The Security Features And Vulnerabilities in Mobile Payments


Editor Note: Mobile is changing Payments, but you have to get security right, so we wanted a real expert to lay it out for us. David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments. His expertise includes: system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences.

Introduction

Mobile Payments refers to payments made with a mobile phone. This includes mobile proximity payments, where a mobile phone is used to make purchases at the POS terminal through contactless technology such as Near Field Communication (NFC), and mobile remote payments, where the phone is used to purchase products or services online. Mobile wallet payments using software like Apple Pay or Google Wallet can also be categorized as mobile payments. Enhanced smartphone technology, better network speed and the rise of e-commerce applications have all resulted in the growth of the mobile payment sector. McKinsey reports that use of mobile wallets will reach $400 billion in annual flows by 2022, in the US alone. Due to its convenience, mobile payment technology seems to be very popular amongst the millennial generation. However, conventional wisdom dictates that we understand the security features and vulnerabilities of mobile payments thoroughly before we enable them in our businesses or start using them as consumers.

Security Features

The following security features can potentially make mobile payment technology more secure than card or online payments.

  • Tokenisation: Square defines tokenization as “the process of protecting sensitive data by replacing it with an algorithmically generated number called a token”. It is used in mobile payment transactions to replace the customer's primary account number with a series of randomly generated numbers. Thus the customer's actual bank details are not sent over the network.
  • Device-specific Cryptograms: These are used to ensure that the payment originated from the cardholder's mobile device. If a hacker somehow obtains the transaction data, the cryptogram sent to the payment terminal with the token cannot be used on another mobile device. Thus the stolen data is useless.
  • Two-Factor Authentication: This is used as an additional layer of security when executing the transaction. The second factor could be a password that needs to be keyed in on the mobile device or biometric authentication using fingerprint recognition technology.
  • Protection against loss: Mobile devices help protect data because consumers can remotely erase a smartphone when a device containing a mobile wallet is lost or stolen. This can act as a safeguard against fraud and identity theft scenarios.
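A constructed Python sketch of the first two features above, added here and not taken from the post or from any real wallet or payment network: the token stands in for the PAN on the wire, and a cryptogram keyed per device over token, amount and a transaction counter means a captured cryptogram is rejected on another device, on replay, or with an altered amount. The key derivation, field layout, master key and test PAN are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo state, not a real token service: the vault maps a token back
# to the PAN; each (token, device) pair gets a key shared only with the issuer.
TOKEN_VAULT = {}
DEVICE_KEYS = {}
ISSUER_MASTER_KEY = b"demo-issuer-master-key"  # placeholder, not a real key


def provision(pan, device_id):
    """Tokenise a PAN for one device: return (token, device_key)."""
    token = "".join(secrets.choice("0123456789") for _ in range(16))
    # Assumed derivation for the example: device key = HMAC(master, token:device).
    key = hmac.new(ISSUER_MASTER_KEY, f"{token}:{device_id}".encode(), hashlib.sha256).digest()
    TOKEN_VAULT[token] = pan
    DEVICE_KEYS[(token, device_id)] = key
    return token, key


def make_cryptogram(device_key, token, amount_cents, counter):
    """Wallet side: HMAC over the fields the terminal forwards to the issuer."""
    data = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()


def issuer_verify(token, device_id, amount_cents, counter, cryptogram, seen):
    """Issuer side: known token and device, fresh counter, untampered fields."""
    key = DEVICE_KEYS.get((token, device_id))
    if key is None or token not in TOKEN_VAULT:
        return False                       # unknown token or device
    if counter <= seen.get((token, device_id), 0):
        return False                       # replayed transaction
    expected = make_cryptogram(key, token, amount_cents, counter)
    if not hmac.compare_digest(expected, cryptogram):
        return False                       # wrong device key or altered amount
    seen[(token, device_id)] = counter
    return True


def demo():
    """One honest payment followed by three rejected misuse attempts."""
    seen, pan = {}, "4111111111111111"     # constructed test PAN
    token, key = provision(pan, "phone-A")
    cg = make_cryptogram(key, token, 1999, 1)
    return {
        "honest": issuer_verify(token, "phone-A", 1999, 1, cg, seen),
        "replay": issuer_verify(token, "phone-A", 1999, 1, cg, seen),
        "amount_changed": issuer_verify(token, "phone-A", 2999, 2, cg, seen),
        "other_device": issuer_verify(token, "phone-B", 1999, 2, cg, seen),
        "pan_sent": pan in token or pan in cg,
    }
```

Only `demo()["honest"]` is accepted; the replayed, re-priced and cross-device presentations all fail, and the PAN appears in neither the token nor the cryptogram.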

Vulnerabilities

  • mPOS devices: According to this article on ZDNet, vulnerabilities in mobile Point of Sale (mPOS) machines can allow merchants or personnel at the terminal to change the amount charged to the credit card. The vulnerabilities in the mPOS could also allow attackers to perform man-in-the-middle attacks by intercepting the Bluetooth communications between the mobile and the reader.
  • Variety of mobile devices: There are many varieties of mobile phone hardware and software available in the market. People living in developing countries may not always find the latest technology affordable and accessible and may continue to use older phones and operating systems. Such devices may render mobile payments insecure even if they are made through a secure app.
  • Malicious apps: Users who do not have anti-malware tools on their phones may be targeted with malicious app clones distributed outside the usual App Store/Play Store framework. The best way to protect oneself from this is to only install apps published on the Apple App Store or Google Play Store on your iOS or Android devices.
  • User habits: Some users prioritise convenience and fail to protect their devices with a PIN or biometric authentication. Keeping the phone locked at all times can protect the data on the phone in case it is stolen or lost. According to this article, most of the causes of mobile payment vulnerabilities are related to user habits.

Conclusion

Like any new technology, mobile payments overcome the disadvantages of older technology while presenting new challenges and vulnerabilities. It is essential to identify these vulnerabilities and secure the system end-to-end. While device and service providers are required to provide adequate security, each user needs to do their part to keep their data and transactions secure.

Bernard Lunn is a Fintech deal-maker, investor, entrepreneur and advisor. He is CEO of Daily Fintech and author of The Blockchain Economy.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.

Subscribe by email to join the other Fintech leaders who read our research daily to stay ahead of the curve. Check out our advisory services (how we pay for this free original research).

Telecom Fintech innovation is spreading


MPesa's early success in Kenya will remain the mobile money business case study of payment innovation in emerging markets[1]. It was 12 years ago, in 2007, that Vodafone launched the service.

Africa continues to be the continent where "necessity is the mother of invention".

Africa brings to market further efficiencies, improving the MPesa business model and pushing innovation in financial inclusion (be it remittances, micro-payments, or microinsurance). However, it is not as easy as it may seem. As Chris Skinner notes:

Not only was M-Pesa a roaring success, but its concept was copied in most countries across Africa, Asia and South America. I say concept because M-Pesa itself has failed to repeat its success in other countries.[2]

Today, EcoCash is a success story in Zimbabwe. It is a rich mobile payment platform hosted by the local telco, Econet. Despite recent tech glitches on the EcoCash platform[3], Econet, the parent telco, continues an expansive digital strategy. It spun off Cassava Smartech, an entity that offers more financial services than just mobile money, from remittances and digital banking to all kinds of insurance.

Orange Money started in 2008 in Côte d’Ivoire and currently has 40 million customers in 17 African countries (francophone and anglophone). Late last year MTN Money[4] and Orange Money teamed up to create a JV called Mowali[5]. They are targeting the 300 million mobile money users in Africa. MTN and Orange alone operate in 22 African countries. Mowali is built on Mojaloop, the open-source payment platform of the Bill & Melinda Gates Foundation. The aim is interoperability at a pan-African level.

South African startup Wala has launched its own mobile money solution, with the Dala utility token, using blockchain technology. Wala provides no-fee banking services and is creating a decentralized financial platform (DeFi) built around the Dala coin. Listen to my interview with founder Tricia Fernandez on the unique approach of the Wala foundation.

Dala is one example of the opportunity that telecoms can grasp by using tokens, be it stablecoins or some such, in order to offer their existing customers ways to manage their digital lives. Alex Mifsud, Co-founder and CEO of Open Payments Cloud, emphasizes this point[6] and uses the example of Dala in South Africa and another approach used in Mongolia. The Mongolian telecom company Mobicom has received approval to issue a stablecoin (pegged to the national currency) called “Candy”. Every Mongolian citizen with a mobile phone will be able to pay bills, shop online, transfer funds, and take out microloans. The pilot will start in the capital, Ulaanbaatar[7].

Now back to the West, the US and Europe. The recent T-Mobile announcement of a bank account offering did create some talk. For me, it is a move by a telecom to extend services to non-T-Mobile customers. But the business innovation is lacking, as it is backed by a conventional bank: Customer Bank is behind the BaaS service of T-Mobile Money. This is actually very different from Orange Money, which also has a bank of its own, launched in 2017. Orange Bank was built from the start with a customer relationship model based on AI technology. It had signed up 200,000 customers as of the start of Q1 2019. It has set a target of reaching 4 million customers and €500 million of net income from banking within five years.

Telecoms and banking

"My conclusion was that banks would merge with telecommunications firms and become hybrid institutions. Twenty years later, it hasn’t happened." Excerpt from Chris Skinner's vision Banks and Telcos? Two become one!

Will this blurring become true soon?

Will Orange become the business case or some African entity?

Who will customers trust for their financial digital business?

Will blockchain be the enabler or will AI banking be enough?

[1] Why is M-Pesa the foster child for Financial inclusion? Faisal Khan

[2] Getting the Infrastructure Right for Financial Inclusion, Chris Skinner 2018

[3] A two-day crash in Zimbabwe’s mobile money system shows the vulnerabilities of going cashless

[4] MTN is Africa’s largest telecoms operator

[5] Unlocking mobile money interoperability and merchant payments across Africa through Mowali

[6] Telecoms need not sideline cryptocurrencies, by Arti Mehta, TMForum

[7] Mongolia Starts Off 2019 With Its Eyes On Crypto Payment Adoption

Efi Pylarinou is the founder of Efi Pylarinou Advisory and a Fintech/Blockchain influencer.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.
