
Mobile wallet security

Over the last few months various groups have launched their mobile wallet offerings.

In the U.S., Isis, the mobile payment initiative that AT&T, T-Mobile and Verizon started last November, recently announced plans to launch a pilot project in 2012. This project will create a payment network that enables customers to pay, redeem coupons and store merchant loyalty cards, all with the tap of their phone.

More recently, a joint venture between Vodafone, Everything Everywhere and O2 announced that it is set to ‘deliver the technology required for the speedy adoption of mobile wallet and payments’. Back in May we of course saw Google launch its platform, which turns Android smartphones into digital wallets.

The Vodafone, Everything Everywhere and O2 offering, if not the other wallets announced, will take the form of a SIM-based wallet, meaning it can be used regardless of which NFC-enabled mobile device or mobile network customers are using.

But what does that mean in terms of security? How exactly do you get the wallet onto the SIM in a secure way? As mentioned in previous blogs about security challenges in the age of mobile payments, usually the provisioning of wallets or applications is done ‘Over The Air’ (OTA).

The standards for putting payments on phones are now taking shape, but building the data needed to issue a payment application, and creating the secure messages required to personalize the mobile phone OTA, can be a lengthy and inefficient process. It requires multiple core cryptographic functions, which may expose sensitive data.

The activity around mobile wallets has only really just begun and it will be interesting to see which players prove the most successful, but the fact remains that the security of mobile payments is one of the customer’s main concerns. The availability of a more efficient and secure means to enable issuers to provision wallets over the air to mobiles will undoubtedly pay dividends in the long run.

 


Comments: (2)

John Dring - Intel Network Services - Swindon, 22 August, 2011, 15:42

These schemes use the secure SIM storage for one good reason - it's the only component that the Operators have control of that the Banks do not. There are other good reasons too, such as removing the need to be within radio coverage, which is important if you are in the basement of a retail shop trying to pay-by-phone.

But the side effect is to create a prepaid-wallet that you need to store credit on.  And your point is the OTA topup?  I actually don't see it as an issue at all.  No more than ANY online commercial txn.

But I don't like the idea of creating another payment bucket... the mobile subscriber already has a perfectly good source of funds - their prepay account or their post-pay account. Both can be used to pay for stuff. Why create a second pot of funds? Simply provision the wallet with pseudo credit in the form of dynamic payment rules. The rules link to the pre or post pay account and vary according to the previous status, bill type, spend history, or operator/user settings (e.g. max spend per txn). That way you are combining the benefits of the local SIM based wallet with the existing billing relationship.

I doubt the ISIS and UK schemes are planning this, but to be truthful I have not checked yet. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 23 August, 2011, 17:32

Using mobile phone prepay / postpay accounts - I imagine it's the same as MNO Billing - as a substitute for m-wallets is a great idea in theory. However, MNOs seem to demand as much as 40% in transaction fees, thus restricting their use to high-margin virtual goods industry. Zong, BOKU and other GenY Mobile Payments / MNO Billing companies are constantly hoping that transaction fees will drop to 10%. However, until that happens, a bulk of what we call 'mobile payments' is really a misnomer, with the mobile phone used simply as another form factor instead of key fobs or plastic cards. The transaction continues to be funded via credit cards, debit cards and other conventional bank-issued instruments and run over the conventional card network rails. That's why whenever I hear that mobile payments will disintermediate banks from the payment loop, I have a good laugh:  Much of what we know today as mobile payments will not exist without banks.