The Security Features And Vulnerabilities in Mobile Payments


Editor Note: Mobile is changing Payments, but you have to get security right, so we wanted a real expert to lay it out for us. David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments. His expertise includes: system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences.

Introduction

Mobile Payments refers to payments made using a mobile phone. This includes mobile proximity payments, where the phone is used to make purchases at a POS terminal through contactless technology such as Near Field Communication (NFC), and mobile remote payments, where the phone is used to purchase products or services online. Mobile wallet payments using software like Apple Pay or Google Wallet can also be categorized as mobile payments. Enhanced smartphone technology, better network speed and the rise of e-commerce applications have all contributed to the growth of the mobile payment sector. McKinsey reports that use of mobile wallets will reach $400 billion in annual flows by 2022 in the US alone. Due to its convenience, mobile payment technology appears to be very popular with the millennial generation. However, conventional wisdom dictates that we understand the security features and vulnerabilities of mobile payments thoroughly before we enable them in our businesses or start using them as consumers.

Security Features

Following are the security features which can potentially make mobile payment technology more secure than card or online payments:

  • Tokenisation: Square defines tokenization as “the process of protecting sensitive data by replacing it with an algorithmically generated number called a token”. In mobile payment transactions it replaces the customer's primary account number (PAN) with a randomly generated number, so the customer's actual bank details are never sent over the network.
  • Device-specific Cryptograms: These are used to ensure that the payment originated from the cardholder's own mobile device. If a hacker somehow obtains the transaction data, the cryptogram sent to the payment terminal along with the token cannot be used from another mobile device, so the stolen data is useless.
  • Two-Factor Authentication: This is used as an additional layer of security when executing the transaction. The second factor could be a password that must be keyed in on the mobile device, or biometric authentication such as fingerprint recognition.
  • Protection against loss: When a device containing a mobile wallet is lost or stolen, the consumer can remotely erase the data on the smartphone. This acts as a safeguard against fraud and identity theft.
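To make the first two features concrete, here is an added toy model (example code written for this page, not from the article's author or from any payment network): a token vault that never releases the PAN, and device-specific cryptograms computed with a key that exists only on the provisioned device. The names, the message layout, the use of HMAC-SHA256 and the per-device transaction counter are assumptions of this illustration, not the EMV or network tokenisation specification. The scenarios at the end show why a captured token and cryptogram are useless from another device, why they cannot simply be replayed, and why an amount altered after the cryptogram was produced is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of two mobile-wallet security features: network
# tokenisation (the PAN is replaced by a random token) and device-specific
# cryptograms (each provisioned device holds its own key, so a cryptogram
# captured from one device verifies only for that device).  Names, message
# layout, HMAC-SHA256 and the counter are assumptions for this example, not the
# EMV or payment-network specification.


def make_cryptogram(device_key: bytes, token: str, amount_cents: int, counter: int) -> str:
    """Device side: authenticate token, amount and a per-device counter with the device key."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Issuer/token-service side (constructed): the only place the real PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token = {}        # token -> PAN
        self._key_by_binding = {}      # (token, device_id) -> device key
        self._last_counter = {}        # (token, device_id) -> highest counter accepted

    def provision(self, pan: str, device_id: str):
        """Bind a fresh random token and a fresh device key to (PAN, device)."""
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        device_key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_binding[(token, device_id)] = device_key
        self._last_counter[(token, device_id)] = 0
        return token, device_key

    def verify(self, token: str, device_id: str, amount_cents: int, counter: int, cryptogram: str):
        """Return the PAN to charge, or None if the cryptogram is not valid for this device."""
        key = self._key_by_binding.get((token, device_id))
        if key is None:
            return None  # token was never provisioned to this device
        if counter <= self._last_counter[(token, device_id)]:
            return None  # straight replay of an old cryptogram from the same device
        expected = make_cryptogram(key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # wrong device key, or amount/counter altered after signing
        self._last_counter[(token, device_id)] = counter
        return self._pan_by_token[token]


def demo() -> dict:
    """Run the scenarios described in the article against the toy vault."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real account
    token_a, key_a = vault.provision(pan, "phone-A")
    token_b, key_b = vault.provision(pan, "phone-B")  # same card, second device

    # 1. Legitimate payment of 12.34 from phone-A.
    crypt = make_cryptogram(key_a, token_a, 1234, 1)
    legit = vault.verify(token_a, "phone-A", 1234, 1, crypt)

    # 2. Eavesdropper captured token_a + crypt and presents them from another device.
    replay_other_device = vault.verify(token_a, "phone-B", 1234, 1, crypt)

    # 3. Same captured data presented again from phone-A (counter already used).
    replay_same_device = vault.verify(token_a, "phone-A", 1234, 1, crypt)

    # 4. Amount altered after the device produced the cryptogram.
    crypt2 = make_cryptogram(key_a, token_a, 500, 2)
    amount_tampered = vault.verify(token_a, "phone-A", 9999, 2, crypt2)

    # 5. phone-B's own key and token still work for phone-B.
    crypt_b = make_cryptogram(key_b, token_b, 500, 1)
    legit_b = vault.verify(token_b, "phone-B", 500, 1, crypt_b)

    return {
        "legit": legit == pan,
        "legit_b": legit_b == pan,
        "replay_other_device": replay_other_device,
        "replay_same_device": replay_same_device,
        "amount_tampered": amount_tampered,
        "pan_on_wire": pan in (token_a, token_b),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the merchant and the network only ever see the token and the cryptogram; the mapping back to the PAN and the per-device keys live in the vault, so a compromise anywhere along the transaction path yields data that cannot be reused.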

Vulnerabilities

  • mPOS devices: According to this article on ZDNet, vulnerabilities in mobile Point of Sale (mPOS) machines can allow merchants or personnel at the terminal to change the amount charged to the credit card. The vulnerabilities in the mPOS could also allow attackers to perform man-in-the-middle attacks by intercepting the Bluetooth communication between the mobile device and the reader.
  • Variety of mobile devices: There are multiple varieties of mobile phone hardware and software available in the market. People living in developing countries may not always find the latest technology affordable and accessible and may continue to use older versions of the phones and operating systems. Such devices may render mobile payments insecure even if they were done through a secure app.
  • Malicious apps: Users who do not have anti-malware tools on their phones may be targeted by using malicious app clones available outside the usual app-store/play-store framework. The best way to protect oneself from this is to only install apps published on Apple AppStore or Google Play Store on your iOS or Android devices.
  • User Habits: Some users prioritise convenience and fail to protect their devices using a PIN or biometric authentication. Keeping the phone locked at all times can protect the data on the phone in case it is stolen or lost. According to this article, most of the reasons causing mobile payments vulnerabilities are related to user habits.

Conclusion

Like any new technology, adoption of mobile payments overcomes the disadvantages of older technology while presenting new challenges and vulnerabilities. It is essential to identify these vulnerabilities and secure the system end-to-end. While device and service providers are required to provide adequate security, each user needs to do his part to keep his data and transactions secure.

Bernard Lunn is a Fintech deal-maker, investor, entrepreneur and advisor. He is CEO of Daily Fintech and author of The Blockchain Economy.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.


The rise of Tokenized assets – the bridge between the old and the new capital markets

Most people in Blockchain whom I talk to feel tokenizing real-world assets is an amazing concept with huge potential. I have often thought that the real difference tokenizing offers, as an economic model, is the ability to attach a numeric value to something abstract, like attention, brand value, popularity or karma.


There has been no lack of attempts to tokenize platforms that act as marketplaces for creating abstract value. In the last year or so, I have come across several firms that act as marketplaces for people to help each other, give and receive points and eventually turn them into tokens.

However, as we create this new value system using Blockchain, it has to be through a logical roadmap. One has to walk before running. And cryptos have struggled to answer the question “What's your intrinsic value?” – there are several consensus-based answers, but the traditional world typically doesn't recognize them. And when the market collapses, the talk about creating value digitally often looks baseless.

However, as the Blockchain era turns a new page, we will need security tokens to act as the bridge between the old and the new capital markets.

I still believe value can be created digitally, and there is a market for that. We are at a point where most of the world agrees that Blockchain as a new economic paradigm is here to stay. As institutions plan their entry into this space, the economic model should stand its ground even in a quasi-traditional sense. Security tokens enable exactly that. They are beneficial across several dimensions, some of which are:

  • Inclusion: Tokenizing a fund focused on Manhattan properties could allow people across the world to take part in a vehicle which in the past would have been accessible only to the ultra rich.
  • Liquidity: I can buy and flip a property wholly or partially if it is tokenized. Liquidity has always been a major concern with real estate, venture capital and private equity investments, and tokenizing would change the risk profile of these asset classes.
  • Efficiency: The speed of execution and settlement that smart contracts offer alone makes it a very efficient system.

We have had several headlines over the last few months on tokens backed by real-world assets, especially from emerging-market countries and their central banks. I am following India especially closely. But Singapore is perhaps the world leader when it comes to its position on tokenized assets.

Earlier this week, the Monetary Authority of Singapore (MAS) and Singapore Exchange (SGX) announced that the Delivery vs Payments (DvP) app they had been prototyping was working successfully. I had written about it earlier on Daily Fintech too, and was looking forward to this announcement.

“Based on the unique methodology that SGX developed to enable real-world interoperability of platforms, as well as the simultaneous exchange of digital tokens and securities, we have applied for our first-ever technology patent,”

– Tinku Gupta, Head of Technology, SGX

Through this prototype, the consortium of MAS, SGX, Deloitte and Nasdaq has tested the functionality whereby financial institutions can exchange and settle tokenized assets across different Blockchain platforms.

Most of these prototypes are conducted in a controlled environment with minimal risk. That's because the technology and its viability in a global enterprise still need to mature. But the concept of tokenising assets and allowing access to a global consumer base would create new business models (and regulatory headaches).


Arunkumar Krishnakumar is a VC investor focusing on Inclusion, a writer and a podcast host.
