
Combatting mobile payment security risks

The widespread adoption of smartphone technology has revolutionised the behaviour of consumers in both the digital and physical spheres. End users are now confident purchasing products and services online and conducting sensitive banking transactions via mobile applications.

One particular shift in behaviour that we have witnessed in the industry is consumers using their smartphones to physically pay for goods or services. A second, and more challenging trend, is merchants using a handset as a payment terminal in stores.

These changes have dramatically altered the way in which the financial and banking sectors operate, with incumbent financial institutions having had to react and become more agile to adapt to the ever-evolving shifts in the market. This is driven both by regulatory positions and expectations and by the demographics of an increasingly cashless society.

The ability to accept payments via a mobile device has gained popularity because it has made mPOS (mobile point of sale) more accessible to merchants and reduces the costs associated with typical hardware terminals, whilst maintaining the speed of transactions.

This provides greater levels of convenience to customers and has increased expectations that businesses should now be able to provide a cashless service for the payment of goods and services.

This is likely to expand as the digital society moves away from cash-based payments, increasing demand for mobile payments.

Mobile payment solutions provide new opportunities for small-to-medium-sized businesses to increase revenue and create an enhanced customer experience. However, as this increased adoption continues to gather pace on a global scale, combatting mobile payment security risks is now more important than ever for businesses of all sizes.

What are the main mobile payment acceptance security issues?

Despite the increased user demand for mobile payment technology, there is still reluctance among both end users and businesses to fully embrace the technology due to security-related concerns. These concerns are not misplaced, as today’s cybercriminals and fraudsters are utilising increasingly complex tactics to target a wide variety of personal and sensitive user data.

The following are some of the main mobile payment security risks that impact both end users and businesses.

Security weaknesses in applications

The majority of security risks that are present are not due to the end user of the application. Instead, they are caused by vulnerabilities in the programming of the app itself, introduced because a secure-by-design approach was not taken to application security, and those vulnerabilities are yet to be discovered.

Often these will not have been considered during the design phase and tend to emerge over time. Once such a vulnerability has been identified by criminals, a single data breach can result in millions of users’ personal information being accessible, leaving them open to becoming victims of fraud.

These types of attacks are a significant threat for end users, which has led to the Payment Card Industry (PCI) regulator introducing stringent requirements for mobile payment acceptance systems to ensure that it is a secure way to pay, especially as the allowed maximum transaction amounts increase.

Network vulnerabilities

Older devices with mPOS applications installed tend to be more vulnerable when it comes to fraud, making them more prone to being hacked by criminals. As fraudsters’ capabilities have become more complex, so too have their methods used to target businesses to acquire sensitive and personal information.

While headlines tend to focus on data breaches at large enterprises, small-to-medium-sized businesses are particularly vulnerable to targeting by fraudsters because they often lack sufficiently robust security measures.

As the number of businesses using mPOS gains traction, being aware of cybersecurity on a wider level is going to be essential to ensure that businesses are guarding against vulnerabilities that could lead to criminals accessing the device via hacking and other associated methods.

Malware injection

Malware has long been used by criminals to gain access to a device and the financial data stored on it. It is usually placed on a handset due to a user clicking a rogue link or an ad that then starts the process of installing the malware.

Malware comes in many shapes and sizes, and regular software updates can help limit the ability for attackers to infect a phone – however at its worst malware can take complete control over a device.

The prospect of malware on a smartphone that is being used as an mPOS device is evidently a major cause for concern. The PCI standards governing mobile payment acceptance focus on protecting against expected malware attacks by requiring the software to reduce its reliance on the security of the device’s operating system.

Mobile payment security solutions

As demand moves more towards cashless transactions from both merchants and end users, mobile payment security is now more critical than ever. This is why Trustonic has a core focus on increasing the accessibility and authorisation rates of payments across the mobile environment.

The introduction of further mobile payment security regulations by the PCI regulator to increase security of payment acceptance systems will lead to greater business and consumer confidence and will further combat security risks and mobile payment fraud.

There are three key standards:

  • CPOC (Contactless Payment on COTS) relates to enabling phones and similar devices to accept payment – typically via contactless (NFC) and without using a PIN. (COTS is ‘commercial off-the-shelf technology’ – i.e. phones.)
  • SPOC (Software-based PIN entry on COTS) relates not to accepting payment, but to accepting a PIN entry, when a separate ‘dongle’ is used to take the payment via NFC or magstripe.
  • CPOC+PIN is really a combination of the two – allowing a phone to both accept the payment over NFC and to accept the PIN entry. This standard is still draft.

The shift towards a commercial off-the-shelf solution opens up mobile payments for a wider number of businesses, but it is not without risks. This is because it is moving away from the practice of custom-built terminals, which have bespoke hardware at their core to provide higher levels of security.

Increases in demand from consumers wishing to pay for higher value transactions with the technology mean that the CPOC standard is gaining traction, especially as it enables any merchant with a compatible smartphone to accept higher value payments. Recently in the UK the limit for PIN-less payment was increased to £100.

However, even broader adoption will be possible thanks to the CPOC+PIN standard, which will revolutionise mobile card payments by enabling PIN entry on smartphones to ensure that higher value transactions are fully secured using PIN on Glass technology.

Trustonic is able to actively support partners towards gaining PCI compliance, including both CPOC and SPOC, as we witness shifts towards secure PIN entry thanks to our TEE and TUI. The technology ensures that the user’s PIN is protected and isolated from their account details.

Our Mobile Application Security solutions empower mobile application developers to seamlessly implement our technology within their applications to provide meticulous levels of security. This is provided on Android devices thanks to the hardware-backed TEE; on iOS this is achieved via a TUI for protecting sensitive interactions, such as user PIN entry.