Hacking in Mobile Payments Space

Whether it’s an app, digital wallet, social peer-to-peer platform, or mobile POS or NFC system, mobile payments are the future of payments. However, privacy and security concerns have prevented mobile payments from going mainstream.

Take for example the 2015 holiday season. A survey conducted by Inside Secure found that, despite an increase from 33% to 40% in users planning to make in-store holiday purchases with their mobile device, a whopping 70% of respondents said they would not use their smartphones to make a purchase because of concerns about identity theft.

Another survey, released by the Federal Reserve, found similar results. The report stated that “Concern about the security of the technology was a common reason given for not using mobile banking or mobile payments (62 percent and 59 percent, respectively, of non-users).”

Even those in the cybersecurity industry have reservations about the security of mobile payments. According to ISACA’s 2015 Mobile Payment Security Study, almost half of the professionals surveyed believed that mobile payments are not secure. In fact, 87% of those surveyed expect to see an increase in mobile payment data breaches within the next year.

As the mobile payment space continues to expand, in both usage and profits, hacking remains a serious and viable threat. And it will continue to be that way until the landscape changes.

Mobile Payments Are Vulnerable

Not to scare you, but a number of mobile payment platforms have already been compromised. As Troy Leach, CTO of the PCI Security Standards Council, states in Forbes, “The risk is that there are many different ways payments can move through the mobile payment platform from SIM, to host card emulation (HCE), to in-app purchases.” Leach also said, “Each unique type of transaction requires unique risk for how criminals may attempt to circumvent controls to steal cardholder data or commit fraud.”

Over the last couple of years, the following mobile payment systems have been compromised:

  • Google Wallet has had its fair share of hacks in the past, such as the 2012 hack that exposed users’ PINs.
  • The Starbucks app was hacked in May 2015, with attackers automatically withdrawing funds from users’ bank, credit, or PayPal accounts.
  • CurrentC was compromised in 2014 when the email addresses of pilot participants were exposed.
  • Slate discovered in early 2015 that accounts on the popular mobile-payment service Venmo had been hacked, which resulted in those accounts being drained.
  • Fraudsters were able to hack into Apple Pay accounts at the point where users first entered their credit card information.
  • LoopPay, the core of Samsung’s mobile payment system, was broken into in 2015 by state-sponsored Chinese hackers. While no information was stolen, it’s believed that the group left backdoors so that they could re-enter the system.

That’s not to say that the platforms offered by Apple, Google, Samsung, and others have not addressed this issue. Apple Pay, for example, uses tokenization and its Touch ID to replace credit card numbers and passwords and so increase security.

However, because some platforms, such as Google’s, store credit card information in the cloud, hackers can still break into the system – even if tokenization is used. As Sharon Profis states in CNET, “anything that operates in the cloud — instead of locally — is automatically more vulnerable to security attacks.”

How to Secure Mobile Payments From Hackers

One way to secure mobile payments is to introduce legislation and regulations. The Clearing House (TCH) white paper, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers, suggests that these regulations focus on:

  • Data Security Act of 2015. This is a proposed law that would establish “flexible and common-sense standards for firms of all sizes to follow in order to secure consumers’ sensitive financial information and prevent breaches.”
  • More resources. Provide the FTC with more resources to properly staff investigations and enforcement actions.
  • Better security. Require alternative-payment providers to have the same level of security as banks, such as giving the FTC or the Consumer Financial Protection Bureau examination authority.

Another suggestion from IBM Master Inventor Christopher Hockings is to integrate the following:

  • Access Management: A set of services that, among other capabilities, provide authentication and user context-based decisions for Web and RESTful Web services. When used with the aforementioned capabilities, products in this domain must provide the risk-based framework for authorizing users on devices using particular app code to perform transactions. It must provide this capability along with a set of industry-standard authentication mechanisms for authenticating users.
  • Fraud Protection: Fraud protection services ensure the status of the connecting device is known. This includes the identification of an individual device and attributes of the device, such as jailbroken or rooted state, malware infection status, installation of rogue applications, and the use of root-hiding tools. It provides quantitative, risk-based trustworthiness metrics that reflect the device’s operating state.
  • Application Security: Application protection wraps the app code to ensure executable code authenticity — i.e., that the app being used on the device has not been tampered with.
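To make the three pieces above concrete, here is an added example (written for this article, not IBM's or any vendor's code) of a risk-based authorization decision: device-integrity attributes and an app code-hash check feed a trust score, and the score plus transaction amount decides whether to allow, demand step-up authentication, or deny. The weights, thresholds, attribute names and hash values are assumptions.

```python
from dataclasses import dataclass

# Hypothetical weights: a real fraud-protection engine tunes these from fraud data.
RISK_WEIGHTS = {
    "jailbroken": 40,
    "rooted": 40,
    "malware_detected": 60,
    "root_hiding_tool": 50,      # concealing root suggests intent, so it scores higher
    "rogue_app_installed": 25,
}
DENY_THRESHOLD = 60        # at or above this score the transaction is refused
STEP_UP_THRESHOLD = 25     # at or above this score extra authentication is required
HIGH_VALUE_AMOUNT = 250.0  # transactions at or above this always need step-up


@dataclass
class DeviceState:
    """Attributes reported by the (hypothetical) device-integrity checks."""
    device_id: str
    app_code_hash: str                 # hash of the running app binary
    jailbroken: bool = False
    rooted: bool = False
    malware_detected: bool = False
    root_hiding_tool: bool = False
    rogue_app_installed: bool = False


def trust_score(state: DeviceState, expected_app_hash: str):
    """Return (risk score 0-100, list of triggered reasons) for a device."""
    score, reasons = 0, []
    for flag, weight in RISK_WEIGHTS.items():
        if getattr(state, flag):
            score += weight
            reasons.append(flag)
    # Application security: a wrapped app whose code hash differs from the
    # published build is treated as tampered, which is disqualifying on its own.
    if state.app_code_hash != expected_app_hash:
        score, reasons = 100, reasons + ["app_tampered"]
    return min(score, 100), reasons


def authorize(state, amount, expected_app_hash, step_up_passed=False):
    """Access-management decision: 'allow', 'step_up' or 'deny'."""
    score, reasons = trust_score(state, expected_app_hash)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    needs_step_up = score >= STEP_UP_THRESHOLD or amount >= HIGH_VALUE_AMOUNT
    if needs_step_up and not step_up_passed:
        return "step_up", score, reasons
    return "allow", score, reasons
```

A rooted device running a root-hiding tool scores 90 and is denied outright, while a clean device making a high-value payment is merely asked for step-up authentication.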

You can also take several simple security measures on your own to protect your mobile payment platform from being hacked.

  • Keep the mobile device itself secure by adding extra layers of protection: a strong password, biometrics, and the ability to remotely shut down your device. The same applies to your mobile payment platforms.
  • Only download trusted and secure mobile payment apps.
  • Be cautious on public Wi-Fi connections by using a VPN (Virtual Private Network) service.

Finally, hackers could be thwarted if more mobile payment platforms embraced blockchain technology. Blockchain apps are hyper-secure because third parties are removed from transactions, each token has a unique code known only to the parties involved, and each transaction is recorded on a public ledger. It also takes a lot of energy to break blocks free.