
Authentication Risks Top Concerns Over Digital Payments

A new report shows that organizations plan to adopt new payments forms like digital wallets, but still worry about security.

Payments stories this year have been dominated by a seemingly unending string of data breaches, putting security at the forefront of the agenda for the industry. Authenticating users to prevent intrusion by criminals tops the list of concerns when implementing new electronic payments systems, according to a new survey commissioned by HP Atalla and conducted by the Ponemon Institute. Two thirds (66%) of the 634 IT professionals surveyed said authentication is the biggest problem when deploying new digital payments systems like e-wallets.

But those authentication concerns aren’t stopping the organizations represented in the study from adopting new digital payments technologies. Three quarters (75%) of the respondents said their organizations plan to support payments via a mobile device or phone number, and 43% said they would support payments with virtual currencies.


“Support for virtual currencies is being driven by two components: economics and security,” Albert Biketi, general manager of HP Atalla enterprise security products, explains. “It’s a way to break the economics of the system that imposes transaction fees that can add up for a merchant. For a large retailer, having 3% to 4% [of your revenues] being charged for transaction fees can be a lot of money.”

On the security side, Bitcoin’s blockchain creates more trust in the system, since a third party verifies every transaction. “It’s a system built on aggregate trust. You're not just trusting one institution [with the transaction]. If you look at the architecture of Bitcoin – it’s really hard to cheat. And every transaction is logged in near real time.”

The study also found that data privacy isn’t an urgent concern compared to security for organizations adopting new payments technologies. Only 38% of the respondents said they would be wary of new payments technologies to protect the privacy of their data.

“I think consumers realize that the data that they share with their banks and retailers helps those organizations serve them better. Retailers especially rely on that data to serve their customers better. It’s how they create value for their customers,” Biketi remarks.

Tokenization topped the list of security measures that could help mitigate the authentication concerns over new payments methods, the report found. “Attackers right now are very focused on getting credentials and valuable data. Tokenization is an excellent way to neutralize [the impact of] breaches,” Biketi suggests.

Even though 75% of the respondents said one-time passwords and tokens were “very important” or “essential” to securing new payments methods, only 48% said their organization uses them for security.

“Tokenization hasn’t been widely adopted because of structural and budget issues. I think it will gradually become a basic standard. But there are different approaches to deploying tokenization, and organizations want to extend it to as many systems as possible. That can be difficult across some [complex] architectures,” Biketi explains.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

11/13/2014 | 7:50:53 PM
Apple Pay and False Sense of Security
Apple Pay may well be the agenda.  

Apple is expected to do something about the vulnerability that their Touch ID brings: Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offer lower security than when only the password is used.

The convenience of biometrics is often obtained by sacrificing the security. Bringing biometrics carelessly could end up with worsening the password headache instead of mitigating it.

Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors.  This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y).  The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.

As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together".