Editor Note: Mobile is changing payments, but you have to get security right, so we wanted a real expert to lay it out for us. David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (in stealth mode), which will track and interpret the use of contactless payments. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences.
Mobile Payments refers to payments made using a mobile phone. This includes mobile proximity payments, where a mobile phone is used to make purchases at the POS terminal through contactless technology such as Near Field Communication (NFC), and mobile remote payments, where the phone is used to purchase products or services online. Mobile wallet payments using software such as Apple Pay or Google Wallet can also be categorized as mobile payments. Enhanced smartphone technology, better network speeds and the rise of e-commerce applications have all contributed to the growth of the mobile payment sector. McKinsey reports that use of mobile wallets will reach $400 billion in annual flows by 2022, in the US alone. Due to its convenience, mobile payment technology is very popular amongst the millennial generation. However, conventional wisdom dictates that we understand the security features and vulnerabilities of mobile payments thoroughly before we enable them in our businesses or start using them as consumers.
The following security features can potentially make mobile payment technology more secure than card or online payments.
- Tokenisation: Square defines tokenization as “the process of protecting sensitive data by replacing it with an algorithmically generated number called a token”. In mobile payment transactions it replaces the customer's primary account number (PAN) with a randomly generated token. The customer's actual bank details are therefore never sent over the network, and a token captured in transit cannot be turned back into the PAN without access to the vault that issued it.
- Device-specific Cryptograms: These are used to ensure that the payment originated from the cardholder's own mobile device. If a hacker somehow obtains the transaction data, the cryptogram sent to the payment terminal along with the token cannot be reused from another mobile device, because it was computed with a key bound to the original device and to that specific transaction. The stolen data is therefore useless.
- Two-Factor Authentication: This provides an additional layer of security when executing the transaction. The second factor could be a password or PIN keyed in on the mobile device, or biometric authentication using fingerprint recognition.
- Protection against loss: Mobile platforms let consumers remotely erase the data on a smartphone when a device containing a mobile wallet is lost or stolen. This acts as a safeguard against fraud and identity theft.
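To make the tokenisation and device-specific cryptogram points above concrete, here is an added illustrative model (not code from the author or from any payment network): a token vault that keeps the PAN on the issuer side, a per-device key derived from an issuer master key, and an authorisation check that rejects a cryptogram replayed with an old counter, altered in amount, or produced on a device the token was never provisioned to. HMAC-SHA256 stands in for the real EMV-style cryptogram algorithm, and all keys, PANs and device identifiers are constructed sample values.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps a PAN to a random 16-digit token; the PAN never leaves the issuer."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token.get(token)


def device_key(master_key, device_id):
    """Derive a per-device key; only the issuer holds the master key (constructed scheme)."""
    return hmac.new(master_key, device_id.encode(), hashlib.sha256).digest()


def make_cryptogram(dev_key, token, amount_cents, counter):
    """Cryptogram over token, amount and a monotonically increasing transaction counter."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(dev_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self, master_key):
        self.master = master_key
        self.vault = TokenVault()
        self.enrolled = {}  # token -> [device_id, last_counter_seen]

    def provision(self, pan, device_id):
        """Enrol a card on one device: returns the token and that device's key."""
        token = self.vault.tokenize(pan)
        self.enrolled[token] = [device_id, 0]
        return token, device_key(self.master, device_id)

    def authorize(self, token, amount_cents, counter, cryptogram):
        rec = self.enrolled.get(token)
        if rec is None:
            return False  # unknown token
        device_id, last_counter = rec
        if counter <= last_counter:
            return False  # replayed or out-of-order transaction
        expected = make_cryptogram(device_key(self.master, device_id), token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong device key or tampered amount
        rec[1] = counter
        return True
```

The issuer recomputes the cryptogram from its own copy of the device key, so neither the terminal nor anyone observing the transaction ever needs the key or the PAN.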
The following vulnerabilities and risks remain and need to be addressed.
- mPOS devices: According to this article on ZDNet, vulnerabilities in mobile Point of Sale (mPOS) machines can allow merchants or personnel at the terminal to change the amount charged to the credit card. The vulnerabilities in the mPOS could also allow attackers to perform man-in-the-middle attacks by intercepting the Bluetooth communication between the mobile device and the reader.
- Variety of mobile devices: Many varieties of mobile phone hardware and software are available in the market. People living in developing countries may not always find the latest technology affordable or accessible and may continue to use older phones and operating systems that no longer receive security updates. Such devices can render mobile payments insecure even when the payment app itself is secure.
- Malicious apps: Users who do not have anti-malware tools on their phones may be targeted with malicious app clones distributed outside the usual App Store/Play Store framework. The best protection is to install only apps published on the Apple App Store or Google Play Store on your iOS or Android devices.
- User Habits: Some users prioritise convenience and fail to protect their devices with a PIN or biometric authentication. Keeping the phone locked at all times protects the data on the phone if it is stolen or lost. According to this article, most mobile payment vulnerabilities stem from user habits.
Like any new technology, mobile payments overcome the disadvantages of older technology while presenting new challenges and vulnerabilities. It is essential to identify these vulnerabilities and secure the system end-to-end. While device and service providers are required to provide adequate security, each user needs to do their part to keep their data and transactions secure.
I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.