Digital Transactions Authoritative, insightful and timely information for payments professionals
Hey, mobile-payments types: the fraudsters are gunning for you. What are you doing to keep fraud at bay?
So far, the known mobile-payments security lapses have proven to be more embarrassments than the truly damaging data breaches seen with more conventional payment methods.
For example, Square Inc. initially passed out boatloads of card readers for smart phones that transmitted cardholder data in the clear. And Google Inc. in February rushed a fix to market for a flaw in its mobile wallet that could have allowed hackers to gain access to the prepaid accounts of wallet users.
With mobile payments expected to boom, however, hackers and fraudsters assuredly will try to cash in. And opportunities will abound, payment experts say. Millions of entrepreneurs are turning smart phones that were not developed with payment acceptance in mind into portable point-of-sale terminals.
Smart phones are vulnerable to malware and other forms of attack, and not every payment package for smart phones has encrypted data throughout the transaction process.
‘The Human Factor’
But what’s the weakest link in the mobile-payments security chain?
“I think it’s honestly the human factor rather than the hardware or technology itself,” says Calvin Grimes, product manager for mobile solutions at Brookfield, Wis.-based bank processor Fiserv Inc.
Grimes and many others are referring to people who fail to take such simple precautions as protecting their smart phones with passwords.
“There is always the risk that someone will write down a credit card number on a piece of paper to complete a transaction or use skimmer devices outside of the actual hardware,” adds Trevor Dryer, head of product management in Intuit Inc.’s Mobile Payments & Point of Sale unit. Intuit offers the GoPayment mobile-payment service for small businesses, which competes with Square and services from a number of independent sales organizations.
Clearly, education about safe practices is important and getting attention from acquirers, ISOs, payment card networks, and others. But security executives are trying to minimize the potential for human error to cause fraud by fortifying the hardware and software that handles mobile transactions.
In a survey of an international group of executives from banks, card issuers, payment processors, gateways, and related companies at a conference last November, Aite Group LLC asked if “mobile fraud is the next big point of exposure in financial-services fraud.” Some 38% of the respondents strongly agreed and another 50% agreed, while only 13% disagreed.
Conversely, 42% of respondents strongly disagreed with the statement that “the concern about mobile security is overblown” and another 25% disagreed.
“Financial institutions aren’t taking a lot of losses due to the mobile channel yet,” says report author Julie Conroy McNelley, a senior analyst at Boston-based Aite. “‘Yet’ is the operative term.”
Adds Gideon Samid, co-founder of AGS Encryptions Ltd., Rockville, Md.: “I think it’s too risky … what we are doing is shifting POS technology from terminals or even laptops to devices that are so easily lost or stolen.” Fraudsters already have perfected techniques to quickly scrape data from misplaced smart phones, notes Samid, who is Digital Transactions’s security columnist.
In the Aite report, McNelley writes, “One of the factors that makes the mobile channel difficult to secure is the fact that the mobile environment is such a diverse ecosystem, with a wide variety of device types and operating systems. The variety of delivery mechanisms for mobile banking—text banking, mobile browser, and rich-client applications—adds to the complexity of securing the channel.”
Starting Over
Some in the payments industry believe the only way to truly thwart fraud is to get beyond the existing card-based systems that pass personal data around but form the foundation of many of the bigger mobile-payments ventures already in the market or in test.
“Part of the problem with these ‘alternative payment forms’ is a lot of them are just aggregators of other payment forms,” Ben Milne, chief executive of online and mobile-payments company Dwolla Corp., said at a Federal Trade Commission mobile-payments conference in April. “They’re not really doing anything but building on the problem and because the problem is inherently a network-architecture problem … the only way to fix it is just start over totally.”
Starting over from scratch, however, seems highly unlikely. The more plausible scenario is that mobile security will make incremental improvements as overall technology for online banking and payments develops.
The transition to the so-called EMV (Europay-MasterCard-Visa) chip card as the successor to magnetic-stripe cards also could help secure mobile payments, while many in the industry hope that near-field communication (NFC) technology, which would put a secure element controlled by a mobile carrier or financial institution on a mobile phone, will thwart fraud.
But EMV cards are unlikely to become common before 2015, and NFC won’t really thrive until a long-standing dispute between telecommunications companies and financial institutions over control of the credentials-holding secure element on the phone is resolved.
Mobile phones do have some attributes that could help mitigate consumer financial losses when the devices are lost or stolen. These include the often-ignored feature of passwords and GPS systems that can locate lost devices (though often not before it’s too late). In April, the wireless industry announced plans to set up a database of lost and stolen phones to prevent them from being used.
The Battery Problem
Yet when it comes to payments, potential weak spots in mobile devices go beyond the abundance of card readers that plug into their audio jacks. If those readers don’t encrypt data right away, cardholder information could be intercepted and used to make counterfeit cards. Other vulnerabilities can be found in both the phones’ hardware and software.
“Not all mobile devices are the same,” says John South, chief security officer at merchant acquirer Heartland Payment Systems Inc., Princeton, N.J. “Some mobile devices are inherently more secure than others are.”
There’s been plenty of discussion about whether smart phones using Google’s Android operating system, which uses open architecture, are less secure than Apple Inc.’s closed iOS operating system found on the iPhone, iPod touch, and iPad tablet.
“One could argue that iOS is inherently more secure because it is not an open architecture,” says South. “However, I don’t know what degree that is, whether it’s vastly more secure or slightly more secure.”
Some observers say any security advantage Apple, which jealously protects its so-called walled garden of computers, mobile devices, and software, may enjoy comes from the tough vetting process it puts third-party applications through before developers can sell their apps in Apple’s massive App Store.
“There’s less of a review process” in the Android Market, Google’s equivalent of the App Store, says Matt Pauker, co-founder of encryption technology firm Voltage Security Inc., Cupertino, Calif. “Apple has a very strict review process.”
One of the biggest security threats to mobile payments comes from the interaction of malicious software, the weak protections on smart phones against viruses that can plant malware on the devices and capture payment card or bank-account numbers, and users’ erroneous assumptions that data on their phones are secure.
“Consumers don’t think of their handsets as computers, but they actually are computers, except that they don’t have equivalent battery resources,” said Cynthia Merritt, assistant director of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta, in an April post on the bank’s Portals and Rails payments blog. The post links to a video interview with Markus Jakobsson, chief scientist at PayPal Inc. “This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion.”
Jakobsson noted that constant scanning would quickly drain the battery. “This is going to be a problem for mobile devices, a problem that to date has not received much recognition,” the post says.
Aite’s report notes an “exponential pace” of innovation by criminal elements. The report cites data from computer security firm McAfee Inc. saying that the strains of malware targeting the Android operating system alone jumped 76% between 2011’s first and second quarters. (A mid-May press report said Android-targeting malware nearly quadrupled between 2011 and 2012.)
Other potential threats to mobile payments include bar codes that when captured on a smart phone plant malware, and text messages that, like the e-mails that preceded them a few years ago, are “phishing” messages that seek a person’s card or bank-account access credentials.
‘A Balance’
Another weak spot: so-called cross-channel fraud, in which a consumer’s online-banking credentials also give a data thief access to the sensitive information on the same consumer’s mobile device. An antidote for that would be a requirement by banks that their customers have different log-on credentials and authentication measures for PC-based and mobile banking, but that’s not likely to happen, according to McNelley.
“That would be a best practice, but you’re not going to be seeing any financial institution doing that because it’s not user friendly,” she says. “It’s always a balance.”
McNelley also says growth in mobile person-to-person payments will expose more accounts to potential data compromises. Her report outlines a number of efforts banks and payment processors are taking to mitigate mobile fraud. They include:
– Complex device-printing, which is an examination of the unique “fingerprint” created by a mobile device’s hardware and software;
– Behavior analytics to detect suspicious activities or patterns in user sessions;
– Knowledge-based authentication, which asks consumers financial or demographic questions only they can answer;
– Chip technology, including use of the phone’s SIM card or a micro SD card to hold the so-called secure element;
– Biometrics, which can include voice, signature, and fingerprint recognition and iris scans, and
– Static or dynamic (one-time-use) personal identification numbers.
The small group Aite surveyed favors PINs, closely followed by knowledge-based authentication and use of chip technology. Biometrics is the least popular, though AGS’s Samid thinks they could be quite effective.
“You could talk on the phone and get your voice signature,” he says.
A Long Road
Meanwhile, the payments industry is edging closer to common security standards tailored to the mobile channel. Many observers have said standards are needed to address issues raised by the millions of new part-time merchants or occasional sellers who want to take card payments through smart phones or tablet computers.
In November 2010, the PCI Security Standards Council declared that it needed to complete a “comprehensive examination of the mobile communications device and mobile-payment application landscape” before it would approve software under the Payment Application data-security standard (PA-DSS), unless an application developer was prepared to show that “all requirements can be satisfied as stated.”
The council oversees the main Payment Card Industry data-security standard (PCI) and the related PA-DSS and PIN Transaction Security requirements (PTS).
The freeze generated controversy, but few would argue that mobile security is something that could be put on autopilot.
“Today there are not a lot of real secure solutions out there,” says Voltage’s Pauker.
The council on May 16 published guidance on how merchants can accept card payments through smart phones and tablet computers while protecting sensitive cardholder data.
The Wakefield, Mass.-based PCI Council’s new document, called “At a Glance: Mobile Payments Acceptance Security,” is the result of work by its staff and its approximately 50-member Mobile Working Group comprised of vendors, processors, and others.
“This is geared more toward a smaller merchant [and] letting them know how they can accept mobile payments,” says PCI Council General Manager Robert Russo. “We’re going to have a huge number of merchants coming into the system. This is the first time that we’re actually mentioning the word ‘mobile’ and getting people into the fray.”
The guidance explains some of the council’s other initiatives that affect mobile payments. They include its recently updated requirements for hardware systems from point-to-point encryption providers, and updates to the PTS requirements made in October 2011. Those latter requirements addressed how data-encrypting card swipes for mobile devices could meet PCI requirements.
The guidelines, however, do not bring to an end the 19-month-old freeze the council has imposed on approvals of software applications for mobile payments. That could happen later this year, though such an outcome isn’t guaranteed.
Instead, the council sees the guidance as just one step on a long road to fully secure mobile payments. Last June, it issued a “roadmap” that enabled software for purpose-built mobile-payments hardware, products used mainly by full-time businesses, to attain PA-DSS validation. But applications for devices that often do double duty as personal tools and mobile card-acceptance terminals have yet to be approved.
‘Moving Parts’
In addition to May’s guidance, the path to such approvals will first include a set of mobile best practices that the council plans to release this summer, one for vendors and another for merchants, followed by more guidance at about the time of the council’s so-called community meetings. The North American meeting is set for Sept. 12-14 in Orlando, Fla.
Troy Leach, PCI Council chief technology officer, envisions three potential outcomes of the multistep process. “A roadmap [for] whether payment applications can use existing standards, whether new ones need to be created, or whether there needs to be additional security evolutioned to that particular environment,” he says.
Russo says the council is taking a cautious approach to mobile security because of the “complex environment.”
“It’s a lot of moving parts out there,” he says. “We want to make sure we get it right.”
Mobile-payments consultant Todd Ablowitz, president of Centennial, Colo.-based Double Diamond Group, says he’s “pleased that there’s continued progress to give guidance to the community on how to secure mobile transactions.”
Regarding the deliberate pace at which the council is moving, he says, “I think they’ve set a pace for the last couple years. This continues that pace. Are they making progress? Yes. Are they all the way there? Not yet.”
Security expert Samid believes the ultimate solution to making mobile payments safe will involve getting away from what today are data-laden messages between devices that tell one party to debit the account of the other party and move toward biometrics or encrypted digital coins that don’t require parties to have card or deposit accounts.
He’s involved in developing a new cryptographic currency called BitMint, and he predicts the public will embrace mobile payments as such systems prove their worth.
“Once we break this hurdle of the digital coin, it will be like a dam is broken,” he says.
Mobile Payments Catch Uncle Sam’s Eye
Might the federal government pile in on mobile payments like it did with debit cards through the Durbin Amendment?
Congress is showing interest in mobile payments. Senate and House committees have held at least two hearings on the subject in early 2012. But according to press reports, panel members so far are mostly interested in learning about technology and whether existing banking regulations could be applied to mobile payments.
The executive branch also is paying close attention to mobile payments, though no agency has yet floated a major regulatory proposal affecting them. The Federal Trade Commission in late April held a one-day conference on mobile payments, with speakers from payment networks, tech firms, vendors, universities, and government agencies.
“It’s definitely on the commission’s radar,” says James Chen, an attorney in the FTC’s Division of Financial Practices.
The FTC’s focus at the conference was comparing mobile with traditional payments, according to Chen. Its main job as the technology develops will be assuring that mobile-payments providers protect customer data.
“What we’re concerned about [is] any kind of payments situation where there could be theft of consumers’ sensitive financial information,” he says.
Regulatory authority over mobile payments is quite divided. The bank regulators, of course, could have a major say. The FTC has authority over issues involving non-banking companies such as application developers, while the Federal Communications Commission oversees telecommunications companies.
The wild card is the new Consumer Financial Protection Bureau, a creature of 2010’s Dodd-Frank Act with a broad mandate.
The Federal Reserve banks have been monitoring mobile payments since their embryonic stages. Research groups at the Federal Reserve banks of Boston and Atlanta in 2010 formed the Mobile Payments Industry Workgroup. The group, whose members come from throughout the payments industry, has met quarterly since early 2010 to discuss ways to develop the channel.
