June 2, 2014, 4:25 PM

Mobile security evolves

As consumers engage in more m-commerce, retailers rely on vendors to address security.

Lead Photo

At long last, consumers can pay for their m-commerce purchases with only the swipe of a finger. EBay Inc.'s PayPal last month began enabling Samsung Galaxy S5 smartphone owners to pay at any e-retailer that accepts PayPal on its mobile commerce web site with the swipe of a finger.

Using fingerprint-based identification, biometric technology allows for the ultimate in mobile checkout and, because fingerprints are unique, mobile commerce security.

Biometrics is the latest step in the evolution of mobile security, and is a prime example of how vendors and retailers are working closely to advance mobile commerce and mobile payment security. Further announcements between major retailers and technology vendors are expected in the coming months. A vendor executive tells Internet Retailer on condition of anonymity that a handful of the nation's top retailers will soon debut new versions of their apps that include fingerprint scanning for security and one-touch checkout, for example.

Retailers know they can't ignore mobile consumers' demands. U.S. consumers will make $18.2 billion in purchases on their smartphones this year, up 143% from $7.5 billion in 2011, according to research firm eMarketer Inc., and half of smartphone users have completed a purchase on a phone, according to Prosper Mobile Insights.

It is critical that merchants protect sensitive payment and payment-related information when consumers make purchases on smartphones through m-commerce web sites and apps. Why? A big breach of security can damage a retailer's reputation and sales—just ask Target Corp., which saw its standing among consumers plummet after a highly publicized data breach at the store level last year, and the breach damaged sales in the critical holiday season. According to the YouGov Brand Index, which gauges consumer sentiment on a scale of +100 to -100 where zero means equal parts positive and negative feedback, Target was at +26 the week before the breach was disclosed and a few days after news of the breach broke its score nose-dived to -19.

With retailers needing to manage mobile sites and mobile shopping apps in addition to desktop web sites, there are more properties to keep secure, and retailers are turning to vendors to provide additional layers of security. With its new biometric feature, PayPal is a perfect example of a vendor doing the mobile security heavy lifting while retailers enjoy the fruits of the vendor's labor.

"With all these crazy hackers out there, I don't claim to know where to begin with mobile security," says David Byun, president of e-retailer Accessory Geeks. "We rely on our cart vendor, Magento, for mobile security."

E-retailers don't have to do anything to allow a customer to check out using PayPal's technology; all the actions occur within PayPal. Here's how it works: When an S5 owner links her fingerprint to her PayPal account, the Samsung device scans the fingerprint and generates a unique number based on the fingerprint, the device and an encryption key—a long string of characters—from PayPal. This unique number is stored in a secure area on the device and provided to PayPal each time a user elects to pay with PayPal on an m-commerce site that accepts it. The fingerprint never leaves the device and no biometric data is ever transmitted.

From that point in the transaction, PayPal authorizes a biometric-enabled transaction only if the encrypted number sent from a device matches what PayPal has stored for that consumer. And the only way to send that number is by that consumer pressing her finger to her smartphone.

PayPal displays a Review Order page where consumers press OK. That's it. No typing a user name and password. No typing shipping or payment information. PayPal is running special deals with numerous online retailers, including Abercrombie & Fitch Co., Foot Locker Inc., Target Corp. and Toms Shoes, to promote authorizing payments by fingerprint.

Samsung reports it has sold more than 11 million Galaxy S5 smartphones since the phones launched in April. And 473 of the top 1,000 e-retailers in terms of online sales as ranked by Internet Retailer accept PayPal.

"We've spent a lot of time over the years building trust with retailers and building a better mobile checkout experience for retailers," says Joel Yarbrough, PayPal's senior director of global product solutions who led the biometrics team. "The fingerprint scanning feature addresses both of those things, providing a super-secure experience and a delightful buying experience that will increase retailers' conversion rate on smartphones, where conversion has been lower than on tablets and desktop computers."

PayPal says it also has just updated its mobile software development kit, or SDK, to include checkout secured and enabled by biometrics, so retailers can bake biometrics into their Android apps. (Apple Inc.'s iPhone 5s also offers biometric fingerprint scanning, however Apple has yet to include this function in its SDK so developers cannot yet enable biometrics with Apple devices.)

One area where retailers can get into trouble with mobile security is apps. Poorly developed apps can handle data in dangerous ways or leave openings for criminals to break in. In January, for example, Starbucks Corp. acknowledged a vulnerability in its Apple iOS app that could have let hackers access its users' data. A security vulnerability also showed up in Google Inc.'s Google Wallet app. In both cases security analysts exposed the issues before any breach took place and Starbucks and Google fixed the problems.

The number of malicious and high-risk Android apps, for example, has increased significantly over time. The number of afflicted Android apps took three years to reach 350,000 in December 2012, and then more than doubled to 718,000 in June 2013, according to a report from security software maker Trend Micro Inc.

In the hopes of preventing problems like those experienced by Starbucks and Google, Malauzai Software Inc., an app builder for the banking industry, uses, among a variety of tools, the viaLab app security testing tool from mobile security vendor viaForensics. It tests apps as it builds them to find any problems before going live because it's more expensive to fix a security problem after an app has launched, the company says.

comments powered by Disqus



Get a Free Subscription to IR


From The IR Blog


J.T. Compeau / E-Commerce

How Walmart is getting its Oscars debut right

Consumers talking about the Oscars on social media are also engaging with Wal-Mart, data shows.


Mike Cassidy / E-Commerce

5 e-retail planning tips for holiday 2017

Monday’s turn out to be prime shopping days during the holiday season.

Research Guides