3/24/2015
03:45 PM
New Secure Online Check-Out Tech Goes For Less Friction, More Biometrics

BioCatch, Zumigo, and Alibaba release tools to help merchants avoid those pesky charge-back costs.

While point-of-sale systems at brick-and-mortar stores continue to be a rich feeding ground for data-hungry hackers, some merchants are at least beginning to take the security of their online shops seriously. The altruistic goal of protecting customers might not provide enough inspiration, but the goal of avoiding the costs of expensive charge-backs on fraudulent purchases does.   

Yet, retailers are historically resistant to increased authentication and authorization measures, because they increase "friction" -- meaning, they make the purchasing process longer and more complicated for the buyer, thereby making the buyer more likely to give up and go elsewhere.

Fortunately for those merchants, the industry has released a few new security tools over the past week that aim to improve security without increasing -- perhaps even reducing -- customer friction. 

BioCatch e-Commerce

This week, Israel-based startup BioCatch expanded the e-commerce offering of its "passive biometrics" technology. The technology collects behavioral data from a user's endpoint input devices -- keyboards, mice, accelerometers, etc. -- and paints a picture of the user's unique but completely unconscious habits. As DarkReading explained in an interview with BioCatch in July:

They capture physiological behaviors like whether the user is left-handed or right-handed, the duration of their hand tremor, the size of their finger press, their hand-eye coordination, and their muscle structure. They capture cognitive indicators like how a user scrolls through a screen -- do they click the mouse, click and drag the mouse, use the arrow keys, use page up and page down, etc. -- how they interact with certain applications, and how they move the cursor -- quick and direct, slow and circuitous, curving up, curving down.

Then the BioCatch application issues "invisible challenges." The application may speed up or slow down how fast a selection wheel moves, or nudge a cursor in one direction, or create a "force field" that requires a user to press a touchscreen more firmly, and then see how the user responds.

All of those factors are combined into a "cognitive signature," which can then be used for "passive biometric" authentication or fraud detection.

This technology is particularly good at spotting the difference between a human being and a robot, or one human being and another. 

The company says the e-commerce solution can also be used to tell the difference between regular behavior and criminal behavior.

“When making purchases online, fraudsters behave differently than legitimate consumers. Whereas most of us take some time to adjust to a site’s specific checkout process, fraudsters breeze through it with a high familiarity level because they have done it tens or hundreds of times before,” said Uri Rivner, VP Cyber Strategies and Co-founder at BioCatch.

Smile To Pay

Last week, Alibaba both introduced a new biometric authentication mechanism to the payment world and tried to bring some joy to the task of parting with one's money, by announcing Smile to Pay.

Alibaba founder Jack Ma demoed the product at the CeBIT conference in Hanover, Germany. The details thus far are minimal, but the gist is that when a purchaser presses "buy," a facial recognition interaction is initiated; essentially, the buyer completes a purchase by holding their phone up for a quick selfie.

The name Smile to Pay is appropriate when buying gaming systems or new shoes; less so when paying exorbitant mobile phone bills, but don't worry -- you don't actually need to smile. 

Smile to Pay is being tested by Ant Financial, an Alibaba affiliate that uses the Alipay online payment system. Alibaba plans to roll out the service first in China.

Zumigo Assure Payments 

Zumigo released a new tool this week, Zumigo Assure Payments, to improve verification of identities of buyers making purchases from mobile devices.

Partnering with mobile operators and Equifax, Zumigo can check the billing records of the mobile device being used to conduct the purchase, and check to see whether or not the identity of the mobile user and the identity on the buyer's payment card match. If they do, it's a lower-risk purchase; if they don't, it's higher-risk.

The Zumigo tool also zeroes in on the real-time location of the mobile device and compares it against the IP address and the shipping/billing addresses of the buyer. The closer the match, the lower the risk.
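The two Zumigo signals described above (does the mobile operator's billing identity match the cardholder, and how far apart are the device, the IP geolocation and the shipping address) can be combined into a simple risk score. The following is example code written for this article, not Zumigo's product; the point bands, risk tiers, names and coordinates are all constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class CheckoutSignals:
    """Signals a merchant might assemble for one mobile checkout (constructed)."""
    carrier_billing_name: str   # name on the mobile operator's billing record
    card_name: str              # cardholder name on the payment card
    device: tuple               # (lat, lon) of the device in real time
    ip_geo: tuple               # (lat, lon) geolocated from the buyer's IP address
    shipping: tuple             # (lat, lon) of the shipping address

def _norm(name: str) -> str:
    # Tolerate case and spacing differences before comparing identities.
    return " ".join(name.lower().split())

def _km(a: tuple, b: tuple) -> float:
    # Great-circle distance (haversine) in kilometres.
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def _distance_points(km: float) -> int:
    # Closer match, fewer risk points; these bands are assumed, not Zumigo's.
    return 0 if km <= 25 else 1 if km <= 250 else 2 if km <= 1000 else 3

def score_checkout(s: CheckoutSignals) -> tuple:
    """Return (risk_points, reasons) for one checkout."""
    points, reasons = 0, []
    if _norm(s.carrier_billing_name) != _norm(s.card_name):
        points += 4   # identity mismatch is the strongest signal in this toy model
        reasons.append("mobile billing name does not match cardholder name")
    for label, other in (("IP geolocation", s.ip_geo), ("shipping address", s.shipping)):
        d = _km(s.device, other)
        p = _distance_points(d)
        if p:
            reasons.append(f"device is {d:.0f} km from {label}")
        points += p
    return points, reasons

def risk_tier(points: int) -> str:
    return "low" if points <= 1 else "medium" if points <= 4 else "high"

# Constructed sample checkouts: one consistent buyer, one with mismatched signals.
LEGIT = CheckoutSignals("Ana Silva", "ANA SILVA", (38.72, -9.14), (38.74, -9.15), (38.71, -9.13))
SUSPECT = CheckoutSignals("J. Doe", "R. Roe", (40.7128, -74.0060), (34.0522, -118.2437), (40.7128, -74.0060))

if __name__ == "__main__":
    for s in (LEGIT, SUSPECT):
        pts, why = score_checkout(s)
        print(risk_tier(pts), pts, why)
```

A real deployment would also weigh the privacy concern raised below: the merchant only needs the match result from the operator, not the billing record itself.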

While the partnership with the mobile operators could reduce fraud, customers and privacy advocates may balk; it could be seen as another case of mobile operators playing fast-and-loose with customers' identity and location data.

Yet, privacy complaints may go ignored, if both security and convenience are well served. Last week, Facebook built upon its Messenger app -- which has also been criticized by privacy advocates -- to create a peer-to-peer payment application for Messenger users to send money to one another directly.

According to data released today by SecurityMetrics, six out of 10 merchants still store, unencrypted, payment cards' 16-digit primary account numbers. Further, 7 percent store the full magnetic stripe data, including PAN, cardholder name, expiration date, CVV, PIN, and service code. With data like that floating around, new payment security technology can't come soon enough.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
3/25/2015 | 11:58:45 AM
clever
Smile to Pay is a clever marketing strategy, I must say. As we know, the more brick-and-mortar PoS gets locked down, the more the bad guys will redirect attacks to ecommerce shopping. 
glenbren,
User Rank: Apprentice
3/24/2015 | 11:50:54 PM
I don't do selfies
I'll just shop somewhere else if a store wants me to send a selfie with my payment. As for Zumigo, will we be aware that the merchant using this has access to our mobile billing records? It's terrifying that merchants have records of so much of our credit card information, there for the hacking. Our information is not any safer with online merchants either.