Top 6 Best Practices for Securing Mobile Commerce
Mobile devices are quickly becoming the preferred channel for consumer banking and commerce. The convenience of using mobile phones however introduces new challenges in ensuring that smartphones do not become new channels for perpetrating fraud. Criminals seem to be a step ahead in acquiring credentials to log into bank accounts and other systems, and companies are now focusing security measures on preventing the use of those credentials from unknown devices.
In the recent years, vendors have opportunistically rolled out new approaches to address these fraud concerns. Many are helpful to a point, but some have limitations that leave devices vulnerable to the ever-evolving thief.
Multi-factor authentication has been around for decades in the enterprise, and it's a commonly accepted approach for securing information and authenticating users. This method is evolving into the mobile world and organizations understand the importance of identifying and authenticating the mobile device involved in the attempted transaction. Since devices are stolen and lost all the time, accurately connecting the authorized user with the device is equally important.
Here are a few of the requirements that organizations should identify in a mobile identity solution for fraud mitigation and managing the e-commerce security challenge. These best practices include:
1. The mobile identity solution should use the mobile network to validate that the device and its mobile number are associated with the true customer. Implied ownership based on past behavior is not enough. Criminals are smart enough to fool reputation tools.
2. No app should be needed and the solution should be transparent to the end user. Solutions such as out of band PINs that require users to enter data into their mobiles are disliked by consumers and cause abandonment. Implementation should also be lightweight requiring minimum effort, since customers expect ease of use with little complexity.
3. The solution should be capable of identifying location to reduce the use of stolen credentials and provide proof of a customer's location. Utilizing the mobile network, the solution should be able to verify that the owner of the credit card being used in the transaction is actually at that location attempting the purchase.
4. Organizations should select a solution that is truly global and works across all geographies. Some solutions are limited to working with the mobile networks of North America only. We live in a global economy – what use is a mobile solution if customers can't use it anywhere?
5. The solution should work across all mobile platforms and on any mobile device. We have learned this lesson with BYOD in the enterprise – users want to pick and leverage the device of their choice. They do not want to have to change their behavior.
6. The solution should be as close to real-time as possible and able to stop unwanted logons or financial transactions as they occur. It should be effective on day one. Having to rely on shared data between companies or waiting for the system to "learn" the behaviors of the device means there is always a period of acute vulnerability.
Today's approaches which leverage the mobile network for device authentication and mobile identity give organizations an advantage of criminals who, considering all of the breaches in the news these days, at times seem a step ahead of security measures. These best practices can help secure the growing number of financial transactions from the mobile user.
Chirag Bakshi is founder and CEO of Zumigo, a provider of mobile solutions including messaging, location and marketing.
In the recent years, vendors have opportunistically rolled out new approaches to address these fraud concerns. Many are helpful to a point, but some have limitations that leave devices vulnerable to the ever-evolving thief.
Multi-factor authentication has been around for decades in the enterprise, and it's a commonly accepted approach for securing information and authenticating users. This method is evolving into the mobile world and organizations understand the importance of identifying and authenticating the mobile device involved in the attempted transaction. Since devices are stolen and lost all the time, accurately connecting the authorized user with the device is equally important.
Here are a few of the requirements that organizations should identify in a mobile identity solution for fraud mitigation and managing the e-commerce security challenge. These best practices include:
1. The mobile identity solution should use the mobile network to validate that the device and its mobile number are associated with the true customer. Implied ownership based on past behavior is not enough. Criminals are smart enough to fool reputation tools.
2. No app should be needed and the solution should be transparent to the end user. Solutions such as out of band PINs that require users to enter data into their mobiles are disliked by consumers and cause abandonment. Implementation should also be lightweight requiring minimum effort, since customers expect ease of use with little complexity.
3. The solution should be capable of identifying location to reduce the use of stolen credentials and provide proof of a customer's location. Utilizing the mobile network, the solution should be able to verify that the owner of the credit card being used in the transaction is actually at that location attempting the purchase.
4. Organizations should select a solution that is truly global and works across all geographies. Some solutions are limited to working with the mobile networks of North America only. We live in a global economy – what use is a mobile solution if customers can't use it anywhere?
5. The solution should work across all mobile platforms and on any mobile device. We have learned this lesson with BYOD in the enterprise – users want to pick and leverage the device of their choice. They do not want to have to change their behavior.
6. The solution should be as close to real-time as possible and able to stop unwanted logons or financial transactions as they occur. It should be effective on day one. Having to rely on shared data between companies or waiting for the system to "learn" the behaviors of the device means there is always a period of acute vulnerability.
Today's approaches which leverage the mobile network for device authentication and mobile identity give organizations an advantage of criminals who, considering all of the breaches in the news these days, at times seem a step ahead of security measures. These best practices can help secure the growing number of financial transactions from the mobile user.
Chirag Bakshi is founder and CEO of Zumigo, a provider of mobile solutions including messaging, location and marketing.