Phone Verification sends a one-time passcode to an online buyer’s phone.
One way to add an extra level of security when authenticating a buyer on an e-commerce site is to contact the shopper through a channel outside the Internet-connected shopping device she has supposedly used to log in to a web site and attempt a purchase with her credit card. The aim is to ensure that the person trying to make a purchase is not a criminal who has stolen a legitimate shopper’s credit or debit card, or in some other way obtained her payment card information.
Such an additional level of security is offered by a phone-based application launched this week by security technology companies iovation, a provider of device identification technology, and TeleSign, which provides technology for sending passcodes to phones. The system combines device identification with a one-time passcode sent to an online buyer’s landline or mobile phone.
The Phone Verification application, offered as part of iovation’s ReputationManager 360 security software suite, uses technology from TeleSign designed to automatically send a single-use passcode to the phone number that a customer has registered on a retail site. Retailers can set business rules to trigger the delivery of the passcode, such as when a fraud-prevention system assigns a high risk score to a pending transaction. For example, iovation’s device-identification technology may flag that a buyer is attempting to complete a transaction on an Internet device with a history of being used to commit fraud.
To help determine whether that transaction is legitimate—it could be a legitimate buyer, for example, logged onto a public computer that had been used by others for fraud—the Phone Verification application provides a way outside of the suspect computer to authenticate the buyer. Before a shopper completes a purchase transaction, the system pops up a window informing a shopper that the retailer will send her an authentication passcode, via either text message or automated voice call, to the phone number the customer has already registered with the retailer. The pop-up window only shows the last few digits of the customer’s phone number, requesting her to enter the full number into the window to receive the passcode.
Once the buyer receives the one-time passcode, she enters the code into a data-entry window on the retail site to provide authentication. If the shopper enters the code correctly so that it matches a corresponding code in the retailer’s security system, the shopper can complete the purchase transaction, says Scott Olson, vice president of product for iovation.
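The flow described above (a risk rule triggers the challenge, the shopper confirms the full registered number, a single-use code is checked) can be sketched in Python as an added example; it is not iovation's or TeleSign's code. The threshold value, six-digit code length, all names, and the in-memory `sent` list standing in for the SMS/voice gateway are assumptions.

```python
import hmac
import secrets

RISK_THRESHOLD = 70  # assumed business rule: challenge at or above this score


def needs_step_up(risk_score: int) -> bool:
    return risk_score >= RISK_THRESHOLD


def digits_only(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())


class StepUpChallenge:
    """One pending purchase awaiting out-of-band confirmation."""

    def __init__(self, registered_phone: str):
        self._phone = digits_only(registered_phone)
        self._code = None  # issued only after the shopper confirms the number
        self.sent = []     # stand-in for the SMS/voice gateway (assumption)

    def hint(self, visible: int = 3) -> str:
        # Show only the last few digits, as the pop-up window does.
        return "*" * (len(self._phone) - visible) + self._phone[-visible:]

    def confirm_number(self, entered: str) -> bool:
        # The shopper must type the full registered number; the code always
        # goes to the number on file, never to one supplied in this session.
        if not hmac.compare_digest(digits_only(entered).encode(), self._phone.encode()):
            return False
        self._code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit code
        self.sent.append((self._phone, self._code))
        return True

    def verify(self, entered_code: str) -> bool:
        if self._code is None:
            return False
        ok = hmac.compare_digest(entered_code.encode(), self._code.encode())
        self._code = None  # single use: consumed by the first attempt (assumed policy)
        return ok
```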
By delivering the one-time passcode to a customer’s phone instead of through her computer or e-mail, the system is designed to avoid computer malware—such as programs that use “man-in-the-middle” attacks to intercept passwords—and cases where a criminal may also have access to the legitimate buyer’s e-mail inbox, iovation says.
Jason Malo, a security technology analyst and research director at research firm CEB TowerGroup, says the technology behind Phone Verification as part of ReputationManager 360 is not unusual and is available from other technology providers. But offering the integrated device identification and phone-based verification service in a single package is an important development in online security, he says. “A partnership like this to bring these two pieces together in a single package is a positive step,” he says.
He adds that including a phone communication channel to send a passcode is a process familiar to consumers, making it a good way to increase security for high-risk transactions.
The Phone Verification application along with ReputationManager 360, which can send passcodes to consumers in 200 countries and in more than 87 languages, starts at “pennies per transaction,” Olson says. He says the cost varies based on the volume of transactions and the geographic location of shoppers receiving codes. In the U.S., he adds, fees are usually the same for passcodes delivered via text message or automated voice calls, but in other countries they can vary based on each country’s telephone and mobile phone systems.
Iovation delivers ReputationManager 360 through a software-as-a-service model accessible to a large number of users through the Internet. This enables the company to compile information regarding online security threats, such as software viruses and malware, and share updated information across its customer base, Olson says.
Iovation says its technology tracks the security reputations of more than 1.2 billion Internet-connected computing devices and is used by more than 2,000 fraud managers across the globe. Its retailer clients include apparel merchant Abercrombie & Fitch, No. 45 in the Internet Retailer Top 500, and tickets retailer New Era Tickets.