Today, most customers are using their smartphones while shopping in-store, online, or in-app. Since the use of smartphones has increased, a growing number of retailers are now expanding their mobile apps to include shopping, promotions, and payment capabilities. Thanks to this, customers can not only use the mobile app during shopping to find the right products with the right personalized promotions, but can also checkout quickly while redeeming their loyalty points, rewards, and offers. Through the mobile apps, these retailers are able to bring customers back to their stores more often through issuing time sensitive reward currencies based on previous shopping.
As retailers drive the use of their mobile apps, they have a responsibility not only to secure their own data, but also to make sure that their customers’ personal and financial information is secured. This hasn’t always been the case, though, and even big wigs like Starbucks have had issues.
Retailers must do more to protect their loyal customers; mobile apps should be designed with the below points in mind to shield customers from malicious attacks and fraudulent use of data.
Fraudulent use of Payment Card Data
It’s crucial to verify the identity of the device owner along with the payment information entered. A retailer app should not allow the use of somebody else’s payment card data entered into the app for making purchases. If not careful, it is very easy to run into this problem as multiple mobile wallet applications did in the start of their roll out. Most of those apps finally addressed the issue, but it could have been avoided from day one. Such issues could be easily addressed through confirming that both the card and the mobile device being used to enter or activate the card belong to the same customer.
Account Take Over
Retailers must be prepared to fight “account take over,” where a customer’s account is accessed and their stored payment information is taken advantage of. This widely reported problem is an issue not only for fraudulent financial transactions, but also for identity theft cases. There are still leading retailer applications out there struggling with this “account take over” problem, even after multiple years in operation. Take note of what not to do from these retailers, who most likely did not design their mobile app platform to address this issue at the core level from day one.
Encryption of Data during Communication and Storage
Retailer apps should always use strong encryption and best practices to secure customer personal and financial information during communication and storage according to the PCI DSS security guidelines. As an example, when the customer enters payment or personal identity information on their device, it should be encrypted by the app right away using a public key generated by a PCI-certified secure vault with proper signature, so that only the secure vault can receive the entered data from the intended device and can decrypt it using its private key before storing the encrypted form under its own storage keys.
Malware, Man-in the-middle attack, and Health of the App
It is also the retailer’s job to protect their mobile platforms from any malware, phishing, or man-in-the-middle (spoofing) attacks. Such problems could lead to a number of various fraudulent misuses like gathering consumer information, fraudulent transactions, account takeover, identity takeover, app locking, and compromise of retailer backend networks. Retailer apps should use authentication techniques during communication between the app and its servers and app-level signatures to confirm the health of the app itself, especially before allowing any sensitive functions to occur.
Retailer mobile apps should always allow customer authentication through multiple factors, including already-known device engagement, One Time Password (OTP), customer biometric, fingerprint or face recognition, and geo-location factoring.
The list of possible security issues to deliver a dependable and secure mobile experience to customers goes on and on, and has dependencies not only associated with the retailer mobile app, but also the mobile device. Factors like device ID, hardware components, firmware and operating system, carrier subscription, device SIM, programming practices, malware types, unintentional vulnerabilities introduced in applications, and more can all affect mobile app security.
According to the Hewlett Packard Enterprise Cyber Risk Report 2016, 90% of web apps end up with vulnerabilities caused by security functions, where authentication, access control, encryption and similar functions were originally introduced to make applications more secure. Instead, more often than not, developers end up introducing security vulnerabilities in the product because of incorrect implementation of these tools.
Clearly, retailers are pushing exciting boundaries to deliver delightful customer experiences hand-in-hand with dependable service. Building the right level of security implementation as part of a retailer mobile app is essential. At the same time, various types of malicious attacks are growing, implementing security is complex, and the security and authentication technologies are evolving quickly. Implementing the right type of security design that can grow with time should not be taken lightly, using only existing in-house resources. The best course of action and the only way to play it safe is to ensure the proper security measures are taken is to seek help from relevant experts and services in the industry.
Mohammad Khan, President & Cofounder of Omnyway. Besides other roles, Khan was the security lead for Verifone during its first 12 years of growth through 1995, and also participated in ANSI standard committees for mutual authentication and security key management standards for the retail industry. Khan has more than 50 patents granted and pending in secured payments and mobile commerce.