Security: Locking Down the Smart Phone

Kevin Woodward

Securing mobile payments involves taming a many-headed beast of suppliers, developers, and manufacturers.

Imagine creating a mobile-payment service using the latest and most advanced security features, and then realizing that with one download a consumer could sidestep all of that and incur a mobile-payment headache. It’s a very real possibility because the mobile-payment environment is so fragmented, putting many factors out of the control of providers.

It’s not just that there are so many providers for consumers and merchants to choose from. There are also scores of mobile handsets, replete with many flavors of operating systems. Just 37% of Android users have the latest version of the Google Inc. mobile operating system, for example, while 89% of the Apple Inc. iOS user base has the latest version. Any one element in this mix could pose a risk to the integrity of a mobile payment.

Also distinguishing between Apple and Android apps is that Apple’s App Store is much more controlled than the Google Play store. Apple supposedly vets each app, and does not allow for the level of operating-system customization that Google does with Android apps.

A lack of standardization among security methods likely is a factor in the grinding progress of mobile-payment adoption as consumers wield scores of different types of smart phones using vastly different operating systems. With so many options, a majority of consumers have yet to settle on a favored method, creating opportunities for scores of mobile-payments companies to offer products in hopes they might gain that elusive most-favored status. Together with the embryonic nature of mobile payments, it’s little wonder consumers have yet to endorse a select group of products as their favorite.

‘Huge,’ ‘Complex’ Systems

But a universal factor in any such decision is gauging the security incumbent in the mobile device and mobile-payment service.

While there are many factors consumers consider when selecting a mobile-payment method, an important one is security. It’s a situation not unlike the early days of e-commerce, when consumers were unsure about entering their payment card information online.

The growth in e-commerce seen over the past few years is thanks, in part, to an increase in consumer comfort in knowing their payment data are relatively secure. Web browsers use technology to check for security-certificate revocation, which could endanger any data entered into a Web site.

“One of the big issues at the moment around payments on smart phones and tablets is the sheer wealth of different solutions,” says Jeremy Gumbley, chief technology officer at Creditcall Ltd., a United Kingdom-based transaction gateway and mobile-payments solutions vendor. “At the moment, the consumer is in shock.”

With so many offerings, none yet has reached critical mass to hold a majority of market share, he says. For many consumers, the big question is how will the mobile device and the apps it can use improve the consumer’s life, Gumbley says. “When you start to go past that and look at the overall environment and some of the payment schemes, you then have to start to be concerned about potential security issues in using this technology,” he says.

Just what sort of issues could arise? Well, a smart phone’s operating system could harbor a bug that enables unauthorized access, such as a keylogging security flaw announced earlier this year in Apple’s iOS 7 software, pointed out by security firm FireEye Inc., that Apple quickly patched.

Or, a consumer could download an app that mimics the appearance of another app. That happened in May when an app called 1Password-Password Manager popped up in Apple’s App Store that had a similar logo to the legitimate 1Password app that consumers use to store online usernames, passwords, and credit and debit card information. Unwary consumers could have been tempted to place these sensitive credentials into the doppelganger app.

Another consideration, especially in light of the emerging nature of mobile payments, is that payment professionals may not know all that they should about closed operating systems, says Gumbley.

As an example, Gumbley cites news reports about leaks of national security documents, which revealed possible access to electronic data through covert means, and the recent Heartbleed vulnerability uncovered in online security certificates. “These systems are huge and complex,” he says. “It is beyond the comprehension of a single person to understand everything in that environment.”

‘Biggest Issue of All’

So what are payment companies to do, especially if so much outside of the native payment-processing flow is out of their control?

The complexity of the mobile-payment supply chain—payment provider, mobile operating system developer, app developer, the consumer, the merchant—calls for a way to manage trust between each entity, says Vanessa Pegueros, deputy chief information security officer at DocuSign Inc., a San Francisco-based company that provides electronic authentication services.

Her company is developing a Digital Transaction Management standard that could help ensure software is properly loaded onto a trusted device. It’s not an easy task. Such protocols are easier to develop within a closed system, such as among devices made by one manufacturer.

“Mobile is such a critical part of everybody’s business now,” Pegueros says. Banks, for example, could profit from using such a scheme, and requiring their partners to use it. “What banks don’t realize is they have something critical. They have the trust of their customers.”

Other vendors are working on similar products. South Africa-based Entersekt received this spring a patent for its mobile multifactor authentication software from the U.S. Patent and Trademark Office. The software can validate online users and their actions via their mobile devices.

Garnering that trust in mobile payments is critical. “The biggest issue of all is the perception of consumers that mobile is insecure,” says Todd Ablowitz, president of consulting firm Double Diamond Group LLC. “It’s very much what people believed as e-commerce rolled out.” A 2012 Federal Reserve study that found 42% of consumers were concerned about data security. Concern was especially high among those who had not used mobile payments.

Some standardization might help, Ablowitz says. “We don’t have anything close to standardized solutions for mobile payments,” he says. Though mobile-payment use is increasing, it has much room to grow, he notes. Widespread consumer adoption of mobile payment will be furthered by such standardization, he says.

\'You Can\'t Trust Anybody\'

So what can payment providers do in the meantime? The best bet is to mitigate problems for merchants, Ablowitz says. Merchants using the payment provider Stripe, for example, do not store sensitive cardholder information in their systems.

That’s been popular among developers because it means they can offload compliance with the Payment Card Industry data-security standard, Ablowitz says. “What can you do to take the merchant and ideally yourself out of as much scope as possible from the likelihood or impact of a data breach?”

Such questions are necessary to garner the trust of consumers, says Steve Brumer, partner at 151 Advisors, a New York-based consulting firm. With that viewpoint, app developers have a responsibility to ensure trust is built into their mobile-payment products, he says.

The same goes for organizations that commission apps, he says. Selecting the cheapest developer may not yield the same attention to detail, especially critical for security elements in the app, that more money might bring, Brumer says. “You really can’t trust anybody,” Brumer says. “You have to learn you can’t trust any portion of the communication from the device to the back end. The only way to solve that is by starting out your build with that in mind.”

That said, Brumer recommends using an app developer who has experience building secure applications. For example, a payments provider may have concerns about Android because it is more open than Apple’s iOS. However, an experienced app developer knows about the Android vulnerabilities and can create an app that mitigates these risks, Brumer says. “When you look at the role payment providers should have, they have to do everything,” he says. “The responsibility is on them.”

For example, an app developer with security experience might better understand the nuances, says Wade Williamson, senior threat researcher at Mountain View, Calif.-based Shape Security, an online security company.

“When you build a native app, you will have to think about what Web browsers normally have done in the background and think about doing that in the app,” Williamson says.

Specifically, Web browsers used on desktop computers have security-certificate management built in, he says. They can determine if a certificate has been revoked. “These are things the browser has done in the background,” Williamson says. “Now, we need the functionality for the app itself.”

When the Heartbleed risk surfaced earlier this year, Web browsers had a difficult time keeping up with the revoked certificates, Williamson says. “On the app side, you have to make sure that update is programmed into the app. For app developers, they have to solve that themselves.”

‘A Tricky Challenge’

Other tactics to bolster mobile-payment security include point-to-point encryption and tokenization. Encrypting the card data minimizes the risk that data could be tapped while in transit and used for criminal purposes, says consultant Ablowitz. Encryption could be a selling point to merchants, too.

And, even if a criminal was able to snag the data, he would have to attempt to crack the encryption key by brute force, says Creditcall’s Gumbley. “With today’s computing power, that would be cost-ineffective,” Gumbley says. “It would take hundreds of thousands of years of computing time to brute force that particular cardholder data.”

Tokenization, which masks the card number during processing by creating a stand-in string of characters not mathematically derived from the original data, also can benefit mobile payments, observers say.

“In card-not-present transactions, whether e-commerce or mobile, there seems to be a push for tokenization at the card-brand level that in theory could secure [card-not-present] transactions,” consultant Ablowitz says.

Time may or may not be on the side of mobile payment. “We’re at least a decade into this and probably a little more, and to me, it’s still hard to see an endgame in mobile payments,” Ablowitz says. “We’re still in a highly diverse and chaotic mobile-payments space in general, and that’s going to dictate that security will be a tricky challenge as well.” Security will follow the business models, he says.