Survey of Strong Authentication Approaches for Mobile Proximity and Remote Wallet Applications - Challenges and Evolution
A wallet may be described as a container application used for configuring,
accessing and analysing data from the underlying payment application(s). There
are two dominant types of digital wallet applications: proximity wallets and
remote wallets. In the payment industry, one often hears about authentication
approaches for proximity or remote wallets, or for the underlying payment
applications, separately, but to our knowledge there is no such approach for
the combined wallet, the holder application. While a Secure Element (SE)
controlled by the mobile network operator (i.e., the SIM card) may ensure
strong authentication, it introduces strong dependencies among business
partners in payments and hence is not gaining traction. An embedded SE in the
form of a trusted execution environment [3, 4, 5] or trusted computing [24] may
address this issue in future, but such devices tend to be somewhat expensive
and are not abundant in the market. Meanwhile, for many years, context-based
authentication, involving device fingerprinting and other contextual
information for conditional multi-factor authentication, will prevail and
remain the most dominant and strong authentication mechanism for mobile devices
from various vendors in different capability and price ranges. The EMVCo
payment token standard published in 2014 tries to address the security of
wallet-based payment in a general way. The authors believe it is quite likely
that EMVCo payment token implementations will evolve over time such that token
service providers start insisting on device fingerprinting as a strong means of
authentication before issuing a one-time-use payment token. This paper
discusses the challenges of existing authentication mechanisms used in payment
and wallet applications, and their evolution.
Review of Considerations for Mobile Device based Secure Access to Financial Services and Risk Handling Strategy for CIOs, CISOs and CTOs
Information technology and security stakeholders such as CIOs, CISOs and CTOs
in financial services organizations are often asked to identify the risks of
the mobile computing channel for the financial services they support. They are
also asked to come up with approaches for handling those risks, to define a
risk acceptance level, and to mitigate them. This requires them to articulate a
strategy for supporting a huge variety of mobile devices from various vendors,
with different operating systems and hardware platforms, while staying within
the accepted risk level. These articulations should be captured in the
information security policy document, or another suitable document, of the
financial services organization (bank, payment service provider, etc.). While
risks and mitigation approaches are available from multiple sources, senior
stakeholders may find it challenging to articulate the issues comprehensively
for sharing with business owners and other technology stakeholders. This paper
reviews the current research that addresses the issues mentioned above and
articulates a strategy that senior stakeholders may use in their organization.
It is assumed that this type of comprehensive strategy guide for senior
stakeholders is not readily available, and that CIOs, CISOs and CTOs would find
this paper very useful.