Mobile security: a moving target
Mobile and NFC payment technologies have been on the rise in recent years. But with many merchants and retail outlets still reluctant to invest in the new technologies, and with the rise of fraud in existing solutions, industry participants are divided over how and whether the technology will ever gain widespread acceptance in developed markets.
In theory, mobile and contactless payment services are all about convenience and ease of use. Customers lacking a bank account can use their mobiles to send and receive money – a model that has seen great success in emerging markets such as Kenya, where mobile payment service provider M-Pesa has 15 million users. Similarly, NFC payment technologies such as Google Wallet allow customers to pay for goods and services simply by tapping their mobile device, rather than dealing with cash. That should reduce the need for checkouts, tills and queuing.
However, not everyone is convinced. Earlier this month, Davide Steffanini, head of Visa Europe’s Italian operation, said that mobile technology such as the mobile wallet was no longer being held back by technology, but rather by retailer and merchant adoption. In other words, if customers cannot use payment innovations at the retail outlets of their choice, the technology will be limited in its usefulness and may struggle to gain traction. That is a view shared by Mark Westbrook, head of payment services at ATM maker Wincor Nixdorf, who argues that the whole of society is moving towards greater speed and convenience.
“Cash is gradually being used less,” he said. “But if you go to a retail outlet and your mobile wallet is not accepted 50 per cent of the time, you’re still probably not going to bother using it. Conversely, from the retailer’s side adding support for a new kind of payment is expensive – a supermarket chain for example, would have to spend a huge amount of money to redesign its IT system to support NFC. Why would it bother? Unless there are major benefits, it’s going to keep using cash.”
Adding to the difficulty is the relatively small customer base that currently has access to technology sophisticated enough to make use of NFC payment facilities, even if they did exist everywhere. Google Wallet’s website lists just six phones that are compatible with NFC. The new Apple iPhone 5 is not one of them, despite being released in September. Even when all smartphones are counted, whether NFC compatible or not, they still account for less than half (46 per cent) of devices used by consumers in the US, according to a study conducted by the Pew Research Center’s Internet & American Life Project in Q1 this year.
“We need to make merchants understand the value of the mobile payment, and industry participants should collaborate to ensure that the technology achieves circularity, so that customers can go to almost any store or any website and use their mobile device to make a payment,” said Alessandro Perego, co-director of the ICT and management observatories, school of management, Politecnico di Milano. “Mobile payments should also be connected with other services and discounts, to attract new users.”
Even where payments innovations have been implemented, customers still face potential pitfalls. Last month, NatWest suspended part of its mobile banking app following a spate of incidents in which criminals were apparently able to withdraw money from unsuspecting customers’ accounts.
The bank says that the Get Cash feature of its mobile banking app, which allowed users to withdraw cash without a debit card, was suspended for maintenance. Customers used their existing online banking account to generate a passcode; after downloading the app to a mobile device, they could then use that code to withdraw the cash.
NatWest withdrew the facility after customer complaints were reported by BBC Radio 4’s MoneyBox programme. However, it is unclear whether the app itself was to blame. Ben Knieff, head of fraud at financial crime and technology specialist NICE Actimize, believes that the hackers probably used phishing emails to obtain users’ security codes, then used a phone to get to
“There are different places for criminals to attack,” said Knieff. “In this case, it was the customers’ home computer that was targeted. The app was just the means they used to exploit their fraudulent gains. The mobile app itself may not be weak – it may use PIN codes, impose limits on cash movements, etc. – but there may be weaknesses in the surrounding processes that can be exploited by malware.”
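The Get Cash flow described above, together with Knieff’s point that an app’s own controls (codes, cash limits) can be sound while the surrounding process is not, as an added Python example that is not code from the article, NatWest or any vendor named here: a service that issues one-time withdrawal codes from an authenticated online session and redeems them under expiry, per-code and daily limits. The limit values, the six-digit code format and the class name are assumptions.

```python
import secrets
from dataclasses import dataclass
# Policy values are assumptions for this example, not the bank's real limits.
CODE_TTL_SECONDS = 3 * 60 * 60   # a code expires three hours after issue
MAX_AMOUNT_PER_CODE = 100        # cap per code
DAILY_CAP_PER_ACCOUNT = 300      # cap on code-issued cash per account per day

@dataclass
class WithdrawalCode:
    account: str
    amount: int
    issued_at: float
    redeemed: bool = False

class GetCashService:
    """Issues and redeems one-time cardless withdrawal codes."""
    def __init__(self, clock):
        self._clock = clock          # injected so the caller controls time
        self._codes = {}             # code -> WithdrawalCode
        self._drawn_today = {}       # account -> cash issued by code today

    def issue_code(self, account, amount):
        """Step 1: called from the customer's authenticated online session."""
        if not 0 < amount <= MAX_AMOUNT_PER_CODE:
            raise ValueError("amount outside per-code limit")
        if self._drawn_today.get(account, 0) + amount > DAILY_CAP_PER_ACCOUNT:
            raise ValueError("daily cash limit exceeded")
        while True:                  # retry on the rare six-digit collision
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in self._codes:
                break
        self._codes[code] = WithdrawalCode(account, amount, self._clock())
        self._drawn_today[account] = self._drawn_today.get(account, 0) + amount
        return code

    def redeem(self, code, amount):
        """Step 2: the code is presented for cash. Returns (ok, reason). Nothing
        checks who holds the code: it is a bearer credential, so a phished one pays."""
        rec = self._codes.get(code)
        if rec is None:
            return False, "unknown code"
        if rec.redeemed:
            return False, "already used"
        if self._clock() - rec.issued_at > CODE_TTL_SECONDS:
            return False, "expired"
        if amount != rec.amount:
            return False, "amount mismatch"
        rec.redeemed = True
        return True, "ok"
```

The limits and one-time redemption cap the loss from a single stolen code, but they cannot tell a phished code from a legitimate one, which is exactly the weakness outside the app that the text describes.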
Some 51,447 unique samples of Android malware were detected in Q3 2012, according to research by online security firm F-Secure. Although Google introduced a new security system, Bouncer, on its Android Play Store, F-Secure has reported that the incidence of malware continues to increase. That rise has been partially attributed to the increase in Android smartphone adoption, with Android phones capturing 81 per cent of the Chinese market, for example. The rise of third-party apps, which may be less secure, has also been blamed.
Of particular concern to users of mobile banking technology is the new version of Zitmo, a piece of malware that targets Blackberry devices. It is designed to steal the mobile transaction authentication number sent by banks to their customers. Criminals can then use the number to make transactions remotely.
“Criminals have infinite creativity and time to try things out,” said Knieff. “Financial institutions have finite resources of both. But the ability of the banks to be agile and react quickly is vital. Customers won’t use an innovation if they think it’s not safe.”
A safer way forward?
For John Petersen, head of business development at fraud prevention company ValidSoft, the fraudsters are simply an unfortunate but inevitable side-effect of new channels of payment. Cyber threats capable of stealing money and private data should be countered by stronger, more integrated security.
“The industry, namely mobile network operators, merchants, smart phone manufacturers, banks and card issuers, all need to work together to find a best practice solution to combat cybercrime,” he said. “As the new transaction model is largely centred around the mobile phone, so too must be the security model. The solution is to use a layered approach to security, incorporating various telecommunications based technologies that use both visible and invisible layers that work in real-time.”
Fortunately for the consumer, mobile devices often contain technologies such as GPS that track the user’s location, front-facing cameras that can be used for face-recognition, and other biometric tools such as voice recognition technology and in some cases fingerprint technology. Drawing on these technologies, Knieff suggests that mobile banking could eventually become safer than online banking.
“While consumers didn’t like biometrics 10 or even five years ago, rising usage of the technology on sites like Facebook has made it more acceptable,” he said. “Consumer sentiment is changing, and I believe there could actually be an opportunity to use some of these technologies to make mobile banking even safer than internet banking is today.”
The concept of a new kind of payments technology infrastructure is also being supported by defence and security technology provider Thales e-Security. In a recent paper, the firm suggested that established payment firms such as PayPal, Google, Apple and start-up firms such as Square will not necessarily use the phone itself as a security layer – instead they will opt for cloud security.
According to Thales e-Security, the advantages of a cloud-oriented approach are that the user credentials are stored remotely, and so are less likely to be lost; fees will be more tailored to the consumer; and clearing will be carried out using fast non-card clearing services such as the Automated Clearing House in the US.
“As an industry we have been talking about the arrival of mobile payments for almost a decade now,” said Ian Hermon, mobile payment security specialist at Thales e-Security. “Even though we have seen big players, such as Starbucks in the retail market, invest in mobile payment platforms, we are still a long way off from having one universally accepted model. Whether the industry moves to place its trust in the handset or in the cloud, one thing is for certain: TSMs need to be trusted by all ecosystem participants to guarantee the success of the overall mobile NFC infrastructure.”