Security and fraud is fast becoming one of the main
concerns of customers, particularly as online transactions
increase. John Hill looks at two different approaches to solving
these problems, speaking to Voice Commerce’s Nick Ogden, the
founder of WorldPay, and Steve Brunswick, head of strategy at
Thales.
Security is always at
the front of card-holders minds and never more so than in the
current environment, where stories of professional fraudsters
stealing card details become more and more prevalent in the media.
Relative newcomers to the market Voice Commerce say they can
provide an innovative new solution to the issue of payment
fraud.
While Voice Commerce may be new,
their CEO and founder Nick Ogden is no stranger to the payments
world, having set up WorldPay back in 1997. In fact it was during
his work at WorldPay that Ogden saw the opportunity available in
using voice as a type of biometric authentication, seting up Voice
Commerce in the process.
“Over the course of the last few
years we’ve been looking at how the convergence of the internet and
the regular phone network is going to occur,” said Ogden.
“We have been looking at mobile
payments and transactions and how mobile authentication is going to
work and what the bridge will be between the mobile smartphone
device and internet based transactions.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalData“A few years ago we started to look
at the use of voice biometrics as a method of authentication. One
of the problems you have when performing any kind of e-commerce is
that if you are sat in front of a computer you can use various
methods such as a security dongle to authenticate your identity and
details, but if you are in a street or in an airport for example,
using a mobile phone to do a transaction makes this a lot more
difficult.
“We felt that using voice
biometrics made a lot of sense for several reasons: firstly it
doesn’t require any software to be installed on the phone, so can
be used by all current mobile phone handsets, secondly the human
voice is already used as a source of trust in conducting most kinds
of agreement, so it would require much less training and education
on the part of the user.”
A new
beginning
After RBS’ hostile
takeover of WorldPay for £40m ($59.4m) in 2002, Ogden is eager not
to make the same mistake twice and is attempting to create a
different company to previously, learning from past problems and
relying less on others.
“Over the course of the last few
years we became a payments institution under the PSD and are now a
principal member of Visa. We are now deploying voice biometric
technology, both as an authentication platform for financial
transactions and as an authentication platform for identity. The
reason we have put the two together is because we think it’s
actually easier to deal with both these issues at the same moment
in time because the device that people will use is the same – the
mobile phone,” he said.
“We are already a merchant acquirer
and we have just over a thousand merchants worldwide. We had plans
to partner with a number of mainstream banks to accelerate the
deployment of this but we, along with many others, got credit
crunched when those plans to partner with banks were sidelined –
and arguably we were highly fortunate because part of our strategy
had been to become principle members of the schemes. Moving forward
we are not reliant on anyone to partner with to get this technology
into the marketplace.”
While Voice Commerce may be
attempting to help merchants avoid the need for PCI DSS, Steve
Brunswick, Strategy Manager at Thales explained exactly why PCI DSS
is such an important factor in payment security.
“The big issue in PCI DSS for us is
the mandates around protecting cardholder data, both in transit
across the network and also while it’s at rest. It’s interesting
that PINs have been secured and mandated to be secured by the
schemes for many years, which is the fundamental basis of Thales’
business – security modules that did exactly that,” said
Brunswick.
“A lot of the other cardholder data
isn’t so, for example, the sixteen-digit primary account number is
not generally secured across the network, and many merchants up
until PCI DSS routinely stored as plain text primary account number
details, which, as a lot of the world has not turned to chip cards,
can be used to clone a card and then used somewhere that still uses
magnetic strip cards for fraudulent transactions.
“So PCI DSS has been about
tightening all that up and making sure all that data does get
encrypted as it moves through the network and does get encrypted as
it sits on acquirers’ systems. Many acquirers do need to store that
data for legitimate reasons to be able to manage chargebacks and to
manage relationships between customers.”
One of the biggest worries with
security technologies is how easily they can be spoofed or cracked.
Despite a lot of reservations about voice authentication,
particularly around imitation of voices, Ogden said the technology
was 100% safe, even going as far as to guarantee it.
“When we started talking about this
[security] and announcing what we were going to do, the BBC heard
about what we were doing and got one of their top impressionists to
go into a studio and try and hack it, and he couldn’t,” said
Ogden.
“Biometric technology is highly,
highly reliable. The one thing about it that nobody knows is
whether we are all unique, because there are about 6.5bn of us on
the planet and obviously we don’t have 6.5bn voice signatures in
our voice silos. Equally the other organisations don’t have the
same number of fingerprints or iris scans or DNA on theirs, but the
balance of probability is that these are unique.
“On the basis of that we guarantee
two things. To the consumer, we guarantee their identity won’t be
stolen and they won’t make a fraudulent transaction. They have a
100% cash guarantee on any transactions they do and then [we
provide] exactly the same to the merchant.
He continued: “What we
have done is built a 51-country network, because we needed to
provide inbound channels to the IVR [interactive voice response]
platforms that we operate that allow people to call in to
authenticate transactions, because we do other things aside from
e-commerce. What we are now doing is we are extending onto that
network. That network exists in all the European countries, North
America, all the places you’d expect, China, Japan, Korea. What we
are now extending out into those countries is what we call a trust
centre.
“A trust centre effectively is a
national repository of voice signatures for citizens in that
country. For example, in the UK the voice trust centre will
maintain voice signatures of consumers who choose to use this
service. Then we built an interchange structure, similar to the way
Visa and MasterCard’s scheme operates so that within the UK a
person can have one voice signature that can be used by a number of
different organisations, but the control of the signature lies
totally in the hand of the consumer.”
New security
technologies
There have been many new security
technologies entering the market recently, not least of all
MasterCard’s SecureCode and Visa’s Verified by Visa. Brunswick
thinks that while some of these new systems are potentially of
great benefit to consumers and merchants, there will always be the
challenge of getting new users to adopt them, especially if they
are more complex to use than the current system.
“There are a number of new
technologies in the market and the ones which consumers see as
attractive are ones where they don’t have to put their card number
in on a site, and that’s why some people view things like PayPal as
‘more secure’ because while your PayPal account is linked to either
you card or account number you are not putting it in on the
internet directly,” said Brunswick.
“That having been said, I
personally have seen quite a large uptake of Verified by Visa and
MasterCard SecureCode in the last few months. It seems like
MasterCard and Visa are both looking hard at e-commerce as a place
they need to encourage users to accept these increased security
measures. The issue is always one of critical mass – can you get
merchants to support either that new technology, if you are an
existing card scheme, or if you are not an existing card scheme and
are a vendor using alternative payment means like PayPal or Google
Checkout, can you get those to critical mass such that people will
use them.”
Hardware
demand
Thales has traditionally been a
supplier of hardware to the security industry, specifically ATMs
and other larger banking and financial institutions.
With consumers making a tectonic
shift towards the internet and e-commerce it is feasible that this
could potentially reduce demand for hardware, specifically on the
merchant side, however Brunwick thinks this is not the case.
“At the moment,
conventional bricks-and-mortar isn’t declining, and card
transactions in general are growing despite the economic downturn,
but you still need hardware to secure your cryptographic keys, even
in an online transaction and in fact the whole 3D secure uses
hardware security modules to secure the keys that are used in that
– there’s a lot of encryption key technology that goes on in the
background there,” he said.
Specifically the Encipher produced
security modules are used throughout the world to secure that kind
of protection.
Of course at the core of any
security technology is its ability to prevent fraud. As more
complex systems are adopted, fraudsters will simply head to the
area offering the least security and the easiest access to personal
information. From what Brunswick has seen, as fraudsters become
more organised it becomes more important to lay out a standard
scheme everywhere.
“Fraud has changed in its nature
hugely. Ten years or 15 years ago fraud was opportunistic and
carried out by individuals, whereas now it is highly organised,
requiring huge technical skills, is a marketplace in itself trading
card details that have been fraudulently obtained, it has [become]
a whole business,” Brunswick said.
“The targets it is trying to attack
have also changed. It is a general mantra that fraudsters move to
the weakest point in any system and the introduction of chip and
PIN in the UK, for example over the last four years or five years,
has resulted in a marked decrease in face-to -face card fraud,
people trying to pass cards off in shops because that becomes far
more difficult, so not surprisingly it has declined. Fraud on
online purchases has as a result gone up, but interestingly not as
much as online purchases themselves have increased.
“The other place that fraudsters have migrated to is – as it is
not possible to clone an EMV card – they have started capturing the
magnetic stripe data that’s on that EMV card, clone it as a
magnetic stripe card and then conduct fraud abroad.