
Clutter in the airwaves: Mobile payment security

While already ubiquitous in much of the world, mobile payment options are gaining traction in the United States, reports Stephen Lawton.

In the 1960s, The Jetsons envisioned a future where everyone rode around in a personal spacecraft, while Star Trek imagined a world without money. While jetpacks and private space ships are still a ways off, cellphones, 3-D barcodes, tiny high-resolution cameras, radio frequency identification (RFID) chips and near-field communications are working to make cash as obsolete as the Spanish dollar, also known as the piece of eight. 

However, while mobile payments are becoming ubiquitous in much of the world, they still lag behind in the United States, where cash and plastic credit cards, with their 1950s-era magnetic stripe technology, still dominate.

The lag in acceptance in the United States is, in large part, cultural rather than technological, says James Vanreusel, chief financial officer of South Pacific Business Development, a Newark, N.J.-based network of microfinance institutions doing business in Fiji, Samoa, Tonga and the Solomon Islands. 

Unlike the United States, where banks or automatic teller machines are on almost every street corner and payments are easily processed, third-world nations often have few physical bank branches, and those that do exist could be a day's travel for villagers, he says. While Europe does have more brick-and-mortar banks, British-born Vanreusel notes, many have inconvenient hours, so technology-based transactions, such as mobile payments, become the preferred choice.

The vast majority of the cellphones used for mobile payments in places like Fiji or Tonga are not elaborate smartphones, but rather the basic-feature phones, Vanreusel says. Popular services used for sending funds around the world, such as MoneyGram or Western Union, which have a physical presence, charge a fee based on a percentage of the amount being transferred, he says. Internet-based services that have much lower operational costs can reduce that to mere pennies per transfer.

A large percentage of the mobile payments made today in the United States are called remittances, where a family member living in the U.S. might send a portion of each paycheck home to family members living in a country that has a limited banking system. Fees for these remittances can eat up a significant portion of the transfer depending on the type of service used, Vanreusel says.

James Wester, a research director responsible for the global payments practice for IDC Financial Insights, a Framingham, Mass.-based research, consulting and advisory services firm, agrees that remittances represent the largest percentage of domestic transactions. Because the banking infrastructure overseas might be limited, one challenge third-world users face is that the funds associated with mobile payments are often tied directly to a user's phone. If the phone is lost or stolen, the money is lost as well, much like someone losing their physical wallet. 

But, unlike mobile payments in the third world, U.S. users of smartphones who make mobile payments are protected, much in the same way that credit card users are protected domestically, notes Stan Stahl, president of Citadel Information Group, a Los Angeles-based data security consultancy, and the president of the Los Angeles chapter of the Information Systems Security Association, an international nonprofit association of information security professionals and practitioners.

“Consumers paying via credit cards on their smartphones, or [who] have e-wallets connected to their credit card, are protected from loss by regulations – provided they notify the credit card company in a timely way,” Stahl says.

However, he cautions, businesses using corporate cards connected to their smartphones may not have the same protections provided to consumers. Such is the case with credit cards as well. “The best that can be said for prepaid cards, like Starbucks, is that the loss ‘may' be limited by the amount on the card. Obviously this goes away if the card can be refilled from a credit card connected to the smartphone,” he says.

Stahl has cautioned against mobile banking in the past because of the security risks and the banking industry's priority to make money rather than provide security. His warning still holds. 

Wester – who previous to IDC was founding editor of Mobile Payments Today, a news site focused on mobile payments, commerce and financial services – believes that mobile payments in the U.S. today are driven by the frequent need for users to conduct small transactions, such as buying coffee at a café or purchasing tickets for mass transit. In the past, he says, users would pull coins or currency from their pockets. Today they pull out their phones.

Near-field communications (NFC) is a technology that does not require a device, such as a phone, to be removed from a user's pocket or purse in order to conduct a transaction. There are several mobile phones that currently support NFC, as well as vendors that do financial transactions, including Google Wallet, MasterCard PayPass, Visa payWave, Apple iPhone and PayPal.

While proximity technology works well in enclosed locations where there might be just a few people, Wester notes it potentially can fail when used in large retailers, such as big-box stores, where hundreds of shoppers might have devices with proximity sensors. A shopper at Costco, for example, would not want another customer's cart full of expensive merchandise automatically charged to his proximity-powered smartphone payment program, he says.

That said, any payment program that is backed by a credit card still would be covered by the security requirements of the Payment Card Industry Data Security Standard (PCI DSS), he points out. 

But challenges persist. Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT outsourcer, says malware on Android and iOS devices has increased up to 800 percent in less than a year, making smartphones and tablets problematic for mobile payments. And he characterizes Apple's recent approach with multifactor biometrics – its Touch ID offering, which debuted on the iPhone 5s in September – as a failed approach on multiple levels.

Multifactor security includes something the user knows (a login and password), something the user has (either a token that connects to a device or perhaps a chip embedded in a device), and something the user is, such as a fingerprint or iris scan. With its approach, he says, Apple replaced something you know – a four-digit password – with something you are – the fingerprint. So in his reasoning the move did not actually increase security.

“If a high-definition fingerprint picture is all you have, that's not much more secure than a password,” he says. His comment was underscored when Germany-based Chaos Computer Club (CCC) publicly announced it had defeated Apple's fingerprint scanner, then posted a video showing exactly how the hack was accomplished.

“Mobile devices were designed for ease of use,” Irvine says. While it is possible to increase the security of mobile devices using additional layers of user authentication, that could make the devices too burdensome for the user. It comes down to the historic tug-of-war between IT departments – which are tasked with making technology convenient enough so that users will use it – versus the security team that is tasked with protecting data, regardless of the impact on the users.

As for Android and Windows phones, they do not provide security out of the box unless a user specifically goes into the settings and enables particular functions, such as encryption. Apple does offer encryption out of the box, but as the CCC demonstrated, the security can be breached.

One popular way of improving security is by using a token of some sort. On a laptop, for example, the token might be a thumb drive that contains data that unlocks the Microsoft BitLocker software and decrypts the hard disk. On cellphones, Irvine says, the token could be a chip inside the 3G or iDEN [integrated digital enhanced network] mobile phones that contains the usually unique International Mobile Station Equipment Identity, or IMEI, number. On a smartphone, the number can be found either in the operating system settings or on a sticker placed on the phone by the manufacturer.

However, the downside to using the IMEI number is that it travels with the phone, so if the device is lost or stolen, the thief has the first part of an owner's multifactor security data.

In order to improve the security on mobile devices and, therefore, make them more appropriate for mobile payments, mobile device manufacturers need to permit the encryption of multiple partitions – not only of the hard disk, but of RAM as well, Irvine says. Additional data leakage prevention technology needs to be added to mobile devices as well.

Also, from an application standpoint, he says, a greater focus on security is needed. Devices that are used for both personal and business applications need to have those personalities clearly delineated so that corporate information cannot be accessed by applications or malware that are not authorized to access the data.

Ultimately, Irvine sees mobile devices reverting to a technology reminiscent of that employed by mainframes in the 1960s. He says mobile devices should act as front-end processors with all sensitive data stored off the device in the cloud, much like mainframe data was stored when users had dumb terminals on their desks. He also foresees a time when mobile devices will have the ability to do greater degrees of encryption and allow complex passwords and perhaps even biometrics, while not limiting the user's security options.

He recommends that users treat their mobile devices more like their laptops by updating and patching the operating system and applications. He also recommends that users not jailbreak their phones or tablets – the process of removing security limitations that manufacturers put on devices – in order to run software that has not been vetted by the operating system vendor. If users install applications from sites other than the official app store for the device, he says, “you significantly reduce the security of the devices.”
