Mobile marketers forced to choose between security and convenience
By Chantal Tode
January 21, 2014
Personal data is vulnerable in Starbucks’ mobile app
Recent developments such as the Target and Neiman Marcus data breaches as well as vulnerabilities uncovered in Starbucks’ payments application point to how mobile is making it harder for companies to protect their customers’ private information while simultaneously delivering engaging experiences.
President Obama’s recommendations last week for putting more controls on the National Security Agency’s phone surveillance point to just how concerned United States citizens are about how their personal data is being used. If companies do not take these concerns seriously, there is the potential to slow adoption of mobile services, such as payments.
“The recent breaches at Target and Neiman Marcus were caused by RAM scrapers developed by sophisticated criminals that infected point-of-sale systems to find clear text data,” said Mary T. Monahan, executive vice president and research director for mobile at Javelin Strategy Research, Pleasanton, CA.
“Starbucks is intentionally leaving data in clear text supposedly for their customer’s convenience,” she said. “For a criminal gang, that is like putting a bull’s eye on a target, and saying, ‘Aim here.’
“It won’t be very convenient for their customers when they are breached, because it is really just a matter of when, not if. Customer data must be protected.”
Convenience vs. security
The significant success of Starbucks’ mobile payments app is, in part, based on how easy it is to use.
However, last week it was revealed that the company may have chosen to sacrifice a certain level of data protection to ensure a streamlined experience.
A security researcher revealed that Starbucks’ iOS app stores customer data in plain text and locally on a device. This means passwords and geolocation could be accessed by a hacker.
While Starbucks has said it knew about the vulnerability and downplayed its significance, the company is reportedly working on adding additional protection.
The log-in page within Starbucks’ app
With consumers expecting quick-and-easy mobile experiences, one challenge companies face is coming up with ways to safeguard personal data without compromising the user experience. Having users of mobile apps input a four-digit password is one commonly used strategy for ensuring data cannot be accessed by the wrong person.
When users are expected to re-enter the password every time they engage in an action that leverages their personal data, such as making a purchase, this can become cumbersome.
“This seems to be a failure of the mobile app development process, as clear text credentials should never be stored in this way,” said Jamie Cowper, senior director at Nok Nok Labs, Palo Alto, which is a founding member of online authentication organization Fast Identity Online Alliance.
“It showcases the challenge that developers face with regards to authentication: do they make access to an application more secure but run the risk of limiting usability, or do they take the path that Starbucks seems to have done, and weaken the security to improve the customer experience,” he said.
The way the situation at Target has evolved over the past month points to the challenges with security that companies operating across multiple channels are having.
Retailers are under a lot of pressure to offer omnichannel experiences because this is what their customers are demanding. As mobile use continues to grow, consumers increasingly expect to be able to engage brands when and where they want throughout the path to purchase.
However, as the number of customer touch points grows, this gives the criminals interested in stealing customer data more fronts on which to attack.
Target first announced its customer data had been breached back in December and, at the time, insisted only 70 million customers had been affected and only those who had shopped in its physical stores.
However, the scale and breadth of the breach have continued to grow since then, with Target now saying that up to 110 million customers were affected, including online shoppers.
In an email to customers last week, Target said mobile phone numbers were compromised.
As companies increasingly put mobile devices into the hands of their employees to enhance customer interactions, supply chain management and other operational issues, another problem that is arising is that these devices are being lost or stolen and winding up in the wrong hands.
The challenges with mobile and protecting customer data underscore the need for companies to integrate mobile across the organization.
“You have to understand what the obstacles to trust are from your customers,” said Jason John, vice president of online, mobile and social marketing at Gilt, New York. “We have less of a barrier because our customers are early adopters of mobile.
“We keep reiterating to the customer that we have security measures, especially when things like Target came out over the holiday,” he said.
“Internally keeping that integrity is a combination of legal, finance and being on the same page. Mobile is a corporate strategy so you need to be integrated in all phases.”
Mr. John recommends retailers try a financial incentive to help customers overcome any insecurity they feel about using mobile.
“When you get somebody to buy cross-channel, you see a general lift, you see their overall lifetime value grow,” Mr. John said. “They can maybe get over that insecure feeling if they know they’re going to get an extra 20 percent off.”
Moving beyond passwords
Growth in mobile payments is already moving slowly due to issues other than data protection, mainly the lack of a clear-cut winner when it comes to which technologies will enable mobile payments.
The data breaches are likely to further restrain consumer and retailer interest in adopting mobile payments.
However, the industry is working on solutions that would enable companies to better secure personal data without compromising usability.
“The challenge is also that as consumers, we often reuse passwords across multiple sites, weakening security across the whole ecosystem,” Nok Nok Labs’ Mr. Cowper said.
“Industry initiatives, such as the FIDO Alliance, are attempting to combat this trend by looking at new ways to simplify strong authentication, leveraging the capabilities of mobile devices including hardware secure elements, biometric sensors and more,” he said.
“It seems that we are going to need this kind of technological innovation to get away from the current password problem.”
Additional reporting for this story was provided by Rebecca Borison, editorial assistant on Mobile Marketer.
Chantal Tode is associate editor on Mobile Marketer, New York