Mobile payments and security -- money walks, money talks

Once upon a time a mobile phone was something we used for talking. Today making a call ranks sixth on the list of most common uses for a mobile phone. Now there’s a new kid on the block that, in time, will push making a call even lower down the list. Mobile payment, or m-payment, is taking off. Early adopters like Starbucks already attribute significant revenue gains to their investment in mobile. Although overall mobile payments adoption and usage rates are still a fraction of standard credit/debit card transactions, industry watchers expect this to change very quickly.

Already this year one in five smartphone users in the US is expected to use mobile payments – a three-fold increase on 2015. As m-payment volumes rise, cyber criminals are sure to follow. It is a new market with fresh vulnerabilities and low awareness of best practice – in short, an opportunity for easy pickings.

A fierce battle is raging among technology providers seeking to dominate the m-payment industry. These range from USSD and SMS based systems in developing countries to near field, near sound, QR codes and Bluetooth in developed countries. For some time the front runner has been near field communication (NFC), or contactless technology as it is also known. But the limited availability of enabled handsets and its slow introduction by industry leaders like Apple have hampered its rate of progress. The market has assumed that one technology would dominate and achieve industry standardization. But this has failed to materialize, causing some incoherence.

Security measures are in equal disarray. The 2015 Mobile Payment Security Study by the global cybersecurity association ISACA revealed that out of more than 900 cybersecurity professionals, nearly half (47 percent) said mobile payments are not secure and carry a significant element of security risk. An overwhelming 87 percent of the respondents expected that the number of data breaches involving mobile payments would surge during 2016. In contrast with the warnings from industry insiders, consumer confidence in m-payments appears not to be affected. While about 89 percent of the experts surveyed agreed that cash was the most secure form of payment, just 9 percent actually prefer to use it.

2015 also marked significant regulatory progress for the mobile payments industry with measures taken in the U.S. to tighten security and amplify fraud prevention. In particular, the House Financial Services Committee decided to advance the Data Security Act and the activation of EMV chip rules that have been advocated by security professionals for years. While these are steps in the right direction, securing the payments sector will continue to be a challenge as the technology continues to develop, mobile payments and wallets go mainstream, and criminals look to reap the rewards of new attack vectors.

Some security experts think it’s only a matter of time before criminals begin to target smartphones. Retailers who spent 2015 securing conventional point of sale systems after the wave of high-profile data breaches are braced for a fresh wave of attacks as they move to expand their m-payments offerings. Earlier this year a picture on social media of a person on a crowded train holding a contactless card reader close to bags and pockets caused quite a stir, showing just how easy it could be for someone to commit m-payment fraud.

As the above example illustrates, when it comes to m-payments, criminals will most likely target the mobile device as the point of greatest vulnerability. The easiest and most reliable way to protect the device is via VPN. Securing m-payment data traffic in this way ensures no traffic ever leaves the device unencrypted. Here are four reasons why VPN is an important technology for m-payments protection:

  • General security – a proven, reliable security technology for mobile devices
  • Encrypted connection – end-to-end encryption prevents criminals from being able to read any intercepted data
  • Endpoint security – an effective way to ensure the endpoint device stays secure
  • Point-of-Sale systems – can also secure the connections of other types of payment system such as Point-of-Sale

It may still be early days for m-payments but the signs are that they are here to stay. The very fact that the technology is at a nascent stage of development makes it especially attractive to cyber criminals. So as businesses consider adding mobile payments to their architecture, they must do so in conjunction with a thorough security evaluation. Care and precautions should be taken to prevent m-payment applications giving criminals easy access to personal data and financial information. In an age where money literally does the talking, one of the surest ways to prevent money from walking is via easy-to-use end-to-end VPN encryption.
