Mobile payment systems: A disaster waiting to happen

The apps may be well thought out, but until the underlying security of the devices they run on improves, look out

When I saw the Computerworld article about Square touting how it is going to replace cash registers with iPads, I was dismayed that there was no discussion of security. And Square's app isn't the only payment app that makes me anxious. While I admit that I would find applications such as Square Register and Google Wallet useful, turning mobile devices into credit cards or credit processing systems is foolish at this time.

OK, some of these payment applications are pretty cool. Square Register could be really convenient for small-business people, making accepting credit card payments practical for businesses that make few transactions. For some small companies, that could be a competitive edge. Likewise, applications like Google Wallet that let you pay for things by having your smartphone communicate with a terminal consolidate another function onto a device that people always have with them.

But cool only takes you so far.

First, let's take a look at Google Wallet, which to me represents the greatest chance for disaster. Google touts three primary security features: a PIN to use when making a purchase, a special chip for storing your credit card on your phone and PayPass technology to ensure that the credit card number is encrypted when being transmitted to the payment devices.

All of that probably sounds great to the layperson. But it is great only if the phone itself is fundamentally secure, and this is far from the truth. We have already seen malicious Droid applications, and it is widely acknowledged that Google doesn't adequately vet Droid applications from a security perspective. A smartphone's operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment. And before the PayPass technology can encrypt and transmit the data, the data must make its way through the operating system.

In security terms, this is like putting an airbag on a motorcycle. If the motorcycle crashes, it is possible that the airbag might help, but there are so many other things that could go wrong.

It's true that PCs and other payment systems have been subjected to the sorts of attacks that I am concerned about with regard to cell phones. And, yes, there have also been attacks against point-of-sale systems. Nonetheless, there is a complete void when it comes to security tools and awareness for cell phones. All you need is a malicious Angry Birds, and it will make the Heartland data breach seem like a footnote.

The Square applications carry pretty much the same shortcomings as Google Wallet. Square's Card Case app certainly is no better -- and it doesn't have a secure storage chip or PayPass encryption ability. On top of that, it offers the location-based ability to run up a tab. Card Case also relies heavily on the native operating system, which is a major security concern. It doesn't take a genius to predict that as iPhones and iPads become a preferred platform for financial transactions, they will become a preferred platform for cybercriminals, and the malware targeting these platforms will increase exponentially. As Willie Sutton told us long ago, criminals follow the money.

To a certain extent, I am less concerned about the Register application. But has anyone pointed out that companies that use an iPad as a register must not use it for anything else? Any device that is used for Internet browsing or accessing other data and applications is at significantly greater risk for exposure to malware. With that said, though, there is still the concern raised by the fact that very few iPads and Android tablets use even minimal security.

And any sort of financial transaction requires much more than minimal security. When you get down to it, Google Wallet and Square rely on insecure platforms for their foundations. Until there are significant improvements in the underlying security of smartphones and tablets, it would be foolish to use these technologies. And that underlying security is out of the hands of Square, though it is something that Google and the other platform developers must address.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site,
