Mobile Payments, How Secure?

Mobile payments have taken off, with Apple Pay and contactless cards now widely accepted, but how can retailers be sure these payments are secure and can’t be counterfeited or intercepted?

According to Ovum, proximity m-payment users will rise from 44.55 million worldwide in 2014 to 1.09 billion in 2019, of whom 939.1 million will use near field communication (NFC). The total value of proximity m-payments worldwide (both NFC and non-NFC such as QR codes) will grow from $4.77 billion in 2014 to $141.21 billion in 2019, the analyst firm says.

“Factors driving growth include wider merchant support for NFC across POS acceptance infrastructure, which in the US is being helped by upgrades to EMV,” Eden Zoller, Ovum’s principal analyst, consumer services and payments, says. “NFC is being championed more widely across the ecosystem by players such as Apple, Google, PayPal and Samsung.”

Apple Pay, Android Pay and Samsung Pay support NFC. During 2016, PayPal will offer NFC payments for its new in-store Android m-payments app, which currently supports QR code payments.

Ovum says proximity m-payments traction has been low across the vast majority of mature markets. One reason is consumer concerns about m-payments security. GfK’s FutureBuy 2015 consumer survey found that 52% of US respondents worry about their personal information when using m-payment apps. Only 16% believe that m-payments are more secure than other payment methods, and 20% are confident that m-payments are 100% secure.

Many consumers have yet to see m-payments’ advantage over other payment methods. “M-payments’ real value has yet to become reality: the ability to combine payments, loyalty rewards and targeted offers on smartphones using a frictionless m-wallet interface,” Alan Goode, managing director of Goode Intelligence, says.

Attitudes Toward M-Payments

Source: GfK’s FutureBuy 2015 U.S. consumer survey

An August 2015 survey of 900 cybersecurity experts for ISACA’s 2015 Mobile Payment Security Study found that 47% of respondents believe m-payments are insecure due to vulnerabilities such as using public WiFi, lost/stolen devices, phishing/shmishing, and weak passwords.

Survey respondents said the most effective way to protect m-payments involves using two methods to authenticate users’ identity (66%), followed by requiring short-term authentication codes (18%). Only 9% recommended requiring consumers to install smartphone-based security apps.

EMV in the USA

To improve card security through merchant adoption of EMV-based card readers, US card networks set October 2015 as the deadline after which liability for in-store fraud involving EMV cards shifted to whichever party isn’t EMV-compliant.

“Over 750,000 merchant locations have enabled EMV, representing 17% of total US face-to-face locations,” Charles Scharf, Visa Inc.’s CEO, said in January 2016. “We expect 50% of locations to be enabled by the end of 2016.”

The majority of EMV card readers installed in the US are contactless card/NFC-enabled, while smartphone manufacturers are increasingly equipping their handsets with NFC and security features such as fingerprint authentication.

Analysts think EMV will spur m-payment adoption. “EMV will drive innovation in the US payments market,” says Avivah Litan, a vice-president/distinguished analyst at Gartner. “The way US chip cards work currently, they slow down the checkout process, and consumers and merchants don’t like this. EMV will prompt people to use m-payments and contactless cards as they are much faster than contact-based EMV cards.”

Card On-Boarding

“Apple Pay and Android Pay have introduced great security features for POS terminals,” says Litan. “Merchants just have to pass on the customer identification to their acquirer. The loophole with these third-party services is card on-boarding into m-wallets, especially with the recent data breaches. If criminals load stolen card numbers into secure wallets, this is a major problem.”

“Account takeover and stolen cards are the biggest issues,” agrees John Dukellis, head of Next Gen Wallet at PayPal. “But PayPal has strong risk controls for fraudulent activities, and has policies such as Buyer Protection in place to protect consumers from fraud.”

“Several US banks told me in 2015 that, as they had security gaps for wallet on-boarding, they saw 600 basis points of fraud from Apple Pay on-boarding of stolen card numbers bought online,” says Julie Conroy, research director at US-based Aite Group. “While there have been evolutions to the Apple Pay registration process which have helped, it’s still a major susceptibility.”

Litan says the solution lies in reducing reliance on potentially comprised static data such as personally identifiable information (PII) and increasing reliance on dynamic data including reputation and behavior as well as metadata such as device ID and phone number.

Recommendations

“M-payment security mustn’t be harder than existing security measures,” says Chester Wisniewski, Sophos’ senior security advisor. “If it adds friction, people will be deterred.”

Wisniewski recommends proximity m-payment schemes use two-factor authentication and tokenization. “Apple Pay uses Touch ID to authenticate its users as two-factor security,” he says. “Also, Apple Pay tokenizes a user’s card number so it’s never seen by merchants, and generates a one-time security code for each transaction.”

“PayPal has always used tokenization, so we never share users’ credentials with merchants,” says Dukellis.

“Multiple security technologies are needed for truly secure proximity and remote m-payments, including behavioral and digital identity analytics,” says Conroy. “With remote wallets, you must protect log-in credentials, as there’s great opportunity for compromise due to database breaches.”

The European Banking Authority’s draft m-payment security recommendations, published in December 2013, recommend two-factor authentication involving two or more of the following: something only the user knows (e.g. static passwords or PINs); something only the user possesses (e.g. smart cards or mobile devices); and something the user is (e.g. biometric characteristics).

In October 2015, the European Parliament adopted the Directive on Payment Services (PSD2) which requires payment services providers to use “strong customer authentication” based on the EBA’s concept of two-factor authentication, where each factor is independent of the other so they can’t be compromised by each other.

“We’ve all seen the statistics about mobile malware and the innovative ways criminals use to get to their targets,” says independent IT security advisor Neira Jones. “Unfortunately, basic security principles are rarely followed in favor of quick time to market (for apps), but times are changing, and regulations such as PSD2 will force the ecosystem to get serious about security, particularly in the area of mobile and APIs.”

Kevin Foster, testing services manager at MTI Technology, says cyber-criminals can target smartphones via NFC. “They can transmit small payloads of data between an NFC device and smartphone to exploit zero-day vulnerabilities in the mobile OS and other installed apps,” he says. “When successful, this can enable the attacker to gain full rights and access to all data on the device, as well as the ability to install exploit frameworks and send mobile data to a remote listener host.”

“From the very start of its lifecycle, a mobile payment app needs to be designed and developed securely and subject to penetration testing,” says Foster. “Any web server applications that the app communicates with, via web services, should have penetration tests and code reviews conducted on them throughout the development lifecycle. For example, any data cached or stored on the device should be securely encrypted.”

HCE or Secure Element

M-wallet users’ card credentials can be stored on a secure element within an NFC-enabled smartphone, or in an issuer-managed database in the cloud using HCE software. However, HCE only works on smartphones running Android 4.4 operating system (KitKat) and above as well as on the mobile version of Windows 10. This means that if a card issuer wants to offer proximity m-payments to its cardholders on Apple devices, it has to partner with Apple Pay.

“HCE gives more flexibility to banks, as, before its introduction, they depended on hardware-based solutions controlled by handset manufacturers and network operators, and had to rely on secure elements,” says Jones.

According to Jupiter Research, in 2015 50 banks around the world had commercial HCE deployments. In September 2015, RBC Royal Bank of Canada became the first North American bank to launch an HCE-based wallet.

“Secure elements win due to the fact that they’re geographically distributed rather than centralized,” says Wisniewski. “If your card is stored on your bank's internet-accessible server, there’s more incentive for criminals to hack the bank than your phone.”

RBC has opted for the cloud. “Our m-payments are powered by RBC Secure Cloud, which keeps customer data secure in the cloud, not on the phone, making a safer, faster, more flexible solution,” says Linda Mantia, RBC’s executive vice-president of digital, payments and cards. “Secure Cloud uses tokenization, and works with multiple mobile devices and platforms and with existing contactless-enabled POS terminals.”

Biometrics

Goode says biometrics is the most convenient way to authenticate proximity m-payments users without lengthening transaction times. “Biometrics’ potential is being fulfilled with Apple Pay and Samsung Pay’s success, in addition to what we’ll see in 2016 when issuing banks, payment scheme providers and alternative payment providers bring out biometrics-based user authentication and transaction verification solutions,” he says.

“It’s a good idea to have two-tier verification in m-payments involving passwords and biometrics,” says Joseph Walent, senior analyst, Emerging Technologies Advisory Service at US-based Mercator Advisory Group. “People say we should eliminate passwords to speed up transactions, but retaining passwords that are changed regularly to guard against biometric spoofing provides greater security for higher-value transactions.”

M-payment schemes will also be able to authenticate users’ phones. “They will check where this data is being sent from; where has the user’s phone been recently, and does that fit the pattern the user normally has; is this transaction ordinary or regular for the user?” Walent says. “The technology isn’t there yet for this deeper level of authentication, but this is the direction we’re going in.”

“As smartwatches and wristbands become more ubiquitous, there’s no reason to think wearables won’t play a crucial part in securing payments,” says Goode. “This can either be as stand-alone payment devices, using a smartwatch to make a contactless payment, or in parallel to smartphone-initiated payments, providing a second factor. Biometrics (e.g. heartbeats) will play an important part here.”

Mobile Point of Sale (mPOS)

mPOS card readers attaching to merchant-owned smartphones or tablets are popular with smaller businesses. The global number of mPOS units rose by 64% to six million in 2015, US consultancy IHL Group estimates.

“mPOS readers’ vulnerability is using the audio jack to connect to the merchant’s phone,” says Wisniewski. “Card numbers are converted into audio signals, which anyone can record on their phone and stage a replay attack. A more secure way to connect mPOS readers to smartphones is through Bluetooth, provided Bluetooth is implemented correctly.”

“While not mandatory from an industry governance standpoint, reputable POS hardware manufacturers require mPOS solution providers to use the manufacturer’s proprietary point-to-point encryption (P2PE) system if they lack their own,” says Karen Cox, VP, payments and retail solutions at North American processor Moneris. “Solution providers must ensure merchants and consumers are protected in cases where cardholder data passes through insecure smartphones or unencrypted tablets.”

mPOS solutions using magnetic-stripe-only card readers are vulnerable to counterfeit card fraud, as they don’t offer the additional security of chip-authenticated cards. “This leaves merchants at risk of chargebacks,” says Cox. “There are mPOS solutions that connect portable PINpads to smartphones or tablets and enable EMV chip-and-PIN technology to protect against counterfeit card fraud, as the embedded chip is nearly impossible to clone.”

“We encrypt transactions at the point-of-swipe and tokenize data once it reaches our servers,” mPOS provider Square says. “Also, we use our algorithms to spot and freeze malicious or suspicious activity.”

“Square says its transactions are encrypted, but it doesn’t meet my standards,” says Wisniewski. “It also says it will take liability if something goes wrong, but this is Square’s way of saying it isn’t secure.”

Standards

Currently, there are no standards for payments acceptance by merchants’ mPOS devices, although EMV specifications body EMVCo and the PCI Security Standards Council (PCI SSC) have issued mPOS security recommendations.

For example, P2PE technology should be used to encrypt card data at the point of entry into PCI PIN Transaction Security (PCI PTS) certified devices all the way to the processor.

“As m-payments acceptance is still evolving, it’s premature for new PCI standards,” says a PCI SSC spokesperson. “The Council has a dedicated mobile taskforce that works with other standards bodies, vendors, banks and processors to promote the development of secure devices by providing guidance on what’s needed.”

Existing PCI compliance standards for merchants accepting traditional POS payments apply to mPOS and to m-wallet payments.

“Any business accepting payments via POS or mPOS solutions must adhere to the PCI Data Security Standard (PCI DSS),” Cox says. “Businesses must also use approved PCI PTS-compliant devices. Any POS solution should meet the requirements for the Payment Application Data Security Standard (PA-DSS), which has been updated to include mobile payments specifications.”

EMVCo requires mobile handset vendors supporting m-wallets to meet its EMV Level 1 terminal type approval requirements for contactless payments so that their handsets comply with EMVCo contactless card specifications (e.g. Visa PayWave and MasterCard PayPass). EMV Level 1 is a specification for the hardware interface enabling data transfer between EMV-compliant cards and terminals.