The Security Features And Vulnerabilities in Mobile Payments

its me david

Editor Note: Mobile is changing Payments, but you have to get security right, so we wanted a real expert to lay it out for us. David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments. His expertise includes: system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences.

Introduction

Mobile Payments refers to payments made over the mobile phone. This includes mobile proximity payments where a mobile phone is used to make purchases at the POS terminal through contactless technology like Near Field Communication (NFC) or mobile remote payments where it is used to purchase products or services online using mobile phones. Mobile wallets payments using software like Apple Pay or Google Wallet can also be categorized as mobile payments. Enhanced smart phone technology, better network speed and rise of ecommerce applications have all resulted in the growth of the mobile payment sector. McKinsey reports that, use of mobile wallets will reach $400 billion in annual flows by 2022, in the US alone. Due to its convenience, the use of mobile payment technology seems to be very popular amongst the millennial generation. However conventional wisdom dictates that we understand the security features and vulnerabilities of mobile payments thoroughly before we enable them in our businesses or start using them as consumers.

Security Features

Following are the security features which can potentially make mobile payment technology more secure than card or online payments.

  • Tokenisation: Square defines tokenization as “the process of protecting sensitive data by replacing it with an algorithmically generated number called a token”. It is used in mobile payment transactions to replace the customers primary account number with a series of randomly generated numbers. Thus the customers actual bank details are not sent over the network.
  • Device-specific Cryptograms: These are used to ensure that the payment originated from the card holders mobile device. If an hacker somehow obtains the transaction data, the cryptogram sent to the payment terminal with the token cannot be used on another mobile device. Thus the stolen data is useless.
  • Two-Factor Authentication: This is used as an additional layer of security when executing the transaction. The 2nd level of authentication could be a password that needs to be keyed in on the mobile device or biometric authentication using fingerprint recognition technology.
  • Protection against loss: Mobiles ensure data security as consumers can remotely erase their data on a smart phone, when a device containing a mobile wallet is lost or stolen. This can act as a safeguard against fraud and identity theft scenarios..

Vulnerabilities

  • mPOS devices: According to this article on ZDNet, vulnerabilities in the mobile Point of Sales (mPOS) machines, can allow merchants or personnel at the terminal to change the amount charged to the credit card. The vulnerabilities in the mPOS could also allow attackers to perform man in the middle attacks, by intercepting the Bluetooth communications between mobile and the reader.
  • Variety of mobile devices: There are multiple varieties of mobile phone hardware and software available in the market. People living in developing countries may not always find the latest technology affordable and accessible and may continue to use older versions of the phones and operating systems. Such devices may render mobile payments insecure even if they were done through a secure app.
  • Malicious apps: Users who do not have anti-malware tools on their phones may be targeted by using malicious app clones available outside the usual app-store/play-store framework. The best way to protect oneself from this is to only install apps published on Apple AppStore or Google Play Store on your iOS or Android devices.
  • User Habits: Some users prioritise convenience and fail to protect their devices using a PIN or biometric authentication. Keeping the phone locked at all times can protect the data on the phone in case it is stolen or lost. According to this article, most of the reasons causing mobile payments vulnerabilities are related to user habits.

Conclusion

Like any new technology, adoption of mobile payments overcomes the disadvantages of older technology and presents new challenges and vulnerabilities. It is essential to identify these vulnerabilities and secure the system end-to-end. While device and services providers are required to provide adequate security, each user needs do his part to keep his data and transactions secure.

Bernard Lunn is a Fintech deal-maker, investor, entrepreneur and advisor. He is CEO of Daily Fintech and author of The Blockchain Economy.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.

Subscribe by email to join the other Fintech leaders who read our research daily to stay ahead of the curve. Check out our advisory services (how we pay for this free original research).

Cyber Risk Insurance translates Nerd-Speak to Boardroom-Speak

 

Cyber Risks Extra Extra

Reposted, as it is Chinese New Year for Zarc Gin, our regular Insurtech Expert based in China.

Why do Banks exist? That is not some deep, philosophical question about the role of money in society. Banks exist to protect your assets from thieves. Because they do a good job of this, they can make a lot of money lending some multiple of what they store in the vaults. The only difference now is that the modern version of Butch Cassidy and the Sundance Kid are getting monitor tans as they cyber-attack the vaults from their computers.

Money is one asset to protect. Data is another. So is data about assets. In the digital age, it is all about data. And data is easy to steal.

All the good things that we write about on Daily Fintech – all that agility/productivity enabled by data and connectivity – also benefit Butch Cassidy and the Sundance Kid.

Cyber Risk is one nerdy subject that gets Board level attention because the risk is so high. Global 2000 companies can lose $ billions from a single hack. The problem is that cyber security is also an intensely complex subject technically.

One reason that so many influential leaders subscribe to Daily Fintech is that we are good at translating Fin to Tech and Tech to Fin. So we are attracted to the challenge of translating Cyber Security Nerd-Speak to Boardroom-Speak. It is one of the toughest translation jobs around. Even with a lot of technical experience, Cyber Security can be daunting. Even with a lot of business experience, understanding how a Global 2000 Board thinks can be daunting. Both are tough on their own. Translating between the two is even tougher, because they could not be further apart.

That translation, though hard, is ultra-critical. The Board has to really understand Cyber Security and they are currently failing at this task. This article on LeadingBoards describes the problem very well

Cyber Security technology = big budgets & bigger risk

The global cybersecurity market reached $75 billion in 2015 and is expected to hit $170 billion in 2020 (source, Forbes).

This is one market where the “you never get fired for buying (insert Big Tech vendor)” mantra breaks down. In most other enterprise technology markets, the big vendors tend to win because the Boardroom does not really care who is picked. So the senior IT managers making the decision go for the vendor that is competent enough to do the job and big enough that if it all goes wrong they can say “but all our well-respected peers made the same decision”.

That defence breaks down in Cyber Security because the risk is so high. Nor can a Board simply say “the CISO who made the decision has already been fired”. The Board has to take direct responsibility. Which means the Board has to understand Cyber Security.

How is the Board supposed to understand something as nerdy as Cyber Security?

We take a lot of briefings on cyber security technology, because we know how important it is. Listening to all these super-smart tech guys explaining the latest cyber security teaches us that a) it is hugely complex and b) there is no silver bullet.

We use a simple mental map that translates Cyber Security to the analog world:

  • Perimeter Security is where most money is spent. Think fences, guards, dogs. The fundamental problem is that somebody will always get through. The bad guys also benefit from Moore’s Law and can use SMAC (Social Mobile Analytics Cloud) to collaborate and share (what has been dubbed Crime As A Service). You can be the biggest bank or the biggest government and you still get hacked.
  • Digital ID. Think body part scanners (finger, eye, voice etc) that determine who can get into the building. We have written a lot about Digital ID technology and it is improving at a remarkable pace. The problem is collusion with a trusted inside-person who is part of the crime gang; the person with perfect Digital ID is a criminal.
  • Protect from the inside. This assumes that both Perimeter Security and Digital ID is imperfect. One way to protect from the inside is process controls (for example needing more than one person to send a wire). This also suffers from the collusion problem, but it is better as it is harder for criminals to corrupt the two individuals in a process. Another way is to write code that is secure. The problem is that both better process and better code hit the agility/efficiency problem. Banks have to move fast and efficiently to beat competition AND be secure. One alone is not enough. For example, Banks want to use high level languages and tools that enable rapid time to market even if that means the developers are not thinking much about security.
  • Protect when data leaves the vault. This assumes that all three methods above will fail. The analogy here is marked banknotes used in a kidnap ransom. Again, the bad guys have very sophisticated technology to get rid of these markings, so this is yet another arms race.

If you cannot measure it, you cannot manage it

That is one of the oldest truisms of business. If you listen to the pitches of any Cyber Security vendor, you will hear that they have the solution. The problem – as any reasonable attentive business person can observe – is that even companies with all this smart technology still get hacked. The empirical evidence is that there is no silver bullet.

Insurance has historically worked on statistical models. This works fine – until it no longer works. When something fundamental changes, the models become deeply flawed. We have tracked this as it relates to catastrophes created by climate. The use of data and connectivity by cyber-criminals is analogous. The risk went up in unpredictable ways. It is no longer good enough to rely on historical models. Cyber Risk is like Climate Risk – the historical models do not predict the future accurately enough.

What companies want is something as simple as a cyber security safety rating. Insurance Companies have the right motivation to give an honest rating (unlike credit rating agencies that are paid by the seller). Insurance Companies won’t award a AAA cyber security safety rating to a BBB company, because they will pay in claims for getting it wrong.

That means Insurance Companies need to turn into cyber security experts. A tech vendor may say “we have the secret sauce” to change your rating from BBB to AAA and thus lower your premiums. The Board will say “sure, if you can convince our Insurance Company that this will lower our premiums, we have a deal.”

Startups in this risk metrics space include CyenceBitSight and Security Scorecard.

Cyber Risk Insurance is a data game and that is a problem

Cyber Risk is one of the fastest growing parts  of the Insurance market, accounting for over $3 billion in premiums.

Banks are in better shape than others. Protecting against thieves has been a core competency for longer.

Cyber Risk Insurance people differentiate between Micro and Macro. The latter is the news-worthy hacking between governments (cue image of the nerdy young Q in recent James Bond movies). Our concern is the more boring Micro Cyber Risk Insurance – exciting enough as this is about whether huge companies can lose $ billions from a single hack. The Micro could become the Macro if a number of Micro hacks led to a crisis of confidence in the financial system akin to September 2008.

Talking to experts in this relatively new field it is hard to get a lot of on the record quotes. That indicates a market that is nascent enough that the solutions are not obvious. To entrepreneurs that signals opportunity.

Image Source

Bernard Lunn is a Fintech deal-maker, investor, entrepreneur and advisor. He is the author of The Blockchain Economy and CEO of Daily Fintech.

Check out our advisory services (how we pay for this free original research).

To schedule an hour of Bernard’s time for CHF380 please click here to send an email.