Think Outside the CAPTCHA Box

by Mary C. Long

Mobile devices make our lives easier. But they also open us up to increased potential for fraud and security issues. 

Verifying mobile device users is something all businesses should be thinking about, especially as more of our activities — both professional and personal — are conducted via apps.

Mobile devices make our lives easier. But they also open us up to increased potential for fraud and security issues. 
Verifying mobile device users is something all businesses should be thinking about, especially as more of our activities — both professional and personal — are conducted via apps.

The App Generation

It used to be that many of us would only feel safe conducting tasks like banking, viewing health records or accessing work email from a desktop browser, but not anymore. According to a Pew Research Center study from April 2015, 10 percent of Americans own a smartphone, but don’t have broadband Internet at home. Another 15 percent of Americans own a smartphone and report that they have a “limited number of options” for getting online without that device.

If consumers are turning more to mobile devices, that means the bad guys are too. This increases the chances of fraud through mobile apps — especially since lazy authentication processes are still the norm. 

Why is that? Because when building mobile apps, the focus tends to be on the user experience: make it beautiful, seamless, easy.
Should we as consumers accept part of the blame for lax security? We want access to be as seamless and easy as the UX, and having to enter our social or answer security questions to check our credit card balance in the midst of errands is annoying.

Of course, we’re never happy to discover our information has been stolen or compromised, or to hear that popular apps we rely on (like iCloud) have been hacked. 

Where's the middle ground?

Safe, Secure and Subtle

Mobile users want to feel safe, without having to think about it all the time — and they expect businesses to take on this responsibility. Luckily, there are leaders in the authentication industry trying to walk that fine line between genuine safety and a satisfying, simple user experience.

Entrust, for example, works with enterprise businesses on beefing up mobile security while also knocking down “frustrations and barriers” — as it puts it — on the front end. They’ve predicted that phishing is becoming a bigger and bigger problem so “reinforced authentication” is no longer optional.

On the backend, there are vendors like Trulioo who are working on how to streamline authentication for enterprise clients, while also keeping consumers informed about the types of fraud risks they're susceptible to — particularly as mobile wallets gain popularity.

The thing is, data verification is complicated and, unless you're a developer, is hard to explain. Knowing this, even businesses outside the ID verification space are sharing best practices with their clients to keep them informed of the dangers.

Financial service provider Due recently posted reminders to do simple things like “not sharing your passwords with anyone, regularly changing your passwords and subscribing to an identity protection service.” Seems obvious, right? But when was the last time you changed a password voluntarily? 

Simple security measures are sort of like flossing: everyone knows they should, but many often don’t.

What Will it Take to Change?

Although businesses can force security measures and authentication codes on their employees, in their personal lives Americans don’t trust verification methods. To really improve security, many security pros say they need better data, but insights from Pew Research Center prove the public still needs some convincing:

⦁    57 percent of Americans have refused to provide information about themselves that wasn’t relevant to a transaction
⦁    25 percent have used temporary usernames or email addresses to register for an online service
⦁    24 percent have given inaccurate or misleading information about themselves
⦁    23 percent have not used a certain website because it asked for a real name

But that doesn't mean mobile security experts should stop trying. The danger is real, but so is the need for better protection in a consumer-approved form.

Mobile has changed everything else in our lives — from the way we communicate to the way we do business — so why would we use old methods to verify identities? It’s time the industry started to think outside the CAPTCHA box.


This post originally appeared at CMSWire.

Title image "National Security" (CC BY 2.0) by  garryknight ​