Why Tokenization Might Not Be Security’s Foolproof Plan
In order for mobile payments to truly take their place on the world stage, such systems must be regarded as safe for use. People have to be as confident about mobile payments as they are about their credit cards, or even cash.
While great advances have been made in getting there, drawing on the previous successes of online payments in general, there are still new risks. Tokenization is being pushed as a means to provide that little something extra, but new reports suggest that tokenization has a few issues of its own.
The adoption of tokenization in Apple Pay was regarded as a great step forward for the field. It is certainly better than nothing at all, but some doubts linger over whether tokenization is powerful enough to serve as a primary security measure.
Essentially, tokenization replaces sensitive data such as a card number with a random surrogate value, the token, that stands in for the real data. The sensitive data is represented by this token and processed in the cloud, which means the underlying data is protected both at rest and in transit.
Hackers who manage to intercept the system mid-flow would get only the tokens, and the tokens on their own would be effectively useless.
This is good news for several reasons: merchants don’t have to hold onto sensitive data, which limits their liability, and stronger identification features such as fingerprint or facial recognition can be put into play.
However, tokenization doesn’t come without vulnerabilities. One is network segmentation: the tokenization system has to be kept inherently separate from the data processing mechanism. Another is how the tokens are generated; if strong cryptographic functions aren’t used to generate them, the tokens might ultimately be compromised because the underlying encryption can be broken. Recycled tokens pose a similar problem. Some even suggest that there aren’t sufficient standards around tokenization to make it truly effective.
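To make the generation and recycling points concrete, here is a constructed example (not code from the article or any payment provider) of a minimal token vault: tokens come from the operating system’s CSPRNG via Python’s `secrets` module, every token is unique and never reissued, and the weak alternative, a seeded non-cryptographic PRNG, is shown alongside it so the difference is visible.

```python
import random
import secrets


class TokenVault:
    """Tokenization service (constructed illustration): the only place the
    real card number (PAN) is stored; merchants only ever see tokens."""

    def __init__(self):
        self._pan_by_token = {}   # token -> PAN, the protected lookup table
        self._issued = set()      # every token ever handed out (never recycled)

    def tokenize(self, pan: str) -> str:
        """Return a fresh 16-digit token that keeps only the PAN's last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # secrets draws from the OS CSPRNG, so a token cannot be predicted
            body = f"{secrets.randbelow(10**12):012d}"
            token = body + pan[-4:]
            if token not in self._issued:   # a token value maps to exactly one PAN
                break
        self._issued.add(token)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; only the segmented vault can do this."""
        return self._pan_by_token[token]   # KeyError for unknown or forged tokens


def weak_token(pan: str, seed: int) -> str:
    """Anti-pattern: a token built from a non-cryptographic PRNG seeded with
    something guessable (a timestamp, a counter) is fully reproducible."""
    rng = random.Random(seed)
    return f"{rng.randrange(10**12):012d}" + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    t1, t2 = vault.tokenize(pan), vault.tokenize(pan)
    print(t1, t2, vault.detokenize(t1) == pan)
    print(weak_token(pan, 42) == weak_token(pan, 42))  # same seed, same token
```

Two tokenizations of the same card yield two different tokens, so a token captured in one transaction cannot be replayed as another, while the seeded generator returns the same value every time its seed is known.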
The good news here is that the problem doesn’t seem to be inherent, but rather a matter of how tokenization is used. Tokenization is sufficiently powerful to serve as a protective measure for mobile payments, but only if it’s used the right way. If it’s used in conjunction with other authentication tools, tokens aren’t recycled, and some basic standards are in place so that the token experience on Amazon is the same as the one on eBay and so on, then tokenization achieves its full power. That’s a good point, and one that should move tokenization to the front of the pack security-wise.
When these basic points are put in play, tokenization becomes a more powerful alternative, and one that looks ready to take on the field. The downside, of course, is that for every security measure put in place, hackers are hard at work looking for a way around it. Will tokenization be the next big thing in security? It might be…at least for a while.