With each new mobile-payment function developers create for smartphones, a corresponding new security risk arises.
The riskiest aspect for merchants, issuers and consumers remains the initial phase — when consumers enroll for a product, says John Petersen, global head of business development for data security provider ValidSoft Ltd.
Petersen highlighted data security threats in the mobile environment through a Nov. 29 webinar with the Electronic Transaction Association titled "Industry Challenges as Payments Go Mobile."
"A secure enrollment process is everything, because that is where the issuer mitigates the main risk of fraud," Petersen says.
A prominent bank in the United Kingdom pulled its mobile wallet application from the market when it was discovered that anyone with access to a consumer's bank account number could download the app and start withdrawing money from an ATM, Petersen says.
Petersen did not mention the bank in his presentation, but in October, ValidSoft released a statement applauding National Westminster Bank Plc, or NatWest, for suspending its Get Cash App, which uses a mobile phone to obtain money from an ATM, after discovering fraudulent attacks.
"This was not an example of high-tech fraud, it was low-tech," Petersen says. "But it was all about the enrollment process and why it is the weakest link in the chain."
ValidSoft encourages a process in which the consumer enrolls for a mobile wallet with an account number and a voice biometric confirmation call to the bank, prior to establishing a four-digit PIN and choosing a correlating "partial key" image that initiates a "handshake" with a server at the bank, Petersen says.
The handshake creates an "encrypted tunnel" through which all authentication will take place, while also addressing the problem of a fraudulent "man in the middle" attack, Petersen adds.
"This type of process would create friction if the customer had to call the bank each time they made a purchase, but with this, you only call once [for the biometrics check] when enrolling," he says.
Mobile commerce may generate new marketing opportunities for merchants and issuers, but it also brings a new set of privacy and data-protection issues to the table, Petersen says.
"Generally, issuers are more aware of security because they are the ones who are able to make changes and they know the various fraud vectors out there," he adds.
Offaly, Ireland-based ValidSoft, a unit of Netherlands-based Elephant Talk Communications Inc., has long pitched its multi-pronged data security services, of which voice biometrics is just one element. Biometrics can be bundled with location data and a user-provided PIN to provide further layers of authentication.
While the development of mobile commerce represents a fuzzy picture for issuers, merchants and consumers alike, it has not stopped "the stampede for mind and market share," with new mobile-pay systems being announced daily, Petersen says.
"There is no one single definition of what mobile payments means, and the hype about mobile wallets allowing you to leave plastic cards at home is not reality," Petersen says.
"Plastic cards were supposed to allow you to leave cash at home, and that never happened."