Mobile Payments Security Risks & Issues for Merchants (Service Providers) & Customers

The PCI Security Standards Council has been working to improve PA-DSS now that a range of mobile devices are capable of performing financial transactions. Earlier versions of PA-DSS traditionally covered payments made in merchants’ stores and on PCs. Research analysis has shown that mobile devices present a security risk to any payment application, even one that meets all of the PCI data security standard requirements. The payments industry is now concerned about vulnerabilities in the design of mobile hardware and software, and about a lack of security functions in mobile payment software that would mitigate the vulnerabilities of mobile devices.

Mobile payments are an evolving ecosystem within the payments industry, and we have been observing an increase in mobile transactions with PayPal, eBay, Intuit, Google Wallet, and many other companies. There has been a consistent drive toward flexibility for both consumers and merchants that use payment cards and payment devices. That flexibility brings many risks for consumers and merchants, and maintaining the level of trust will be a big challenge.

The rapid development and deployment of new and innovative mobile payment technologies has brought a level of complexity to the industry never seen before. This new complexity and the resulting influx of mobile payment applications introduce a new set of risks and threats that may affect the security of cardholder data and merchants’ data.

Five types of Mobile Payments:

- Mobile at Point-of-Sale (mobile wallet using NFC, tap & go)
- Mobile as Point-of-Sale (using a smartphone as a cash register)
- Mobile Payment Platform (for all kinds of payments: P2P, at the POS, etc.)
- Direct Carrier Billing (“put it on my phone”, for consumers buying ringtones, games, digital content)
- Closed-loop mobile payment (the best examples are Starbucks, Target, etc.)

Mobile Payment Risks:

Consumers Risks:

- Identity theft, information disclosure, replay attacks
- Transaction repudiation, theft of authentication parameters, information disclosure
- Fraudulent transactions, provider liabilities
- Reduced adoption of the technology; “security by obscurity”
- Data disclosure and privacy infringement; profiling of user behavior

Service Provider Risks:

- Denial of Service (DoS)
- Theft of service, replay, message modification
- Theft of content, digital piracy, risk to provider for digital rights infringement, loss of revenue to content provider or merchant
- Theft of service or content, loss of revenue, illegal transfer of funds

Mobile Payment Security Issues

- Man-in-the-middle attacks – applications may use higher-layer cryptographic protocols such as SSL to establish a secure channel on top of the NFC standard.
- Eavesdropping – interception of the communication.
- Takeover – related to the impersonation attack: the customer sees what they expect from their perspective but is dealing with a different entity.
- Data modification – it is relatively easy to alter data by using an RFID jammer. There is no way currently to prevent such an attack. However, some NFC devices can check the RF field to possibly detect attacks.
- Lost property – losing the NFC/RFID card or device opens access to any finder, because the card or device acts as a single-factor authenticating entity. Mobile phones protected by a PIN code act as a single authenticating factor.
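
The replay and message-modification risks listed above can be detected at the application layer, independently of the NFC link. The following is an added example, not code from the original article: it uses an HMAC over the payment, a nonce and a timestamp rather than the SSL channel the text mentions, and the shared key, field names and 120-second window are all assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 120  # assumed acceptance window for message timestamps


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_payment(key: bytes, payment: dict, nonce: str, timestamp: int) -> dict:
    """Terminal side: bind payment, nonce and timestamp under one HMAC tag."""
    body = {"payment": payment, "nonce": nonce, "ts": timestamp}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PaymentVerifier:
    """Processor side: rejects modified, stale and replayed messages."""
    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # nonce -> message timestamp, kept for the skew window

    def verify(self, message: dict, now: int) -> str:
        body = message["body"]
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time tag check comes first; no field is trusted before it.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            return "rejected: modified"
        if abs(now - body["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale"
        # Nonces older than the window can be dropped: such messages are stale.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_SKEW_SECONDS}
        if body["nonce"] in self._seen:
            return "rejected: replay"
        self._seen[body["nonce"]] = body["ts"]
        return "accepted"


def demo() -> list:
    key, now = b"constructed-demo-key", 1_700_000_000  # constructed sample values
    verifier = PaymentVerifier(key)
    msg = sign_payment(key, {"amount": "12.50", "currency": "USD"}, "n-001", now)
    forged = dict(msg["body"], payment={"amount": "1250.00", "currency": "USD"})
    tampered = {"body": forged, "tag": msg["tag"]}
    return [verifier.verify(m, t) for m, t in
            [(msg, now), (msg, now + 5), (tampered, now + 5), (msg, now + 600)]]
```

The timestamp window bounds how long nonces must be remembered; without it the replay cache would grow without limit.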

With so many startups bringing new ideas to it, the mobile payments market is undergoing a transformation and holds a promising future for both consumers and providers, in a world that is witnessing a rise in mobile services based on smartphone technology.

Original author: admin