Today's mobile computing devices typically run complete operating system software providing a standardized interface and platform for application (or “app”) developers. Simply put, an app is software for enhancing a user's experience on a mobile computing device. In recent years there has been tremendous growth in demand for mobile computing devices boasting powerful processors, abundant memory, large screens and open operating systems. A smartphone is one example of a popular mobile computing device that includes a phone with e-mail and Internet access features. Demand for apps has grown in step.
Banks, financial institutions and other issuers of credit cards, bank cards, charge cards, and other payment products, as well as other e-businesses, have focused great attention on tapping into the rising demand for mobile computing devices through the provision of online, mobile financial services and transaction capabilities. However, they have faced hurdles in this regard, including the increasing problem of online/mobile fraud.
Online/mobile credit card fraud is a growing menace to card issuers, e-businesses and their customers as fraudsters target online payments using stolen card details. This type of “card-not-present” fraud takes advantage of the inability of merchants who sell and ship products and provide services online to physically inspect the credit cards. So, when credit card details (which can be easily stolen) are provided over the Internet, it is difficult for a merchant to verify that it is, in fact, the true card holder who is authorizing the purchase. Compounding the problem, shipping companies eschew taking responsibility for checking identification at the addresses where they ship products.
Credit card fraud is also an adjunct to identity theft. Phishing is one particularly problematic technique used to gain personal information for purposes of identity theft. Fraudsters use authentic-looking, fraudulent e-mail messages (which can include links to fraudulent websites) that appear to come from legitimate sources to fool recipients into divulging personal data such as, for example, card numbers, bank account numbers and passwords. It has been reported that approximately 450,000 phishing attacks in 2012 led to losses of approximately $1.5 billion—an increase of about 59% in number and 22% in financial loss over the previous year.
The financial services industry has developed preventive measures. However, such measures have met with limited success because of vulnerability to fraud and/or poor industry adoption (e.g., because the measure is intrusive to the card holder at the point of sale). One example of such fraud is the “man-in-the-middle attack,” in which a fraudster intercepts all messages between two endpoints, making each endpoint believe that it is communicating directly with the other over a private connection when, in fact, the entire conversation is controlled by the fraudster. EMV (EUROPAY, MASTERCARD and VISA) smart card “chip and PIN” technology (the “chip” denoting the integrated circuit embedded in the card; the “PIN” denoting the personal identification number that must be supplied by the card holder) is one example of such a preventive measure. However, a drawback of using EMV cards is that, in card-not-present transactions, the card holder must use a personal card reading device.
Single- and multi-factor authentication approaches also have their drawbacks in the online banking arena. Such approaches require the presentation of one, or of two or more, of three authentication factors: a knowledge factor (“something the user knows”), a possession factor (“something the user has”), and an inherence factor (“something the user is”). The single-factor approach (e.g., a password) has been shown to be highly vulnerable to phishing attacks; the two-factor approach (e.g., a password and a secure token or a fingerprint) has been shown to be vulnerable to man-in-the-middle attacks; and the three-factor approach (e.g., a password, a secure token and a fingerprint) has experienced poor adoption by customers because it is too complicated.
Additionally, the use of credit card verification codes (e.g., CVC2/CVV2) in the e-commerce arena has proved vulnerable to phishing attacks. These are the three- or four-digit codes printed on the front of the card or on the signature strip on the back.