
Security can still make or break mobile-payment systems

Kenneth van Wyk | Aug. 30, 2012
The market for these systems is getting crowded, but the only way to attract customers to them is to make them inherently safe.

So, clearly, vendors are lining up for mobile payments. The question is whether consumers will do the same.

Security could well be a deciding factor. I firmly believe that the security of these systems absolutely cannot be an afterthought. A massive security failure of any of these could cause equally massive losses for all. Consumer confidence is fickle, hard-earned and easily lost.

As an enthusiastic consumer of technology that makes my life easier, I look for some basic attributes and features in a payment system. These include the following:

Don't show the merchant the account number. This is one area where the "chip and pin" payment systems used pretty much everywhere in the world except the U.S. excel. I've personally been burned by the theft of credit card account numbers more than once, and I'm all too familiar with the inconvenience of having to update my credit card information with all the merchants I frequent. That model was antiquated 20 years ago and hasn't improved with time.

Make it hard to eavesdrop. As much as I like the convenience of using the Starbucks app to buy my morning cappuccino, I don't like that the barcode system it uses can be observed and replayed by a determined attacker. OK, that's not a likely scenario, but it can happen, and it makes me keep my barcode covered for as long as possible. Like credit card numbers that are easy to steal and use, reused and observable barcodes aren't a good idea.

Strongly authenticate the merchant to the customer and the customer to the merchant. Failing to do strong authentication between the chip and the terminal is the problem I wrote about in the chip and pin system, as discovered by Cambridge University researchers a couple of years ago.
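The first two properties above, and the customer-to-issuer half of the third, map onto a small design: the merchant sees an opaque alias instead of the account number, the phone displays a time-bound single-use code instead of a static barcode, and a MAC lets the issuer confirm the code came from an enrolled device. The Python below is an added example written for this column, not code from the author or from any payment vendor; the `Wallet`/`Issuer` split, the 60-second validity window, the code format and the shared enrolment key are all assumptions. A static barcode that is just the account number would be accepted as many times as it is observed; this one is rejected on second presentation, after expiry, and after tampering. Authenticating the merchant to the customer is outside what it shows.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 60   # how long a displayed code stays redeemable (assumption for this example)
CLOCK_SKEW = 5        # tolerated seconds the phone clock may run ahead of the issuer


def _code_mac(key: bytes, alias: str, ts: int, nonce: str) -> str:
    """HMAC over everything the merchant will forward, so the issuer can authenticate it."""
    msg = f"{alias}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class Wallet:
    """The customer's phone: it knows only its alias and a device key enrolled with the issuer.

    Note that the real account number is never stored here and never appears in a code.
    """

    def __init__(self, alias: str, device_key: bytes):
        self._alias = alias
        self._key = device_key

    def present(self, now: int) -> str:
        """Build the code shown to the merchant: alias, timestamp, fresh nonce, MAC."""
        nonce = secrets.token_hex(8)
        return f"{self._alias}.{now}.{nonce}.{_code_mac(self._key, self._alias, now, nonce)}"


class Issuer:
    """Payment back end: the only party that can map an alias back to an account number."""

    def __init__(self, enrolment_key: bytes):
        # One shared key keeps the example short; a real deployment would hold a key per device.
        self._key = enrolment_key
        self._alias_to_pan: dict[str, str] = {}
        self._seen_nonces: dict[str, int] = {}   # nonce -> timestamp it was redeemed with

    def register(self, pan: str) -> str:
        """Enrol an account and hand out the random alias merchants will see instead of the PAN."""
        alias = "acct-" + secrets.token_hex(4)
        self._alias_to_pan[alias] = pan
        return alias

    def _forget_old_nonces(self, now: int) -> None:
        """Replay state only needs to cover the validity window; older codes fail the time check."""
        cutoff = now - WINDOW_SECONDS - CLOCK_SKEW
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t >= cutoff}

    def redeem(self, code: str, now: int) -> tuple:
        """Validate a code forwarded by a merchant terminal; returns (accepted, reason)."""
        try:
            alias, ts_s, nonce, mac = code.split(".")
            ts = int(ts_s)
        except ValueError:
            return (False, "malformed")
        if alias not in self._alias_to_pan:
            return (False, "unknown alias")
        # Constant-time compare: the MAC is the only thing binding alias, time and nonce together.
        if not hmac.compare_digest(mac, _code_mac(self._key, alias, ts, nonce)):
            return (False, "bad mac")
        if not (now - WINDOW_SECONDS <= ts <= now + CLOCK_SKEW):
            return (False, "expired")
        self._forget_old_nonces(now)
        if nonce in self._seen_nonces:
            return (False, "replay")     # an observed code shown a second time is refused
        self._seen_nonces[nonce] = ts
        return (True, "ok")


if __name__ == "__main__":
    key = b"constructed-enrolment-key-for-demo"
    issuer = Issuer(key)
    alias = issuer.register("4111111111111111")   # constructed sample PAN
    wallet = Wallet(alias, key)
    code = wallet.present(now=1_000_000)
    print("merchant sees:", code)
    print("first use:   ", issuer.redeem(code, now=1_000_010))
    print("replayed:    ", issuer.redeem(code, now=1_000_020))
```

Running the script prints a code that contains the alias but no digits of the account number, an accepted first redemption and a `replay` refusal for the second. The nonce table is pruned to the validity window because anything older is already rejected by the timestamp check, which keeps the replay state bounded without weakening the guarantee.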

Failures of these basic principles could well enable attackers to break our new mobile-payment gizmos, and we'd all lose if that came to pass. The lure of payment systems that are secure to the consumer as well as the merchant is enormous. I'd love to get rid of that relic of the 19th century, the wallet. But if consumers feel that they are much more secure carrying money in their wallets, mobile payments will never get off the ground in a big way.

And I for one want them to. We were promised the Jetsons, and too often it feels like we're getting the Flintstones.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
