Mo' money mo' mobile payments... Security risks? Whatever!
Despite experts' concerns, adoption is rocketing in some parts of the world
Analysis: A survey on global mobile wallet adoption, published Tuesday, has sparked a lively debate about how banks and fintech might face off in the expanding market for mobile payments.
Global payments software firm ACI Worldwide found that security concerns, while present, are not holding back uptake.
Steven Murdoch, a security researcher at University College London and authentication vendor VASCO, said that the situation with mobile payment security is mixed.
"In terms of risks, it's far easier to compromise a smartphone than a card. Cards are simple special-purpose computers, engineered primarily for security, whereas smartphones are complex, general-purpose computers potentially running software from dubious sources."
The iOS Secure Enclave and Apple's prompt software update practices make iPhones pretty good in terms of security. By contrast, Android is considerably less secure: most phones get delayed security updates or none at all, and hardware security features are either absent or unused.
Bringing smartphones into the payments mix can also bring security benefits. Applications can incorporate their own security protections, which can improve the situation.
Murdoch told El Reg: "There is the potential of having the phone act as a trustworthy display showing the customer what's going on. Contactless cards almost never have a display and so customers have to rely on the potentially malicious terminal and hence are vulnerable to the relay attack.
"The phone can also maintain a log of transactions, that's under the control of the customer, which could help them in the case of disputes. Finally there's biometric (face, fingerprint, perhaps iris) authentication, which is far from perfect but in many ways superior to the four-digit PINs that myself and others have shown to be very problematic for customers."
Lu Zurawski, practice lead for retail banking and consumer payments at ACI Worldwide, told El Reg: "It is clear that mobile devices will play an increasingly central role in the future of payments; not just as mobile wallet enablers, but also as vital components of digital payment security. Our research suggests that consumer confidence in mobile security is firm, which is good news as payments providers increasingly seek to integrate authentication and notification capabilities within their mobile service offerings.
"The challenge ahead is to use mobile technology, including identity and credentials checking, biometric capabilities and transaction initiation (using contactless technology as well as QR codes), in a way that is easy to use and trustworthy for consumers."
Mobile payment is becoming the new battleground between banks and fintech firms, according to ACI Worldwide. The rollout of immediate payments schemes worldwide, combined with new regulation in Europe based on the Revised Directive on Payment Services (PSD2), is pushing increased competition.
"Fintechs are much better at it than incumbents," said Neira Jones, a payments expert who serves as non-executive director for Cognosec and Comcarde, adding that developments in biometrics and the push for frictionless experiences will be a factor in the market shakeup.
Competition will extend beyond mobile payments into the wider field of mobile services (banking, insurance) and everything related to them, such as identity/authentication, Jones said.
Competition will vary with geography – mobile payments like M-PESA have a specific market and specific infrastructure issues, which the Western world does not have. For example, QR is very popular in Asia, but not in Europe/US, she added.