Can the mobile device be the first — and among the best — line of defense in the battle against data breaches and payments fraud? It’s a point of view that Entersekt, the mobile app security firm, sees emerging as one of the more viable opportunities in meeting data security needs, particularly in the North American market.
It’s a market that Sherif Samy, Entersekt’s SVP of North America, says is a bit more complicated than what exists in the more than 40 countries in which the firm does business. For starters, consider the sheer size of the U.S. market, he said.
“You’ve got thousands and thousands of financial institutions [FI]. You’ve got millions of retailers, you’ve got interesting demographics of consumers,” he told PYMNTS. “You’ve got tech-savvy consumers who want things fast and convenient, and you’ve got the more conservative, older generations that are not willing to adopt technology” as quickly.
As a result, he said, there exists in the U.S. a combination of factors and factions that impact the technology that financial firms and eCommerce enterprises can implement.
The U.S. is the country most under siege by hackers, said Samy, noting that of the data breaches and hacks that have happened globally, 60 to 70 percent have happened in the U.S. Thus, of the 2 billion consumer records that are out in the market and floating around on the dark web, a disproportionate number come from U.S.-based consumers. The data is sensitive in nature, such as Social Security numbers.
Ascertaining that someone is who they say they are becomes a challenge, he added. A range of industry players own different types of data. Efforts to confirm identities require a more fragmented approach than exists in other countries.
Samy said, “Your MNO [mobile network operator] data is stored somewhere, your credit bureau data is stored somewhere, your credit history is somewhere else, your change of address is somewhere else … a lot of these databases are not connected.”
Those far-flung data repositories, said Samy, are what make synthetic identities possible. The bad guys take data from the dark web, add a dash of fake data, put that blend into the ecosystem and generate a whole new ID.
At the same time, consumers and businesses are constantly looking to add services on top of digital channels, a trend that transcends markets around the world, he said. However, therein lies a quandary: As companies expand channels, they open up new avenues for attack.
That’s because fraud happens in multiple ways, he said. A fraudster can intercept legitimate communications between the consumer and their bank, and stage attacks at a later date — or the bad apple might set out to impersonate a consumer from the very beginning of his or her malevolent efforts. In another example, hackers create synthetic IDs, create bank accounts and merchant IDs, then sell goods and services to consumers, collecting money all the while and not delivering goods or services.
Across the FI sphere, the response to such threats is fragmented. Samy said Tier One banks are building their own solutions or looking at best-of-breed offerings. However, the long tail of the banking industry may not have the resources to innovate.
Describing Entersekt’s approach, Samy said, “You always look for commonality. If you look at it from a consumer perspective, the consumer has one common link, and that is the mobile device.”
That approach has led — and still leads — Entersekt to look at what he termed a “mobile first world” with a focus on identity and authentication. In terms of rules of thumb, the focal points here are something that the consumer has, something the consumer is (rendered via biometrics) and other data points such as contextual information, which can include geolocation. Samy noted that the “something that you have” could, in fact, be tied to the mobile device itself, and is among the strongest factors that exist.
“If you take that mobile device, and you build a strong device identity out of it, and integrate that into the banking system, you are able to leverage those channels to secure other channels … such as call centers or online channels,” he told PYMNTS.
This confluence enables ongoing detection, he said, where fraud can be identified in real time. In leveraging the device, and Entersekt’s technology, the FI can alert the consumer with a prompt that asks if a transaction is legitimate and authorized before it goes through.
Other markets provide promising templates for North America, where the company has established its HQ in Atlanta, he told PYMNTS.
He said, “We’ve actually seen banks in Germany and other markets reduce their fraud by 99 percent, and increase their transaction volume by 29 percent … and the value of the transactions has increased by 50 percent.”
Asking the questions “Is this you and are you actually doing this transaction?” through strong device identities, he said, means “you are able to stay one or two steps ahead of the hackers.”