Mobile payments are the next “big thing” for consumers. But how can we keep them from becoming the next big thing for hackers as well?
As our “always on” culture moves from good old plastic and chip cards to mobile phones, where data and software are more vulnerable to hackers, how do we maintain trust without eliminating utility? Unfortunately, protecting mobile payments is a lot more complex than simply adding a chip or an extra piece of software.
According to Verizon’s 2015 Data Breach Investigations Report, mobile devices are a growing target for hackers, with over 5 billion mobile apps vulnerable to remote manipulation. Most of the mobile malware seen so far is more annoying than malicious, but as mobile payments become more widespread, we can expect that to change.
Moreover, as the number and distribution of mobile devices continues to dramatically increase, so does the potential for new methods and opportunities for attacks.
The technology that powers most contactless transactions (such as Apple Pay and Android Pay), Near Field Communication (NFC), presents a huge opportunity for hackers looking for a pot-of-gold target. According to market research firm IHS, NFC adoption is expected to grow from 440 million handsets in 2014 to 2.2 billion within five years. And as traditional personal computers decline in importance, this presents a new battlefield for hackers trying to monetize their efforts.
But many of the entities that make up the ecosystem advertise their own technology as “the only solution” needed to secure mobile payments. Recently, I even heard a well-regarded colleague publicly state that all of the security issues have been resolved; that they are “old news.”
Apparently, the hackers didn’t get that memo. While I agree that the environment is relatively well understood and the tools for additional security are available, there are certainly some very real security issues that still need attention.
So what is the solution? Secure elements? Tokenization? Or perhaps end-to-end encryption is the cornerstone of security. The answer is “yes,” “yes,” and “yes” in a chorus of many.
Regardless of what vendors say, no single tactic resolves all the threats. There is no silver bullet for securing mobile payments.
Even the best available security measures have inherent weaknesses, and it is only a matter of time before a hacker finds an exploitable vulnerability within the existing security infrastructure. So the most effective countermeasure in this environment is to deploy multiple defensive measures between the attacker and their target. This security strategy is often called “defense in depth.”
The “defense in depth” approach assumes that no single security measure is impenetrable on its own, so the strategy uses multiple overlapping security measures to increase the security of the whole system. Each of these measures presents a unique obstacle that slows or ultimately prevents a hacker’s progress. These measures are complemented by other security features that detect an attack and report it to the administrator, who can then analyze and respond accordingly.
These multiple layers of security work in concert and allow the defender time to respond to the threat and stop the attacker before any sensitive data or processes have been compromised.
In the mobile payments world, the overlapping security measures can be grouped into three areas:
Minimize the reward for the attacker. The first line of defense is to minimize the reward a hacker would gain from an attack. If the ROI of an attack is low, a potential hacker may pause and re-evaluate the target. Tokenization (replacing the card number with a surrogate value that is useless outside its intended channel) and limited-use keys (LUKs, which are only valid for a small number of transactions or a short time) are the two main tools used within mobile payments to reduce the value of sensitive data and thereby discourage attacks.
Use secure elements, or create an on-device, software-based “secure element.” Roughly 25% of all breaches were attributed to memory scraping at merchants’ POS systems. Card data, tokens, keys and cryptographic functions must be protected so that they cannot be easily harvested, or reused if stolen.
Use the smartphone as a security monitor. The growing presence of mobile devices in the payments ecosystem presents both challenges and opportunities in the realm of security. Always-connected devices can serve as a security monitor, capable of continuously sampling information on the user, local connections, the device and its surroundings. Data such as geo-location, merchant POS pairing, customer validation and device/software integrity can be used both on the device and at the host to validate every aspect of the transaction and its environment.
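To make the first and third of these areas concrete, here is an added example that is not part of the original article or of Sequent’s products. It models a token service host and a phone wallet: the host vaults the real card number and hands the phone only a random token plus a limited-use key (LUK), each transaction carries an HMAC cryptogram under that LUK, and the host then checks a set of independent layers in turn (key lifetime and use count, replay counter, cryptogram, and the context the phone reports about itself and its location). Class and field names, the use limit of three, the 5 km merchant radius, the test PAN, and the merchant coordinates are all assumptions chosen for illustration; a real scheme would use an EMV-style cryptogram and a hardware-backed key store rather than a Python dict.

```python
# Added example (not Sequent's code): tokenization + limited-use keys on the host,
# plus context checks fed by the phone. Limits, names and sample data are assumptions.
import hashlib
import hmac
import math
import secrets


def cryptogram(luk: bytes, token: str, counter: int, amount_cents: int, merchant_id: str) -> str:
    """Per-transaction MAC under the LUK over the fields the host re-checks."""
    msg = f"{token}|{counter}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()


def distance_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points; one context signal."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class TokenHost:
    """Issuer/token-service side: vaults the PAN, issues LUKs, checks each transaction in layers."""

    def __init__(self, max_uses: int = 3, ttl_seconds: int = 3600, max_km: float = 5.0):
        self.vault = {}    # token -> PAN; the PAN never leaves the host
        self.luks = {}     # token -> state of the LUK currently on the device
        self.max_uses, self.ttl, self.max_km = max_uses, ttl_seconds, max_km

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)          # random surrogate, no relation to the PAN
        self.vault[token] = pan
        return token

    def issue_luk(self, token: str, device_fp: str, now: int) -> bytes:
        key = secrets.token_bytes(32)
        self.luks[token] = {"key": key, "next_counter": 0, "issued": now, "device_fp": device_fp}
        return key

    def authorize(self, tx: dict, now: int, merchants: dict):
        """Returns (approved, reason). Each check is an independent layer; the first failure rejects."""
        state = self.luks.get(tx["token"])
        if state is None:
            return False, "unknown token"
        # Layer 1: limited-use key bounds, so a stolen LUK is worth at most a few payments
        if now - state["issued"] > self.ttl:
            return False, "LUK expired"
        if tx["counter"] >= self.max_uses:
            return False, "LUK exhausted"
        if tx["counter"] < state["next_counter"]:
            return False, "replayed counter"
        # Layer 2: the transaction fields are bound to the LUK, so tampering breaks the MAC
        expected = cryptogram(state["key"], tx["token"], tx["counter"], tx["amount_cents"], tx["merchant_id"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "bad cryptogram"
        # Layer 3: context reported by the phone acting as a security monitor
        ctx = tx["context"]
        if ctx["device_fp"] != state["device_fp"]:
            return False, "device fingerprint changed"
        if not ctx["integrity_ok"]:
            return False, "device integrity check failed"
        if distance_km(ctx["geo"], merchants[tx["merchant_id"]]) > self.max_km:
            return False, "device too far from merchant"
        state["next_counter"] = tx["counter"] + 1
        return True, "approved"


class Wallet:
    """Device side: holds only a token and a LUK, never the PAN."""

    def __init__(self, token: str, luk: bytes, device_fp: str):
        self.token, self.luk, self.device_fp, self.counter = token, luk, device_fp, 0

    def pay(self, amount_cents: int, merchant_id: str, geo: tuple, integrity_ok: bool = True) -> dict:
        tx = {"token": self.token, "counter": self.counter, "amount_cents": amount_cents,
              "merchant_id": merchant_id,
              "cryptogram": cryptogram(self.luk, self.token, self.counter, amount_cents, merchant_id),
              "context": {"device_fp": self.device_fp, "integrity_ok": integrity_ok, "geo": geo}}
        self.counter += 1
        return tx


def demo():
    """Constructed scenario: one good payment, then one attack against each layer."""
    host = TokenHost(max_uses=3)
    merchants = {"M-001": (37.7749, -122.4194)}   # constructed merchant location
    token = host.tokenize("4111111111111111")     # constructed test PAN
    wallet = Wallet(token, host.issue_luk(token, "fp-abc", now=1000), "fp-abc")
    near = (37.7750, -122.4180)
    tx1 = wallet.pay(1999, "M-001", near)
    results = [host.authorize(tx1, 1001, merchants)]          # approved
    results.append(host.authorize(tx1, 1002, merchants))      # replay of tx1 by a sniffer
    tx2 = wallet.pay(1999, "M-001", near)
    tx2["amount_cents"] = 99999                                # amount tampered in transit
    results.append(host.authorize(tx2, 1003, merchants))
    tx3 = wallet.pay(500, "M-001", (40.7128, -74.0060))       # phone reports a different city
    results.append(host.authorize(tx3, 1004, merchants))
    results.append(host.authorize(wallet.pay(500, "M-001", near), 1005, merchants))  # fourth use
    assert token != "4111111111111111" and host.vault[token] == "4111111111111111"
    return results
```

Running `demo()` yields one approval followed by four rejections, each stopped by a different layer: the replay by the counter, the tampered amount by the cryptogram, the out-of-place transaction by the location check, and the fourth payment by the use limit. The point of the structure is the one the article makes: a memory scraper that harvests the token and LUK from a POS or the phone gets a value that is bounded by time, count, and the contextual checks the host still applies.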
Overlapping security measures implemented in parallel with one another avoid the traditional single “weakest link” vulnerability: if one measure is breached, others remain in place to block the attack, minimize its impact and report the breach to the host.
This layered approach recognizes that the security of a widely distributed system should never rely on a single “silver bullet." And because of the dynamic and evolving nature of the threats, no approach will ever be perfect. However, this “defense in depth” philosophy is the best course of action because it not only prevents known security threats, it also provides an organization with the time and resources to detect and respond to new attacks.
Lance Johnson is the Chief Security Officer of Sequent.