
Mobile security: the coming battle of hardware versus software

Maria Korolov | June 19, 2015
According to security experts, there are several paths forward for mobile payments, each with its own security implications

Mobile versus web

With all the discussion about ApplePay and what Google and Samsung might or might not do, what actually happens on the ground is that most mobile payments have nothing to do with any of these technologies.

Instead, they are simply web-based payments made via browsers on mobile devices, or dedicated apps. For example, Amazon has a shopping app for smartphones and tablets, and PayPal has a mobile app that lets you send money to friends.

According to San Francisco-based payments company Adyen, these kinds of mobile payments accounted for 27 percent of all online payments in the first quarter of this year, a growth of 39 percent compared to the same period last year.

A small subset of these mobile payments are for local purchases -- you can pay for your Starbucks coffee for example, or your Uber ride, by using their respective apps. These are in-person mobile payments, and totaled $3.74 billion in the U.S., according to Forrester Research. But Forrester expects them to grow faster than other kinds of mobile payments, to reach $34.2 billion by 2019.

Security-wise, the big downside of that approach is the same as for any web-based payment system, said Andrew Blaich, lead security analyst at Bluebox Security. If there were a data breach, hackers could potentially steal all the saved financial information about users.

"And if someone steals your username or password they can impersonate you and make payments under your name," he said.

In addition, the mobile apps themselves could be compromised, said Andrew McLennan, vice president at Metaforic, a mobile security company. This has already happened with both the Starbucks and Uber apps.

Hackers can download the apps, root their devices, switch off wireless connectivity if necessary and then spend all the time they need to take apart and analyze the apps.

"Once they have done this they can weaponize what they learn for later, mass attacks -- from simple theft to more insidious harvesting of personal data for future use, far removed from the original app," said McLennan.

It's not either-or

Because of the way that NFC technology works, if a terminal accepts one payment system, such as ApplePay, then it will automatically accept others, such as Google Wallet. And web-based payments, such as those of Starbucks and Uber, don't depend on specialized payment terminals at all.

That means that neither customers nor retailers will have to choose.

"I think everything will co-exist," said Jerry Irvine, CIO at Prescient Solutions. "It's not whether NFC or HCE are better than one another, but do they fulfill the requirements of secure payments as defined by PCI and banking institutions -- and both of them do."

