The future of payments is undoubtedly mobile and digital, as this week’s go-live of the Apple Pay service hopes to prove out. The idea is to enable frictionless, cardless commerce, and to do it in an ultimately more secure way than our existing magnetic stripes and password-based authentication mechanisms would offer today. Biometrics are a key part of enabling this, and, many say, the ultimate linchpin in establishing a trusted m-pay ecosystem.
On the back of the new iPhone 6 and the smartwatch, Apple made a splash last month with its Apple Pay announcement. The feature turns an iPhone into a digital wallet, which can store credit and debit cards, and enable the use of near-field communications (NFC) for payment. Instead of swiping a card, users can pay by waving or tapping the phone using a sensor—for a transaction that takes about 10 seconds, the company said.
Apple estimates that 83 percent of all credit card purchases will be compatible with the service (though for now only 1 percent of retailers support it, and only on an iPhone 6). Initial participating retailers include McDonald's, Uber, Whole Foods, Babies R Us, Macy's, Walgreens, Disney, Nike, Staples, Subway, Panera and Sephora; on the card processing side, Visa, Mastercard and American Express are all on board. Bank of America even sent emails en masse to its customers alerting them that the capability is now live.
As a security measure, checking out requires users to touch their finger to the iPhone's fingerprint sensor to approve the transaction; the card stored on the phone is then charged automatically. The card data on the phone itself is protected by what Apple calls “the Secure Element,” its own version of a trusted platform module (TPM): a dedicated, tamper-resistant cryptoprocessor that keeps keys and card credentials isolated from the rest of the device. Account numbers, meanwhile, are not sent to any Apple servers or shared with retailers, who instead receive a proxy account number, and each transaction is additionally protected by a one-time, transaction-specific code. In case of loss or theft, users can disable Apple Pay via iCloud's “Find My iPhone” feature. That matters given that Americans lose a phone once every 3.5 seconds, according to Lookout Security.
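To make the proxy-number and one-time-code idea concrete, here is an added illustration (not Apple's implementation, whose cryptogram format is not described in this article): an issuer-side token vault hands the merchant a proxy number, and every transaction carries a code bound to a per-device key, a counter and the amount, so a captured code cannot be replayed or reused for a different amount. The PAN, key and proxy format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example: a placeholder test number and a key
# provisioned to one device at enrolment. Neither is real card data.
PAN = "4111111111111111"
DEVICE_KEY = secrets.token_bytes(32)

def one_time_code(device_key, counter, amount_cents):
    """Device side: a code bound to this transaction's counter and amount,
    so a captured code cannot be replayed or reused for a different amount."""
    msg = f"{counter}:{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]

class TokenVault:
    """Issuer side: maps proxy numbers to real PANs and checks one-time codes.
    The merchant only ever sees the proxy number and the code."""

    def __init__(self):
        self._tokens = {}  # proxy -> {"pan", "key", "counter"}

    def provision(self, pan, device_key):
        proxy = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self._tokens[proxy] = {"pan": pan, "key": device_key, "counter": 0}
        return proxy

    def verify(self, proxy, counter, amount_cents, code):
        """Returns (ok, real PAN or reason). The PAN stays on the issuer side."""
        entry = self._tokens.get(proxy)
        if entry is None:
            return False, "unknown token"
        if counter <= entry["counter"]:
            return False, "replayed or stale counter"
        expected = one_time_code(entry["key"], counter, amount_cents)
        if not hmac.compare_digest(code, expected):
            return False, "bad code"
        entry["counter"] = counter  # advance only after a successful check
        return True, entry["pan"]

def demo():
    """One accepted payment, then the same message replayed, then tampered."""
    vault = TokenVault()
    proxy = vault.provision(PAN, DEVICE_KEY)
    code = one_time_code(DEVICE_KEY, 1, 1299)      # $12.99, first transaction
    first = vault.verify(proxy, 1, 1299, code)
    replay = vault.verify(proxy, 1, 1299, code)    # same code presented again
    tampered = vault.verify(proxy, 2, 9999, code)  # amount changed, old code
    return proxy, first, replay, tampered
```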
It’s the biometric aspect that really makes the proposition work, according to security researchers. Google Wallet for example has been around for a while, but lacks a hardware integration strategy that makes the service more personal, and therefore trustworthy.
Biometrics, on the other hand, offer a high level of authentication and, crucially for consumers, eliminate the need to remember passwords, which may be shared or observed. In the payments scenario, biometrics combined with digital wallet approaches mean that cards are no longer part of the mix; given that most major data breaches, from Target to Home Depot, have hinged on hackers lifting card data from point-of-sale machines, this would seem to be an attractive aspect.
Terry Hartmann, vice president of security solutions at Unisys, told me at the company’s Universe summit last week that moves like Apple Pay enable a culture of trust in a way that is reminiscent of small-town America.
“It used to be that everyone in town knew you, so if you went to the corner store, and wrote a check, that was automatically trusted because people knew you, knew your handwriting, and it was unequivocally you,” he explained. “Biometrics, by linking a person, and only that person, to a device, does much the same thing by creating a personalization that just isn’t there with the physical plastic that you carry around in your wallet. I’d much rather have everything stored on my phone, in an environment that only I can access, just by virtue of physically being me.”
Biometrics Beyond Apple
This could become a commonplace approach to payments, and soon, especially considering that Apple won’t be alone in the fingerprint sensor arena for long. Samsung announced back in April that it will use the S3 Authentication Suite from Nok Nok Labs to make the Galaxy S5 smartphone Fast IDentity Online (FIDO)-enabled. The FIDO set of specifications will support a full range of authentication technologies, including biometrics such as fingerprint, eye and iris scanners, voice and facial recognition, as well as further enabling existing solutions and communications standards, such as trusted platform modules (TPM), USB security tokens, embedded secure elements (eSE), smart cards, Bluetooth low energy (BLE) and near field communication (NFC). The open specifications are being designed to be extensible and to accommodate future innovation, as well as to protect existing investments.
Samsung is already teaming with Alipay, the largest third-party online payment provider in China, to enable secure online payments via the fingerprint sensor (FPS)/biometric technology on the Samsung Galaxy S5 smartphone. The end result will be that customers who make purchases and transfers in Alipay’s mobile application, Alipay Wallet, no longer need to enter a password. Instead, they provide their fingerprint.
Other biometrics-enabled rollouts should be coming soon: the Nok Nok solution was delivered in partnership with device giant Lenovo Group, a founding member of the FIDO Alliance, and PayPal also recently announced that it too would deploy FIDO standards using Nok Nok, with support for the Galaxy S5, in the mobile payments market.
Is Biometrics Enough?
While the fingerprint sensor unequivocally links an individual to a transaction or event, there are hacks available to get around physical security—a thief can take a photograph of a person’s fingers, or lift a fingerprint off of a stolen device, and use 3D printing to create a rubber replica that the phone will accept.
While that takes effort, and fingerprints remain hard to forge even in that scenario, some say that cybercriminals are bound to test Apple Pay’s security structures to the limit, giving the market object lessons along the way.
For instance, “users add credit cards to their iPhones by taking pictures of them,” Daniel Ingevaldson, CTO at EasySolutions, told me in an email. “As Jennifer Lawrence and others can attest to, Apple’s ability to securely store and transmit those photos remains to be answered. Depending on how they are being stored and transmitted, it would not be surprising to see malware developed around this mechanism.”
There is a learning curve for everybody - merchant, consumer and hacker alike, he added. “With such an attractive, potentially lucrative target at stake, it is only a matter of time before these systems are found to be vulnerable,” he said. “The only question is, who will find the vulnerability first?”
There are also looming security concerns—will banks also start paying more attention to device health? “Visibility into the status of a device, potentially malicious apps running on it, etc. is going to be more important going forward,” Ingevaldson said.
All of this will prompt a faster adoption of a multilayered approach—a layered security framework with many authentication methods—according to Hartmann.
That is still some way off, but “as financial transactions get more personalized and safer with biometrics, banks can start looking at a scalable identity and biometrics framework that integrates fingerprint, face, iris and signature for identification, verification and watch lists,” he explained. “The system works by combining the biometric, biographic and account data and matching it to arrive at one unique identity.”
For instance, the system establishes a level of trust for a user and a transaction requested from a smartphone based on contextual information such as GPS, type of transaction, date/time and historical trend. A risk score is then calculated for the transaction and the user by interfacing with an existing risk management system. If the confidence level is adequate for the risk level, the request is approved; otherwise the system asks for biometrics such as face or voice, or both.
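As an added worked example of the risk-based step-up logic just described (my own illustration, not Unisys's system): an additive risk score is built from the contextual signals the article names (distance from the user's usual location, transaction type, amount versus historical trend, time of day), compared with the confidence the already-presented factor provides, and the shortfall decides whether to approve, to ask for face and/or voice, or to deny. The weights, thresholds and confidence values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

CONFIDENCE = {"fingerprint": 50, "face": 30, "voice": 20}  # assumed weights per factor

@dataclass
class Context:          # what the phone reports with the request
    lat: float
    lon: float
    amount_cents: int
    kind: str           # "purchase" or "transfer"
    hour: int           # local hour of the request

@dataclass
class Profile:          # the bank's historical trend for this user
    home_lat: float
    home_lon: float
    typical_amount_cents: int
    usual_hours: range  # local hours the user normally transacts in

def km_between(lat1, lon1, lat2, lon2):  # haversine great-circle distance
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def risk_score(ctx, profile):
    score = 10                                             # baseline: no request is risk-free
    if km_between(ctx.lat, ctx.lon, profile.home_lat, profile.home_lon) > 500:
        score += 30                                        # far from usual location
    if ctx.amount_cents > 3 * profile.typical_amount_cents:
        score += 30                                        # unusually large amount
    if ctx.kind == "transfer":
        score += 20                                        # transfers move money out
    if ctx.hour not in profile.usual_hours:
        score += 10                                        # outside usual hours
    return score

def decide(ctx, profile, presented):
    """Approve if presented confidence covers the risk; else list the extra
    biometrics to request, or deny if even face plus voice would not suffice."""
    score = risk_score(ctx, profile)
    shortfall = score - sum(CONFIDENCE[f] for f in presented)
    if shortfall <= 0:
        return "approve", score, []
    ask = []
    for factor in [f for f in ("face", "voice") if f not in presented]:
        ask.append(factor)
        if sum(CONFIDENCE[f] for f in ask) >= shortfall:
            return "step_up", score, ask
    return "deny", score, ask
```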
With so many questions surrounding the safety of mobile commerce, Dodi Glenn, the senior director of security intelligence and research labs at ThreatTrack Security, offered us some security tips: