We store a lot of information about ourselves on social media sites like LinkedIn and Facebook. This incident is essentially a data breach – and there will be more breaches like this to come. Although we may not prevent criminals from stealing the data, we can stop them from using it to access our bank accounts through guessing the answers to security questions, for example. Instead of using passwords, which are hard to remember, so that the same one is often used for several social media accounts, we should move towards voice biometrics for authentication. A voice print is not only difficult for an imposter to replicate and can therefore play an important role in a multi-layered approach to authentication, but a voice print can also be screened in real-time against a known database of fraudsters’ voice prints.
07 Jun 2012 17:54
Martin, I completely understand your frustration and you are absolutely right about finding a better way of verifying a transaction abroad. No doubt, many more bank holiday-makers will experience the same card declines when they’re away! The good news is, there is a solution similar to the one you’ve described. Proximity Correlation Logic (PCL) is a technology that works in real time and is far more accurate than transaction history, which often results in false-positive declines like the ones you experienced. PCL works on the basis that you are likely to have a mobile phone near you when you are making a payment. It can detect that your mobile is in the vicinity of the POS device or ATM without compromising on your privacy because it’s not a Location Based Service. The security system could even call your mobile so you can verify the transaction as an extra layer of security.
08 May 2012 10:02
This is a positive development in the right direction from the European Central Bank. However, with the growing sophistication of hackers, a two factor authentication may not be sufficient any more (see my blog on Finextra). Security technology has advanced so that a four or even five factor authentication can be conducted with some of the layers being invisible. This enables both a sufficiently safe and a convenient way of safeguarding a transaction.
20 Apr 2012 14:39
Ketharaman, as you have correctly highlighted, determined criminals will always find ways to out-smart technology for their own gains. We have to work on the premise that we can’t stop them from stealing individuals’ information, but what we can do is stop them from being able to use it when it comes to electronic financial transactions. The real-time technology that I have previously described can prevent the crime occurring - ipso facto fraud loss as a percentage of crime will decrease. Furthermore, this technology will be able to eliminate the false positives, which is where the real costs are incurred.
05 Apr 2012 09:43
Thanks for your comment Ketharaman. I agree with you in that using traditional methods to try and achieve multi-factor authentication would increase friction and cause more inconvenience than is necessary. However, technology exists to enable some of the layers to be invisible and the customer may not even be aware that strong authentication has occurred in a totally privacy-sensitive manner.
For example, as mentioned in my latest blog, Proximity Correlation Logic is a technology based on the fact that your phone is likely to be near you when you’re making a transaction. It can detect whether your phone is in the area of the origination point of a transaction, without compromising on your privacy as it is not using a Location Based Service.
Incorporating visible and invisible layers of authentication makes the process sufficiently strong and at the same time, user-friendly.
04 Apr 2012 11:32
Thank you for your comment. What I mean by “a lot safer than cash” is that in the instance of a cash wallet, when the wallet is stolen, the cash is gone for good. In the case of a mobile wallet, the cash cannot be used if strong authentication (as I explain in my blog) applies.
05 Mar 2012 17:39
Thank you all for this great debate. Like some comments suggest, 2-F authentication can be defined differently. But, an effective 2-F authentication solution must use an Out-Of-Band (OOB) channel. As a security technology vendor, my premise must be that the device used to make the transaction is compromised; then you work back from there so all fraud vectors are addressed.
Of course the number of factors (2,3,4) depends on business imperatives but aren’t customers demanding security already? Let’s be real, as an industry, are we seriously going to stop at 2-F? We need to evolve with technology (especially mobiles) and with the sophistication of attacks from fraudsters.
Multi factor authentication and OOB are just the beginning though – authentication alone does not stop the transaction from being compromised – you need transaction verification which is where the OOB comes in.
Who has not heard of ZITMO, ZEUS, SIM swap, CFU?
Understanding security is no longer enough; any serious player in security will need to understand how telcos/mobile operators work to develop the right technology with the sufficient factors for strong authentication. Oh, by the way it is cost effective as well and can be delivered under 400 milliseconds.
17 Jan 2012 16:48
Stephen, not my doing. Finextra bloggers have no administrative control over comments. I can see your first comment if it is any help.
16 Jan 2012 14:05
As the first comment against this article shows, security is a real concern for end-users, and I’d say PayPal needs to be very mindful not to let any perceived weaknesses in this area have a detrimental effect on either the trial or future uptake of the system. The US may not use Chip and PIN, but users in Europe who are used to the system may not feel entirely confident in the security measures briefly mentioned above.
What we’re seeing is a move towards a multi-layered approach to security, which in this case – at POS – could involve using a technology called Proximity Correlation Logic. This works by checking the proximity of the POS, where someone is making the transaction, to the card holder’s mobile phone. It’s not about tracking users to see where they are; rather it’s just about detecting that if the POS and the phone are NOT in the same jurisdiction, there is a much increased chance that the transaction is fraudulent. This can be done in complete compliance with European Data Protection Law, so privacy should not be a concern.
11 Jan 2012 10:43
Ketharaman, the point made is of course a good one. However, the example provided was for illustrative purposes only. Simply put, the move to faster payments means that we will need to start deploying the same real-time protection available for Card Present transactions for all payment types impacted by the FPD, clearly the majority of these include internet banking and other forms of online payments. Proximity Correlation Logic (PCL) equally applies to CNP transactions, although the basis for the correlation is more intricate, but equally accurate. For example, if I know that a transaction is originating from your home (although I don’t need to know where your home is), and your mobile phone is also correlated to your home, then there is a high probability that this is a genuine transaction. Other invisible tests of course need to be performed to ensure that the integrity of the transaction has not been compromised, and the institution may still want to ensure that the parties to the transaction, and the integrity of the transaction itself, have not been compromised in any way. This is the power of real-time, privacy sensitive, PCL when implemented as a component of a layered, multi-factor, telecommunications based security model.
19 Dec 2011 10:16