Featured news article from Riskskill.
Riskskill Seeks to Reduce Mobile Fraud Wallet Payment Risks.
Following the recent launch of its mobile wallet consultancy practice, risk and fraud prevention consultancy Riskskill has launched a range of analytical, consultancy and advisory services aimed at helping businesses in the mobile commerce and payment solutions space to ensure that their products are 'right' before they hit the market.
The consultancy practice was established to provide strategic advice and direction to protect mobile solution providers from creating new payment architecture solutions with insufficient protection from data breaches and other risks. In addition, the new services, offered by the practice, are designed to deliver a comprehensive assessment of new wallet product strategies. In particular, the UKFraud services will ensure that wallet providers incorporate the right customer ID and authentication technologies and processes.
In advising producers of future wallet type products, the practice's services draw upon the research, findings and in-depth analysis of the market by UKFraud's own Mobile Payment Special Interest Group (SIG). In its findings, the SIG recognised the need for all financial product stakeholders to develop risk reduction strategies capable of matching the projected rapid growth of the global mobile payments sector over the next eighteen months.
The launch of the new range of services reflects a significant increase in the development and appearance of a range of wallet type products in the market. These include a number of recent, positive and influential developments, such as those from Google with their Wallet, mPowa, Skrill, and Apple with the launch of its well-received iPhone 5S with integral fingerprint reader.
The UKFraud practice also advise on a broad range of devices, architectures and platforms including smartphones, tablets and app software along with the likely fraud risks of transporting mediums such as the internet and/or mobile carriers, including NFC, Bluetooth or Wi-Fi, and entry into traditional payment gateways.
A key element of this advice is in the areas of ID and authentication. There are a number of different forms of ID and authentication techniques that wallet products can use. These combine traditional physical processes and technology checks with increasingly more contemporary ones such as biometrics. UKFraud aims to ensure that all elements of these technologies and processes are developed or evolved to be 'user-proof' as well as 'fraudster-proof'.
Key elements of a proper wallet infrastructure should include:
1. Authentication of User Identity
Someone, somewhere must always be able to verify the identity of the individual who owns the device, or at least to have protection against possible identity theft attack in the future. This is as true for any such form of identification, whether it is through a traditional approach or through evolving biometric checks. Worryingly there are few consistent standards in the methods with which a user's bank account, payment preferences, or even credit history are tied into biometric records in order to gain access to such details. This area is especially significant, as there are serious existing layers of legal requirements for identifying customers for all money transmission providers who have to meet Money Laundering, Drug Trafficking and Prevention of Terrorism compliance standards. Future Wallet providers cannot be exempt here if they are involved in the creation or handling of financial 'events'. Thus the authentication of IDs to meet these current standards must accompany all biometrics validation tools and not be replaced by them. For this reason there must be careful planning to ensure that new identification methods are founded on strong foundations.
2. Validation of the Technology Architecture
Emphasis also needs to be placed on any secure repository for the data collected. This includes analysis of where the data is securely held and how accessible such repositories are to others and just how well encrypted the data is. However, equally all transmissions that contain sensitive data need to be 'looked after' and protected over time. In addition, the processes, technologies, validation of identity and the transmission of sensitive data must all be based upon a technology and process base that is globally useable, acceptable and safe. UKFraud feels that this explains why so many organisations are baulking at the prospect of taking action in a non-standardised direction which risks everything.
As so many solutions are still evolving, 'wallet events' especially those where payment occurs, can be very different in nature. Equally where any biometrics or codes and/or passwords are used and transmitted this must also be stored somewhere in the Wallet,' in a device or in a cloud based solution. This is a point of risk and the potential target for attack. Further, there are also other personal and user identity information such as entry tickets, vouchers, discount codes and tokens club memberships and allegiances, contacts and diaries that we have not yet contemplated storing electronically in our mobile 'wallets'. This all needs to be compatible or interoperable. Indeed this interoperability often needs to be global too. The only global operability standards today rest with the major Card Scheme payment solutions which are globally linked, and completely standardised, by virtue of the authentications and controls that have evolved over decades. These are also relatively safe and robust when dealing with criminal attacks and failures.
Taking it a step further; consumers will most likely require the ability to change 'wallet' provider or data solution provider, so that we can have everything that we need still available to us when our 'device' breaks or changes. This facility needs to be built into the wallet and UKFraud will question whether the new and innovative solutions they examine follow the same or common standards that enable customers to move their funds, data and information from one provider to another with ease.
A challenge that some biometric authentication has traditionally had, in addition to the commercial rollout realisation, is how well it actually works. Some of this technology, through lack of global standards and specifications, has on occasion been the subject of perceptual concerns about the system's reliability in storing and validating data against biometric records as a consistent form of identity.
UKFraud believes that it is essential that the issues of what is stored, along with where and how it is stored needs to be governed well.
This includes a wide range of issues around what the fall-back is - i.e. what happens when we get locked out of our smartphones for instance – and where is our data stored and how recoverable / retrievable is it?
According to Bill Trueman the CEO of UKFraud, "Our clients understand these practical ID and authentication issues as part of their 'wallet' designs, and we assist them in closing gaps and weaknesses. Once these are ironed out, they can plan for the future in what is a fast and growing market filled with uncertainty and challenge. It is inevitable that many of the growing businesses in this area will fail simply because of criminal attacks or because the consumer, the merchant, the supplier or market simply 'goes in a completely different direction'. Future-proofing is a prudent course of action and one which UKFraud helps with but of course no-one has a crystal-ball. Indeed, it is essential as we all remember the history of Betamax in the video industry or indeed video rental in the 'on-line download' world.
"As there are already so many new technology developments in mobile payments and m-commerce in general, we still haven't seen a 'full-on' response from some of the main traditional 'payment' organisations yet. Equally, outside of the excellent steps being taken by the European Payments Council, there is not enough heard from governments and regulators relating to governance of the sector, controls and requirements for eMoney, enforcement direction or strengthening of the Money Laundering requirements to cover the sector. We are confident though that The European Payments Council will take a strong lead here soon.
"Fortunately, the recent launches by sector leaders such as Google and Apple have had extremely positive impact and have influenced the market greatly for the better. Our aim in recognising both the beneficial impact of recent market developments and the prospect of announcements from Europe will help other organisations navigate the best route forward for their products, thereby helping them reduce the risks of their own solutions within the broader mobile solutions and mobile 'wallet' space."