Today, there is a variety of smartphones on the market. For many people, the smartphone has become an essential part of their professional and personal lives, with which they can make calls, send and receive text messages, and browse the internet in search for products to buy. Professionally, smartphones can be used to access the corporate intranet, as well as confidential company files and data. Because of this increased use of our smartphones and the extra functionality they now have, security has become a prime concern. In this article, Ravi Das describes how biometrics might be used to mitigate security threats.
If a smartphone is lost or stolen, and it falls into the wrong hands, the information stored on it can be abused by malicious individuals. Probably the biggest threat at this point is that of identity theft. At the moment the only viable way of protecting the information on the smartphone is using a password or PIN or a combination of both to gain access to the device.
Nowadays, smartphones can also be used to make online purchases, from browsing for products to paying for purchases and arranging shipping. This process is known specifically as ‘virtual payment’. The extra information which is required to make online purchases is stored on the phone demanding a higher level of security. As biometric identification may be the solution, interest in this technology has increased and implementation of biometrics in smartphone technology has already begun.
The primary objective of this article is to describe how biometrics can be used to make virtual payments with smartphones secure. Specifically, this article will cover the following subjects:
- A formal definition of a virtual payment.
- The components of a virtual payment: the mobile app, the Near Field Communication protocols and the Trusted Service Manager.
- The security threats posed to virtual payments.
- How biometrics can be used to mitigate the security threats.
- The social impacts of virtual payments.
A virtual payment can be defined as “a functionality on a mobile device that can securely interact with digitised valuables.”1
Virtual payments involve three separate components:
• A software application known as the ‘mobile wallet’.
• The Near Field Communications Protocol.
• The Trusted Service Manager.
A mobile wallet is a mobile application which can be downloaded instantly onto just about any modern smartphone. The mobile wallet contains virtually all of your financial data, such as credit card and debit card details. Once you have selected a product on your smartphone, all you have to do is launch the mobile wallet app, and the payment is processed instantaneously. With the advent of the mobile wallet, the world could theoretically become a cashless society, because all that would be needed would be a smartphone with a mobile wallet.
The most popular mobile wallet app available today is Google Wallet. It was launched in 2011, and Google designed it in such a way that it covers the entire shopping experience, rather than just enabling payment for online purchases. According to a First Data White Paper: “It is about several aspects of commerce coming together into one place to provide more value for consumers and merchants.”2
Near Field Communication protocol
The network protocol which allows virtual payments to take place is a wireless protocol known as ‘Near Field Communication’ (NFC). Although it may sound complex, the NFC protocol is simply based on Radio Frequency Identification (RFID) standards.
NFC is a two‑way radio communication between two contact points − in this case between the smartphone and the NFC reader located at a store. These contact points must be in very close proximity to each other, usually no more than just a few inches apart.
To enable the radio communication with an NFC reader, the smartphone is equipped with a set of very small coiled wires and a smart chip known as an ‘NFC tag’. This tag is used to help securely transmit the financial data from the mobile wallet to the NFC reader. The memory capacity of these NFC tags is anywhere between 96 and 4,096 bytes. It is the smartphone which initiates the communication with the NFC reader. This process is known as ‘inductive coupling’.
Trusted Service Manager
The third major component of a virtual payment is the Trusted Service Manager (TSM). This component helps to secure the communication between the NFC tag in the smartphone and the NFC reader located at a store. More specifically, the TSM “enables the user to enter their account number into mobile wallets, authenticates with the financial institution, and enables that payment credential to be used from within the mobile wallet.”2
There are two main areas in virtual payments that are vulnerable to security threats:
• The mobile app itself.
• The wireless connectivity.
Threats related to the mobile app
At the moment, Google Wallet and other mobile wallet applications only either use a PIN, a password, or at best a combination of both to protect the customer’s account. Since PIN numbers and passwords can be intercepted and hijacked very easily, they are now considered very weak forms of security.
Threats related to wireless connectivity
In this case, we are primarily referring to the NFC between the NFC tag within the smartphone and the NFC reader located at a store. Although the distance of wireless connection between the NFC tag and the NFC reader is very short, the wireless connectivity is still unprotected. With the right network sniffing tools, a hacker with a strong criminal intent can quite easily hijack the financial data while it is being transmitted and with it commit serious forms of identity theft. This is mainly due to the fact that NFC is a very old type of wireless protocol based on the standards of the RFID wireless protocol, a protocol which itself offers no security mechanisms.
The use of biometrics to mitigate security threats
In the world of virtual payments, the traditional security model involves three layers of protection:
• Something you know.
• Something you have.
• Something you are.
The most common vehicles for security have been the password and PIN. Virtually everyone has a password and PIN they know by heart, so this obviously provides the first layer of protection.
However, these do not provide the second layer of protection. To accomplish this, we have to be in physical possession of a security tool such as a smartcard, which contains a memory chip and can contain more details about the user. But both of the above are insufficient to provide a solution to the third layer of protection.
So what will provide the third layer of protection? This is where biometrics comes in. Biometrics fundamentally covers the element of ‘something we are’. Whether it is a physical or behavioural aspect, we all have unique features and characteristics inherent to our nature which separate us from everybody else, be it by the smallest degree.
The four most widely used biometric technologies are fingerprint recognition, voice recognition, facial recognition and iris recognition. But how exactly will they work on a smartphone and provide an additional layer of defence for virtual payments?
Traditional fingerprint scanning involves an optical sensor that captures the user’s fingerprint and registers its unique features. In many biometric devices, the optical sensor is large enough to be able to capture the entire fingerprint image. However, in smartphones this is not the case, as the optical sensor has to be placed both outside the screen and the keyboard area, and also has to be small enough to fit the smartphone casing. Due to space limitations, the optical sensor can only capture the central region of the user’s fingerprint. After the minutiae of the fingerprint have been broken down, the verification template is compared with the enrolment template stored in the small database on the smartphone. If confirmed as legitimate, the smartphone will then unlock itself.
Facial recognition and iris recognition
The actual camera of the smartphone would be used to capture the image of the face or the iris, and these would be stored in the memory of the smartphone. As facial recognition and iris recognition are much more powerful biometric technologies than fingerprint recognition, they require much more processing power. The user has to download a special mobile app (available from the facial recognition or iris recognition vendor) onto their smartphone. This app creates and processes the verification template and extracts the unique features using eigenfaces for facial recognition and Gabor wavelets for iris recognition. Subsequently, the verification template is compared with the enrolment template stored in the memory of the smartphone. If there is a close enough match between the two templates, the smartphone will unlock and allow the user to access it.
Compared to the other technologies just examined, this would be by far the most convenient one for users as no specialised hardware or software would be needed, just the speaker component of the smartphone. Voice recognition does, however, suffer from one serious setback: the sound quality must be high in order for it to work well. With a landline, this is usually sufficient, but smartphone microphones also capture extraneous sounds from the user’s environment. As a result, both the voice recognition verification and the enrolment templates have to be created and compared by a third party vendor, such as an Internet Service Provider.
Voice recognition on smartphones would work as follows: the user dials a special phone number and recites either their name or answers a challenge or question using the receiver of their smartphone. From there, the voice of the user is transmitted to the call centre, in order to create, process, and compare the voice recognition verification and enrolment templates. The call centre also extracts the unique features of the voice using statistical profiling, such as hidden Markov models.
Using biometric technology to secure the mobile wallet
The security of Google Wallet relies on a traditional four‑digit PIN. If the smartphone is lost or stolen, all of the credit card information can fall into the wrong hands if, for instance, a hacker is able to guess the four‑digit PIN or obtain it through a brute force attack.
So how can the mobile wallet app be made more secure? The answer lies in biometric technology. This is how a proposed biometric scheme could work: once the user has downloaded the Google Wallet app onto their smartphone, they must submit their particular biometric generated with their smartphone to Google, who in turn will permanently store the user’s enrolment template in their biometric databases.
If the smartphone user wishes to make a virtual payment, the only way the Google Wallet mobile app can be launched is by submitting themselves to the entire biometric verification process. The biometric verification template on the smartphone is compared with the enrolment template stored in the biometric databases at Google. If the match between the verification and enrolment templates is close enough, the user will be positively identified. Subsequently, the Google Wallet mobile app will unlock and the user will be able to start the virtual payment process of their desired goods and services.
Using biometric technology to secure the NFC wireless protocol
As previously discussed, the NFC wireless protocol is the primary means of communication when a virtual payment is made using a smartphone. The smartphone has to be literally inches away from the NFC reader in order for it to pick up the NFC field which is generated by the NFC tag.
The common misconception is that, since the distance of the communication is so short, its security cannot be compromised. The common belief is that signals can only be maliciously captured when there is a long network communication stream between two devices, but this is not the case. If a hacker has a powerful networking device, such as a high‑powered network sniffer, they can stand far away from the user and still covertly hijack the data packets which are in transit between the NFC tag in the smartphone and the NFC reader.
Although the NFC wireless protocol may be efficient to use, it is totally insecure. So by which means can this wireless channel of communication between the NFC tag and the NFC reader be protected? The answer lies in the use of cryptography. Using the principles of cryptography, the data packets would remain in a scrambled state while in transit between the NFC tag and the NFC reader. If the data packets were then to be picked up covertly by a hacker with a network sniffer, the scrambled data packets would be no use to them. A hacker would only be able to descramble them with the specific cipher (a key or mathematical algorithm) used to scramble the data packets.
The most effective ciphers are those found in asymmetric cryptography structures. This is when the scrambling (or ‘encryption’) and the descrambling (or ‘decryption’) of the data packets involves both a public cipher and a private cipher. Even if the hacker were to intercept one of these ciphers, he or she would still not be able to decrypt the captured data packets, because the other (either public or private) cipher is needed to fully descramble the intercepted data packets.
Building upon these principles of cryptography, biometrics can also play a large role in helping to further secure the NFC protocol. As virtual payment is becoming increasingly popular and the growing number of transactions increases the total risk, it is very likely that the combination of biometrics and cryptography will provide the required enhanced security layer for NFC. This is the emerging field known as ‘biocryptography’.
Using the above method, the financial information contained in the Google Wallet mobile app could be offered two additional layers of protection:
• The scrambled data packet (through the principles of cryptography).
• The biometric template it is associated with (through the principles of biocryptography).
The use of biocryptography in this fashion helps to enhance the security of the financial information contained in the mobile wallet by associating it with the biometric template of the user. Furthermore, it can help to scramble and descramble the data packets transferred between the NFC tag and the NFC reader.
The asymmetric algorithm of choice in biocryptography is the RSA algorithm. The strength behind the RSA methodology is the fact that it uses the power of prime numbers and the effort associated with factoring large numbers. The public and private keys which encrypt and protect the verification and the enrolment templates are direct mathematical functions of a pair of very large prime numbers (over 200 digits long). The logic behind this is that it is very difficult to work backwards from the created product to discover these large prime numbers. Consequently, it would take a very long time to figure out what the keys are, causing the hacker a lot of frustration.
In conclusion, biocryptography can provide the virtual payment infrastructure with a second tier of security by helping to secure the wireless NFC protocol, as well as the financial information.
Social impact of virtual payments
The adoption rate of virtual payments in the United States is much lower than in other parts of the world. Research into the reasons why has provided a number of clues.
Although Google Wallet is the primary mobile wallet vendor in the marketplace today, there are plenty of start‑up companies and some established ones competing for a share of this market. In other words, there are many mobile wallet vendors vying for dominance, with a dizzying number of available offerings.
- Rather than using the NFC wireless protocol to support the virtual payment infrastructure, many vendors just use simple barcodes or QR codes instead. Thus, the mobile wallet applications which are designed to support the NFC wireless protocol cannot be used. The three largest wireless carriers, T‑Mobile, Verizon Wireless and AT&T, have also been criticised for failing to support Google Wallet, in the interest of developing their own mobile wallet brand and thus limiting the growth of virtual payments.
- Though convenience for the users was the main reason for the development of the mobile wallet application, many of the mobile wallet apps are claimed to be confusing, and even more require further third party apps which need to be downloaded, thus further stifling the growth of virtual payments.
- US consumers are still used to credit cards and making payments with those, so why change over to something else? In other words: “If it isn’t broken, why fix it?”
- Both mobile wallet vendors and wireless carriers provide retailers and vendors with insufficient training regarding the proper use of virtual payments. One example is Starbucks, whose use of Square technology has in some cases outpaced the barista’s grasp of how to use it, generating some recent bad publicity around the user experience3.
- With regard to the US consumer, privacy rights issues have also emerged, such as:
– the ability of the vendor/retailer to track the user’s purchasing habits and actual geographic location with mobile technology;
– the fear of identity theft if the smartphone is lost or stolen;
– the fear of being inundated by phone calls from telemarketers and vendors/ retailers not associated with the virtual payment made, despite being on the ‘Do Not Call List’.
- US consumers simply do not possess a mobile wallet app.
- Vendors and retailers have not implemented virtual payment infrastructure in their particular store, because it is still uncertain whether the NFC wireless protocol will become the industry standard for virtual payment infrastructure in the United States. To quote one article: “Equipping the most popular phone with NFC would have been a huge education for consumers and a big validation…”4.
- Overall, since US consumers are not familiar with virtual payment technology, the learning curve is extremely steep, which has a negative effect on the growth and adoption rates of virtual payments in the United States compared to other countries.
What will it take to get US consumers to jump on the virtual payment bandwagon and catch up with other geographic regions where virtual payments are being used on a much larger scale? According to a recent comprehensive survey conducted by Accenture, the road to large‑scale adoption of virtual payments will be a difficult one at best5. The biggest obstacles in the United States will be the giant gap or disconnect which exists between the mobile wallet vendors, the wireless carriers and the US consumer, as well as the lack of understanding of biometric technologies.
The US consumer is much more interested in the convenience of using their smartphone to make virtual payments and benefitting from the virtual payment process as a whole. The consumers also want to be assured that the virtual payment they are making is secure and that all parties involved in the creation of the virtual payment infrastructure are doing everything they can to ensure that the consumers will not become a victim of identity theft.
1 Mobey Forum. Mobile Wallet-Definition and Vision, Part 1. Available at http://www.mobeyforum.org/whitepaper/mobile-wallet-whitepapers-part-1-definitions-and-vision/
2 First Data Corporation. Inside the Mobile Wallet: What It Means for Merchants and Card Issuers. Available at http://files.firstdata.com/downloads/thought-leadership/MobileWalletWP.pdf
3 Payments Source. Starbucks Grinds Through Square Mobile Wallet Adoption Issues. Available at http://www.paymentssource.com/news/starbucks-grinds-through-square-mobile-wallet-adoption-issues-3013699-1.html
4 Sidel, R. and Efrati, A., 2012. What’s In Your Mobile Wallet? Not Much. Available through The Wall Street Journal:
5 Accenture. Consumer Mobile Payments Survey: Driving Value and Adoption of Mobile Payments – Consumers Want More. Available at http://www.accenture.com/SiteCollectionDocuments/PDF/FinancialServices/Accenture-Consumer-Mobile-Payments-Survey.pdf
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He is also studying for his Certificate In Cybersecurity through the ISC2.