It seems that the cyberthieves gained access by taking over a Global Payments administrative account “by answering the application’s knowledge-based authentication (KBA) questions correctly.”[From StorefrontBacktalk » Blog Archive » Could Global Payments Breach Finally Kill KBA Questions?]
This madness has got to stop. Any organisation that wants to be taken even slightly seriously has to move to better authentication at the earliest opportunity. But what might this authentication look like in the mass market? Last month MasterCard hosted a great day at their new innovation centre in Dublin to show off their technology platforms and explore some practical ideas about the future of payments.
MasterCard has made Dublin the location of its latest MasterCard Labs office. The ‘innovation hub’ will lead the development of technology for the company’s worldwide operations and will foster projects in the areas of coupon purchases, biometric authentication, near field communication and gesture control.[From MasterCard unveils Labs office in Dublin | TechCentral.ie]
There were some great demonstrations of the PayPass contactless wallet and PC payments as well as the integration of secure (i.e., chip-based) payments into the new digital media age. One of our senior consultants, Tony Pickup, was there and so I asked him for his professional opinion of what was on show. Rather interestingly, he told me:
The demo that caught my eye may be not as “sexy” as the contactless and mobile stuff, but it demonstrates a potentially important change in the way we may access funds in the future. This was a demo of the South African entitlement card distribution process and funds distribution to a market expected to be 10 million by the end of 2012. This service may show how remote card account management may develop in the next few years.
The South African Social Card service uses a layered approach to biometrics and their use. The idea is that on registration a voice biometric is captured to support account management, a fingerprint biometric is captured and loaded onto an EMV card only. Also once the biometrics are taken the user is asked to set up a PIN to enable chip and PIN authentication for purchases at physical POS. The fingerprint biometric is used for authentication purposes when a person presents themselves for an entitlement. This is clever as the biometric is checked by the EMV card using the data collected to prove the customer is ‘alive’; there is no need to collect or match fingerprints in a central database. The voice biometric is used to ensure that if a customer needs to re-issue a card it can be done efficiently. However, this multi-modal approach also offers the ability to use the voice biometric if the person is unable to present themselves or their finger to prove their entitlement and access the funds granted to them.
This may show the future for remote authentication and layering biometrics to authorise different types of transactions, but it certainly indicates to me that it is identity, not money, that will be the crucial field of competition in the near future. I’m sure that Visa, MasterCard, Amex and others are all on the case, for the simple reason of economics: if you know who the counterparties to a transaction are, then the payment and settlement part becomes easy.
Kris Ranganath, director of technology and solutions of NEC, pointed out that the latest developments in biometrics focus on multimodal fusion matching, or “person-centric identification”. This means that any available biometric data generated by a person can be used for verification. This, he noted, is unlike the past when tools depend solely on a single mode of a person’s biometrics such as fingerprints.[From Biometrics more accurate, but uptake ‘disappointing’ – ZDNet Asia News]
So what is the path into the mass market? There is no silver bullet for authentication, not even biometrics, but some intelligent multi-modal application can quickly shift authentication into a sweet spot for most transactions, most of the time. Buy a pack of gum, tap. Buy a pair of shoes, chip and PIN. Buy a car, chip and PIN and fingerprint. Buy a house, chip, PIN, fingerprint and voiceprint. Launch nuclear missile, chip, PIN, fingerprint, voiceprint and DNA. That kind of thing, although we don’t need to wait for all of these technologies to reach mass market security. There really is no excuse for not implementing better authentication now and I’ve often wondered why we don’t use bank-issued chip and PIN cards to do it: if they can do it in South Africa, we can do it here.
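The tiered scheme sketched above, written as a step-up policy check (an added example, not code from this post or from any card scheme). The amount thresholds, tier names and the rule that a voiceprint may replace an unavailable fingerprint only when it is not already required are assumptions for illustration.

```python
from dataclasses import dataclass

# Factor names follow the post. Thresholds and tier names are assumptions.
# "chip" stands for card presence, whether tapped or inserted.
TIERS = [
    (20, "tap", frozenset({"chip"})),
    (1_000, "chip_pin", frozenset({"chip", "pin"})),
    (100_000, "high_value", frozenset({"chip", "pin", "fingerprint"})),
    (float("inf"), "very_high",
     frozenset({"chip", "pin", "fingerprint", "voiceprint"})),
]

@dataclass(frozen=True)
class Decision:
    tier: str
    approved: bool
    missing: frozenset      # factors to request in a step-up prompt
    used_fallback: bool

def required_factors(amount):
    """Return (tier, factors) for the first tier whose limit covers amount."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    for limit, tier, factors in TIERS:
        if amount <= limit:
            return tier, factors

def evaluate(amount, verified, finger_unavailable=False):
    """Compare already-verified factors with what the tier demands."""
    tier, required = required_factors(amount)
    verified = frozenset(verified)
    missing = required - verified
    used_fallback = False
    # Fallback from the post: voice can stand in when the holder cannot
    # present a finger. Assumed rule: not when voiceprint is itself
    # required, so one biometric is never counted as two factors.
    if ("fingerprint" in missing and finger_unavailable
            and "voiceprint" in verified and "voiceprint" not in required):
        missing = missing - {"fingerprint"}
        used_fallback = True
    return Decision(tier, not missing, missing, used_fallback)

if __name__ == "__main__":
    # Constructed sample transactions
    print(evaluate(2, {"chip"}))
    print(evaluate(80, {"chip"}))
    print(evaluate(25_000, {"chip", "pin", "voiceprint"}, True))
    print(evaluate(300_000, {"chip", "pin", "voiceprint"}, True))
```
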
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.