Will mobile payments be safer? They are already are

[Dave Birch] At the Westminster e-Forum, one of the journalists asked me “are mobiles more or less secure than cards?”. It is very difficult to answer this kind of what seems to (but isn’t) a straightforward question. Someone else asked me”are mobile NFC payments secure?”. Well, we are experts in the field and have carried out risk analysis on a number of different systems, so we can only answer “compared to what?”. Anyone who claims that any system is 100% secure hasn’t done their homework, but no-one developing a new payment system would start out with that goal (for the obvious reason that it would be too expensive). What should we compare mobile NFC payments to? I suppose the journalist was right in current circumstances and the benchmark should be plastic cards. In which case, I think the answer is clear.

If the level of fraud around plastic cards is at a some level considered tolerable, then we should aim to make mobile NFC payments more secure than that. This was in the back of my mind while reading an article on the topic that had been sent to me by a journalist asking for comment. The threats set out in this article (and my take on them) are:

1. The threat of having your smartphone stolen, and then used to purchase goods

This is the same as the threat of having your credit card stolen and then used to purchase goods except that people don’t notice when their credit card is stolen, but they do notice when their phone is stolen.

2. The threat of a criminal placing an NFC receptor in close proximity to your smartphone in order to steal your funds. For example, a criminal placing a receptor near your phone while it is in your pocket and you are in a crowded elevator or subway.

This is a wholly non-threat. Even if I could sneak my phone to your back pocket, all it would read would be the same card number and expiry date that you show everyone when you use your card anyway.

3. The threat of intercepting the NFC signal by eavesdropping while you are undertaking a transaction and then altering the signal so that the funds are transferred elsewhere.

This is an non-issue. The digital signature attached to contactless card transactions stops merchants (or anyone else) from altering (or replaying) transactions.

4. Malware on the smartphone.

This is a genuine threat to transaction systems based on mobile phones, but is nothing to do with NFC.

[From How secure is NFC? « Dave Waterson on Security]

My overall take on all this? Mobile NFC payments are safer than than payment cards. Davey Winder was kind enough to quote me making a similar point in an interesting article about the security of contactless payments.

Birch insists that while current contactless payment cards are just as secure as other card payment technologies, contactless mobile phone payments have the potential to be “significantly more secure, since there are a number of characteristics of mobile that make it much harder to defraud people”,

[From Infosecurity – How Secure Are Contactless Payments?]

It’s hard to say definitively that “mobile” is more secure than “cards” because obviously there are lots of different kinds of mobile payments and lots of different types of card (well, two, really, stripe and chip). There was a recent report from the Boston Fed looking at these security issues and comparing the different mobile payment technologies to contrast the vulnerabilities of each.

This report examines in detail how near field communication (NFC) and cloud technologies address security for mobile payments at the retail point-of-sale (POS).   It also provides a brief overview of security for two other mobile technology platforms, QR code, and direct carrier billing (DCB). Each technology manages and processes information uniquely; hence security practices and issues will vary with the technology deployed by each payments platform provider.

[From Mobile Phone Technology: “Smarter Than We Thought” – Boston Fed]

The report makes an interesting distinction between a mobile wallet, where the payment credentials are stored on the mobile device, and a digital wallet, where the payment credentials are stored in the cloud. I think these connect with the final point above about malware and the distinction is important, especially as we are moving from a world of mobile payments to a world of mobile wallets, with lots of software running in the handset.

In the cloud, on the other hand, the threat of mobile malware is strong enough that wallet providers will need to make absolute certain that they understand the nuts and bolts of each mobile platform and operating system for the phones that will carry the wallet.

[From The Issue of Security and Fraud Risk in the Cloud vs. Contactless Mobile Wallet Debate – PaymentsJournal]

There is another way. Suppose the phone just stores the keys to the payment credentials in the cloud? Then the problem resolves to the more manageable (and well-understood) issue of managing keys. Since the keys are small, relative to the data, they can be stored in a Secure Element (SE) or Trusted Execution Environment (TEE) on a mobile handset and then we can ignore all of the nodes and links between the counterparties to a transaction and move to end-to-end security. I think we’re on that track: so not only are mobile phones already more secure than plastic cards, the gap is going to widen.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers