Thanks for your comments, Ketharaman.
Correlation analysis, or Proximity Correlation Logic (PCL), can work reliably in a CNP environment because just as a phone is identifiable by its SIM card with a unique reference number, a computer can be identified by many attributes within a layered security model. Such attributes can be trusted or untrusted (e.g. an IP Address can be spoofed), but when combining several attributes in the layered security model, the reliability for authentication purposes increases and can provide a basis for PCL using clever invisible techniques which combine speed, accuracy, privacy, ease-of-use and strong security – we believe this is the model for the future, but available today.
To address your other points relating to CP transactions, Proximity Correlation Logic works with any mobile phone, it doesn’t need to be a Smartphone. PCL does not use GPS nor Lat-Long resolution, because both have serious negative implications in terms of accuracy (POS transactions) and breaches of privacy. In fact PCL is the only security solution to have been awarded a European Privacy Seal, guaranteeing it complies with EU Data Protection Law. In terms of speed, our real-time proofs of concept show that the correlation takes under 400 milliseconds, so nothing that would impede customer service. In fact, it’s completely invisible when dealing with legitimate transactions and fast enough to sit within the Authorisation Process.
Regarding voice biometrics, you’re right that there have been considerable developments over the past 2 to 3 years, to the extent that we believe Voice Biometrics to be a mature technology capable of mass deployment. In fact, we are currently working on a European Government project that has entered its live trial phase, in which the biometrics are performing very well indeed and are a fantastic security layer within a multi-factor authentication and transaction verification model. One of the great things about voice biometrics is that it is a dynamic biometric, so when deployed in a layered Conversational Biometric format the result is a very strong security model: very reliable, easy to use and rendered useless to the fraudster who tries to steal your voice recording. As for how that would work in a CNP environment requiring transaction verification, upon entering the transaction details, the card owner’s phone could automatically ring and the details of the transaction be relayed to the customer. If correct, the user could confirm the transaction by voice, which again could be authenticated through voice biometrics. The strength of this approach is a security model whereby complex transaction data signing, up to non-repudiation, can be achieved in a very easy-to-use manner, catering for all transaction types and numeric/alphanumeric data. If the voice test failed, the customer could be transferred direct to the bank’s fraud team, although in a layered, multi-factor security model, success or failure rarely relies on a single binary check. Finally, Voice Biometric technology these days captures information relating to the shape of the vocal tract, not the vocal cords, so it is pretty resilient in dealing with colds/flu etc. and their impact on how we speak.
08 Nov 2011 22:16
This story shows how important it is to educate the general public about how to spot scams. Perhaps a consumer organisation like Which? could help to reach those in danger, backed up by an information campaign by the banks.
But longer term, there is a role for security technology here. I’m thinking of a system whereby a customer has the option to choose and record a meaningful phrase that is played back each time the bank calls, before any further communication happens, i.e. mutual authentication. This would be part of a completely automated customer security interaction. If you don’t hear your special phrase, it isn’t your bank, whatever the system at the other end of the line might claim.
Under the current access system, customers give up an increasing list of “credential” data to third parties, thereby potentially undermining the security system itself and legitimising fraud vectors such as Vishing, which ultimately come back to haunt the bank itself.
03 Nov 2011 10:50
It’s good to see a bank putting mobile payments right at the centre of its customer relations. A really positive step, and given Australians’ far greater tendency to use mobile payments, this could be a case of Oz taking the lead again. But I’m surprised that the 1.30 minute accompanying video doesn’t mention security once, given that security concerns regularly show up in surveys as the main reason for customer caution about mobile payments. It’s great for new-style payments to be so easy, but customers need to know that they are secure. There is a great opportunity for some customer education and winning mind-share here.
25 Oct 2011 15:00
I too, like David Divitt, am a firm supporter of a layered approach to authentication. The attack, as described in the Finextra story, all centres on the fact that the bank allows users to change their registered mobile number and then sends a confirmation code via SMS (to the old number) which must be resubmitted into the browser to complete the change. They then use Man in the Browser and social engineering to get the real user to submit this code on another pretext. The fraudster then has his own number registered.
If the fraudsters have infected the user’s browser with a Man in the Browser attack, they could equally subvert transactions protected by hardware tokens or card readers.
In my view a real-time automated call to the mobile, incorporating authentication and transaction verification (i.e. the playback of the transaction received by the bank – in this case the request to change his/her registered mobile), would enable the fraudulent transaction to be foiled at source, and the customer would be immediately placed in contact with a resource at the bank to deal with such issues... such is the power of real-time telecommunications!
13 Oct 2011 10:26
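The comment above argues that reading the received transaction back to the customer defeats a code-substitution attack, because a bare SMS code says nothing about what is being authorised. The following added example (my own constructed model, not the commenter's product or the bank's code) shows that readback bound to the request the bank actually received, plus an HMAC approval token over those details: if a Man in the Browser has replaced the new mobile number, the readback exposes the difference and the customer refuses, and a genuine "yes" cannot be replayed against a different request. Account numbers, phone numbers and the key are constructed placeholders.

```python
"""Transaction-bound out-of-band confirmation (constructed model)."""
import hashlib
import hmac

# Constructed: per-customer confirmation key; in production this lives in an HSM.
CONFIRM_KEY = b"demo-key-not-for-production"

def canonical(request: dict) -> bytes:
    """Stable byte encoding of the request exactly as the bank received it."""
    return "|".join(f"{k}={request[k]}" for k in sorted(request)).encode()

def readback_script(request: dict) -> str:
    """Text the automated call plays: the received details, not a bare code."""
    return (f"Request to change the registered mobile for account "
            f"{request['account']} to {request['new_mobile']}. "
            f"Say yes to confirm or no to speak to the fraud team.")

def customer_answer(script: str, intended_mobile: str) -> str:
    """Constructed customer: says yes only if the number read back is the one typed."""
    return "yes" if intended_mobile in script else "no"

def approval_token(request: dict) -> str:
    """HMAC over the received request, so a 'yes' is bound to these details only."""
    return hmac.new(CONFIRM_KEY, canonical(request), hashlib.sha256).hexdigest()

def verify_token(request: dict, token: str) -> bool:
    return hmac.compare_digest(approval_token(request), token)

def process_change(request: dict, intended_mobile: str) -> dict:
    """Run the readback; refusal routes straight to the fraud team, as the comment proposes."""
    if customer_answer(readback_script(request), intended_mobile) != "yes":
        return {"status": "refused", "route": "fraud_team", "token": None}
    return {"status": "approved", "route": None, "token": approval_token(request)}

# Constructed sample data (UK drama-range numbers, not real subscribers).
INTENDED = "+44 7700 900001"                                       # what the customer typed
GENUINE = {"account": "12345678", "new_mobile": "+44 7700 900001"}  # request as received, untampered
TAMPERED = {"account": "12345678", "new_mobile": "+44 7700 900999"} # request as received, altered in the browser

if __name__ == "__main__":
    print(process_change(TAMPERED, INTENDED))   # refused, routed to fraud team
    print(process_change(GENUINE, INTENDED))    # approved with a bound token
```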
Don’t want to breach the rules of engagement of the blog site by going into commercial detail. Briefly, we sit as an additional layer of security alongside existing risk engines – the technology is already in place. We check the proximity of the origination of the transaction to the cardholder through the global mobile network. If in proximity then we simply “confirm” what the bank already knows. If we “refute” we never declare where the phone is. The bank then has much better quality information on which to base its decision whether to accept or decline the transaction. On the privacy front we are fully compliant with UK Data Protection & Data Privacy laws, as we are from an EU Data Privacy regulation perspective also.
12 Oct 2011 13:05
The bank, or card processor, always knows where you are (at an ATM or POS) – our technology simply confirms this, or in the event that we refute it we never say where the person is, so the bank only works with the information it already has.
11 Oct 2011 14:30
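The two comments above describe a confirm/refute proximity check that adds nothing to what the bank already holds: a refute never discloses where the phone is. The added example below (my own constructed model, not the vendor's implementation) keeps the phone's serving cell inside the check and returns only the terminal identifier the bank supplied plus a boolean, fails closed when the network cannot answer, and leaves the accept/decline decision to the bank's existing risk score. Cell ids, terminal ids, the adjacency map and the network lookup are constructed placeholders.

```python
"""Confirm/refute proximity check that never returns the phone's location (constructed model)."""
from dataclasses import dataclass

# Constructed cell adjacency (cell id -> neighbouring cell ids).
CELL_NEIGHBOURS = {
    "C100": {"C101", "C102"}, "C101": {"C100", "C103"},
    "C102": {"C100"}, "C103": {"C101"},
    "C900": {"C901"}, "C901": {"C900"},
}
# Constructed: the bank already knows which cell each ATM/POS terminal sits in.
TERMINAL_CELL = {"ATM-LON-01": "C100", "POS-MAN-07": "C900"}
# Constructed stand-in for a mobile-network lookup of a phone's current serving cell.
NETWORK_SERVING_CELL = {"+44 7700 900001": "C103", "+44 7700 900002": "C901"}

@dataclass(frozen=True)
class ProximityResult:
    terminal_id: str   # information the bank supplied and already holds
    confirmed: bool    # True = confirm, False = refute; no phone location field exists

def cells_within(cell: str, hops: int) -> set:
    """All cells reachable from `cell` in at most `hops` adjacency steps."""
    seen, frontier = {cell}, {cell}
    for _ in range(hops):
        frontier = {n for c in frontier for n in CELL_NEIGHBOURS.get(c, ())} - seen
        seen |= frontier
    return seen

def proximity_check(terminal_id: str, msisdn: str, hops: int = 1) -> ProximityResult:
    """Compare the phone's serving cell with the terminal's cell neighbourhood.
    The serving cell is used only here and discarded, so a refute says nothing
    about where the phone is; a failed network lookup is treated as a refute."""
    area = cells_within(TERMINAL_CELL[terminal_id], hops)
    serving = NETWORK_SERVING_CELL.get(msisdn)   # None when the network cannot answer
    return ProximityResult(terminal_id, serving is not None and serving in area)

def bank_decision(risk_score: float, prox: ProximityResult, threshold: float = 0.7) -> str:
    """The bank's own risk engine still decides; proximity only adjusts its input."""
    adjusted = risk_score - 0.3 if prox.confirmed else risk_score + 0.3
    return "accept" if adjusted < threshold else "decline"

if __name__ == "__main__":
    r = proximity_check("POS-MAN-07", "+44 7700 900002")
    print(r, bank_decision(0.8, r))   # confirmed, so the 0.8 score is accepted
```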
As I explained in an earlier blog on EU Data Privacy, using mobile telephony to improve security for multiple aspects of banking can offer consumers around the world huge gains in terms of improved security and customer service. But those consumers – as well as banks, retailers, mobile telephony companies, regulators and governments – need to feel absolutely confident about the protection of individuals’ privacy, if these exciting opportunities are going to be realised.
And that is why security companies should go through the complex process of applying for a Privacy Seal from EuroPriSe.
European data privacy laws are arguably the most stringent in the world. That should be great news for companies that meet them when those companies come to offer their services around the world.
11 Oct 2011 10:07
Adding current location as a factor in authenticating payment transactions is a great idea, but the key factors to consider are security and privacy. How secure are these social media, and how secure is the mash-up? Is customers’ privacy being compromised? We need to be careful that we don’t just make it easier for fraudsters while also failing to respect people’s civil rights and creating a false impression of enhanced security.
14 Sep 2011 12:27
Thank you for your comment. I agree with you: convenience, speed, security, efficiency, service and ease of use are all essential to any mobile payment product. Those are not aspirations either; technology is ready and products are available on the market. What hinders it all is the lack of visibility and understanding of such solutions especially in comparison to those traditional two-factor authentication solutions that are no longer at the forefront of the technology. Few are actually able to really understand and embrace the implications of telecommunications and mobile payment solutions, especially when it requires a detailed understanding of both.
05 Sep 2011 16:35