Security and compliance for mobile payments
Date: Fri, 11/06/2009 - 17:32 Source: By Stephen Gibb, Chief Information Officer, Upaid
Mobile payments are on the verge of the mainstream. Gartner predicts that the number of mobile payment users will reach more than 190 million in 2012, representing more than 3% of total mobile users worldwide. And Tower Group, another analyst firm, has reported that mobile banking, separate from mobile payments, will grow to five times its current US level by the end of 2013.
Mobile banking generally refers to using a mobile device to check bank account information, make transfers and direct payments between accounts. By the end of 2009, there will be 10 million mobile banking users in the US alone, a number expected to mushroom to 53 million users in 2013.
From the very beginning of the first wave of Internet commerce in the mid 1990s, Internet payment mechanisms were a serious impediment to adoption. Now, consumers are wary of security issues relating to mobile payments – including authentication, verification and payment validation. The ubiquitous nature of the mobile means many consumers are willing to accept it as a payment tool but there are still security risks associated with user-not-present (UNP) mobile payments. In fact, the Unisys Security Index showed 71 percent of respondents polled in 14 major countries would not consider using mobile devices to conduct financial transactions.
Visa is trialling a system in the UK that will send SMS or email confirmation of card transactions to account holders' mobiles whenever their debit, credit or prepay card is used. The texts include the time, location and amount involved in each transaction. The idea, with credit card fraud on the up, is to offer cardholders peace of mind that payments are being made only by those authorised. If an unwanted transaction takes place, the consumer can put a stop to their card.
In a move to address the concerns over security, a financial services technology group is developing standards for making secure mobile payment transactions. The project is an effort of the Financial Services Technology Consortium (FSTC), an industry group comprising banks, technology vendors, researchers and government organisations which develops technology standards for the financial services sector.
Securing mobile transactions
In some countries, particularly developing nations, mobile commerce uses the most basic and ubiquitous technology to ensure that services are offered to a large percentage of the population via a GSM network and a simple handset. In fact, the only limiting factor of what services are offered is the technology itself.
However, the issue of security remains – whether it is a simple bill payment or a more complex NFC transaction involving pre-loaded credit and a mobile device. Different countries have different security perspectives for mobile payments, largely dependent on the banking infrastructure of the country and the services offered by the local mobile network operators.
A mobile payment security solution must be incorporated both on the device, which is of high value in some countries, and at the service level. Ultimately, the responsibility for security lies with the service provider, be it the financial service provider or the mobile operator.
The most reliable and efficient method of securing mobile transactions is to specify what level of security is needed for the services required. With regard to mobile payments, the most popular user authentication methods are forms of two-factor authentication that combine knowledge of a PIN code with possession of the mobile device (SMS verification). SMS verification, while popular with consumers because the technology is familiar, is a little clunky, can be costly and introduces a delay while messages are relayed. That said, SMS verification is very suitable for low-value transactions or bill payments, where there is little scope for fraudulent activity.
However, the sole reliance on the classic PIN-code protecting the mobile device is not considered to be sufficient to meet most banking regulations. The service provider must provide advice to cover their own liability.
As the payment device itself is by definition physically unsecured, it’s imperative that logical security measures address the appropriate level of risk for each type of transaction. For example, if a user wants to pay a bill then SMS verification may be suitable. However, for more complicated transactions a different method of securing the transaction is required. Encryption on a handset is key to NFC transactions, as is the ability to disable everything on the device remotely if it is stolen.
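The risk-tiered approach described above (PIN plus SMS verification for low-value bill payments, stronger handset-based protection for higher-value and NFC transactions, and never the device PIN on its own) can be expressed as a small server-side policy. The following is an added example written for this page; it is not code from the article, from Upaid or from the FSTC. The transaction types, the value thresholds, the `PIN_PLUS_DEVICE_KEY` method name and the one-time-code lifetime are all constructed assumptions for illustration.

```python
"""Risk-tiered authentication for mobile payments with a one-time SMS code.

Added illustration, not part of the original article or any product.
Transaction types, thresholds and method names are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class TxType(Enum):
    BILL_PAYMENT = "bill_payment"
    P2P_TRANSFER = "p2p_transfer"
    NFC_PURCHASE = "nfc_purchase"


class AuthMethod(Enum):
    PIN_ONLY = "pin"                        # device PIN alone: the policy never selects this
    PIN_PLUS_SMS_OTP = "pin+sms_otp"        # knowledge (PIN) + possession (code sent to the handset)
    PIN_PLUS_DEVICE_KEY = "pin+device_key"  # PIN + signature from a key held on the handset (assumed)


# Constructed policy thresholds in minor currency units (e.g. pence).
HIGH_VALUE_LIMIT = 50_000  # above 500.00 the handset-held key is required


def required_auth(tx_type: TxType, amount_minor: int) -> AuthMethod:
    """Map (transaction type, amount) to the minimum acceptable authentication method."""
    if amount_minor <= 0:
        raise ValueError("amount must be positive")
    if tx_type is TxType.NFC_PURCHASE or amount_minor > HIGH_VALUE_LIMIT:
        # Proximity payments depend on cryptographic material on the handset regardless of value;
        # high-value transfers and bills are treated the same way.
        return AuthMethod.PIN_PLUS_DEVICE_KEY
    # Low- and mid-value bill payments and transfers: PIN plus SMS verification.
    return AuthMethod.PIN_PLUS_SMS_OTP


@dataclass
class _PendingCode:
    digest: bytes        # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts_left: int


class SmsOtpVerifier:
    """Server side of SMS verification: issue a short-lived code per transaction, accept it once."""

    def __init__(self, ttl_seconds: int = 120, max_attempts: int = 3, clock=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock                       # injectable so expiry can be tested deterministically
        self._secret = secrets.token_bytes(32)    # per-process HMAC key; a real deployment would use an HSM/KMS
        self._pending = {}

    def _digest(self, tx_id: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{tx_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, tx_id: str) -> str:
        """Generate a 6-digit code for the caller to relay to the registered handset."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[tx_id] = _PendingCode(
            self._digest(tx_id, code), self._clock() + self._ttl, self._max_attempts
        )
        return code

    def verify(self, tx_id: str, code: str) -> bool:
        """Return True once for the correct code; expired, reused or repeatedly wrong codes fail."""
        entry = self._pending.get(tx_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[tx_id]
            return False
        if hmac.compare_digest(entry.digest, self._digest(tx_id, code)):
            del self._pending[tx_id]              # single use
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[tx_id]              # lock this transaction after repeated failures
        return False


def authorize(tx_type: TxType, amount_minor: int, pin_ok: bool,
              otp_ok: bool = False, device_key_ok: bool = False) -> bool:
    """Decide whether the factors presented satisfy the policy for this transaction."""
    method = required_auth(tx_type, amount_minor)
    if not pin_ok:
        return False
    if method is AuthMethod.PIN_PLUS_SMS_OTP:
        return otp_ok
    if method is AuthMethod.PIN_PLUS_DEVICE_KEY:
        return device_key_ok
    return False
```

The verifier stores only an HMAC of each code, expires it after two minutes, accepts it once, and abandons the transaction after three wrong guesses, which is what keeps a six-digit code acceptable for the low-value tier the article describes. `authorize` shows the policy being enforced: a PIN alone never suffices, and an SMS code does not satisfy a tier that requires the handset-held key.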
Creating standards to secure mobile payments is difficult because the technology available to consumers varies with different phones and carriers. Security needs to be standardized so that if a consumer is paying someone else, the two devices are able to correspond with one another.
There is currently no large-scale commercial m-payment service, so regulation is still in its infancy. M-payments will be regulated in the future, with the FSTC and the Secure Mobile Payment Service (SEMOPS) taking the first steps towards this. However, m-payments need to be allowed to grow to a mass-market volume before being regulated, or the technology may be strangled before it is allowed to prosper. It must be used commercially first and widely accepted as a viable payment method before it is regulated too heavily.
Commercial barriers to the widespread adoption of mobile payments include the high cost of some technologies and differences in national legislation. However, legal and contractual restrictions and obligations are not considered as important barriers against the development of cashless payments.
The future – what lies ahead?
The industry expects more mobile transactions. More Point-of-Sale (POS) integration will increase adoption but opens new security risks. Each new technology development, such as RFID integration, increases ease-of-use but also opens new security challenges.
In addition, upgraded phones will have operating systems that are more susceptible to viruses, and more smartcard data makes devices more valuable. However, some consumer applications, such as location-based services, actually add to security as well as increasing the popularity of a service/device and its usability.
Biometrics will further increase security, but the authentication method can be a security risk. Back-end security will be more of a “honeypot”, and more IP data means more opportunities for sniffing, caching, archiving, and hacking. Finally, payment fraud will be an issue via false entry/data copying, but a more serious problem will be identity impersonation and large-scale disclosures.
Ultimately an international standard will develop to secure m-payments but these types of transactions must be allowed to grow so that the potentially stifling legislation does not turn consumers away and kill the technology before we really see its benefits.