Jean-Noël Georges – Global Program Director, ICT in Financial Services and Digital Identification
Can Biometrics Revolutionise Mobile Payment Security?
Can Biometrics Revolutionise Mobile Payment Security?ICT Beat
© 2013 Frost & Sullivan Page 2
Mobile phones are designed in accordance with the latest security standards. New security
features continuously emerge to counter potential threats and hacks. And as new uses appear,
new security mechanisms and features are implemented. Payment services probably demand the
highest level of security.
With the explosion of smartphone adoption, the number of people making purchases via a
mobile device has increased significantly over recent years. As eCommerce became
mCommerce, payment security became an area of considerable focus. During a ‘card not
present’ payment process, a primary account number (PAN), expiration date, and card
validation code (CVC) are not enough to completely secure the transaction. However, new
mechanisms such as 3-D Secure appear to increase the confidence of both consumers and
eMerchants.
Figure 1: Mobile Payment Security
Still, protecting a mobile device itself is necessary to ensure that only the owner is able to
use it. Although a simple mechanism such as a personal identification number (PIN) can do
the job, in 2011, more than 60% of smartphone users were not using a PIN to protect their
mobile access.
However, these security mechanisms are not sufficient to mitigate advanced cyber
threats. One approach towards a solution is to develop levels of security for different use
cases: lower levels of security for simple applications, medium security for applications that
include more sensitive data, and, finally, a stronger security level for critical applications such
as those used for payment and identification. Such an approach will help protect the device
from most threats. But, for some applications, a standard PIN will still be required. Until
single sign-on (SSO) services are deployed, many PIN requests will continue to be required
for basic use.
Expecting users to remember a number of PINs to access devices/applications generates
another potential risk: many people use the same PIN number out of convenience, making a
hacker’s job all the easier. Indeed, when faced with the complexity of managing a plethora of
PINs, users often forgo all security mechanisms in favour of simplicity.
[Figure 1 labels: Trust Environment; Biometric; SMS and Private Question; Secure Element; Password. Source: Frost & Sullivan]
Could Biometrics Answer Part of the Security Problem?
Over the past decade, many biometric projects have emerged with the aim of enabling user
identification on mobile devices. Mobile biometric identification was created to address
specific needs. It started with government institutions looking for a wireless device that could
identify citizens during police (or army) checks. Then, biometric identification systems (BISs)
were designed to answer specific mobility requirements for the criminal justice and civilian
markets. In the 2000s, two major biometric technologies were preferred: fingerprint and facial
recognition. Captured information, such as fingerprints, can also be verified against data
embedded within a contactless ID card. These solutions were designed for dedicated mobile
devices.
Two verification mechanisms can be used for biometric identification, depending on the use case.
The first is an embedded biometric solution: enciphered personal data stored in a SIM,
chip, or card. This solution allows a match-on-card (MOC) verification mechanism with no
network requirement. However, a second mechanism, remote biometry, could also be
necessary during a mobile identity check. In such cases, a centralised database allows
the collected data to be compared with the stored data.
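The two verification paths described above, sketched as an added example that is not part of the original paper or of any product it names. The bit-string templates, the 25% match threshold, the retry limit and all class and function names are assumptions made for illustration.

```python
MATCH_THRESHOLD = 0.25  # assumed: largest fraction of differing bits still accepted

def bit_distance(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

class Card:
    """Match-on-card: the reference template stays inside the card object."""
    def __init__(self, reference: bytes, max_failures: int = 3):
        self._reference = reference         # encryption at rest omitted in this sketch
        self._failures_left = max_failures  # assumed retry limit, like a PIN counter

    def verify(self, probe: bytes) -> bool:
        if self._failures_left == 0:
            return False                    # blocked after too many failed attempts
        if bit_distance(probe, self._reference) <= MATCH_THRESHOLD:
            return True
        self._failures_left -= 1
        return False

class CentralDatabase:
    """Remote biometry: the probe is sent to a server holding all references."""
    def __init__(self):
        self._references = {}
        self.received = []                  # everything that crossed the network

    def enrol(self, user_id: str, reference: bytes) -> None:
        self._references[user_id] = reference

    def verify(self, user_id: str, probe: bytes, online: bool = True) -> bool:
        if not online:
            raise ConnectionError("remote verification needs network access")
        self.received.append((user_id, probe))
        reference = self._references.get(user_id)
        return reference is not None and bit_distance(probe, reference) <= MATCH_THRESHOLD

# Constructed sample templates (128 bits each), not real biometric data.
REFERENCE = bytes(range(16))
GENUINE = bytes(b ^ 0x01 for b in REFERENCE)   # noisy re-capture: 16 of 128 bits differ
IMPOSTOR = bytes(b ^ 0xFF for b in REFERENCE)  # unrelated capture: every bit differs

if __name__ == "__main__":
    card, db = Card(REFERENCE), CentralDatabase()
    db.enrol("user-1", REFERENCE)
    print("match-on-card, offline:", card.verify(GENUINE), card.verify(IMPOSTOR))
    print("remote, online:", db.verify("user-1", GENUINE), "| sent:", len(db.received))
```

The card path returns only a yes/no decision and needs no network; the remote path fails when offline and puts every probe on the wire, which is what `received` records.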
In Europe, the MOBIO (Mobile Biometry) project is noteworthy. The concept behind the
project was to select the best biometric technical solution in order to develop biometric
authentication uses for personal mobile devices (e.g., mobile handsets and tablets). With the
help of existing technologies already embedded within these devices (e.g., headphone,
microphone, and camera), the final solution included voice and facial recognition and, of
course, bi-modal authentication. Fingerprint recognition was not considered a relevant
biometric solution as few, if any, mainstream mobile devices possess fingerprint reading
capabilities.
Finally, it seems that biometrics could prove an excellent solution for identity and access
management (IAM) to enable mobile device security. But what about specific or sensitive use
cases such as mobile payments?
Is a Biometric Solution the Perfect Answer for Payment Requirements?
Biometric technology is not a recent phenomenon; for example, JCB International Credit Card
Co. was testing a biometric authentication solution for mobile payments over 10 years ago.
The biometric technology used was fingerprint recognition on a dedicated NTT DoCoMo
mobile phone. The pilot involved a few JCB employees. At that time, the technology was
innovative; 10 years on, sizable commercial roll-outs have not arrived. However, other
products based on voice recognition have launched. For example, InAuth, a product that uses
voice characteristics such as pitch and rhythm to uniquely identify the user, was introduced in
2012.
The time is now right for biometric technology to emerge as a secure solution for mobile use
cases that require high levels of security, namely payment. From a pure-payment security point
of view, biometrics has already delivered significant advantages. Certainly, point-of-sale (POS)
payment terminals are critical during the payment process. Consumers often do not feel
comfortable in front of keyboards and screens, or they get confused by various payment
and loyalty cards. Indeed, the payment experience is a sensitive process wherein personal
perception is critical. A simple and intuitive payment solution is a prerequisite for
success. Natural Security, for example, developed a biometric POS solution based on
fingerprint or finger-vein recognition. The fingerprint reader connects to a contactless
object (contactless card) to verify that the identified personal data match the information
stored on the card. This is a practically effortless payment mechanism that does not require a
PIN or card, providing a great customer experience. Pay By Touch developed a similar solution
before it was acquired by Phoenix Check Cashing in 2008.
One potential mobile development could have a huge impact on biometric security solutions.
Rumours persist that the next iPhone might include a fingerprint sensor. Given that Apple
acquired AuthenTec (with its TouchChip product family) in 2012, this is a distinct possibility.
When Will Biometrics Replace Other Identification and Authentication Mechanisms?
Biometrics can provide high levels of security and an intuitive customer experience. Ultimately,
the user is the unique key to device, application, and payment security. Remembering PINs
could become a thing of the past. But even if these technologies are ready, the cost and the
complexity of integrating them into mobile devices make widespread rollout a huge challenge.
Plus, the end user will need time to accept this new way of interacting with his or her device.
Other projects have already appeared that use an individual’s personal magnetic field as an
identifying signature. Expect to see biometrics becoming increasingly prevalent over the
course of the next 3-4 years, driven by a desire among vendors and consumers alike to be
better protected when accessing mobile services.
About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to
leverage visionary innovation that addresses the global challenges and related growth
opportunities that will make or break today’s market participants. For more than 50 years,
we have been developing growth strategies for the Global 1000, emerging businesses, the
public sector and the investment community. Is your organisation prepared for the next
profound wave of industry convergence, disruptive technologies, increasing competitive
intensity, Mega Trends, breakthrough best practices, changing customer dynamics and
emerging economies?