
Mobile payment security under scrutiny

Sarah Putt | April 11, 2013
Paying for goods using your smartphone is closer to becoming a reality, but how secure is it?

Near Field Communications (NFC) enables the transfer of information stored on a customer's credit card or phone to a retailer's Eftpos terminal.

In New Zealand, NFC is being embraced by Paymark and the three mobile telcos -- Vodafone, Telecom and 2degrees -- which are in the process of creating a special mobile payments platform called a Trusted Service Manager.

But how secure is NFC and what can we learn from contactless card payment systems already in the market?

University of Auckland honorary researcher Peter Gutmann says consumers have grounds to feel concerned about security. He observes that banks, which have already deployed NFC-type payment mechanisms through contactless credit cards, claim that electronic readers can only read credit card details within a very short distance, usually a few centimetres, and that this guards against the possibility of a person's credit card details being unknowingly detected.

"But wind up the power and use antennas that detect longer distances and the credit cards have no protection, no encryption whatsoever, the credit card number is there," he warns.

There have been some well-documented overseas experiments highlighting the dangers of contactless credit cards, most notably the work of Kristin Paget. And locally at Kiwicon 2011, NFC was a major topic of interest. Kyle Gibson, director of Wellington security consultancy Confide, told Computerworld last year that the idea of just "bumping" phones together or passing them over a point-of-sale scanner to transfer funds without even the protection of a PIN is worrying.

Gutmann says that at a recent conference in Australia, he rigged up a reader with a battery and as he walked around the crowded room it beeped every time it could detect a person's credit card information. He hastens to add that he had not enabled the reader to download the information -- merely to detect if it was possible to do so.

"The thing is we don't know how secure it [NFC] would be," says Gutmann.

"The rule of thumb given by security companies is that once a new electronic service gets to 15 percent market share the bad guys start attacking it."

MasterCard country manager Albert Naffah denies that contactless payments are insecure.

He says that "electronic pickpocketing" is a "fallacy which is a story invented by 'security experts' who happen to be selling some sort of solution."

"The fact is that in markets such as Australia and Canada which have led the world in contactless payment adoption, average fraud levels have declined."

He emailed Computerworld a fact sheet from MasterCard regarding its PayPass contactless credit card service, which was first launched in New Zealand during the Rugby World Cup in 2011. The fact sheet claims contactless cards are at least as secure as other credit cards because:

 
