Mobile security technology fights fraud

COMMUNICASIA, SINGAPORE--An Australian company has developed technology for securing mobile payment, which it claims can help authorities provide timely intervention for fraud.

Qpay's Mobile Voice Identification (MoVid) platform is a layer of security that sits between the authentication platform and the application, which could be anything from remote enterprise network access to mobile shopping or banking.

Greg Walter, CEO and founder of Qpay, told ZDNet Asia in an interview Thursday at CommunicAsia 2008 there are tremendous opportunities in mobile commerce given the ubiquitous nature of mobile devices. However, he pointed out the "mobile phone is a very unsafe device".

Online transactions, he added, are insecure despite the advent of two-factor authentication. For instance, smart keylogger software can reverse-engineer the algorithm of a hardware token with just five transaction timestamps, he said.

"[With MoVid,] we can provide three- to five-factor authentication that's cheaper than a token," said Walter.

Rather than rely on security technology that works via the Internet, which is susceptible to attacks, Qpay opted for out-of-band or offline technology as their second and third authentication mode. For a higher dimension of security, voice biometrics can be used as the fourth or fifth authentication factor, said Walter.

According to him, the user sets up a one-time PIN (personal identification number) using an automated voice machine. When the user tries to perform a transaction using his passcode for the application or service, the interactive voice response (IVR) system is activated to call the user and request him to provide the registered PIN to proceed with the transaction.

A unique feature of the IVR is that the response prompts allow the user to authorize the transaction or automatically alert the service provider of man-in-the-middle attacks or stolen credentials--believed to be a world first, said Walter.

The ability to detect fraudulent activity at the point of transaction, makes it possible to alert authorities and try to track down the location of the criminals, he added.

The fraud mitigation technology is currently pending a patent, and is targeted for commercial release in early July. According to Walter, Qpay has already secured a contract with a payments provider in the area of mobile reload, where consumers can top up their prepaid cards for use as credit cards.

Over in Hong Kong, Qpay has customized a proof-of-concept system for a bank to securely notify customers of their account balance upon an SMS. In Singapore, it is in talks with two banks and two telcos.