Adoption of mobile payments has been slow, and it's not clear why. Some have suggested the problem is a lack of understanding among consumers. Others have questioned whether mobile payments really address a consumer pain point.
But there’s another reason: security concerns by consumers fearful of data breaches.
And it’s not just consumers: IT security professionals are nervous too. A recent survey conducted on behalf of Experian found that 24% believed the greatest security risks in their company’s payments ecosystem were in mobile.
What’s surprising is that many of the measures built into mobile payments—from tokenization and biometrics to end-to-end encryption—seem like significant advances on the security we have now. So what are some of the major mobile security concerns, and are they well-founded?
One big potential risk of mobile payments is old-fashioned social engineering. Even Apple Pay’s vaunted security measures—which include tokenization and encrypted merchant-specific keys—may stop you breaking in, but they don’t stop you cutting a key for the front door.
Apple Pay suffered an early setback when it was revealed in March that criminals were using stolen credit card numbers to activate Apple Pay. The problem was weak verification procedures by banks: too often, banks verified customers with information which fraudsters could easily obtain, such as social security numbers.
As banks tightened their procedures, the issue faded from the headlines. Many banks now call their customers before allowing them to activate Apple Pay. But the system is still vulnerable in several ways.
First, banks whose verification procedures are still lax could get their customers in trouble. Many banks still don’t specify their verification procedures in their Apple Pay FAQs. They may prefer not to publicize their security procedures, or they may just be hoping for the best.
Second, as mobile payments are more widely adopted, best-practice verification procedures may not be scalable, or banks may consider them too expensive. Mobile payments expert Cherian Abraham put it bluntly: “Fraud scales. Call centers do not.”
Third, if mobile payments accounts can be verified with a phone call, criminals may turn their attention to fraudulent porting of mobile phone numbers. There have been anecdotal reports of criminals simply stealing the phone number on which Apple Pay is verified.
Mobile payments fraud is especially damaging because it allows criminals to turn credit card numbers into virtual cards, enabling card-present transactions. Once the great liability shift of October 2015 pushes the U.S. to EMV technology, and physical cards become far harder to clone, being able to turn card numbers into (virtual) cards will become even more attractive.
Mobile phone payments usually rely on Near Field Communications (NFC) technology, a radio-based communications standard. NFC is simply a standard for transmitting information, and has no built-in security.
Criminals have noticed. In the past, Android phones have proved vulnerable to “digital pickpocketing”, exploiting NFC, phone vulnerabilities, and point of sale terminals. One hacker proved this point by implanting a chip in his hand and using it to exploit NFC.
Fortunately, as the name suggests, NFC is a short-range technology, so a digital pickpocket has to get very close to you—or get a device very close to a point of sale device—for an attack to work.
But NFC is being taken seriously as a security problem. Experian found that 54% of IT security professionals thought NFC technology increased the risk of a security breach.
Right now, mobile phone malware is not a major issue. Verizon put it best when it reported: “I’ve Got 99 Problems and Mobile Isn’t Even 1% of Them”. But the growth of mobile payments may give hackers another reason to look at mobile malware.
Built-in security may limit what hackers can steal with malware. The whole point of tokenization, in particular, is that stealing a token isn’t all that useful compared to stealing a credit card number.
But credit card numbers are vulnerable at one point—when the user enters them for the first time. And that initial stage might be vulnerable to malware.
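To make concrete why a stolen token is worth so much less than a stolen card number, and why the initial enrollment step is the moment to protect, here is an added illustration of merchant-restricted tokenization with one-time transaction cryptograms. It is constructed for this article and is not Apple Pay's, any card network's, or E-Complish's actual design; the `TokenVault` class, the merchant names `shop-a` and `shop-b`, and the HMAC-based cryptogram are all assumptions chosen to show the principle. The real card number appears exactly once, at enrollment; afterwards the merchant holds only a token, the device holds only a key, and the vault alone can map one back to the other.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample PAN: a well-known test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check, used to reject mistyped card numbers at entry time."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    parity = len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_cryptogram(key: bytes, token: str, merchant: str, counter: int) -> bytes:
    """What the device computes for each tap: an HMAC binding token, merchant and counter.
    (Illustrative construction, not a real network's cryptogram format.)"""
    msg = f"{token}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenVault:
    """Hypothetical token service provider.

    Holds the only mapping from tokens back to PANs, plus the per-token secret
    the cardholder's device uses to produce one-time transaction cryptograms.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, dict] = {}              # token -> record
        self._lookup: Dict[Tuple[str, str], str] = {}   # (pan, merchant) -> token

    def tokenize(self, pan: str, merchant: str) -> Tuple[str, bytes]:
        """Issue a merchant-restricted token and the device key that goes with it.

        This is the one moment the real PAN is handled; afterwards the merchant
        stores only the token and the device holds only the key.
        """
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        if (pan, merchant) in self._lookup:
            token = self._lookup[(pan, merchant)]
            return token, self._tokens[token]["key"]
        while True:
            # Random digits, same length as the PAN; only the last four are kept
            # for customer-facing display. Nothing else about the PAN survives.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._tokens:
                break
        key = secrets.token_bytes(32)
        self._tokens[token] = {"pan": pan, "merchant": merchant, "key": key, "counter": 0}
        self._lookup[(pan, merchant)] = token
        return token, key

    def authorize(self, token: str, merchant: str, counter: int, cryptogram: bytes) -> Optional[str]:
        """Return the PAN for downstream authorization, or None if the request is rejected.

        Rejects unknown tokens, tokens presented at a different merchant, bad
        cryptograms (token copied without the device key), and replays.
        """
        entry = self._tokens.get(token)
        if entry is None or entry["merchant"] != merchant:
            return None
        if counter <= entry["counter"]:
            return None  # replayed or out-of-order transaction
        expected = make_cryptogram(entry["key"], token, merchant, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None
        entry["counter"] = counter
        return entry["pan"]


def demo() -> Dict[str, bool]:
    """Enroll once, then show what a copied token and cryptogram can and cannot do."""
    vault = TokenVault()
    token, device_key = vault.tokenize(SAMPLE_PAN, "shop-a")

    # A legitimate tap at shop-a: fresh counter, valid cryptogram.
    c1 = make_cryptogram(device_key, token, "shop-a", 1)
    good = vault.authorize(token, "shop-a", 1, c1)

    # Someone holding a copy of the merchant's database or a captured tap has
    # the token and that cryptogram, but neither the PAN nor the device key.
    replay = vault.authorize(token, "shop-a", 1, c1)             # same counter again
    other_merchant = vault.authorize(token, "shop-b", 2, c1)     # token outside its domain
    forged = vault.authorize(token, "shop-a", 2, b"\x00" * 32)   # no device key

    return {
        "token_differs_from_pan": token != SAMPLE_PAN and token[-4:] == SAMPLE_PAN[-4:],
        "legit_authorized": good == SAMPLE_PAN,
        "replay_rejected": replay is None,
        "other_merchant_rejected": other_merchant is None,
        "forged_rejected": forged is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the code makes is the one in the paragraph above: the only valuable secret a merchant-side breach could expose is gone after enrollment, so a defender's attention belongs on that first entry of the card number and on the device that holds the key, not on the token stores.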
All this might seem to paint a gloomy picture. But to be clear, many of the measures now being incorporated into the technology—especially tokenization—will be an improvement on current systems. With a staggering $7.1 billion in payment card fraud in the United States in 2013, better security is desperately needed.
So while mobile payments will require vigilance—and a certain amount of learning from banks and other industry stakeholders—there’s reason for cautious optimism if consumers can be persuaded to come on board.
Stephen Price is CEO of E-Complish.