Mobile Payment

Mobile payment security risk in a mobile world

October 14, 2016

It goes without saying we’re living in an increasingly mobile world. Yet, in many ways, we’re still catching up to this new reality, especially in industries that work behind the scenes to keep the public and companies safe from those who prey on us. Security is one of these areas, and it often came as an afterthought to many early developers and designers, who, excited by the possibilities of what these new technologies could offer, didn’t yet have a framework for anticipating the risks they would pose down the road. Understandably so. How can you anticipate risk in a totally new paradigm? Consequently, phones still have vulnerabilities that were solved, or didn’t exist, years ago with web systems, and have new emergent challenges that have yet to be discovered as the technology evolves.

By 2020, there will be 11.6 billion mobile-connected devices, as mobile continues to become the channel of choice for everything from online banking to e-commerce. Mobile is the next key step in user engagement and experience, but this vast hockey-stick shaped uptick in mobile proliferation is attracting cybercriminals too. Wherever commerce goes, crime will follow (as the saying goes), and bad actors use stolen identities and compromised devices from major data breaches for their own financial gain.

Along with this uptick in consumer adoption, consumers are getting more comfortable with the idea of using their phone to purchase. Payments made via mobile devices are also increasing. In the United States, for example, mobile payments are expected to total $90 billion by 2017, according to Forrester Research. With forecasts of 210% growth in the total value of mobile payment transactions in 2016 (up to $27.05 billion from $8.71 billion), we anticipate a sharp rise in the amount of mobile fraud.

Capitalizing on this risk, many established and emerging players are looking to leverage the shift to mobile transactions with innovative solutions that support in-store mobile payments. Traditional players, like financial institutions and payment networks, are delivering capabilities for established tech companies and emerging start-ups alike to innovate from the edge. As digital and mobile wallets like Apple Pay and Samsung Pay take off, we will see a parallel growth in attacks targeting mobile platforms. Cybercriminals are developing, and will continue to develop, more sophisticated mobile fraud strategies, including bot attacks, malware, device spoofing, jailbroken devices and rooting.

Mobile security is such a hot topic right now because our phones contain a wealth of personal information hackers would love to dip into. We use our phones for everything we do, from paying for our parking to messaging grandma. While most mobile applications really are just the front end of web applications, mobile apps hold many and varied credit card details and personally identifiable information (PII), making them desirable targets for hackers. Security concerns include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity dampening market adoption. Anyone who does business online needs to sit up and take notice that on mobile, more than on any other device, friction is a purchasing mood killer. And commonly used authentication methods typically cause friction, resulting in a 97 percent mobile commerce cart abandonment rate.

Security vulnerability isn’t purely on the device. Most mobile apps are just the front end for existing web applications, and concerns around legitimate applications passing data to other applications in an unauthorised manner are gaining more attention. Also, as George Hume points out, there is risk in security being an afterthought in the development cycle as application teams move to more lean and minimal-viable-product (MVP) models.

Where the risk picture really starts to emerge is the understanding that a single PIN number or a spoofable fingerprint is typically used to lock all of the stored accounts in a phone, allowing much greater exposure in mobile devices.

It’s clear that, in order to devise better solutions, we need to get past standard methods of consumer identification that use single points of static data to predict risk. We’ve relied too long on device identification, data element matching and static usernames and passwords to define legitimate access. Having all these elements match up in an account application, login or transaction does not mean that interaction is safe and, conversely, having anything fail to match up should not remove all faith that an interaction is valid. Attempts to add dynamic elements, like one-time passwords and SMS text messages, to the authentication equation have traditionally met with consumer confusion, backlash, and rejection.

Deploying advanced user behavioral analytics allows organizations to detect good users more accurately while improving customer experience. Tracking behavioral patterns shows who the real users are, and when it comes to fraud attempts, banks and payment providers can leverage that same information to identify bad actors.
