Mobile Payments Security 101
How merchants and mobile payment service providers can protect their
users against mobile payments fraud.
DEVELOPED AND PUBLISHED BY:
CONTENTS
Page 3  Executive Summary
Page 4  Chapter 1 | Introduction
        Mobile payment methods
        Mobile wallets
Page 8  Chapter 2 | Mobile Payments
        Transaction Volume
        Apple Pay
        Rival services
Page 13 Chapter 3 | Threats
        Mobile malware
        Jailbreaking and rooting
        Native apps
        Mobile payments fraud
        The Association for Financial Professionals
        Apple Pay fraud
Page 19 Chapter 4 | PCI Compliance
        mPOS devices
Page 27 Chapter 6 | Overview of Solutions Providers
        Alaric
        Bell ID
        Carta Worldwide
        Cybera
        DeviceAuthority
        FIS
        InAuth
        Ingenico Mobile Solutions
        Jumio
        Kaspersky Lab
        MagTek
        Omlis
        OneVisage
        Payfone
        Authentify acquisition
        ThreatMetrix
        ValidSoft
        Veridu
        Verifone
        WiseSec
"Mobile and other connected devices are fast becoming the leading way
for users to access commerce and banking services," said Vanita Pandey,
senior director of strategy and product marketing at San Jose, California-
based ThreatMetrix. "Mobile is the biggest emerging opportunity and risk for
businesses and financial institutions trying to deliver frictionless experiences
to their customers. Continued growth of mobile payments and banking will
lead to stricter rules and regulations to secure these transactions."
MPOS
MPOS transactions involve customers swiping or inserting their card into a
card reader attached to a smartphone or tablet that connects to a payment
network through a wireless link.
NFC
In an NFC transaction, an NFC-enabled smartphone communicates via
an RFID link with a contactless transmitter attached to a POS device. The
cardholder pays using a card held in digital form in a mobile wallet, which is
stored either in a secure element on their smartphone's SIM card or in the
cloud using a technology called Host Card Emulation (HCE).
At checkout, the consumer tells the clerk that he or she wishes to pay using
a smartphone. The consumer opens the mobile wallet, selects the desired
card and then taps the smartphone on the merchant's contactless POS
The advantage of HCE over secure element-based NFC is that, since HCE
is supported by Google's Android KitKat 4.4 operating system, it can run on
any Android-based smartphone, not just on NFC-enabled smartphones.
Bluetooth
Bluetooth low energy (BLE) is a protocol that enables Bluetooth-based
smartphones and other mobile devices to communicate with BLE-
based wireless transmitters known as Beacons. On entering a store, the
consumer's m-payment app senses a BLE Beacon and checks in to alert
the retailer's POS of the consumer's presence. At checkout, the consumer
tells the clerk to post the sale to his or her m-payment account, which
is visible on the clerk's POS terminal. The clerk verifies the consumer's
identity and completes the transaction.
QR codes
As an alternative to NFC, some m-payment service providers such as
Starbucks and LevelUp offer QR code-based systems that store payment
information in the cloud instead of the handset and can be executed on any
smartphone.
The LevelUp mobile app for iPhone and Android allows registered users
to link their payment card to a unique QR code displayed within the app.
To pay with LevelUp, users scan the QR code on their phone at LevelUp
terminals located at LevelUp-accepting merchants. In addition, LevelUp
also supports NFC and Apple's BLE-based iBeacons.
Cloud-based apps
Several mobile payment providers such as PayPal offer apps that
communicate in the cloud with retailers at the point of sale without users
scanning QR codes or tapping their smartphones on a POS terminal.
Mobile wallets
Mobile wallets serve an array of functions. According to Mobile Payments
Today's Mobile Wallet Comparison Guide 2015, they provide a place where
consumers store and organize coupons, loyalty programs, payment cards,
tickets and any other kind of paper items that can be digitized.
Both Visa and MasterCard offer digital wallets for their issuing banks'
cardholders.
U.K.-based telco Vodafone said in March 2015 that its customers soon will
be able to add bank cards to their Vodafone Wallets and use smartphones
to pay for goods and services at contactless terminals
(http://www.mobilepaymentstoday.com/news/vodafone-partners-with-visa-carta-worldwide-for-contactless-m-payments/).
Following agreements with Visa and payments processor Carta Worldwide
(see Chapter 6, Carta Worldwide, page 27), bank card payments via Vodafone
Wallet will be enabled in European markets from the second quarter of 2015
onward.
The service, which requires a Vodafone NFC-enabled SIM card, will be
supported on a wide range of Android smartphones. To use the service,
customers will:
  input their bank cards to the Vodafone Wallet app, where an alias of
  each card is stored securely in the Vodafone NFC-enabled SIM card;
  confirm ownership of the card using Verified by Visa authentication;
  pay by tapping their phones against a contactless POS terminal; and
Payments are debited automatically from the selected bank cards, which
are protected with a four-digit PIN for higher-value payments.
2015 will be the year of Apple Pay. "Apple Pay will influence every discussion
of mobile payments through 2015," Dene Carrington, Forrester Research senior
analyst, wrote. "Apple Pay will motivate competitors to completely rethink
their mobile payment strategies. Apple Pay will be the catalyst for new debates
on balancing data privacy with customer engagement and loyalty. Apple Pay will
also be the standard-bearer for the best use of tokenization to secure payments
and biometrics to combat fraud. In fact, the quest for security will dominate the
U.S. payments marketplace throughout 2015."
Apple Pay
Apple launched its Apple Pay NFC-based m-payment service in October
2014 for the iPhone 6 and the Apple Watch. Users also can make Apple
Pay purchases within participating apps on the iPhone 6, iPad Air 2 and
iPad mini 3.
To pay with Apple Pay, iPhone 6 users hold their iPhone near the merchant's
contactless card reader with their finger on Touch ID. Apple Pay also can be
used to pay with a single touch in apps.
Actual payment card numbers aren't stored on Apple servers, nor are they
shared with merchants or transmitted with payments, Apple says. Users can
add payment cards to Apple's Passbook from their iTunes account or by
using the iPhone 6's camera to capture card information.
If an iPhone 6 is lost or stolen, the Find My iPhone feature can be used to put
the device in Lost Mode so nothing is accessible, or the iPhone can be wiped
completely clean.
Rival services
In response to Apple Pay, Samsung announced Samsung Pay in March
2015. Samsung Pay, which will launch in summer 2015, will use proprietary
contactless payments technology developed by LoopPay, which Samsung
acquired in February 2015.
In February 2015, Google bought U.S. mobile wallet scheme Softcard from
AT&T, Verizon and T-Mobile and partnered with the telcos to preload Google
Wallet on their Android-based handsets running KitKat 4.4 or higher.
In May 2015, Google announced Android Pay, with American Express,
MasterCard, Visa and retailers such as McDonald's, Panera, Whole Foods, and
Uber announcing support for the new mobile payment system. Google Wallet
will live on as a dedicated person-to-person mobile app for both Android and
iOS devices.
Android Pay is due to arrive on handsets later this year to coincide with
Google's launch of an updated mobile operating system, which at the
moment is referred to as Android M, and will eventually become a standard
feature on future AT&T, Verizon and T-Mobile smartphones thanks to the
Softcard acquisition.
CurrentC will offer customers the choice of paying with a variety of financial
accounts, including checking accounts, merchant gift cards and select
merchant-branded credit and debit accounts.
Mobile malware
According to a report by Alcatel-Lucent's Motive Security Labs division, mobile
malware infections increased by 25 percent globally in 2014 compared to a
20 percent increase in 2013.
Six of the report's mobile malware top 20 list are mobile spyware. Those
are apps used to spy on the smartphone's owner by tracking the phone's
location, monitoring ingoing and outgoing calls and text messages,
monitoring email and tracking the victim's Web browsing.
The infections identified in the report were split 50/50 between Android
devices and Windows/PCs (connected to mobile networks via dongles and
mobile Wi-Fi devices or tethered through smartphones), with under 1 percent
coming from other smartphones such as the iPhone and BlackBerry.
said. "Consumers need to be aware when they are providing personal
information that makes them vulnerable to attacks through an app. You don't
want to download anything that makes you vulnerable to keylogging when
doing mobile payments or mobile banking."
"Mobile spyware is definitely on the increase."
Motive Security Labs Malware Report H2 2014
"When you root or jailbreak a smartphone, you circumvent the controls," said
Jeremy Gumbley, chief technology officer for m-payments gateway provider
Creditcall. "This means you don't have to go to the official Google app store
or the Apple App Store to get apps, and can install any apps you like."
Jailbreaking can lead to a malicious app being installed on the device, which
spies on the user and steals credentials and unencrypted information, says
Tom Karren, CEO of mobile security firm MokiMobility.
And if a user roots a device, anything that happens on that device could
be compromised, says Jared Blake, Moki's chief technology officer. "For
example, if you use fingerprint authentication on a smartphone which has
been rooted, then malware could steal a copy of your fingerprint."
Native apps
A large percentage of mobile transactions are completed by using native
mobile apps instead of by using mobile browsers. Crime associated with
their use has increased correspondingly, resulting in a critical need to detect
and prevent fraud related to their malicious use, says the ThreatMetrix white
paper Fraud Protection for Mobile Applications.
The rise in app-related fraud is due largely to the fact that mobile apps
seldom have the infrastructure necessary to enable adequate mobile device
identification and profiling, ThreatMetrix says. Additionally, implementing
these features requires skills far beyond those of most mobile app
developers, it says. As a result, mobile apps frequently lack a number of
security features, and it's difficult for fraud-prevention systems to determine
if the device in question is being used legitimately, creating a prime
opportunity for fraudsters.
Unless the mobile app is upgraded and equipped with the necessary
infrastructure and intelligence, trust cannot be properly established, and the
user may experience rejection or stepped-up authentication, ThreatMetrix
says. Unfortunately, adding the necessary technology and controls requires
a great deal of work and very specific knowledge, both of which are generally
outside the experience of most mobile app developers.
LexisNexis' 2014 True Cost of Fraud Mobile Study says that, as merchants flock
to the mobile channel, so too are fraudsters.
Revenue that U.S. mobile commerce merchants lost to fraud rose 70 percent
in 2014 to 1.36 percent compared to 0.80 percent in 2013, the study says. By
comparison, all U.S. merchants lost 0.68 percent of revenue to fraud in 2014
in comparison to 0.51 percent in 2013.
For their study, LexisNexis and Javelin surveyed 1,142 risk and fraud
decision-makers and influencers at U.S. retailers and conducted interviews
with five U.S. financial institutions.
The inability to confidently verify the identity of a customer and his or her
device leads to friendly fraud, which is defined as fraud perpetrated by family
members or close associates. The study found that 24 percent of fraudulent
mobile transactions are due to friendly fraud. We expect this percentage to
drop, as more m-commerce merchants adopt mobile-channel specific fraud-
prevention tools, Becker said.
For B2B transactions, the mobile payment option has yet to break any
particular ground, said
More than three-quarters (78 percent) of survey participants said they believe
concerns about security are keeping consumers from embracing mobile
payments, the AFP said.
at 6 percent, compared with a traditional credit card fraud rate of 10 cents for
every $100 spent.
Bloomberg reported that some U.S. banks have begun to make changes in
how they activate customers' card accounts to use Apple Pay.
"While Apple Pay has been hailed as one of the most secure mobile payment
options because of its use of tokenization and biometric authentication,
there is a weak link in the chain that has caused a surge in fraudulent
transactions," David Divitt, product marketing manager for Alaric, said in a
blog published on ATM Marketplace. "As ever in payments, criminals adore a
weak link, especially in a system that is otherwise very secure; this makes
it all the more likely their fraud will go unnoticed."
Avivah Litan, vice president and distinguished analyst for Gartner, explained
in a blog how fraudsters are exploiting a vulnerability in banks' Apple Pay
verification processes to bridge the gap between card-present transactions
and the card-not-present world.
"The bad guys are loading iPhones with stolen card-not-present card
information (which is much easier to steal than card-present mag-stripe data)
and essentially turning that data into a physical card à la Apple Pay," Litan said.
According to Litan, the responsibility for the fraud lies not with Apple Pay but
with the card issuers, who must be able to prove Apple Pay cardholders are
legitimate customers with valid cards.
Apple does provide the issuer with information to help inform that decision,
Litan wrote in her blog. This data includes information on a customer's
device and iTunes account, such as the device name, its current location and
whether or not the customer has a long history of transactions within iTunes.
information (PII) that has been compromised by the crooks and increasing
reliance on dynamic data such as reputation, behavior and relationships
between non-PII data elements.
Litan warned that the problem of stolen card number fraud experienced
by Apple Pay is only going to get worse as Samsung/LoopPay and MCX/
CurrentC release their mobile payment systems, without the customer data
advantages Apple has in its relatively closed environment.
The PCI SSC is an open forum that develops and manages the PCI DSS and
related payment card data security standards. Merchants, processors, card
issuers and technology vendors are required to comply with those standards.
Entities that are non-compliant with PCI DSS or that suffer breaches face
substantial fines from the card schemes as well as potential liability for the
cost of fraud.
MPOS devices
When a mobile device is transformed into a POS terminal for a merchant to
accept card account data, there is a responsibility to protect that information,
the PCI SSC says. Thus PCI standards begin to apply when a mobile device
is used for payment card acceptance.
In July 2014, the PCI SSC updated two guidance documents it originally
issued in February 2013: The PCI Mobile Payment Acceptance Security
Guidelines for Merchants as End-Users and Accepting Mobile Payments
with a Smartphone or Tablet.
The PCI SSC warns that, as merchants' mobile devices aren't used only as
POS tools but also to carry out other functions, they introduce new security
risks. By design, almost any mobile application could access account data
stored in or passing through the mobile device, it says.
MPOS card readers can be used not just inside stores but at remote
locations such as customers' homes or farmers' markets. A key risk to
merchants is the ease with which criminals can steal an mPOS device, modify
it so they can intercept cardholder data and return it without anyone realizing
it was gone, the PCI SSC says.
The PCI SSC guidelines have three objectives covering the main risks
associated with m-payment transactions:
  Prevent account data from being intercepted when entered into
  a mobile device;
The PCI SSC says that merchants deploying mPOS payments should use a
PIN-entry device (PED), encrypting PIN pad (EPP) or secure card reader that
complies with its Payment Card Industry PIN Transaction Security Point of
Interaction (PCI PTS POI) standard.
Merchants should not implement solutions that permit PIN entry directly into
the mobile device. If the system incorporates PIN-entry capability, it should
occur only through a PCI-approved PED or EPP, the PCI SSC says.
Merchants should look for an indication of a secure state in their mPOS app,
for example, through a displayed secure state icon provided by their app
vendor. If no indication is present, the payment app shouldn't be used, the
PCI SSC recommends.
According to the Mobile Payments Today report Mobile Banking and
Payments Security, merchants should check regularly that their mPOS devices
haven't been physically tampered with, for example, by the insertion of a
card skimmer.
The table below outlines each best practice described within the PCI Mobile
Payment Acceptance Security Guidelines for Merchants as End-Users document
along with who should be responsible for its implementation. The definitions of
those entities that are responsible for the best practices are:
Merchant as an End-User (M): Any entity that uses the mobile payment-
acceptance solution to accept payments.
Mobile Payment-Acceptance Solution Provider (SP): The entity that integrates
all pieces in the mobile payment-acceptance solution and is responsible for
the back-end administration of the solution. This includes the merchant as
a solution provider.

Best practice                                                    Responsible (M / SP)
 1. Prevent account data from being intercepted when entered
    into a mobile device.                                         X X
 2. Prevent account data from compromise while processed
    or stored within the mobile device.                           X X
 3. Prevent account data from interception upon transmission
    out of the mobile device.                                     X
 4. Prevent unauthorized physical device access.                  X
 5. Protect the mobile device from malware.                       X X
 6. Ensure the device is in a secure state.                       X
 7. Disable unnecessary device functions.                         X X
 8. Detect loss or theft.                                         X X
 9. Ensure the secure disposal of the device.                     X
10. Implement secure solutions.                                   X X
11. Ensure the secure use of the payment-acceptance solution.     X
12. Prefer online transactions.                                   X
13. Prevent unauthorized use.                                     X
14. Inspect system logs and reports.                              X X
15. Ensure that customers can validate the merchant/transaction.  X
16. Issue secure receipts.                                        X

Source: PCI Security Standards Council, PCI Mobile Payment Acceptance Security Guidelines
for Merchants as End-Users.
The PCI SSC mPOS guidelines (see Chapter 4, mPOS devices, page 18)
state that the best option for merchants using mPOS is to use a PCI-validated
and approved point-to-point encryption (PCI P2PE) solution.
The PCI SSC's PCI P2PE standard provides a specification for the use
of strong encryption to achieve point-to-point encryption, where clear-text
card data is removed from the payments environment. This is achieved by
encrypting data from the point of interaction (where cards are swiped or
dipped) until the data reaches the P2PE solution provider's secure decryption
environment.
With P2PE, the card number is encrypted in the card reader with a key that
isn't known to the merchant, and the card number can be decrypted only by
the processor or the issuer. By using a PCI-compliant P2PE solution,
merchants potentially can reduce their PCI compliance obligations.
"We encrypt the card data at the point of acceptance both for Bluetooth-
connected PIN pads and for card readers connecting via a smartphone's audio
jack," he said. "The encrypted data is then sent to the acquirer."
Visa Europe requires that mPOS solutions deployed by its acquirers are
Small merchants such as coffee shops that use mPOS technology should
ensure the Wi-Fi connection they use for their mPOS device is separate from
the Wi-Fi network they provide for customers to use in their store. The mPOS
Wi-Fi connection should be on a secure network that is segmented from a
public Wi-Fi network.
Tokenization
Tokenization is a security technology that involves a one-time number
being used to represent an actual credit- or debit-card number in a payment
transaction. That token has zero value to criminals, as it can be detokenized
only by the tokenization service provider. The cardholder's primary account
number (PAN) is stored only on the tokenization service provider's system.
First, website tokenization occurs when a customer enters his or her full
PAN on a merchant's website, but the merchant never sees the PAN as it is
tokenized immediately by the processor in a software vault.
the user's mobile device or in an HCE cloud-based software vault. Mobile
payment services such as Apple Pay and Samsung Pay use this type of
network tokenization, said Hitesh Anand, Verifone's vice president of
commerce enablement and mobile.
According to a Mobile Payments Today blog by Experian's Abraham, both
Visa and MasterCard's HCE platforms involve tokenization.
Tokenization helps simplify consumers' purchasing experience, as it
eliminates the need to enter and re-enter their account numbers when
shopping on mobile devices, tablets or PC, Visa's Meirelles says. In addition,
tokens eliminate the need for merchants to store payment card account
numbers. This increases transaction security, reduces the risk of fraud in
digital channels such as e-commerce and further enhances issuers' ability to
manage risk and provide customer support.
"Tokenization works well in combination with P2PE," Boudier says. "You
encrypt the transaction message including the cardholder's token and then
send it to the acquirer and the card network in encrypted form."
"In the mobile environment, tokenization involves replacing the cardholder's
PAN with a token that is linked to a specific device such as their smartphone
and stored in the smartphone's SIM card secure element or in an HCE
cloud-based software vault."
Benoit Boudier, vice president of international sales at Ingenico Mobile Solutions
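As an added illustration (not code from the report or from Verifone, Visa or Ingenico), the following Python sketch models the device-bound network tokenization the paragraphs above describe: the PAN lives only in the token service provider's vault, the wallet holds a random token plus a per-device key, and the provider rejects a token that is replayed, presented from another device, or sent with a forged per-transaction cryptogram. The token format, the HMAC cryptogram and the PAN (a standard test number) are constructed assumptions.

```python
"""Toy tokenization service provider (TSP) with device-bound tokens.

Assumed model: the PAN is kept only in the TSP vault; the wallet receives a
random token and a device key; each payment carries a one-time cryptogram;
the TSP refuses tokens from another device, replays and forged cryptograms.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample PAN (a standard test card number, not a real account).
SAMPLE_PAN = "4111111111111111"


def transaction_cryptogram(device_key: bytes, token: str, amount: str, nonce: str) -> str:
    """Per-transaction MAC over token, amount and a fresh nonce (assumed construction)."""
    msg = f"{token}|{amount}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


@dataclass
class TokenRecord:
    pan: str                 # the only copy of the real card number
    device_id: str           # smartphone the token was provisioned to
    device_key: bytes        # secret shared only with that smartphone
    used_nonces: Set[str] = field(default_factory=set)


class TokenServiceProvider:
    """Holds the vault. Merchants and acquirers only ever see tokens."""

    def __init__(self) -> None:
        self._vault: Dict[str, TokenRecord] = {}

    def provision(self, pan: str, device_id: str) -> Tuple[str, bytes]:
        # Random token, so it cannot be reversed without the vault. The last four
        # PAN digits are kept for receipts (assumed 16-digit numeric token format).
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(11)) + pan[-4:]
        device_key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan, device_id, device_key)
        return token, device_key

    def detokenize(self, token: str, device_id: str, amount: str,
                   nonce: str, cryptogram: str) -> Tuple[Optional[str], str]:
        """Return (PAN, 'ok') only for a genuine first-use payment from the bound device."""
        rec = self._vault.get(token)
        if rec is None:
            return None, "unknown token"
        if not hmac.compare_digest(rec.device_id, device_id):
            return None, "token bound to a different device"
        expected = transaction_cryptogram(rec.device_key, token, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        if nonce in rec.used_nonces:
            return None, "replayed transaction"
        rec.used_nonces.add(nonce)
        return rec.pan, "ok"


class Wallet:
    """Mobile wallet: stores the token and device key, never the PAN."""

    def __init__(self, device_id: str, token: str, device_key: bytes) -> None:
        self.device_id, self.token, self.device_key = device_id, token, device_key

    def pay(self, amount: str) -> Dict[str, str]:
        nonce = secrets.token_hex(8)
        return {
            "token": self.token,
            "device_id": self.device_id,
            "amount": amount,
            "nonce": nonce,
            "cryptogram": transaction_cryptogram(self.device_key, self.token, amount, nonce),
        }


def demo() -> Dict[str, object]:
    """Provisioning, one genuine payment and three abuse cases."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision(SAMPLE_PAN, "phone-A")
    wallet = Wallet("phone-A", token, key)
    msg = wallet.pay("12.50")  # what the merchant and acquirer see and may store
    results: Dict[str, object] = {}
    results["pan_in_message"] = SAMPLE_PAN in msg.values()
    pan, results["genuine"] = tsp.detokenize(**msg)
    results["pan_recovered"] = pan == SAMPLE_PAN
    _, results["replay"] = tsp.detokenize(**msg)
    # Token lifted from merchant records and presented from another phone.
    _, results["other_device"] = tsp.detokenize(**dict(msg, device_id="phone-B"))
    # Attacker knows the token but not the device key, so cannot mint a cryptogram.
    forged = dict(msg, nonce="ffffffffffffffff", cryptogram="00" * 32)
    _, results["forged"] = tsp.detokenize(**forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```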
In March 2014, EMVCo, the EMV chip card standards body jointly owned
by American Express, Discover, JCB, MasterCard, UnionPay and Visa,
published The EMV Payment Tokenisation Specification Technical Framework
v1.0. The document is designed to help merchants, acquirers, issuers
and mobile and digital payments providers develop globally interoperable
tokenization solutions in online or mobile environments.
Visa said in February 2015 that it plans to tokenize all online transactions
initiated using Visa Checkout through its Visa Token Service.
NFC World quoted MasterCard CEO Ajay Banga as telling analysts during
the card network's 2014 year-end earnings call that it plans to incorporate
tokenization technology into its MasterPass digital wallet in the near future.
"We are very focused on tokenization; it's a very important aspect of where
we're going for safety and security," Banga said.
EMV
From October 1, 2015, U.S. merchants who haven't upgraded their POS
terminals to accept EMV chip card payments will become liable for fraudulent
misuse of EMV cards occurring on their terminals, under a liability shift
imposed by MasterCard, Visa and the other card networks.
EMV cards are ubiquitous across Europe and will become widely adopted in
the U.S. because of the October 1 liability shift.
Any U.S. mPOS provider which doesn't already offer EMV capability or
doesn't plan to offer EMV in the next six months should be of concern to
merchants, said Thad Peterson, a senior analyst for U.S.-based consultancy
Aite Group. The big mPOS providers such as Verifone and Ingenico already
support EMV, and Square will launch an EMV card reader in spring 2015.
Authentication technologies
A number of authentication technologies can be deployed to enhance mobile
payments security.
For example, Payfone (see Chapter 6, Payfone, page 32) provides the
Identity Certainty solution, which assigns each mobile user in its database
with a unique tokenized ID based on the mobile subscribers phone number,
SIM card and account number. Fraud detection and monitoring systems from
vendors such as ThreatMetrix (see Chapter 6, ThreatMetrix, page 34) look at
customer history and behavior to determine whether a transaction is genuine
or fraudulent.
Biometric technologies such as voice prints, facial recognition or fingerprint
scans provide an additional layer of authentication over and above login
methods such as passwords, PINs and security challenges requesting users
to supply previously registered personal data.
A report by Juniper Research, Human Interface & Biometric Devices:
Emerging Ecosystems, Opportunities & Forecasts 2014-2019, predicts that
more than 770 million biometric authentication applications will be
downloaded per year by 2019, up from 6 million in 2015, dramatically reducing
dependence on alphanumeric passwords in the mobile phone market.
Juniper says several high-profile deployments of biometric authentication
techniques such as Apple Pay's combination of Touch ID authentication
"Device fingerprinting is among the best-suited solutions for mobile device
authentication. It has the benefit of being invisible to the consumer, adding
no friction to the checkout process."
LexisNexis 2014 True Cost of Fraud Mobile Study
Bell ID
Bell ID develops software that enables banks and enterprises to issue
and manage credentials on NFC-enabled mobile devices and EMV-based
smart cards.
tokenization management
Bell ID said in March 2015 that it is enabling the launch of ANZ New
Zealand's upgraded goMoney mobile app, which is set to feature a cloud-based
HCE NFC wallet. The project, for ANZ Bank's New Zealand division, will bring
contactless mobile payments to 120,000 ANZ customers' smartphones.
The ANZ goMoney wallet uses Bell ID's Secure Element in the Cloud
platform, which removes the need for a separate app or SIM card upgrade
for customers.
Carta Worldwide
Toronto, Canada-based processor Carta Worldwide launched its Cloud Suite
1.0 for mobile payments, a full-service cloud-based payments and EMVCo-
compliant tokenization product for banks and wallet service providers, in
February 2015.
Cybera
Franklin, Tennessee-based Cybera offers the Cybera ONE for Mobility
applications solution, which enables retailers to secure cloud-based mobile
wallet point-of-sale purchases in their stores. The solution ensures that,
when a customer visits a store and buys a product on the Web by using a
smartphone, the specific store receives the revenues to cover the cost of
the product.
Cybera says its managed software cloud and virtual application network
securely connect the retailer's mobile payment application to the local store
POS system where inventory is being redeemed. This allows the local store
site to settle the transaction and account for the inventory being sold.
Using Cybera's solution, retailers can accept mobile payments without the
cost of upgrading their POS system. Additionally, utilizing a secure cloud
ensures that payment information will be delivered safely from the mobile
cloud application to the POS system at the specific store site without
jeopardizing the integrity of the card data environment, Greg Tennant, Cybera's
senior vice president of marketing and strategy, wrote in a Mobile Payments
Today blog.
DeviceAuthority
Fremont, California-based DeviceAuthority offers the D-FACTOR
authentication engine, which issues a digital fingerprint authentication
challenge to mobile devices connecting to payment systems to check whether
they are genuine, whether they contain malware and whether they have
been jailbroken.
FIS
In March 2015, U.S.-based banking software vendor FIS added biometric
access to its mobile banking application via Apple's Touch ID. According
to a news release, FIS was to become the first provider to offer fingerprint
access to its Cardless Cash ATM application when it enabled fingerprint
authentication in April 2015.
Using Touch ID, customers of banks that have deployed FIS's Cardless
Cash ATM software will be able to withdraw cash from ATMs and check
their balances from their smartphones, without using plastic cards.
Authentication, account selection and amount selection all occur through the
FIS Mobile Wallet with Cardless Cash app, and a QR code is scanned to
complete the transaction.
The FIS Mobile Wallet with Cardless Cash is a cloud-based platform that
gives financial institutions control of the branding and user experience
within the application. Customers can add debit, credit, stored value and
loyalty cards, as well as redeem mobile coupons and offers. All credentials
are stored securely in the cloud, not on the smartphone, FIS says.
InAuth
Venice, California-based mobile fraud prevention and app security provider
InAuth raised $20 million in a Series A funding round led by Bain Capital
Ventures in March 2015.
InAuth said the investment came after a year of record growth in which the
company added four of the five largest U.S. banks as customers. Founded
in 2011, InAuth serves customers including large global banks, payment
processors, e-commerce merchants and health insurance companies.
InAuth says its Mobile Identity Platform measures not just the network risk
of a mobile device, but also the confidence that a mobile device user is the
user expected to be using the device. The platform also checks for fraud and
detects anomalies such as jailbroken or rooted devices, the company says.
Ingenico offers the On-Guard P2PE solution, which consists of three PCI-
certified components: an encryption module, a decryption module and an
encryption key-management solution.
Jumio
In February 2015, Jumio, a Palo Alto, California-based online/mobile
credentials management company, launched a new version of its ID card
scanning service, Netverify. The service provides businesses using mobile and
online channels with an accurate way to authenticate their customers' and
prospects' identity credentials.
To ensure the person presenting the ID to the device camera is the
individual featured in the ID, Jumio's Face Match technology compares the
customer's face with the photo on the ID and produces a likelihood-of-
match score.
Liveness detection ensures that the person is actually present and
precludes a criminal's attempt to beat Face Match by presenting a static photo
image of the fraud victim, Jumio says.
Jumio also offers BAM Checkout, which enables consumers to scan their
payment cards and drivers' licenses when using a mobile shopping app.
Kaspersky Lab
In February 2015, anti-virus firm Kaspersky Lab launched a free mobile
app, Kaspersky QR Scanner. The program not only reads information in QR
codes, but also warns users about potentially dangerous links such as
phishing links embedded by cybercriminals within them. The app is
available for both Google Android and Apple iOS.
When reading QR codes, it's important to check that the QR code isn't
spoofed, says Ingenico's Boudier.
MagTek
Seal Beach, California-based transaction security company MagTek
launched the Qwick Codes Mobile Wallet in 2012. Qwick Codes are dy-
namic, one-time-use tokens that replace payment card information for ATM,
POS and online transactions.
To use the Qwick Codes Mobile Wallet, consumers open the Qwick Codes app, swipe their card through a complimentary MagneSafe reader they receive with a paid subscription, and enter the transaction details, such as a maximum dollar amount and an expiration date. A Qwick Code is then created, which consumers can scan from their smartphone or type into a POS terminal or ATM instead of swiping their card.
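The three properties the description above gives a Qwick Code (single use, a spending cap, an expiry) are what an issuer-side validator has to enforce. The following is an added example written for this page, not MagTek's implementation; the class names, the 8-digit code format and the sample values are all constructed.

```python
# Added example (not MagTek's code): minimal issuer-side model of a one-time
# payment code carrying a maximum amount and an expiry time.
import hashlib
import secrets
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class OneTimeCode:
    card_token: str       # issuer-side token standing in for the card number
    max_amount: Decimal   # cap the consumer chose when creating the code
    expires_at: int       # Unix time after which the code is void
    used: bool = False


class CodeIssuer:
    """Hypothetical server-side store. Codes are stored hashed so that a
    leaked store does not yield redeemable codes."""

    def __init__(self) -> None:
        self._codes: dict[str, OneTimeCode] = {}

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, card_token: str, max_amount: str, expires_at: int) -> str:
        # 8 decimal digits is a constructed format: low entropy, which is why
        # the code must also be short-lived and single-use.
        code = f"{secrets.randbelow(10**8):08d}"
        self._codes[self._key(code)] = OneTimeCode(
            card_token, Decimal(max_amount), expires_at)
        return code

    def redeem(self, code: str, amount: str, now: int) -> tuple[bool, str]:
        """Return (accepted, card_token_or_reason); consumes the code on success."""
        rec = self._codes.get(self._key(code))
        if rec is None:
            return False, "unknown code"
        if rec.used:
            return False, "already used"
        if now > rec.expires_at:
            return False, "expired"
        if Decimal(amount) > rec.max_amount:
            return False, "amount exceeds cap"
        rec.used = True  # consume before any downstream processing
        return True, rec.card_token
```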
MagTek also manufactures devices and systems for the reliable issuance, reading, transmission and security of cards, checks, PINs and other identification documents. Its products include secure card reader authenticators, check scanners, PIN pads and distributed credential-issuing systems.
MagTek's devices and services are secured using its MagneSafe Security Architecture technology. By leveraging strong encryption, secure tokenization, real-time authentication and dynamic transaction data, MagneSafe-based products enable users to assess and validate the trustworthiness of credentials used for online identification, payment processing and other electronic transactions.
Omlis
Newcastle upon Tyne, U.K.-based Omlis has developed encryption technology to protect mobile banking and payments transactions. It says that standard encryption techniques rely on the repeated use of master encryption keys, which can be intercepted by malicious third parties. Omlis' solution uses randomly generated one-time encryption keys instead of master keys to prevent hackers from intercepting transactions. It also uses payment tokens and authentication tokens.
In January 2015, Omlis announced that it had secured $31 million in contracts to implement its services with various partners over the next five years.
OneVisage
OneVisage, a Swiss digital identity products developer, has launched what it calls the world's first 3D facial-authentication product to operate on standard smartphones.
Payfone
In December 2014, New York-based Payfone introduced Identity Certainty, an authentication product that relies on the same security standards mobile network operators use to identify their subscribers, Mobile Payments Today reported.
Payfone launched a pilot of Identity Certainty with three major banks in early 2015 through a partnership with fraud-protection and risk-management company Early Warning, Mobile Payments Today said.
Payfone didn't reveal which banks are using the service, but Early Warning is owned by Bank of America, BB&T, Capital One, Chase and Wells Fargo. Early Warning also is a Payfone investor.
Identity Certainty provides an extra layer of protection that banks can use to confirm mobile banking customers' identity when they log into the service.
"Banks have learned that a lot of things that can be done on PCs (for authentication) don't translate well to mobile phones," Roger Desai, Payfone's CEO, told Mobile Payments Today. "What the banks wanted us to do was create a consistent way to identify a phone."
Payfone has 300 million mobile identities in its database, thanks to partnerships with all four major U.S. telcos. The company assigns each identity a unique tokenized ID, known as the Payfone Signature, based on a mobile subscriber's phone number, SIM card and account number. Banks use the tokenized ID to make sure everything lines up with their systems.
Identity Certainty tracks 400 different lifecycle events to help banks confirm a customer's mobile identity. Some events occur more often than others, such as an address change, a new phone number or a replacement for a lost device. Other events are less frequent, such as a consumer switching mobile operating systems or using a company-provided device.
"All of these things are critical for the bank to know," Desai said. "We eliminate human interaction when it comes to this authentication method. It's done behind the scenes through the telcos' network. This kind of authentication works because lots of things change with customers that the banks have a hard time tracking."
Authentify acquisition
In April 2015, Early Warning signed a definitive agreement to acquire Authentify. Founded in 1999, Authentify provides phone-based, multifactor authentication products and serves 1,200 financial institutions and e-commerce companies.
Early Warning said the acquisition will enable it to offer organizations digital multifactor authentication and the ability to integrate and manage multiple digital channel authentication methods via one platform.
With its acquisition of Authentify and its exclusive partnership and equity investment in Payfone, Early Warning says it can provide a suite of services that:
improves mobile security and reduces consumer friction by leveraging innovation in biometric and behavioral authentication;
ThreatMetrix
ThreatMetrix offers fraud-prevention solutions that leverage its ThreatMetrix Global Trust Intelligence Network, a shared digital identity network and real-time analytics platform, to protect customers against account takeover, payment fraud, and fraudulent account registrations resulting from malware and data breaches.
"We're seeing over 20 million new mobile deployments each month, representing more than 25 percent of the total new devices being added to our network," said Andreas Baumhof, ThreatMetrix's chief technology officer.
"One challenge our customers face in the mobile channel comes with the explosion of apps from a multitude of different vendors, many of which are used as vehicles to deliver malware," said Dean Weinert, ThreatMetrix's director of mobile products. "It's important for businesses to distinguish between real, trusted apps and apps that have been altered, but that requires a significant amount of data, especially for mobile devices. ThreatMetrix provides a solution that is lightweight on users' devices, putting those device attributes and threat risks into our digital identity network. The network is constantly learning about the growing mobile attack surface so our customers don't have to."
Detects jailbroken and rooted devices: Dynamic jailbreak and root detection technologies determine when device security controls have been thwarted. New jailbreak and root methods are pulled from the TrustDefender server each time a device is profiled, to keep the system up to date without requiring new application releases.
ValidSoft
ValidSoft offers a multifactor user authentication platform including a Voice Biometric engine and Device Trust technology.
who maliciously redirect mobile phone calls and text messages to defeat out-of-band authentication systems and other anti-fraud measures involving customer contact via mobile phones.
Device Trust helps banks protect their customers' data and transactions by securing their communication channels against account takeover, SIM swap, call divert and international roaming related fraud.
Veridu
Veridu, a London-based ID verification company, provides an API-based service that enables banks and retailers to base risk-assessment decisions on a potential user's social media profiles.
Rasmus Groth, Veridu's CEO, told Mobile Payments Today that banks and retailers can use the company's ID verification system in the customer onboarding process or as a risk-management tool to flag potentially fraudulent transactions. Groth argues that social media profiles can be a better verification method than asking people to scan documents or ID cards, which he believes can be faked easily.
Once a bank or retailer integrates Veridu's API into its online or mobile channel, it can ask potential users to sign into a combination of social media networks such as Facebook, Twitter and LinkedIn.
"The way we gear the service is that 57 percent is what we consider a normal, trustworthy person," Groth said. "Anything below 50, we think something might be off. There's always a balance. It depends on what kind of service you have. If your primary concern is making enrollment or onboarding really easy, you set thresholds quite low in the beginning, but later you can have the person reverify their identity."
Verifone
"All Verifone's payment acceptance products, whether mPOS or standard payment terminal solutions, across all payment types including mag-stripe, EMV and NFC/contactless, comply with all the PCI standards and support our P2PE and tokenization solution VeriShield Protect and our Secure Commerce Architecture (SCA)," said Joe Majka, Verifone's chief security officer.
"Using SCA and VeriShield Protect, we prevent cardholder data from entering the POS system, and we deliver this data in encrypted form from the payment terminal directly to the merchant's processor," Majka said. "Using a P2PE solution such as VeriShield Protect with SCA also reduces a merchant's PCI and EMV certification burden."
WiseSec
Tel Aviv, Israel-based WiseSec has developed a security technology to protect Bluetooth-based mobile payments on any type of smartphone, including Android- and iOS-based smartphones. Its solution uses low-cost Bluetooth-based beacons to locate and authenticate customers in a store, enabling them to pay by tapping their smartphone against a touchpad.
WiseSec claims its solution has a lower cost than NFC, as retailers don't need to install NFC card readers. "We provide a plug-and-play solution, which doesn't require special infrastructure changes to install," said Vadim Maor, WiseSec's CEO. "With our technology, the only players are the customer, their card issuer and the merchant."
"Our protocol works on BLE (Bluetooth low energy) and on other types of Bluetooth links, and offers an alternative to NFC," Maor said. "It creates a tokenized communications channel between the server and the touchpad to simulate full NFC, and can be used for POS payments or cardless transactions at ATMs."
WiseSec creates two types of tokens. "First, we tokenize the customer's payment card, and secondly we secure the transaction between the touchpad, which can be a POS device or an ATM, and the server using tokens," Maor said. "All data is encrypted during transit from the touchpad to the server."
The Bank of Israel, the country's central bank, acts as a regulatory and approval body for the Israeli Ministry of Finance.