Payment, Mobile, and Online Security Mashup

March 1, 2009
  • ThreatMETRIX Online Fraud Control and Chargeback Protection USA
    ThreatMETRIX monitors the online profiles of users to determine the risk of a sensitive transaction. Its risk profile works even if the user's browser has disabled cookies or JavaScript. The service also accesses a reputation network to determine whether the presented user has been flagged on any other web services, firewall logs, or honey pots. This looks very similar to some of the services offered by RSA.
  • Silver Tail Systems: Protects Websites from Logic Attacks
    “Online criminals don’t need to break into your website, VPN or secure networks to defraud you or your customers. They can use the front door – exploiting legitimate business logic or business logic flaws of the website itself”. Silver Tail has two products. The forensics product monitors your site and raises alerts when it identifies suspicious behavior (deviations from the norm). It also provides a search tool that allows administrators to investigate behavior. The rules engine provides a mechanism that allows administrators to restrict navigation flow on the site for specified users.
  • NCore Systems
    NCore Systems provides enterprise-class delivery channel solutions to banks within the ASEAN region, fusing applications, innovative security and middleware technology into a single integrated platform. The company builds complete virtual financial destinations that empower financial institutions to ‘reach out and touch’ their customers through the innovative use of web-based and mobile technology. Basically, they provide online banking and software-based second-factor authentication for mobile banking.
  • Aradiom: Mobile framework, Security Token
    Aradiom provides a security token application that can serve as a second factor for online sites. The Aradiom SolidPass can be used to generate one-time passwords, challenge codes, and security questions. SolidPass also supports Transaction Data Signing (TDS), which lets the user authenticate a transaction with a challenge issued by the enterprise and a response generated by SolidPass based on the transaction details.
  • Acculynk: Software Pin Capture
    Acculynk provides a solution that allows online shoppers to pay for products using a unique software PIN capture solution. The solution allows you to enter your PIN using a PIN pad control on the screen. The order of the numbers scrambles after each digit of your PIN is entered. The biggest advantage is the reduction in charges to the merchant. In many cases, PIN purchases cost less than credit purchases.
  • Atmel Products – Security & Smart Card ICs – Secure RFID: CryptoRF
    CryptoRF provides 64-bit encryption security for RF devices. CryptoRF product labels, tags, and cards are virtually impossible to copy. Rather than using passwords that are easily captured during contactless transactions, CryptoRF devices use the authentication keys, session encryption keys and a random number to generate a unique identity, or “cryptogram”, for each transaction. The host reader and the CryptoRF device must both be able to duplicate each other’s cryptograms before any data can be accessed or written. Uniquely, CryptoRF devices allow two completely independent users, each with its own separate authentication key, to access the same section of the memory. This feature is useful for applications such as cards used in cash transactions.
  • TazTag mobile identity
    The TazCard is a new multi-purpose device in a slim credit card format (6 mm in thickness). It’s like a personal safe with a large touch screen, a fingerprint sensor and various communication interfaces (NFC, USB, ZigBee). TazCard interfaces with a range of security applications such as access control, ticketing, couponing and payment. If required, a Java Software Development Kit makes possible the addition of further customized applications. I really like the fingerprint technology. Also, all data exchanges require approval. So, the card will not exchange information unless the user is authenticated (with a fingerprint) and authorizes the data exchange. I think NFC payment adoption would accelerate dramatically if fingerprint technology was introduced in phones at the same time NFC chips were introduced.
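
The Transaction Data Signing flow described in the Aradiom entry above, sketched as an added example (not Aradiom's code or SolidPass's actual algorithm). It assumes a shared HMAC-SHA256 key, an 8-digit response and hypothetical field names, and shows that the response is bound to the transaction details: a payee altered in transit fails verification, and a used challenge cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets

DIGITS = 8  # assumed response length typed back by the user


def canonical(txn: dict) -> bytes:
    """Serialize fields deterministically so token and server sign identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, challenge: str, txn: dict) -> str:
    """Token side: short numeric response bound to the challenge and the details."""
    msg = challenge.encode() + b"\x00" + canonical(txn)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation in the style of HOTP (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)


class Server:
    """Enterprise side: issues single-use challenges and checks responses."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # challenge -> transaction as received by the server

    def issue_challenge(self, txn: dict) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[challenge] = dict(txn)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        txn = self.pending.pop(challenge, None)  # pop: a challenge works once
        if txn is None:
            return False
        expected = sign_transaction(self.key, challenge, txn)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"
    server = Server(key)
    intended = {"payee": "ACME-001", "amount": "25.00", "currency": "USD"}
    tampered = dict(intended, payee="MULE-999")  # altered between user and server
    c1 = server.issue_challenge(intended)
    r1 = sign_transaction(key, c1, intended)
    ok, replay = server.verify(c1, r1), server.verify(c1, r1)
    c2 = server.issue_challenge(tampered)
    bad = server.verify(c2, sign_transaction(key, c2, intended))
    return {"genuine": ok, "replay": replay, "tampered": bad}
```

The user signs the details shown on the token, while the server verifies against the details it received, so any mismatch between the two surfaces as a failed response.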

RFID: Share Your Personal Data with the World!

February 24, 2009

A few weeks ago I wrote that contactless payments will help drive mobile banking adoption. What I didn’t say is that you can also use RFID to broadcast your personal information to the world. Yes, RFID-enabled passports can double as your personal radio station that keeps playing your same personal info over and over again. The good news is it has never been more affordable to have your own radio broadcast. The bad news is, it is apparently pretty easy to put together the equipment that will tune into your channel.

RFID (Radio Frequency Identification) is not a new technology. The origins of RFID trace back to WWII, and the first RFID-related patent was issued in 1973. From supply chain management to toll tags, RFID is certainly useful in a variety of applications. Still, RFID is not inherently secure. The potential problems are apparent in the latest RFID-enabled US passports. The US includes a metal sleeve and Basic Access Code with new passports to try to keep thieves from stealing your personal information as you walk by.

NFC technology extends the RFID specification. NFC-enabled devices must be in very close proximity in order to communicate. Thus, proponents assert that NFC is inherently more secure than plain old RFID. Still, not everyone is ready to start replacing cash with wireless payment systems. Despite an improved security profile, NFC-enabled devices are vulnerable to a variety of attacks.

Why does all this matter to financial institutions? More now than ever, financial institutions must prove that they are safe. The general perception of a bank’s commitment to cyber security can change very rapidly.

I believe NFC-enabled payment devices will eventually become very popular. There is a significant amount of utility in a phone that will consolidate my rapid transit passes, affinity and rewards cards, coupons, and payment cards. However, this will only happen if mobile payments and the devices that make them possible are perceived to be secure. A recent survey found that security concerns are the number one deterrent to mobile banking adoption.

Most of the mobile payment news I read focuses on convenience and new delivery technologies. Mobile technology companies mention security, but they certainly don’t focus on it.

So to complete my answer to the question above, mobile payments represent a significant opportunity for financial institutions. However, unless the industry begins to promote security with technology improvements and additional marketing, it might be a while before NFC payments move past the focus group stage. Even worse, the big event that finally introduces NFC payments to the masses might be news of a major NFC-related fraud rather than a human interest story on NPR about how mobile banking is spurring commerce in Africa.