Mobile wallets and m-banking: how secure are they?

In September, Google introduced the M-Wallet for Android. It uses near field communication (NFC) to allow Android smartphones to be used as a pseudo credit card for easy, rapid and mobile payment. Mobile wallets are based on the increasing ability of the smartphone to be used as a personal identification device. This in turn allows the phone to be used as a virtual wallet. It’s not a new idea. Back in August 2010, Microsoft’s Ric Merrifield predicted that “our mobile devices will be the ‘credit card’ of the future.”

Now this is becoming a reality. Some methodologies allow the user to load virtual money and spend it straight off the phone. Others turn the phone into a form of credit card. But as many as 71% of CISOs do not believe that consumers are ready to adopt mobile wallets, and 47% consider that security concerns will delay any adoption. ValidSoft’s CEO, Pat Carroll, believes that the industry must tackle this concern. While you can never guarantee 100% security, and any perceived lack of it will delay the take-up of mobile wallets and banking, “it is a fallacy that ease-of-use must be compromised to achieve strong security,” he says. “It is equally a fallacy that privacy must be compromised to achieve strong security. However,” he adds, “achieving this capability requires security to be considered from the outset, ‘by design’, rather than as an add-on.”

Google is taking this seriously. “It is a concern that Google initially chose not to encrypt some less important credit card information,” says Andy Kemshall, the technical director of SecurEnvoy. “However we should applaud Google for fixing this and resisting man in the middle attacks.”

Mobile banking, however, is more acceptable than mobile wallets, and usage is expected to overtake desktop internet banking. Banks were asked whether mobile banking would reduce fraud. A massive 99% of respondents consider the attempt to be either essential or very important, while 63% believe that mobile banking will help. Surprisingly, only 36% believe that this is a priority for consumers themselves.

All of this depends on ‘trust’: trust that the user of the smartphone is the owner of the smartphone. Nearly half of those questioned, 49%, believe that voice biometrics has a role to play in tighter security by authenticating the user. One advantage that voice biometrics has over other methodologies is that it can equally be used on legacy mobile phones; that is, phones that predate the smartphone. Nick Ogden’s Voice Commerce Group (Ogden was the original founder of WorldPay) is one organization offering voice biometrics for mobile wallets and banking.

The key to mobile wallets and mobile banking, says Pat Carroll, ValidSoft’s CEO, “is to harness the potential of the mobile device both to make payments and be the means through which they are secured and verified. It isn’t practical to have to use any extra hardware when you are ‘mobile’, on the go.” This is what makes biometrics in general, and voice in particular, an attractive means of authentication: all mobile phones have voice without requiring any additional hardware. “The ubiquity of the mobile phone means it is ideally placed to be the vehicle for secure payment. Its multiple internal channels – which enable security checks, invisible and visible, to be made ‘out of band’ and support a multi-layered approach to fraud prevention,” he concludes, “also work greatly in its favour.”

“Mobile phones will continue to become our personal wallet and our tokenless authentication device,” agrees Kemshall. “This change is inevitable.”
