As smartphones, tablets and other sorts of mobile devices proliferate, enterprises are developing mobile-first strategies for their electronic services. Nowadays, there are already web transactions and interactions that are performed primarily through mobile devices rather than through conventional desktop or laptop computers. Web search is a prominent example: last year the number of Google queries executed from mobile devices exceeded the number of computer-based searches. This trend is gradually extending to all sorts of electronic transactions, such as mobile banking and mobile commerce (m-commerce) transactions. However, when it comes to transactions that involve payments, end users can be more reluctant, especially when they are concerned about security and privacy issues. Fortunately, there is great interest in mobile payments security, including a surge of innovative products and services. Nevertheless, security is not merely a matter of technology solutions; it is a discipline that demands awareness and engagement from multiple stakeholders, including the end users of mobile payment applications.
Mobile Payments Options
Mobile payments concern, in most cases, payments from users who are on the move, including payments at the Point of Sale (POS). The most prominent technologies for supporting such payments include:
- Mobile POS: A large number of mobile transactions are supported by mobile POS (mPOS) devices, which are connected to payment networks via a mobile device. Mobile POS devices allow end users to pay simply by swiping or inserting their conventional payment card in the mPOS device.
- NFC & QR Codes: NFC (Near Field Communication) technology allows end users to pay at a POS simply by using their mobile phone. From a technological perspective, this is based on communication between an RFID (Radio Frequency Identification) link on the mobile phone and a contactless transmitter that is made available at the POS. From a practical perspective, the NFC phone includes a mobile wallet that allows the user to select one of his/her cards, which are emulated in the phone. The phone is tapped on the POS device and the selected card is charged based on communication with the SIM (Subscriber Identity Module) card of the device or with a cloud service that hosts the information about the emulated card. QR codes provide a compelling alternative to NFC payments, as they work in a very similar way. In particular, QR code payments are based on the association of the mobile device with a unique QR code, which is scanned at the POS in order to complete the payment. The user taps his/her phone on the POS device in a manner similar to the NFC mode of payment. QR code-based payments, however, require the involvement of a mobile payments provider, who clears the payments associated with specific QR codes in the cloud.
- Providers of cloud-based services: Beyond QR code-based payments, there is also a list of retailers who manage payments conducted via mobile apps, without any need to scan a code. PayPal is one prominent example of such a cloud-based service. Note, however, that such cloud payments have to be accepted by the merchant as well, i.e. the merchant must be connected to the cloud service provider.
- Mobile Wallets: Mobile wallets provide end users with the means of organizing credit cards, payment cards, coupons, loyalty cards and other forms of payment-related assets that can be dematerialized. Mobile wallets also provide a host of functionalities that increase end users' convenience and engagement, such as location-aware shopping, integration with social media and a wide array of personalization features.
In this complex technological landscape, payment providers, merchants and consumers are threatened in multiple ways. First, the security of the mobile devices that enable the payments can be compromised by malware and spyware. Such malicious software is installed by adversaries on the mobile devices in order to create security holes that allow malicious parties to compromise the operation of the device, including the payment applications that run on it. As a prominent example, malware apps can act as loggers of the credentials or cryptographic keys that are used in the course of payment transactions. Therefore, end users should be very careful about the applications that they download and install on their devices.
Malware finds fertile ground to penetrate a device in cases where the device's security has been weakened. These are the cases of jailbreaking in Apple iOS devices and rooting in Android devices. Jailbreaking and rooting refer to the loosening of the security constraints that these mobile platforms deploy by default in order to prevent the installation and execution of malicious apps. Users are offered the option of relaxing these default constraints in order to boost the performance or the functionality of some other app. However, this can have catastrophic consequences, as it opens a backdoor for malware and spyware.
Another challenge stems from the complexity of the networked interactions of mobile applications. These interactions are performed through a greater number of payment channels than in the past, while at the same time involving multiple cloud infrastructures and services. This complexity increases the number of possible cyber risks and provides more room for adversaries who could attack mobile payment infrastructures. This is the reason why m-commerce service providers are more exposed to cybersecurity attacks and must invest more in security technologies and processes.
Recommendations and Supportive Regulations
Given the above threats, the following recommendations should be taken into account in order to increase the security of mobile payments:
- Protect your account data at all times, both when logging in and when using your account. Make sure that every electronic transaction started on the mobile device is carried through to completion.
- Safeguard your device against malware by activating the available security functions and by disabling mobile services that are not in use.
- Be mindful of physical security measures, such as the secure disposal of your device, to ensure that it is not misused by adversaries.
- Update your device with the latest security features of your mobile platform and apps. Note that many app updates contain security fixes.
Moreover, online payments have recently received significant attention from regulatory bodies, as they handle personal data and transfer sensitive data across different stakeholders. In this context, the second Payment Services Directive (PSD2) has recently been released in order to regulate electronic payment interactions, including mobile payments. PSD2 has also been integrated with banking APIs, Open Banking and various innovative services offered by FinTech enterprises.
In the coming years, the trend towards mobile payments will continue to grow. Hence, financial services stakeholders (including FinTech enterprises) should place emphasis on designing and developing secure payment services for mobile users, along with services that comply with existing and emerging regulations. At the same time, end users should undertake a behavioral change towards more responsible and secure mobile transactions. The future of payments should be as secure as it is mobile.