Samsung Pay Steps Up Mobile Security, but Weak Links Remain

MasterCard and Visa are using Samsung's mobile wallet to further the adoption of tokenization and other security methods at the point of sale, but safety concerns still cast a shadow on mobile payments and commerce.

Even Apple Pay, which mixes in biometric authentication and sends a strong message of security, has had its problems. At launch, some Apple Pay users were double-charged for their purchases, and more recently Web crooks found a way to exploit the connection between Apple and issuing banks, according to a report in Apple Insider.

"After some of the recent concerns regarding Apple Pay, I'm not surprised that [mobile security] hasn't been put to bed," Al Pascual, director of fraud and security for Javelin Strategy & Research.

Venmo, a mobile payments company owned by PayPal, has also suffered reports of lax security in recent days. But it's no recent trend; Starbucks, which provides one of the most popular mobile payment apps in the U.S., was criticized a year ago for its handling of password security. And of course the breach of celebrities' nude photos from Apple's iCloud service — disclosed days before the public unveiling of Apple Pay — made it easy for competitors to use their marketing budgets to undermine trust in Apple Pay.

Samsung and Apple both mix tokenization and biometrics to secure payments made at the point of sale, but even when these processes work perfectly, they leave other avenues vulnerable to takeover. Mobile banking and remote deposit capture, for example, could become more attractive targets for fraud if they are not similarly shored up, Pascual said.

"More needs to be done to ensure that the device to which data is provisioned belongs to the legitimate account holder," he said.

Venmo has posted an update on its security policy on its site, including fraud protection algorithms, encryption, PCI compliance and transaction limits. Apple provided a statement clarifying that it is the bank's responsibility to verify each card added to Apple Pay.

At the point of sale, the card brands are using mobile wallets to provide a significant boost to security over the way they protect magstripe cards. The MasterCard Digital Enablement Service (MDES) will protect Samsung Pay transactions when the mobile device manufacturer's payment service launches later this year. MDES will power tokenization, or the use of a secure substitute for account numbers.

"We will not put real credentials on the phone, but will put in a tokenized credential that will be equipped with all of the latest cryptography," said Jorn Lambert, a group executive for digital convergence at MasterCard.

Visa is also including its tokenization method as part of its support for Samsung Pay, though it did not respond to a query by deadline.

By mixing tokenization with the Samsung Galaxy S6's built-in fingerprint reader, Samsung Pay follows the example set last year by Apple Pay in the way it protects account details.

Apple Pay uses Touch ID, Apple's fingerprint biometric technology, along with tokenization. Touch ID is an increasingly popular way to protect card not present transactions from multiple payment apps that support in-app funding from Apple's mobile wallet.

Given the lingering security challenges facing mobile payments, companies should tread lightly when using security as a selling point, according to analysts, particularly since protecting the mobile device does not necessarily protect data once it's outside of the transaction flow. 

"While the dynamic data in the chip renders the transaction itself safe, it does nothing to secure the data once it's within the merchant's infrastructure, nor does it prevent registration fraud," said Julie Conroy, a research director for Aite Group.