using telephony based techniques, and in particular voice biometrics for the purpose of authentication on the smart-phone. Not only is it natural to speak into a phone, but certain voice biometric solutions can plug into Apps and don’t even require a telephone call to authenticate; they can take advantage of the always-on data channel. Voice biometrics are dynamic, intuitive, tuned for short duration speech and can both protect the genuine customer and identify known fraudsters or duplicate registrations which can indicate a future fraudster.

What may have previously appeared to be a dichotomy between security and convenience is only perception. The highest level of security can also provide the lowest level of friction and in a totally privacy sensitive manner. The future of mobile payments seems assured. Analysts at Juniper Research estimate that $670bn of mobile payments will be made by 2015, but there’s still everything to play for in terms of how we reach such numbers and who comes out top. Let’s make sure it’s not the fraudster!