Security concerns dampen mobile-payments enthusiasm

By:
Solomon Teague
Published on:

Early adopters of cutting-edge mobile-payments technology should be aware of the complexity of the security challenges, experts have warned, with a lack of regulatory oversight of app developers or security standards, thanks to divergent interests of the multiple parties involved in transactions.

Mobile payment platforms are loosely regulated and, unlike card transactions, the legal liability rests on the payer.

As a result, consumers should be aware of the rising risks of unwittingly revealing comprising data to developers, analysts say, while calling for greater co-ordination between banks, network providers, merchants and consumers to address growing security challenges.

“If mobile security is not controlled properly the risks for fraud are much greater than the internet posed after EMV [Europay, MasterCard and Visa] was introduced for face-to face transactions,” says Richard Sanders, principal solution consultant EMEA at ACI Worldwide.

Even non-financial apps could gather information that could be sold on to third parties or used for other criminal activity.

Colin Clark, operations manager for EMEA at PSC, a payment and security consultant, says: “Your phone could be subverted by any app, a Tube map application, a game, anything. Then any application loaded afterwards could be at risk from malicious code running on your phone.”

With card payments, the merchant is legally responsible for the security of the transaction, and qualified security assessors must sign off payment systems according to clear, standardized requirements, ensuring systemic integrity.

By contrast, with mobile payments, the responsibility for security rests with the payer.

“It’s like having your wallet in your back pocket, but where the pocket is transparent,” says Clark.

Barclays has more experience in the area than most banks, with Pingit, its mobile payments platform, having penetrated deepest in the market.

“Malware, short for malicious software, is software specifically created to access your technological devices covertly, often with the intention of stealing your information for profit,” Barclays advises its customers.

It recommends they avoid downloading software without verifying its security and privacy features, and install anti-malware software designed specifically for their device. High volumes of unsolicited texts or emails should be treated with suspicion, it warns, as it could be evidence of infection.

Mercifully, there is little sign fraudsters have turned their attention to mobile phones – yet. This might be because the market has not reached a sufficient level to make it worthwhile, or ripping off cards might still be reaping enough rewards to prevent them looking elsewhere.

However, there is little doubt the attention of fraudsters will come, so security needs to be pre-emptively tight.

And phones are still at risk from old-fashioned methods of attack, such as snatching, exacerbating fears about the concentration of risk inherent in using mobile phones for transactions.

Co-ordination challenge

There is still a fundamental disagreement between network providers and banks concerning how best to approach phone security.

Network providers believe the security component should reside on the Sim card, while the banks believe that is insufficient and that an effective single-wire protocol – the connection between a Sim card and near-field-communication chip in a mobile phone – is needed.

The handset manufacturers also have a stake in the debate, while the fragmentation of the phone market between Android, iPhone and Windows complicates matters, though the competition could help breed solutions.

“The number of interested parties in a mobile transaction creates a new logistical element to the challenge that did not exist with EMV compliance, where you just needed a conversation between the merchants and the banks,” says ACI’s Sanders.

“For mobile point of sale, life gets more complicated because you add the network operator, handset operator plus the app manufacturer and distributor as a minimum, each with their own agendas – and there doesn’t seem to be anyone coordinating the debate or defining standards across all these players at an industry level.”

Not only is this a recipe for inertia, it also provides fraudsters with a massive opportunity, especially with the lack of defined standards around some of these different schemes. “The more people who are involved, the more points of attack there are for fraudsters,” says Sanders.

There is also the question of recourse. Cards are insured and if their systems are hacked it is usually possible to reclaim lost money from the issuer, which serves as an incentive for card companies to maximize security standards.

“If you had money stolen from an online wallet, who are you going to ask to reimburse you that money?” asks PSC’s Clark.

All payments systems experience teething problems as the technology is refined over time and security is improved. In the early days of the internet, online payments were not secure, and early chip and pin were subject to attacks via pin harvesting, for example. ATMs are still subject to creative attacks by fraudsters.

The security of mobile payments is bound to improve over time, but with the technology in its infancy, early adopters are taking a risk.

It will be easier for security to evolve once a clear winner emerges among the mobile-payments platforms, but the technology is locked in a catch-22 situation: installing new payments infrastructure is costly for merchants, and few will risk implementing a new system until there is a critical mass of demand for it.

Yet potential users are put off by the lack of opportunities to use mobile payments.

Meanwhile, lingering questions persist about the demand for mobile payments. How keen will supermarkets be to offer the service, when some are suspected of actively blocking mobile signals from their stories to prevent people making price comparisons using their phones?

How keen will casual businesses, such as window cleaners and gardeners, be to receive mobile payments, when cash-in-hand offers the opportunity to keep payments off the books?