Shoring up Mobile Payments from Cyberthreats

By George Anderson | 18 March 2015

Mobile payments are becoming increasingly the norm. With Starbucks, Uber, retailers and even banks embracing the idea of turning your smartphone into your wallet, it is expected that mobile transactions will double in 2015. However, from a security perspective mobile payments are only as secure as the weakest link and last year highlighted that retailers have a long, long way to go in adequately securing our information.

According to recent research by Forrester mobile transactions make up 21 percent of all fraud cases that have been reported by retailers – despite mobile transactions only representing 14 percent of all transactions that they process. Last year’s attack on US retail chain Target saw fraudsters create custom-built malware to infiltrate point-of-sale systems and siphon data from cards. Even more worrying is that now fraudsters are able to collect bank details simply by standing next to you. By using easily-purchased RFID readers and an app on their smartphone they clone your contactless card without needing to touch it – the age of the digital pickpocket!

As with any new technology there are going to be fraudsters those looking to take advantage of the situation and seek ways to drain our new mobile wallet and payment debit cards. You only have to look at the SMS and high cost premium call scams that happened a few years ago, before the manufacturers stopped them by requiring permissions, to see that fraudulent activity and technology go hand in hand.

There’s an App for that…

Mobile payment systems, like Apple Pay and the newly announced Samsung Pay, allow payment cards to be added to the app and then used to pay for items by tapping your phone against the till – and your fingerprint is used to verify that it is you using the device. However, there are some major security concerns with these payments, with banks being caught off guard by the level of fraudulent activity through Apple Pay in the US. Fraudsters have taken to adding stolen credit cards to new iPhones to make purchases then sell the goods, highlighting the need for better verification from banks and Apple Pay.

While Apple Pay’s encryption around the fingerprint authorisation hasn’t been breached yet, it is another way in which fraudsters could access mobile payments. Alternatively, the payment systems themselves could be targeted to siphon off money by infecting the mobile device and fooling it into thinking it’s doing a legitimate transaction. As the mobile literally becomes “cash”, the theft and subsequent misuse of the device means that protection for lost and stolen devices and secure authentication access needs to be in place. Otherwise stealing a phone very quickly becomes much better than stealing card.

How secure are your fingerprints?

Industries are increasingly moving towards using biometrics as a security layer, many airports have deployed retina scanners, and even banks are including Apple’s Touch ID as an authentication factor. However, any organisation should tread carefully before implementing biometrics as a security method. In security we are always tasked with making the technology easy to use, but as secure as possible. Unfortunately, these two goals are difficult enough on their own, let alone when combined. Fingerprint technology is notoriously unreliable – for example Apple Touch ID was hacked less than two days after it was deployed.   

Best practice for using biometrics and security is through two-factor authentication, combining fingerprint scanning with passkeys or passwords is the most secure way to key your data safe. But translating this method to retail could be trickier. Ultimately, retailers need secure transaction technology combined with the right data safeguards, while mobile users need to secure their device before turning it into a cybercriminals cash machine.

Securing mobile payments for the future

While concerns surrounding the security of mobile payments and NFC remain for right now, it’s positive to see that mobile manufacturers have taken the first steps to shoring up any weak links in the technology. With the recent acquisition of LoopPay by Samsung, it is clear that manufacturers are taking steps towards securing and integrating code at both a hardware and software level.

Android devices have notoriously been susceptible to malware problems, so the logical next step would be for Google to work with manufacturers to create a secure pay platform for Android, which all Android phones use as standard. This would create the most secure environment for these payments. As technology advances, it is inevitable that the way we pay and protect things will change. But it is crucial that we use technology in the most secure way in order to prevent fraudsters from winning the cyber-battle.

By George Anderson, Product Marketing Director, Webroot

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development