Mobile Payments—More Secure Than Conventional Payments? 

 

NEW FROM CSX

Mobile Payments—More Secure Than Conventional Payments?

By Robert A. Clyde, CISM

The Nexus  |  7 December 2015


Mobile payments can make the payment process for consumers much more convenient, eliminating the need to carry or pull out a physical credit card. Consumers can register their credit and debit cards (often simply by using the camera on their phone) into a secure wallet. This wallet may be stored in the cloud, on the device or both. People can then pay for items by simply putting their phone or smart watch near the payment terminal. Consumers can execute online purchases or payments by authenticating themselves on the mobile device to the online mobile payment system (without divulging actual card numbers).

Yet, as with most new conveniences, many worry about the security. In ISACA’s 2015 Mobile Payment Security Study of security professionals, only 23% felt that mobile payments are secure in keeping personal information safe and 87% expect to see an increase in mobile payment breaches over the next year. Amazingly, 89% said that cash was the most secure method of payment, even though only 9% preferred to use it.

For Apple Pay, Android Pay, Samsung Pay and many others, the merchant must have a payment terminal that supports the required near field communication (NFC) (figure 1). NFC chips are built into the mobile device and allow communication with the point of sale device when it is very close by. Generally, the buyer has to use a fingerprint or personal identification number (PIN) to authorize the transaction.

Figure 1—Apple Pay Terminal

Source: ©iStock.com/tillsonburg

In order to maintain compatibility with existing magnetic card readers at the point of sale, Samsung’s newest phones can also use Magnetic Secure Transmission (MST) that allows consumers to simply hover their mobile devices over the magnetic card reader and the reader will receive valid credit card information (figure 2). MST is likely to be more important in the US than in Europe and other parts of the world where magnetic card readers have been replaced with card chip readers.

Figure 2—Mobile Phone Payment Using MST

Source: ©iStock.com/gpointstudio

This article focuses on major mobile payment systems (like those underlying Apple Pay, Android Pay, Samsung Pay, and others) that can be used in place of cash, check or a credit or debit card at the point of sale or for online purchases. Mobile devices are often used to conduct online credit or debit card transactions where the consumer provides actual card numbers to the merchant. However, this is not a new topic and readers should refer to other sources to understand the risk and best practices related to traditional online transactions. Also, the security of online money transfer services between individuals is outside the scope of this article.

So, despite the recent survey results, are mobile payments really less secure than using credit cards or cash? While cash has the advantage of seeming anonymous, there is little recourse if something goes wrong with a purchase and no automatic tracking of transactions. Given today’s ubiquitous video surveillance and affordable facial recognition technology, the perceived anonymity probably does not match reality in most cases.

As to credit and debit cards, the world has recently seen a glut of data breaches involving card transactions. The attacks often target the transfer or the storage of card information by merchants and processors. Fortunately, financial institutions and card networks have sophisticated antifraud software and when fraud is found, the financial institution almost always credits the consumer’s account ensuring the consumer does not bear the loss. Attackers also make copies of magnetic credit cards and use those to make purchases or withdraw money at automated teller machines (ATMs).


At the heart of modern mobile payment systems’ security is the concept of payment tokenization.

But what if transactions can be done in such a fashion that neither the consumer nor the merchant use or ever see the real card or card number? Many mobile or online wallets store credit cards in an encrypted or tokenized vault on the mobile device or at the wallet provider’s site or both, for example Google Wallet which came out in 2011 works in this fashion. Most wallets still do this, but mobile payment systems have advanced significantly beyond that. At the heart of modern mobile payment systems’ security is the concept of payment tokenization. The actual credit card number and expiration date are not used in the transaction, but rather replaced with a payment token that is compatible with existing merchant systems. This is different than the security tokenization that has been done for years as a way to mask stored credit card numbers, since payment tokens are valid for executing transactions.

To reliably operate with a merchant’s point of sale (PoS) device, mobile wallets need to function in an offline mode without requiring the mobile device to have Internet access in order to access the wallet. This means the payment tokens must be stored securely on the mobile device, generally either in the Secure Element (SE) or using Host Card Emulation (HCE). The tokens are generated at the time the consumer registers cards with the wallet provider. The wallet provider sends the card information to the token service provider which contacts the financial institution for approval. The financial institution may require additional identification and verification of the consumer. Once approved, the token service provider then sends a payment token which is stored by the wallet provider on the device using SE or HCE generally in conjunction with a cryptogram tying the payment token to the specific device or user. At the time of payment, both the payment token and cryptogram are used.

The merchant never sees the real card number. Even the mobile wallet providers (e.g., Apple Pay, Android Pay, Samsung Pay, etc.) generally do not have the real credit card number. When the transaction is processed by the card network or token service processor the token is translated back to the real credit card number. Only they have the keys to do this. For example, Visa, MasterCard, and American Express all provide token services. Some financial institutions may also serve as token service providers. In the case of Google Wallet, PayPal and Amazon, they essentially act as a token service provider and do have access to the real card number at their backend sites. Also, Apple iTunes has access to the real card number, but Apple Pay does not.

With modern mobile payment systems based on payment tokenization, the real credit card number is not transmitted from the mobile device to the merchant or from the merchant to the card network (common points of attack for stealing credit card numbers) (figure 3). So, theoretically, these mobile payments should be more secure than using a physical credit card. This payment tokenization method is explored in detail in a paper from the Federal Reserve Banks of Boston and Atlanta, Is Payment Tokenization Ready for Primetime?

Figure 3—Apple Pay Transaction Flow

Source: US Federal Reserve Bank of Boston, compiled from various sources. Reprinted with permission.

Nevertheless, we should assume that mobile payment systems will be tested by attackers. In October 2015, for instance, attackers broke into LoopPay, the technology provider Samsung bought for MST. No Samsung Pay accounts were compromised. Presumably, the attackers were trying to steal the technology so they could leverage it to create devices for committing credit card fraud. Imagine a single mobile device compatible with magstripe PoS readers that could hold thousands or even millions of stolen credit cards. The fraudster could then choose different ones to use at different point of sale devices. This LoopPay incident demonstrates that attackers will vigorously try to crack mobile payment systems. In particular, the payment tokenization process and system will be heavily scrutinized.

So what should we do? Merchants should avoid transmitting any unencrypted personal information, particularly in a wireless fashion. Payment tokens are valid financial instruments for making purchases. So merchants should encrypt or tokenize any stored payment tokens. Consumers should avoid using mobile payment systems that are not well known and backed by large institutions. Also, they should use credit cards rather than debit cards in their mobile wallets since they often have better fraud protection from card issuers. Consumers should make use of fingerprint and PIN or password authentication on their device and never share their PIN or password with anyone else. If their mobile device is lost, they can simply remotely wipe it or deauthorize mobile payments from that device rather than cancelling all their credit cards. Figures 4 and 5 include additional risk and recommendations for consumers and merchants.

Figure 4— Consumer Mobile Payment Risk and Recommendations

Risk

Recommendations


Lost or stolen phone
  • Do not share password or PIN for your mobile payment system with others or use the same password used for other sites.
  • Use strong passwords. Use biometric authentication (like a fingerprint) and a PIN to authorize payments. Deauthorize mobile payments or remotely wipe missing device.
  • Auto-lock your phone with a time interval of five minutes or less.

Phishing attack to steal credentials to mobile payment wallet
  • Be wary of e-mails that send you to sites requesting your mobile payment credentials.

Untrustworthy mobile payment system
  • Use newer tokenization-based mobile payment systems from major providers
  • Use credit cards for underlying payment mechanism (card provider will generally cover fraudulent charges).
  • Download mobile operating system and payment app updates regularly.

Malware infects phone and steals payment tokens
  • Use antimalware on phone.
  • Consider using payment systems that tie payment token or transactions to specific device or device characteristics.

Cloned phone by attacker
  • Could be mitigated by payment systems that tie payment token or transactions to specific device and require biometric authentication as well as a PIN.
  • Monitor credit card activity for unusual charges.

Stolen payment tokens at merchant
  • Consider using payment systems that tie payment to specific device.
  • Monitor credit card activity for unusual charges.

Stolen actual card numbers from financial institution or token service provider (similar risk with conventional card payments)
  • Stick to credit cards rather than debit cards and monitor card activity.

Source: Robert Clyde. Reprinted with permission.

Figure 5—Merchant Mobile Payment Risk and Recommendations

Risk

Recommendations


Stolen payment tokens in motion
  • Ensure networks are secure and that Wi Fi and other vulnerable connections are strongly encrypted.

Stolen payment tokens at rest
  • Use customer identifier or security tokenization that protect payment tokens while still enabling transaction identification.

Inability to easily track purchases since real card number is no longer used or stored
  • Consider developing a customer identifier to track the consumer from end to end.
  • Card networks are working on such a solution.

Unfamiliar with new ways to verify purchaser
  • Leverage device or person present concept instead of asking to see physical card.
  • Consumer has to authenticate with PIN, password and/or fingerprint.

Attacker exploits vulnerabilities in PoS, network or other merchant systems to steal payment tokens or customer information
  • Apply security updates regularly and quickly.

Source: Robert Clyde. Reprinted with permission.

Since the mobile devices and merchants never see actual card numbers during a transaction, mobile payment systems have the potential to be more secure than conventional payment systems and should be cautiously embraced. The worst case scenario is really no different than for a conventional credit card purchase—if fraud does occur, the victim should be able to contest the charge with their financial institution and get it removed.

Robert A. Clyde, CISM

Is managing director of Clyde Consulting LLC; a director on the board of Zimbra, a leader in social media and collaboration software; a director on the board of Xbridge Systems, a leader in data discovery software; and international vice president of ISACA. Previously, he was chief executive officer of Adaptive Computing, which provides workload management software large cloud, high performance computing and big data environments, and chief technology officer at Symantec and a cofounder of Axent Technologies. Clyde is a frequent speaker at ISACA conferences and for the National Association of Corporate Directors where he is a Board Leadership Fellow. He also serves on the industry advisory council for the Management Information Systems department of Utah State University (USA).

 


 

ISACA Knowledge Center

Share Knowledge about Cybersecurity with other members and discuss current issues. Collaborate, make connections and learn how to keep your enterprise safe

Knowledge Center