Adoption of mobile payments has been slow, and it's not clear why. Some have suggested the problem is a lack of understanding among consumers. Others have questioned whether mobile payments really address a consumer pain point.
But there’s another reason:
And it’s not just consumers: IT security professionals are nervous too. A
What’s surprising is that many of the measures built into mobile payments—from tokenization and biometrics to end-to-end encryption—seem like significant advances on the security we have now. So what are some of the major mobile security concerns, and are they well-founded?
One big potential risk of mobile payments is old-fashioned social engineering. Even Apple Pay’s
Apple Pay suffered an early setback when it was
As banks tightened their procedures, the issue faded from the headlines. Many banks now call their customers before allowing them to activate Apple Pay. But the system is still vulnerable in several ways.
First, banks whose verification procedures are still lax could get their customers in trouble. Many banks still don’t specify their verification procedures in their Apple Pay FAQs. They may prefer not to publicize their security procedures, or they may just be hoping for the best.
Second, as mobile payments are more widely adopted, best-practice verification procedures may not be scalable, or banks may consider them too expensive. Mobile payments expert
Third, if mobile payments accounts can be verified with a phone call, criminals may turn their attention to fraudulent porting of mobile phone numbers. There have been anecdotal reports of criminals simply
Mobile payments fraud is especially damaging because it allows criminals to turn credit card numbers into virtual cards, enabling card-present transactions. Once the great liability shift of October 2015 pushes the U.S. to EMV technology, and physical cards become far harder to clone, being able to turn card numbers into (virtual) cards will become even more attractive.
Mobile phone payments usually rely on Near Field Communication (NFC) technology, a radio-based communications standard. NFC is simply a standard for transmitting information, and has no built-in security.
Criminals have noticed. In the past, Android phones have proved vulnerable to “
Fortunately, as the name suggests, NFC is a short-range technology, so a digital pickpocket has to get very close to you—or get a device very close to a point-of-sale device—for an attack to work.
But NFC is being taken seriously as a security problem. Experian found that 54% of IT security professionals thought NFC technology increased the risk of a security breach.
Right now, mobile phone malware is not a major issue. Verizon put it best when it reported: “I’ve Got 99 Problems and
Built-in security may limit what hackers can steal with malware. The whole point of tokenization, in particular, is that stealing a token isn’t all that useful compared to stealing a credit card number.
But credit card numbers are vulnerable at one point—when the user enters them for the first time. And that initial stage might be vulnerable to malware.
All this might seem to paint a gloomy picture. But to be clear, many of the measures now being incorporated into the technology—especially tokenization—will be an improvement on current systems. With a staggering
So while mobile payments will require vigilance—and a certain amount of learning from banks and other industry stakeholders—there’s reason for cautious optimism if consumers can be persuaded to come on board.
Stephen Price is CEO of E-Complish.