
The last day of mobile payments

I will keep this blog post short and jump straight to the point (following our recent discussions with a number of key industry players who develop m-wallet platforms as well as phone-bound secure element solutions).

I would greatly appreciate readers' comments on the following two questions:

How many times would consumers need to be subjected to mobile payment fraud ("zero day" attacks, PIN-harvesting malware, NFC relay attacks, "small value" fraud, hostile takeover, etc.) and how much would those consumers need to lose, in order for them to stop using - ever (!) - mobile phones for any financial operation?

How many companies that provide m-payment solutions can ensure that their users are fully in control of every (sensitive) transaction?

With regard to the first question, I had a chance to see "tricks" that make it possible - at least on a semi-theoretical basis - to commit types of fraud that go beyond the wildest imagination of any Chief Security Officer of any large bank. Some of the exploits and "loopholes" are hard to carry out in real life, but only from a logistical point of view (e.g. withdrawing cash every minute from every ATM in the UK is far from trivial to stage, physically...).

As to the second question, any secure element that resides on the phone is - or can be made to be - "always on": it sits behind the same host interface the wallet app uses, and it will sign whatever a correctly formatted request asks it to sign. Once (i.e. "when", not "if") a way is found to access and/or control that SE remotely, e.g. via resident malware, the user - and the bank - would have no way of knowing that it is happening until after the event. The SE protects the key; it does not, by itself, protect the user's intent, because the PIN prompt and the "confirm" button live on the very host that has been compromised.

To put things into perspective, the annual level of attempted fraud against PayPal is around $500m. The level of "realized" fraud (oh, yes) is below $50m. That is the difference between being one of the leaders in payments and becoming a dead fish. Will PayPal be able to remain that good in fraud management? Considering, for example, that PayPal now invites you to pay at a retail POS by entering your mobile number and PIN... (mine are 07777 111 000 and 1234, btw, in case you are too lazy to "shoulder-surf")


Comments: (2)

A Finextra member, 27 September 2012, 22:33:
There is a potential exploit in Passbook for iOS 6. Potentially someone could obtain access to someone's (unsecured) cellphone and use the screen capture facility (power button and home button) to clone a token - this can then be emailed or MMS'ed to a secondary device and used without the original cardholder's knowledge - I have tested and proved this myself. I have notified Apple and recommended they disable the screen grab service whilst Passbook is active/open.
A Finextra member, 27 September 2012, 22:38:

Thank you for sharing that. I guess you are referring to the "remote" capture. That would indeed be a potential security hole - one of the reasons it's safer to close the transaction loop by "pull" from POS (as opposed to "push").
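The screenshot-cloning scenario in the first comment, and the post's question of whether the user stays in control of each transaction, come down to one property: is the barcode drawn on the screen the whole credential, or only a short-lived proof that the real credential is present on this phone right now? The Python below is added here as an illustration; it is not code from Apple, Passbook, Finextra or any wallet vendor. It contrasts a static token (any copy is as good as the original) with a single-use token that carries an issue time, a random nonce and an HMAC under a per-device key which is assumed to live in the phone's secure store and therefore never appears in a screen grab. The device names, the 60-second validity window, the pass number and the timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: a pass issuer and a POS-side verifier, written to show
# why a static barcode survives a screenshot and a short-lived one does not.

# --- 1. Static token: the payload drawn on screen IS the credential ----------

def verify_static(token, enrolled_tokens):
    """POS check for a static pass: any copy of the string is as good as the original."""
    return token in enrolled_tokens


# --- 2. Short-lived, single-use, device-bound token ---------------------------

TTL_SECONDS = 60  # assumption: how long a freshly drawn barcode stays valid


def issue_dynamic(device_id, device_key, now):
    """Generate a one-time token on the phone.

    device_key is a per-enrolment secret shared between issuer and this phone,
    assumed to sit in the secure element / keychain. The barcode only carries
    the issue time, a nonce and an HMAC over both, so a screen grab reveals
    nothing that lets a second device mint fresh tokens later.
    """
    nonce = secrets.token_hex(8)
    msg = f"{device_id}.{now}.{nonce}".encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    mac_b64 = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{device_id}.{now}.{nonce}.{mac_b64}"


def verify_dynamic(token, key_lookup, now, seen_nonces, ttl=TTL_SECONDS):
    """Issuer/POS side check. Returns (accepted, reason)."""
    try:
        device_id, issued, nonce, mac_b64 = token.split(".")
        issued = int(issued)
    except ValueError:
        return False, "malformed"
    key = key_lookup.get(device_id)
    if key is None:
        return False, "unknown device"
    msg = f"{device_id}.{issued}.{nonce}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    expected_b64 = base64.urlsafe_b64encode(expected).decode().rstrip("=")
    if not hmac.compare_digest(expected_b64, mac_b64):
        return False, "bad mac"
    if not (0 <= now - issued <= ttl):
        return False, "expired"      # the e-mailed screenshot lands here
    if nonce in seen_nonces:
        return False, "replayed"     # a copy used after the genuine one
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Walk the screenshot-clone scenario through both designs."""
    results = {}

    # Static pass: the cardholder's barcode payload (constructed value).
    enrolled = {"PASS-4242-0001"}
    screenshot = "PASS-4242-0001"            # what the screen grab captures
    results["static_clone_accepted"] = verify_static(screenshot, enrolled)

    # Dynamic pass: the key stays in the phone's secure store, never on screen.
    keys = {"dev-A": secrets.token_bytes(32)}
    seen = set()
    t0 = 1_700_000_000                       # constructed issue time (epoch seconds)

    live = issue_dynamic("dev-A", keys["dev-A"], t0)
    # Genuine presentation a few seconds after the barcode was drawn.
    results["dynamic_live_accepted"] = verify_dynamic(live, keys, t0 + 5, seen)[0]
    # The same barcode presented again from a clone.
    results["dynamic_reuse_accepted"] = verify_dynamic(live, keys, t0 + 10, seen)[0]
    # A screenshot e-mailed to a second device and used ten minutes later.
    stale = issue_dynamic("dev-A", keys["dev-A"], t0)
    results["dynamic_stale_clone_accepted"] = verify_dynamic(stale, keys, t0 + 600, set())[0]
    # A token minted on the attacker's device, which has no enrolled key.
    forged = issue_dynamic("dev-A", b"not-the-real-key", t0)
    results["dynamic_forged_accepted"] = verify_dynamic(forged, keys, t0 + 1, seen)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The window only blunts the e-mailed-screenshot case. An attacker who captures the live barcode and relays it to a terminal within the window still succeeds, and the single-use check then favours whichever party presents first; that is the same relay problem the post lists under NFC. One reading of the reply's preference for a "pull" from the POS is exactly this: if the terminal originates the challenge and the phone answers it, there is no standing image on the screen for anyone to copy.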


This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.