NicoElNino - Fotolia
Smart security: Go beyond the basics with biometrics
With smartphone makers offering new features such as biometrics, there are lots of options available to businesses when putting mobile security into practice
Smartphones have quickly become the fastest and most convenient way for people to make purchases. Electronic wallets combined with biometrics built into modern smartphones are helping to securing these purchases.
Research firm eMarketer predicts mobile purchases will account for 52% of e-commerce sales by 2021, compared with 43% in 2017.
A number of high street retailers offer apps for mobile devices that support Android Pay and Apple Pay. These are native payment options where users keep an electronic version of their card on the phone. They can also use these systems to approve transactions in a physical store, using in-built near-field communication (NFC) technology.
With Android Pay, the user is protected because the system uses a virtual account number to represent the card, rather than sharing their real card information. Furthermore, some retailers restrict the use of Android Pay to transactions of under £30. For shops without this cap, users must authenticate using biometrics or a passcode for purchases over £30.
Similarly, Apple Pay does not access the user’s actual card details in-store, but instead a device account number and a unique security code, which is different for every purchase. The user must approve every transaction with biometrics or a passcode on this system, and it is therefore not capped at £30.
These measures mitigate the risk of unauthorised transactions. In fact, the device owner is the biggest security risk, according to Rob Bamforth,an independent industry analyst. “Those mobile payment systems and NFC, like Oyster cards, are sufficiently well protected against the level of risk they typically face. To put consumers’ minds further at rest, the issuing organisations generally offer a backstop protection in the event of the system being compromised or failing,” he says. “The technology itself might be more highly secure, but the entire transaction process needs to be considered and, as is often the case, the person is a weak link.”
This is where Apple and Samsung have been focusing in their latest flagship smartphones.
With a combined share of the mobile market of almost 33%, leading manufacturers Samsung and Apple have been pushing biometric security to their respective users. A growing number of mobile app developers are making use of these security enhancements to ensure users remain as secure as possible when using their apps.
Samsung offers face recognition on its latest flagship models, the Samsung Galaxy S8 and S8+, along with fingerprint and iris scanning options.
Apple’s latest handset, the iPhone X, is its first to bring facial recognition unlocking, in the form of Face ID. At its launch, the company said the technology maps 30,000 unique points on a face so unauthorised users cannot breach it by using a mask, for example. Apple claims that false positives – when the phone incorrectly identifies a user – are 20 times less likely with Face ID than fingerprint recognition.
Deciding which biometric technology to build into an app can be very subjective. “This is somewhat subjective but the securest are fingerprint and iris, followed by face and eye vein. This is based on their cumulative characteristics – distinctiveness, performance and resistance to attack – taken together,” says Gartner research director Raul Rabinovich. “In all cases, liveness detection is key, so not all implementations are equal. Quality of sensors, protection of biometric templates and matching algorithms vary, so again, much depends on the implementation.”
Banking on biometrics
In addition to mobile commerce, banks are also starting to incorporate biometrics in their applications. For example, Santander announced in February 2017 that it was in the second phase of its voice-controlled banking initiative, to allow iPhone users of its SmartBank app to make payments using their voice. Phase one enabled them to ask for their card spend. Then TSB announced in November 2017 that it would be bringing support for Face ID authentication to its app. The bank also allows for Samsung users to access their bank accounts using the iris scanner, with CIO Carlos Abarca claiming it is the “most secure form of authentication”.
Dankort, the national debit card for Denmark, announced similar plans for biometrics in June 2017, when it said it would accept fingerprint authentication through its mobile wallet.
Due to increasing customer demand for this form of security, passwords will become less common going forward, says Roberta Cozza, research director at Gartner. “Whether they are less reliable or not, we will move towards methods of authentication that use biometrics because this is what users will expect. It won’t become acceptable having to remember passwords, it’s just not convenient,” she says.
In its Predicts 2018: Personal Devices report, Gartner stated that because of biometrics and machine learning, passwords will only count for 10% of digital authentications by the end of 2022.
However, despite the benefits of biometrics, it is not without risk, says Quocirca’s Bamforth. “One of the challenges is that it could potentially put the individual at risk because their physical presence is needed, and an element of them is physically needed, in order to get access,” he says.
“If we’re talking about protecting something of relatively low value, it’s less likely that somebody is going to do something very aggressive or violent against you to comprise your biometric connection with your security.”
Beyond the consumer market, IT security is an ongoing concern in the enterprise, and both Samsung and Apple also offer enterprise-level security services on their devices. The former provides an extra layer of security for business customers with Samsung Knox security.
This service offers multi-layered security, to protect against three areas of attack: physical exposure, snooping and malware. Physical exposure is where a hacker tries to transfer files from a stolen phone to a computer. With a snooping attack, a hacker attempts to steal sensitive files that users send from a device to the cloud. Mobile malware could be used by a hacker to damage or take control of the device.
Due to the fact that Samsung has built this technology into its smartphones, it is one of the strongest enterprise security options available for Android, says Gartner’s Cozza. “When we see implementations of Android phones in the enterprise, Samsung is definitely the first choice,” she says. The availability of Knox means chief security officers can implement a secure smartphone strategy based around Samsung devices.
As for Apple, its security strategy relies on a partnership with Cisco, through which it offers the Security Connector service to enterprise customers. The Connector platform allows an organisation’s security team to monitor all the network traffic on the device and block access to potentially dangerous websites.
Smartphones are increasingly being used to provide two-factor authentication (2FA), which offers a level of security above password protection. For instance, government departments such as HM Revenue and Customs (HMRC) send text messages or call the user’s number as an extra form of validation when they want to access personal information.
Google users can set up 2FA on their Gmail account. Once the user has entered the correct password, Google sends a code to their smartphone via SMS. This code must be entered on the Gmail login screen to access the email account. Google also provides Authenticator, an app that creates a one-time passkey, which developers can use to authenticate users. For instance, a user can protect their Amazon account by enforcing 2FA. Then, every time they log in, it is necessary to start Google Authenticator and enter the one-time passkey.
Using two-factor authentication makes sense for government departments, as well as retailers and banks, to deter hackers.
“There’s no such thing as perfect security,” says Bamforth. “What you’re looking to do is reduce risk all the time or make the risk less than the value of breaking. Mobile phones as a mechanism for delivering two-factor authentication are very useful.”
Bamforth says previous methods of using two-factor authentication, such as a dedicated security token, were “really inconvenient compared to taking advantage of something you’ve already got in your pocket”.
He also points out it is vital that organisations remain agile with security, describing it as a “constant evolution” of the software. “It’s a constant improvement process to stay ahead of the competition – those who are trying to break in – so you have to think that way; you have to think more dynamically about what it is you’re doing to put in increasing levels of protection,” he says.
Read more about mobile security
We look at the challenges and opportunities to be found in creating mobile apps for an expanding array of devices.
Intel has just released an updated patch after its previous update failed spectacularly. Now its CEO is promising security assurance.
Mobile key in your pocket
Just as people tend not to leave home without their door key, they also generally take their smartphone wherever they go. In 2015, car manufacturer Ford announced its Sync Connect technology, which enabled users to lock, unlock, locate and start their connected car remotely.
Bamforth says such technologies provide better protection for the different aspects of the user’s life, as long as the product itself is secure.
Smart doorbell company Ring recently partnered with home security specialist ADT to provide door locks that can be locked and unlocked via a smartphone app.
As the smartphone becomes more integrated into people’s lives, the use of secure e-wallets, biometrics and two-factor authentication, along with links to physical security, will become more mainstream. All of these offer app developers extra layers of security for their users.