More than ever before, we're living most of our lives via mobile devices, which means sensitive information is in transit constantly. In the past, data security relied heavily on methods that really only work well on a desktop — but given that online ne'er-do-wells seem to get craftier and more industrious every day, the old defenses are past their prime.
But have no fear: forward-thinking companies like Braintree, a PayPal company, are now rebooting data security to make online commerce safe — and lucrative — in the mobile age.
Out with the Old
The Internet has existed only for about half a century, but some of the methods we use to keep the data we share safe are surprisingly archaic. Security questions, for instance, date all the way back to the early twentieth century, when brick-and-mortar banks started asking customers to provide their mother's maiden name to open accounts.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was introduced at Carnegie Mellon University in 2000, essentially predating the smartphone era. The fact that CAPTCHA is annoying to users is only the beginning of its problems; studies have found it's actually bad for business. Even the pillar of online authentication — passwords — is becoming passé: the guy who invented them in the 1960s thinks they're "kind of a nightmare."
The old Catch-22 of commerce is that, often, the more secure a transaction is, the more of a pain it can be for the customer to complete it. An easy user experience translates to dollars, which is why one-touch payments are so desirable. Braintree recently unveiled this new capability for PayPal and Venmo to eliminate the need to reenter usernames and passwords without sacrificing security. Apps like Jane.com and StubHub have already enabled it.
In with the New
Humanity recently reached an astonishing milestone: there are now more mobile connections than people on the planet. The mass adoption of mobile technology and commerce — to the tune of a projected $293 billion in 2018, by research firm Forrester's estimate — means there needs to be a massive shift toward data security that is optimized for mobile. Here are a few ways this is happening:
Fraud Protection Technology: According to research firm Aite Group, "card-not-present" fraud will cost merchants $2.9 billion in losses in 2014. When any transaction is made online, whether it's made and received on a desktop or mobile device, it needs to be tested for integrity. Who is making the transaction, and where are they? Braintree provides merchants with free fraud protection — code that subjects transaction data to hundreds of instantaneous tests for things like location, email, and billing address. Depending on the results, the transaction is either accepted or rejected as authentic.
Encryption: "The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it." That was the advice of Robert Morris, the famous cryptography pioneer who helped develop the Unix operating system in the 1960s. Nobody's really taken that bit of playful wisdom to heart, but his message was clear and it endures: all of our online activity — especially when it involves our financial data — needs to be encrypted.
Data is most at risk when it's in motion, like when we make payments. Encryption keys are codes physically stored somewhere (at Braintree, they're stored on multiple distinct servers). Stolen data would be useless to a thief without these tough-to-get keys.
Encryption presents special concerns for businesses like Uber, for whom speed is the name of the game. The international car service app, which switched to Braintree in 2011, was able to gain customers and cut compliance costs by using Braintree's client-side encryption written in a mobile language, which is much faster than encryption written for web pages. Not only is Uber's app fast, but it's secure: the last person to see the credit card information is the customer who enters it.
It's also worth noting that, in some situations, like when you're not at work or at home, mobile devices can actually be fundamentally more secure than a desktop computer, since they can connect over a mobile network, which is encrypted. More advanced mobile technologies, like 4G LTE, use longer — and thus, stronger — encryption keys. In contrast, most public Wi-Fi hotspots, like those you would find at a coffee shop or hotels, are not encrypted, meaning that a malicious user on the same network can see any data you send and receive.
Session Timeouts: The longer you're logged into an app or a website, the higher the chances are that someone can intercept your data. Many services automatically log you out of an inactive session after an established period of time. Braintree times users out after 15 minutes, so, if a customer has second thoughts about their weekend getaway and forgets to complete a booking on Airbnb, they're covered.
Multi-step Authentication: The end is near for the era of tapping in a single password or PIN to gain access to your accounts. Many companies that store and handle sensitive data, including PayPal, now offer or even require two-step verification — a conventional password, plus a temporary code either generated by a code-generating device you carry or sent via text to your phone — to keep the bad guys out of your account.
Tokens: Perhaps the best way to keep cardholder data out of the hands of thieves is to avoid transmitting it altogether. This is accomplished by substituting credit card information with a "token" that contains no meaningful information, like a QR code. LevelUp, the mobile customer loyalty app, uses a "triple token" system for transactions. Neither LevelUp nor the merchant — or even the customer, for that matter — handle the card data. Instead, the customer flashes a randomly generated token (a QR code) with their LevelUp smartphone app. That token maps to another token, which also lacks any useable information, onto LevelUp's servers, which then maps to a token stored in Braintree's vault, where the card data is ultimately held. Only with all three tokens — which basically act as a key to another key to another key where the real data is held — can a transaction happen.
Penetration Testing: Two can play at hacking. Sometimes the best way to expose vulnerabilities is to conduct testing yourself. Many companies plan what are essentially purposeful, honest hacking attempts — by both automatic and human, internal and external entities.
Background Checks on Data Handlers: Have you ever wondered if some guy in a cubicle can read your messages to friends or browse through your private photos stored in the cloud? In 2012, former Facebook employee Katherine Losse published a tell-all book that claimed that in the early days of the social network, a "master password" could give employees access to any of the millions of accounts on the site. Even the U.S. government has been guilty of compromising taxpayer information by failing to check up on its workers; in 2014, a federal audit found that the IRS handed over sensitive data to contractors, a significant number of whom underwent no background checks at all. Standards are being raised all the time, and nowadays, most large companies, including Braintree, give access only to a select group of employees who undergo background checks, sign agreements that they will use information appropriately, and receive training.
With the majority of Americans (58%, according to the Pew Research Center) now owning a smartphone, the battle lines have officially been redrawn — and thanks to improvements to mobile security from companies like Braintree, we'll be carrying the tools to fight fraud wherever we go.
Andréa Ford is a freelance journalist covering technology and other topics. She has a specialty in infographics and previously wrote for TIME Magazine.