Smartphone Theft Prevention Act, Revisited
I first wrote about the Smartphone Theft Prevention Act last year, when it was originally proposed but ultimately not passed during the 2014 session. The bills were revived in both the House and Senate for 2015, but GovTrack.org gives the legislation only a 2% chance of making it through Congress this year, likely because it lacks bipartisan support. California and Minnesota did pass state laws in line with the Act, and of the two, California's is expected to have greater impact as it forces all smartphones sold in the state to be equipped with the technology. Both state laws go into effect July 1, 2015.
The technology is already available on some manufacturers' devices and is intended to prevent the use of stolen phones, which would be rendered worthless to anyone but the owner once reported stolen to the carrier. Apple included the technology starting with iOS 7 and its Activation Lock solution, which has led to a 40% drop in iPhone theft in San Francisco, a 25% drop in New York, and a 50% drop in London, according to Reuters.
Beyond the obvious benefit of reducing consumer costs associated with replacement devices, there is a potentially huge security implication, as this technology better positions the smartphone as an extension of personal identity.
Using a cell phone as an extension of one's identity is not a new idea. Near field communication (NFC) permits data exchange and contactless payments, and a variety of one-time password apps are available for most mobile platforms to enable two-factor authentication for banking and secure login. Apple Pay has extended the notion of the electronic wallet and incorporated a variety of token and cryptographic features to improve payment security, but payment is only the first wave of capability. Extending identity is the next logical step.
The phone number is just part of what ties a device to a user; depending on the technology used, the SIM, electronic serial number (ESN), mobile equipment identifier (MEID), or International Mobile Station Equipment Identity (IMEI) all serve to associate a device with an account. Manufacturers implementing the kill switch technology are also removing the barriers and much of the risk of tying people to their phones, which could further help protect consumers against fraudulent charges and reduce losses to financial institutions as well.
Today, many financial institutions use consumer buying habits and principal geographical regions to flag accounts for unusual activity and alert customers to potentially fraudulent charges. The primary issue with this technique is that it is often reactive, occurring only after a transaction happens at a far-flung point of sale. While the consumer is protected against the erroneous charge, a vendor or financial institution takes a loss, which is ultimately passed along to all consumers through higher costs. This is where a cellular device, with built-in GPS or cell tower triangulation, can come to the forefront of fraud prevention.
Security experts recommend multiple factors of authentication for added protection with banking and other sensitive accounts. This solution typically combines three authentication categories: something one knows, such as the traditional username and password; something one has, such as a passport, license or phone; and something one is, such as fingerprints or a retinal scan. Adding a new category to this group, where a person (and their phone) is located, increases the complexity further and helps break the chain of deception by distant thieves.
Want a possible scenario? An individual associates their phones with their credit card account, and when they make purchases using their card, the company compares the point of sale with the phone's current location or its last known location. This way a purchase made in their hometown would be fine, one in a neighboring town an hour later would still be OK, but the next transaction an hour later from across the country would be denied.
Additionally, if the phone indicates the individual was some distance away from his or her primary address, say 100 miles, a banking app could prompt them with a security challenge requiring a response, with the correct reply leading to an approved purchase. A text message verification or secondary phone app solution would be beneficial for online transactions as well, limiting the value of possessing credit card data alone. These solutions already exist in some form today, so these scenarios merely extend proven cell phone technology, but with fewer identity risks.
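The two checks in this scenario, sketched as an added example that is not from the original article or any card issuer's system: a travel-plausibility test between the phone's latest fix and the point of sale, then the 100-mile challenge. The `Fix` type, the 600 mph ceiling, the one-minute time floor and all coordinates are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_MILES = 3958.8
CHALLENGE_MILES = 100.0     # the article's "say 100 miles" from the primary address
MAX_PLAUSIBLE_MPH = 600.0   # assumption: roughly airliner speed
MIN_ELAPSED_HOURS = 1 / 60  # assumption: floor that absorbs clock skew and coarse fixes

@dataclass
class Fix:
    lat: float
    lon: float
    hours: float = 0.0  # observation time in hours on a shared clock

def miles_between(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance in miles."""
    lat1, lat2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = lat2 - lat1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def decide(sale: Fix, phone: Fix, home: Fix) -> str:
    """Return 'deny', 'challenge' or 'approve' for one card transaction.

    phone is the most recent location reported by the handset (current or last known).
    """
    # Could the phone have travelled from its last fix to the point of sale in time?
    elapsed = max(sale.hours - phone.hours, MIN_ELAPSED_HOURS)
    if miles_between(phone, sale) / elapsed > MAX_PLAUSIBLE_MPH:
        return "deny"
    # Plausible, but the phone is far from the primary address: ask for a challenge.
    if miles_between(home, phone) > CHALLENGE_MILES:
        return "challenge"
    return "approve"

# Constructed sample coordinates (approximate city centres), not data from the article.
HOME = Fix(38.58, -121.49)            # hometown and primary address
NEIGHBOUR = Fix(38.54, -121.74, 1.0)  # neighbouring town, one hour later
FAR_COAST = Fix(40.71, -74.01, 2.0)   # across the country, one more hour later
TRIP = Fix(34.05, -118.24, 48.0)      # account holder travelling with the phone

if __name__ == "__main__":
    print(decide(Fix(38.58, -121.49), HOME, HOME))  # hometown purchase
    print(decide(NEIGHBOUR, HOME, HOME))            # phone last seen at home an hour ago
    print(decide(FAR_COAST, NEIGHBOUR, HOME))       # card used far from the phone
    print(decide(TRIP, TRIP, HOME))                 # phone and card both far from home
```

The time floor means a sale timestamped at or before the phone's fix is still allowed roughly ten miles of slack, which covers imprecise cell tower positioning without letting a distant purchase through.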
Privacy concerns spring to mind of course, but how much additional data would really be mined? Many smartphone users freely share personal data and enable location services on social networking apps, parking helpers, map and navigation apps, and restaurant and services locators. Entrusting a financial services company you currently use with your actual location at the time of a transaction is not as intrusive as it first appears. As consumers, people tell their financial institutions where they shop every time they purchase something; this just provides an additional element to ensure it really is the account holder.
Whether or not the proposed bills become law or additional states follow California and Minnesota, the technology finally exists that could easily morph the smartphone into the long-promised electronic identity that could improve consumer protection. One barrier to adoption has been the risk of a lost or stolen device being used by someone else. With a smartphone kill switch solution available, this obstacle may finally be overcome.
iTech Dunya
