Retail chain Target announced last week that its data breach had potentially affected more than 70 million customers, rather than the 40 million it had initially disclosed, once again highlighting the need for top-level security for all payments, particularly as mobile payments start gaining a little more traction. The New York Times estimated the breach could have affected as many as 110 million.
A recent Forbes article talked to several experts about mobile payments. Though their views varied, the one thing all of the experts agreed on was that mobile payments would grow in 2014.
However, any growth will be tempered by breaches like the one at Target, whether or not the payment was made with a mobile device. If consumers don't feel their payments are safe, they won't trust the largely untested mobile security. In fact, they won't make payments at all at an untrusted merchant -- Target also on Friday revised downward its fourth quarter earnings estimates citing, in part, a significant drop off in sales since the breach announcement.
Device manufacturers will layer security systems to separate corporate and personal data and applications. These layered security systems will secure the devices themselves and will enable users to positively identify themselves to other systems and to perform advanced functions like secure payments.
Risk-based authentication will expand beyond financial services. Financial services firms have sought to be at the forefront of protecting customer information, due to regulatory pressure as well as common sense: if a financial institution can't be trusted, why would anyone keep his or her money there? However, financial institutions are also one of the prime targets of fraudsters. Much like famed bank robber Willie Sutton, they go to the banks "because that's where the money is." Only now the money is digital rather than physical.

"The need for both stronger authentication and a positive user experience will lead to the widespread adoption of risk-based authentication, in which contextual data about users, devices, applications, locations and other potential risk factors are collected and analyzed to determine a risk-level for the user's identity," CA says.

This means that merchants and others will look more skeptically at purchases "that don't fit the profile" for a buyer, perhaps asking for additional identification or perhaps even going as far as to deny the purchase if it is too far out of the norm. Taking the latter approach does have the potential of angering a legitimate buyer, so that should be kept in mind.
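To make the risk-based approach concrete, here is a small scorer that compares each purchase with what is already known about the buyer and returns allow, step-up (ask for additional identification) or deny. This is an added illustration written for this page in Python; it is not code from the article or from CA, and the risk factors, point weights, thresholds, buyer profile and sample transactions are all constructed assumptions.

```python
"""Added example: a toy risk-based authentication scorer.

Not code from the article or from CA. Each transaction is compared with
what is known about the buyer; every factor that does not fit the profile
adds risk points, and the total is mapped to one of three outcomes:
allow, step_up (ask for additional identification) or deny.
All factors, weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class BuyerProfile:
    """What the merchant or issuer already knows about a buyer (constructed)."""
    known_devices: Set[str]      # device identifiers seen on past purchases
    usual_countries: Set[str]    # countries the buyer normally purchases from
    usual_categories: Set[str]   # merchant categories the buyer normally uses
    avg_amount: float            # average purchase amount
    active_hours: range          # hours of the day (UTC) the buyer usually shops


@dataclass(frozen=True)
class Transaction:
    device_id: str
    country: str
    category: str
    amount: float
    hour: int   # hour of day (UTC) the purchase was attempted


# Assumed weights: how many risk points each out-of-profile factor adds.
WEIGHTS = {
    "unknown device": 30,
    "unusual country": 35,
    "new merchant category": 10,
    "amount far above average": 25,
    "outside active hours": 10,
}

# Assumed thresholds. Scores in between trigger step-up rather than denial,
# so a legitimate buyer who is merely out of profile can still prove identity.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 75


def risk_score(profile: BuyerProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Return the total risk points and the list of factors that contributed."""
    reasons = []
    if tx.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if tx.country not in profile.usual_countries:
        reasons.append("unusual country")
    if tx.category not in profile.usual_categories:
        reasons.append("new merchant category")
    if tx.amount > 3 * profile.avg_amount:
        reasons.append("amount far above average")
    if tx.hour not in profile.active_hours:
        reasons.append("outside active hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: BuyerProfile, tx: Transaction) -> Tuple[str, int, List[str]]:
    """Map a transaction to 'allow', 'step_up' or 'deny' with its score and reasons."""
    score, reasons = risk_score(profile, tx)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample data: a buyer who shops from one phone, in the US,
# mostly groceries and fuel, around $60 a time, during the day.
SAMPLE_PROFILE = BuyerProfile(
    known_devices={"phone-a1"},
    usual_countries={"US"},
    usual_categories={"grocery", "fuel"},
    avg_amount=60.0,
    active_hours=range(7, 23),
)

SAMPLE_TRANSACTIONS = [
    Transaction("phone-a1", "US", "grocery", 45.0, 12),        # fits the profile
    Transaction("phone-a1", "US", "electronics", 700.0, 20),   # new category, large amount
    Transaction("tablet-z9", "RO", "electronics", 900.0, 3),   # everything out of profile
]


if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        outcome, score, reasons = decide(SAMPLE_PROFILE, tx)
        print(f"{outcome:8} score={score:3}  {', '.join(reasons) or 'in profile'}")
```

The step-up band between the two thresholds is the design choice that addresses the article's caveat: a buyer who is merely out of profile (a first electronics purchase, a larger-than-usual amount) is asked to identify himself or herself rather than being refused outright, and only a transaction that fails on nearly every factor is denied. Production systems derive the weights from historical fraud data and add factors this toy omits, such as transaction velocity and device fingerprinting.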
Beyond those suggestions, it's important to follow common sense security procedures:
Use technologies to separate corporate and personal transactions on BYOD devices
Check monthly bills for apparently fraudulent transactions. If there is a suspect transaction, notify the payment card company or other biller immediately of the discrepancy and seek to resolve it quickly. It's similar to returning a product to a merchant: the sooner it is done, the faster any refund will be made and the sooner the biller can take steps to make sure it doesn't happen again. This may mean getting a new payment card with a new account number and security code, which can be a hassle, but much less of one than dealing with fraudulent charges.
When in doubt about the security of the transaction, don't make it or use another form of payment.
What other security precautions would you suggest? Let us know in the comments.
It is easy to blame Target, and indeed they do deserve most of the blame, but before you do, remember that the mobile security concerns are two-way traffic. Some responsibility falls on the shoulders of the customers themselves. The attack on Neiman Marcus should have been a wake-up call, but it looks like people ignored it just as they are going to forget about the Target attack and wait for the next mess-up somewhere else.
Customers in the U.S. have up to 18 months to dispute a charge, so there isn't much reason for a retailer to save receipts past that.
Part of the problem also is that U.S. retailers are still using old magnetic stripe technology vs. chips or other more secure methods. Neither retailers nor credit card issuers want to foot the bill to increase security. So maybe it just should be legislated.
"The fact that three-digit CVV security codes were compromised shows they were being stored."
This is basically everyone's nightmare. Now nobody's accounts are safe. And 110 million customers? That's an astounding figure! Target should do more to make it up to their customers and to make sure that this doesn't happen again.
I share your sentiments. This is really, really bad for Target. Not only does it tarnish their image, but people won't really feel safe to shop there anymore. And it's a big chain. Surely they could have set up better security to make sure that such breaches don't happen.
@Tank you're right about the figure, it's now 110 million users! This is an example of a more highly sophisticated attack; the malware used in the Target attack was written by someone with a high degree of skill. They look for the security flaws and most of the victims are department stores. The Target breach may also have been a part of a similar attack on Neiman Marcus, another retailer. I think it's the same person or group; they have a similar pattern.
" So this seems to be a case where Target really messed up."
@Tank I could not agree more. A retailer that does the volume that Target does has no excuse for this. They make millions daily and they cannot safeguard customer information? Much of which they badger you for at the check-out counter. And then it takes four days for the CEO to make a public apology?
Save the apology and cut me a check. I may never use my card there again. Target has become the textbook case of "retailer data-caretaking apathy (ineptness)".
I'm not sure how the Target hack will affect consumer behavior. It may have affected up to 110 million customers. That would be more than the population of many countries. Per the linked article: "This is a breach that should've never happened," Forrester vice president and principal analyst John Kindervag said in a statement today. "The fact that three-digit CVV security codes were compromised shows they were being stored. Storing CVV codes has long been banned by the card brands and the PCI SSC."
So this seems to be a case where Target really messed up.
Though the Target breach doesn't directly relate to mobile payments, I think that your recommendations are fairly good. You should always make sure to keep close tabs on all your statements, and I think most people do.
I don't think that mobile payments have much more risk on the processing side than normal authorizations; the systems payment authorization companies have are fairly robust (though obviously not foolproof).
The real issue with the mobile payment trend is the transmission of the information. I'm not sure what type of mobile payments you're getting at, but NFC payments have obvious concerns that have been brought up in articles on this forum many times before. In terms of just submitting payments over cell phones or other mobile devices (anything over wi-fi included) you have to be a lot more concerned about man in the middle attacks and spoofing.
You gave a couple of broad security suggestions for both industry and then for individual users but there needs to be a much more specific understanding of threats and how devices work if a consumer or a business wants to be more secure.
Personally I don't think that the Target breach is going to have any effect on mobile payment growth.