How to Solve Mobile Payment Security Concerns - Security Boulevard

How to Solve Mobile Payment Security Concerns

What are mobile payments?

The term ‘mobile payments’ refers simply to all payments made using a mobile device, including mobile wallets and mobile money transfers. They fall into two groups: online or in-app purchases, and contactless payments at a POS terminal in a bricks-and-mortar store.

Worldwide mobile payment revenue is expected to surpass 1 trillion U.S. dollars in 2019, up from 450 million in 2015. The extraordinary growth in the mobile payments market can be attributed to the popularity of smartphones: the number of smartphone users worldwide is expected to grow by about one billion every five years, reaching 2.7 billion by 2019.

Mobile payment security - illustration of growth of worldwide mobile payment revenue

In 2014, Apple launched Apple Pay, which sparked the popularity of mobile payments and began a new era of convenience for consumers. More and more companies have since joined this increasingly competitive digital payments landscape, including Samsung Pay and Google Pay (formerly Android Pay). However, there are some concerns when it comes to the security of mobile payments.

How do mobile payments work?

Most people have heard of ‘contactless payments’, but the technology behind this type of payment is less well known.

Near-Field Communication (NFC) is the short-range radio technology that enables consumers and businesses to make and accept contactless payments. The same NFC hardware in a smartphone is used by wallet applications such as Apple Pay and Google Pay: the user holds the phone next to a payment terminal to purchase goods.

When making a contactless payment, NFC establishes a close-proximity radio link (the same proximity RFID standard that contactless cards use) between your mobile device and the POS terminal. Once the consumer has verified their identity on the phone, typically with a passcode or fingerprint, the wallet sends the payment data to the terminal and the amount is charged to the linked account. Unlike a traditional card transaction, the wallet does not hand over the real card details: tokenization replaces the card number with a substitute value, and a transaction-specific cryptogram accompanies it, so neither the terminal nor the merchant ever receives the cardholder’s primary account number.

Are mobile payments secure?

Sadly, data breaches are not yet a thing of the past. Attackers keep finding ways around new security technology; one widely reported example was the 2017 bypass of the Samsung Galaxy S8 iris scanner, where researchers unlocked the phone with a photograph of the owner’s eye.

In 2015, the global cybersecurity association ISACA conducted a Mobile Payment Security Study. Its key findings were:

    • Just 23% of respondents believed mobile payments were secure in keeping personal information safe; 47% said they were not secure and 30% were unsure.
    • Cash was deemed the most secure form of payment by an 89% majority, yet only 9% preferred to use it.

In 2016, ISACA released a new guide that challenged the negative perceptions around mobile payment security, pointing to three advantages mobile payments have over card payments: tokenization, device-specific cryptograms and two-factor authentication.

Tokenization

If a merchant’s system is compromised by a cyber attack, thieves will only be able to access tokenized data. A payment token is a substitute value issued by a token service provider (the card network or issuer); it is not an encrypted form of the card number, and there is no mathematical way to recover the PAN from it. The mapping from token to PAN lives only with the token service provider, so tokenized data is useless to criminals who breach the merchant. Unlike a traditional card payment, a mobile wallet never transmits the card’s primary account number (PAN): during a mobile payment transaction, the token is sent to the POS terminal, protecting the real card data both in transit and at rest in the merchant’s systems: ‘Tokenization is the security solution that is pushing mobile payments ahead of card payments in consumer sensitive financial information protection in the continuous race to stay ahead of hackers and other threats’.

Device-specific cryptograms

This technology proves that a payment really came from the cardholder’s enrolled mobile device. When a card is added to a wallet, a key unique to that device is provisioned to it, and for every transaction the device uses that key to compute a cryptogram over the transaction details (token, amount, merchant, transaction counter), which is sent to the POS terminal together with the token and verified by the token service or issuer with the matching key. A cryptogram captured during a transaction is therefore useless elsewhere: it is bound to that device and to that one transaction, so it can neither be replayed nor be generated by another device that has only the token.
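The flow described above for tokenization and device-specific cryptograms, as an added example that is not code from the original post or from CardConnect. It models the three parties (wallet on the phone, merchant POS, token service provider) with plain Python; the message format, the random 16-digit token and the HMAC-SHA256 cryptogram are simplifications of the real EMV tokenization and cryptogram schemes, and the test PAN and merchant names are constructed. What it shows is the property the text claims: a merchant breach or NFC sniff yields only a token plus a single-use cryptogram, and replaying it, altering the amount, or using the token from a second device all fail.

```python
import hashlib
import hmac
import json
import secrets


def _cryptogram(key: bytes, token: str, amount: int, merchant: str, counter: int) -> str:
    """Transaction cryptogram: a keyed MAC over the transaction details.
    Only the device holding `key` (and the token service that issued it) can
    compute it, and it changes with every counter value, so a captured one
    cannot be replayed. Real EMV cryptograms use different primitives."""
    msg = f"{token}|{amount}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Holds the only mapping from payment token to real PAN, plus the
    device-bound key used to verify cryptograms. Merchants never see either."""

    def __init__(self):
        self._vault = {}   # token -> (pan, device_key)
        self._seen = set()  # (token, counter) pairs already accepted

    def provision(self, pan: str):
        """Issue a random token and a device-bound key when a card is added to a
        wallet. The token has no mathematical relationship to the PAN."""
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, key)
        return token, key

    def detokenize(self, message: dict) -> dict:
        """Called by the acquirer/network with what the POS forwarded."""
        entry = self._vault.get(message["token"])
        if entry is None:
            return {"ok": False, "reason": "unknown token"}
        pan, key = entry
        expected = _cryptogram(key, message["token"], message["amount"],
                               message["merchant"], message["counter"])
        if not hmac.compare_digest(expected, message["cryptogram"]):
            return {"ok": False, "reason": "bad cryptogram"}
        if (message["token"], message["counter"]) in self._seen:
            return {"ok": False, "reason": "replay"}
        self._seen.add((message["token"], message["counter"]))
        return {"ok": True, "pan_last4": pan[-4:]}  # issuer would now authorize


class Wallet:
    """The phone side: holds the token and the device key, never the PAN."""

    def __init__(self, token: str, key: bytes):
        self.token, self.key, self.counter = token, key, 0

    def tap(self, amount: int, merchant: str) -> dict:
        """The message that crosses NFC to the POS terminal. User verification
        (PIN or biometric) is assumed to have happened before this call."""
        self.counter += 1
        return {"token": self.token, "amount": amount, "merchant": merchant,
                "counter": self.counter,
                "cryptogram": _cryptogram(self.key, self.token, amount, merchant, self.counter)}


def demo() -> dict:
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN
    token, key = tsp.provision(pan)
    phone = Wallet(token, key)

    legit = phone.tap(amount=1250, merchant="COFFEE-42")
    captured = dict(legit)  # attacker sniffs the NFC exchange or breaches the POS
    results = {
        "pan_in_transit": pan in json.dumps(legit),
        "legit": tsp.detokenize(legit),
        "replay": tsp.detokenize(captured),
        "amount_changed": tsp.detokenize({**captured, "amount": 99999, "counter": 99}),
    }
    # Thief loads the stolen token into a second device that lacks the device key
    thief = Wallet(token, secrets.token_bytes(32))
    results["other_device"] = tsp.detokenize(thief.tap(500, "ATM"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check order in `detokenize` matters: the cryptogram is verified before the replay check, so an attacker cannot use the replay cache to probe which counter values the real device has used.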

Two-factor authentication

Otherwise known as ‘2FA’, this form of security requires two different kinds of evidence before a payment is approved: something you know (a password or PIN), something you have (the enrolled phone or payment card) and something you are (a biometric such as a fingerprint, voice or facial recognition). A wallet payment typically combines possession of the enrolled phone with a biometric or PIN.

These advancements in payments technology are all key factors that make mobile payments appealing to both consumers and vendors, as both parties are protected against fraud and cybercrime.

Mobile payment security - Mobile phone in foreground with security icons, shield, lock, gears and $, surrounding it

What are the risks and how do I protect myself?

Despite the convincing evidence that mobile payments are potentially more secure than credit card payments, there are still sceptics who point out that data can still be stolen as those behind cyber crime become smarter.

Below are 5 key areas where you could be at risk:

    • Lost or stolen devices
    • Phishing scams
    • Weak passwords
    • Using Public Wifi
    • Human error

Lost or Stolen Device

Risk. Most people use their mobile phone as a lifeline for absolutely everything. It has replaced our wallets, business cards and GPS, and more recently our card readers and banking. All of these applications require the user to enter some form of sensitive data, such as passwords, personal information, location and banking details, which is then stored on the device.

How to protect. Smartphone vendors continue to introduce protection technology that can prevent a hacker or thief from accessing your mobile wallet. Device unlock is normally a biometric (fingerprint or facial recognition) backed by a PIN or passcode, and the wallet requires its own user verification before a payment, so a thief who picks up an unlocked phone still cannot pay with it. Keep the lock screen enabled, set a non-trivial PIN, and enable remote lock and wipe so a lost device can be disabled. Tokenization ensures that your card information is never seen by merchants: a randomly generated payment token is used in place of the sensitive card details, so even the data on the phone is of limited use to a thief.

Phishing scams

Risk. Phishing scams have been around for a long time, but as the digital landscape continues to grow, attacks on mobile devices have evolved to new heights of speed and intelligence. According to Wandera’s phishing report from May 2018, phishing is the number one threat affecting organizations today. Around 4,000 new mobile phishing websites are launched every day, and mobile users are 18 times more likely to be phished than to download malware. From 2017 to 2018, messaging apps (170%) and social media (102%) saw the biggest increase in mobile phishing attacks. The top five channels for messenger phishing are: native messaging (SMS or iMessage), WhatsApp, Facebook Messenger, Line and Viber. It is easy to spoof the sender information of a text message.

How to protect. Protecting yourself from a phishing scam predominantly requires common sense. Be vigilant when downloading apps from unknown sources and stick to well-known publishers. If you suspect you have received a phishing text message, delete it immediately and do not click on any links. Pay attention to the URL of websites you are browsing. Because of the small screen, mobile browsers shorten or hide the address bar, so you may not even realise you are visiting a phishing URL; the part that matters is the registrable domain just before the first ‘/’, not the familiar-looking words that precede it.
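The URL advice above, as an added example that is not from the original post: a small checker that judges a link by its registrable domain rather than by the reassuring words that appear earlier in the address, and flags the two tricks that a shortened mobile address bar hides best (a trusted name used as a subdomain or as the userinfo before ‘@’, and a punycode look-alike host). The sample URLs and the trusted-domain set are constructed, and the suffix list is a deliberately tiny stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List, which has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the host's registrable domain ('example.com' for
    'pay.example.com', 'example.co.uk' for 'shop.example.co.uk'),
    or '' if the URL has no usable host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    suffix = ".".join(labels[-2:])
    if suffix in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return suffix


def assess(url: str, trusted_domains: set) -> str:
    """Classify a link the way a careful reader should: scheme first, then
    any punycode (xn--) label that may be a look-alike, then the registrable
    domain against the set of domains you actually trust."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not-https"
    host = parts.hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-host"
    if registrable_domain(url) in trusted_domains:
        return "trusted"
    return "untrusted"


# Constructed samples: each one keeps the trusted name visible somewhere in
# the first few characters, which is all a truncated address bar would show.
TRUSTED = {"example.com"}
SAMPLES = {
    "https://pay.example.com/checkout": "trusted",
    "https://example.com.verify-account.example/login": "untrusted",
    "https://example.com@evil.example/login": "untrusted",
    "http://example.com/login": "not-https",
    "https://xn--exmple-cua.com/login": "punycode-host",
}


def run_samples() -> dict:
    return {url: assess(url, TRUSTED) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:14} {url}  (domain: {registrable_domain(url) or '-'})")
```

Note that `urlsplit(...).hostname` already lower-cases the host and discards the userinfo, which is why the ‘@’ sample resolves to `evil.example`; a checker built on string prefix matching would have been fooled by every one of the constructed samples.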

Weak Passwords

Risk. Being compromised through a weak or reused password is one of the oldest forms of hacking. Even a properly salted and hashed password database does not protect a weak password: once the hashes are stolen, attackers run dictionary and brute-force guessing against them offline, and common passwords fall in seconds. A password reused across sites does not even need cracking, because a copy leaked from one breach is simply tried against every other service (credential stuffing).

How to protect. It may sound obvious, but don’t use the same password for everything, and change a password promptly if the service that holds it reports a breach. Look into using a password manager such as LastPass. These tools generate long, random passwords using a combination of numbers, letters and special characters, and store them all in an encrypted vault, so each account gets a unique password you never have to remember.
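The risk described above, as an added example that is not code from the original post: a salted PBKDF2 password store, an offline guessing attack against a stolen hash, and a manager-style random password that the same attack cannot recover. The iteration count is set low so the demonstration runs in about a second (an assumption; production stores use far more), the word list is constructed, and `demo()` is an illustrative driver, not a real credential store.

```python
import hashlib
import hmac
import os
import secrets
import string

ITERATIONS = 50_000  # kept low for the demo; production values are much higher


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256. Salting stops precomputed tables; it does
    nothing to stop guessing a weak password one candidate at a time."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed word list; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2018!", "football"]


def crack(salt: bytes, digest: bytes, wordlist) -> str:
    """Offline guessing against a stolen salted hash: try each word and the
    mangling rules people actually use. Returns the recovered password or None."""
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1", word + "!"):
            if verify(candidate, salt, digest):
                return candidate
    return None


def generate_password(length: int = 20) -> str:
    """What a password manager does: a uniformly random string from a large
    alphabet, which no word list or mangling rule will ever produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    weak_salt, weak_digest = hash_password("password1")
    strong = generate_password()
    strong_salt, strong_digest = hash_password(strong)
    return {
        "weak_recovered": crack(weak_salt, weak_digest, WORDLIST),
        "strong_recovered": crack(strong_salt, strong_digest, WORDLIST),
        "strong_length": len(strong),
    }


if __name__ == "__main__":
    print(demo())
```

The weak hash falls on the second word of the list with the ‘append 1’ rule, after a handful of PBKDF2 evaluations; the random password survives the whole list, and the only cost the slow hash imposes on the attacker is per guess, which is exactly why a guessable password cannot be rescued by hashing.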

Using Public Wifi

Risk. Two of the most common ways attackers abuse public Wi-Fi are rogue access points and sidejacking. A rogue (‘evil twin’) access point is set up with the same network name (SSID) as a legitimate hotspot, which can be done with almost any device that has an internet connection; phones that join it route all their traffic through the attacker, who can then read or tamper with anything that is not encrypted end to end, such as a bank transfer or online payment made over plain HTTP. Sidejacking is the reuse of a session cookie captured this way to impersonate the logged-in user without ever learning their password.

How to protect. Using a VPN (Virtual Private Network) is one of the better protections on untrusted networks. A VPN encrypts all traffic between your device and the VPN provider’s server, so a rogue access point sees only ciphertext it cannot read without the session key. Note what it does not do: the traffic is decrypted again at the VPN server, so protection between there and the website still depends on HTTPS, and you should still check for the padlock and the correct domain. Be careful when choosing a VPN, as the provider itself can see your traffic and fake VPN apps exist.

Human Error

Risk. Human error or carelessness has been cited as the number one contributor to security breaches. Attackers rely on human error when planning a cyber attack: they count on users to click on insecure links, open emails containing malicious attachments and accidentally download malware.

How to protect. When it comes to protecting yourself against phishing, malware and identity fraud, it almost always comes down to using common sense. As mentioned above, don’t click on links in emails from unknown senders or sources, and be vigilant with your passwords and how you store them. If you want to start using a mobile wallet, load your cards into your phone at home on your own password-protected Wi-Fi (or on your mobile data connection) rather than on a public network at work or in a café.

When it comes to the security of your mobile phone, you may take for granted that it already comes with the highest level of security. However, we are continuing to learn that this is simply not the case. If you lose your wallet, you could spend the next few hours, or even days, calling every relevant company connected to the documents you had in your pocket, and during that time any of that sensitive data could have been accessed, cloned and used by thieves. If you misplace your phone, by contrast, you can remotely locate, lock and wipe it using Android’s Find My Device or Apple’s Find My iPhone.

Mobile payment security concerns are still widespread amongst businesses and consumers alike. However, with the correct education and proper training, mobile payments could see dramatic growth now and in the future. Retailers could finally, collectively, see the huge benefits of going cardless, cashless and paperless, if only to reduce queues at the counter.

If you would like more information on how our P2PE and tokenization work, we’d love to connect with you.

*** This is a Security Bloggers Network syndicated blog from LaunchPointe: Payment Security authored by CardConnect. Read the original post at: