While point-of-sale systems at brick-and-mortar stores continue to be a rich feeding ground for data-hungry hackers, some merchants are at least beginning to take the security of their online shops seriously. The altruistic goal of protecting customers might not provide enough inspiration, but the goal of avoiding the costs of expensive charge-backs on fraudulent purchases does.
Yet, retailers are historically resistant to increased authentication and authorization measures, because they increase "friction" -- meaning, they make the purchasing process longer and more complicated for the buyer, thereby making the buyer more likely to give up and go elsewhere.
Fortunately for those merchants, the industry has released a few new security tools over the past week that aim to improve security without increasing -- perhaps even reducing -- customer friction.
This week, Israel-based startup BioCatch expanded the e-commerce offering of its "passive biometrics" technology. The technology collects behavioral data from a user's endpoint input devices -- keyboards, mice, accelerometers, etc. -- and paints a picture of the user's unique but completely unconscious habits. As DarkReading explained in an interview with BioCatch in July:
They capture physiological behaviors like whether the user is left-handed or right-handed, the duration of their hand tremor, the size of their finger press, their hand-eye coordination, and their muscle structure. They capture cognitive indicators like how a user scrolls through a screen -- do they click the mouse, click and drag the mouse, use the arrow keys, use page up and page down, etc. -- how they interact with certain applications, and how they move the cursor -- quick and direct, slow and circuitous, curving up, curving down.
Then the BioCatch application issues "invisible challenges." The application may speed up or slow down how fast a selection wheel moves, or nudge a cursor in one direction, or create a "force field" that requires a user to press a touchscreen more firmly, and then see how the user responds.
All of those factors are combined into a "cognitive signature," which can then be used for "passive biometric" authentication or fraud detection.
This technology is particularly good at spotting the difference between a human being and a robot, or one human being and another.
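The cursor habits described above ("quick and direct, slow and circuitous, curving up, curving down") can be turned into numbers a behavioral profile could be built from. The following is an added illustration written for this article, not BioCatch's code; the traces are constructed, and the feature definitions (straightness ratio, mean speed, bow direction relative to the straight-line chord) are this example's own assumptions.

```python
import math
from typing import Dict, List, Tuple

Point = Tuple[int, float, float]  # (timestamp_ms, x_px, y_px) from a mousemove stream

# Constructed sample traces (not real user data): same start and end points,
# one moving straight to the target, one wandering before settling on it.
DIRECT_TRACE: List[Point] = [(0, 10, 10), (50, 60, 40), (100, 110, 70),
                             (150, 160, 100), (200, 210, 130)]
CIRCUITOUS_TRACE: List[Point] = [(0, 10, 10), (120, 40, 80), (260, 90, 120),
                                 (410, 150, 90), (580, 190, 50), (760, 210, 130)]


def path_features(trace: List[Point]) -> Dict[str, object]:
    """Quantify a cursor path: how direct it is, how fast, and which way it bows.

    Screen coordinates grow downward in y, so a positive cross product against
    the chord means the path sags below the straight line ("curving down");
    a negative one means it arches above it ("curving up").
    """
    if len(trace) < 2:
        raise ValueError("need at least two samples")
    path_len = 0.0
    for (_, x0, y0), (_, x1, y1) in zip(trace, trace[1:]):
        path_len += math.hypot(x1 - x0, y1 - y0)
    t_start, xs, ys = trace[0]
    t_end, xe, ye = trace[-1]
    cx, cy = xe - xs, ye - ys          # chord from first to last sample
    chord = math.hypot(cx, cy)
    # 1.0 = perfectly straight; lower values mean a longer, more circuitous route.
    straightness = chord / path_len if path_len else 1.0
    duration = t_end - t_start
    mean_speed = path_len / duration if duration else 0.0  # px per ms
    # Cross product of the chord with each interior sample's offset from the start.
    bow = sum(cx * (y - ys) - cy * (x - xs) for _, x, y in trace[1:-1])
    curve = "down" if bow > 0 else "up" if bow < 0 else "none"
    return {"straightness": straightness, "mean_speed": mean_speed,
            "path_len": path_len, "curve": curve}


if __name__ == "__main__":
    for name, trace in (("direct", DIRECT_TRACE), ("circuitous", CIRCUITOUS_TRACE)):
        print(name, path_features(trace))
```

A real profile would aggregate such features over many sessions and compare a new session's distribution against the enrolled one; a single path is only the building block.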
The company says the e-commerce solution can also be used to tell the difference between regular behavior and criminal behavior.
“When making purchases online, fraudsters behave differently than legitimate consumers. Whereas most of us take some time to adjust to a site’s specific checkout process, fraudsters breeze through it with a high familiarity level because they have done it tens or hundreds of times before,” said Uri Rivner, VP Cyber Strategies and Co-founder at BioCatch.
Smile To Pay
Last week, Alibaba both introduced a new biometric authentication mechanism to the payment world and tried to bring some joy to the task of parting with one's money, by announcing Smile to Pay.
Alibaba founder Jack Ma demoed the product at the CeBIT conference in Hanover, Germany. The details thus far are minimal, but the gist is that when a purchaser presses "buy," a facial recognition interaction is initiated; essentially, the buyer completes a purchase by holding their phone up for a quick selfie.
The name Smile to Pay is appropriate when buying gaming systems or new shoes; less so when paying exorbitant mobile phone bills, but don't worry -- you don't actually need to smile.
Smile to Pay is being tested by Ant Financial, an Alibaba affiliate that uses the Alipay online payment system. Alibaba plans to roll out the service first in China.
Zumigo Assure Payments
Zumigo released a new tool this week, Zumigo Assure Payments, to improve verification of identities of buyers making purchases from mobile devices.
Partnering with mobile operators and Equifax, Zumigo can check the billing records of the mobile device being used to conduct the purchase and verify whether the identity of the mobile subscriber matches the identity on the buyer's payment card. If they match, it's a lower-risk purchase; if they don't, it's higher-risk.
The Zumigo tool also zeroes in on the real-time location of the mobile device and compares it against the IP address and the shipping and billing addresses of the buyer. The closer the match, the lower the risk.
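To make the two checks above concrete, here is an added example of how such signals could be folded into a risk score. It is illustrative code written for this article, not Zumigo's product logic; the weights, distance thresholds, coordinates and names are constructed assumptions, and the carrier record is modelled as a plain subscriber name.

```python
import math
from dataclasses import dataclass
from typing import Dict, Tuple

LatLon = Tuple[float, float]

@dataclass
class PurchaseContext:
    carrier_name: str     # subscriber name from the operator's billing record
    card_name: str        # cardholder name presented with the payment card
    device_loc: LatLon    # real-time handset location
    ip_loc: LatLon        # geolocated client IP address
    shipping_loc: LatLon  # geocoded shipping address
    billing_loc: LatLon   # geocoded billing address

def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def _norm(name: str) -> str:
    return " ".join(name.lower().split())

# Weights and distance thresholds below are illustrative assumptions, not Zumigo's.
def risk_score(ctx: PurchaseContext) -> Dict[str, object]:
    score, reasons = 0, []
    if _norm(ctx.carrier_name) != _norm(ctx.card_name):
        score += 40
        reasons.append("carrier subscriber name does not match cardholder name")
    checks = (("IP address", ctx.ip_loc, 50.0),
              ("shipping address", ctx.shipping_loc, 100.0),
              ("billing address", ctx.billing_loc, 100.0))
    for label, loc, limit_km in checks:
        d = haversine_km(ctx.device_loc, loc)
        if d > limit_km:
            score += 20
            reasons.append(f"device is {d:.0f} km from {label}")
    level = "low" if score < 20 else "medium" if score < 60 else "high"
    return {"score": score, "level": level, "reasons": reasons}

# Constructed sample purchases (public city-centre coordinates, made-up names).
SF, OAKLAND, NYC = (37.7749, -122.4194), (37.8044, -122.2712), (40.7128, -74.0060)
CONSISTENT = PurchaseContext("Jane Doe", "Jane Doe", SF, OAKLAND, SF, SF)
SUSPICIOUS = PurchaseContext("John Smith", "Jane Doe", NYC, NYC, NYC, SF)
if __name__ == "__main__":
    print(risk_score(CONSISTENT))
    print(risk_score(SUSPICIOUS))
```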
While the partnership with the mobile operators could reduce fraud, customers and privacy advocates may balk; it could be seen as another case of mobile operators playing fast and loose with customers' identity and location data.
Yet, privacy complaints may go ignored, if both security and convenience are well served. Last week, Facebook built upon its Messenger app -- which has also been criticized by privacy advocates -- to create a peer-to-peer payment application for Messenger users to send money to one another directly.
According to data released today by SecurityMetrics, six out of 10 merchants still store, unencrypted, payment cards' 16-digit primary account numbers. Further, 7 percent store the full magnetic stripe data, including PAN, cardholder name, expiration date, CVV, PIN, and service code. With data like that floating around, new payment security technology can't come soon enough.