Security can still make or break mobile-payment systems

The market for these systems is getting crowded, but the only way to attract customers to them is to make them inherently safe

Way back in January 2011, I talked about a dawn of mobile payment systems that seemed about to break. A year and a half later, it appears to have been a false dawn, but light is starting to spread on the horizon.

One system that I mentioned back then did come to pass. The Starbucks system that lets you pay via iPhone is up and running and seems to work adequately, though as far as I can tell, it hasn't been a roaring success.

My observations are hardly scientific (and back in December, Starbucks claimed that 26 million transactions had been conducted using its mobile-payment app, making it the largest such program in the U.S.), but I rarely see other Starbucks customers using their iPhones to pay at Starbucks. It could be that people just don't want to go to the hassle of setting up an account -- you have to register a Starbucks account and tether it to your credit card. Whatever the reason, I hardly ever see anyone but me using the system at my local shop.

Regardless of whether people are clamoring to pay for their morning brew with their iPhones, the mobile-payment market is getting more crowded. One player, Square, is offering a mobile payment app that lets customers pay for goods at Square-using merchants with a minimum of fuss. This could be a success, since small merchants that have steered away from accepting credit cards are attracted to another Square offering, a miniature credit card reader and app that works on many varieties of smartphone. An attractive aspect of Square's mobile-payment app is that the merchant never sees the customer's credit card number, unlike with the Starbucks system. Actually, it's about to be just like the Starbucks system, since Starbucks has announced that it will be rolling out Square shortly to its stores. (It isn't clear whether that will replace Starbucks' existing payment system or augment it.) If I'm correct about why Starbucks' system hasn't been widely adopted, the Starbucks deal is sure to boost Square's position as a mobile-payment purveyor.

And just recently, a group of major retailers including Wal-mart, Best Buy, Lowe's and CVS announced a system called Merchant Customer Exchange (MCX). While the details of that system aren't yet clear, it should further increase the visibility of mobile-payment options. Of course, PayPal and Google Wallet are also part of the mobile-payment space. And if that doesn't sound like enough, here comes Apple, whose iOS 6 will feature Passbook, an app that could help bring multiple systems together for use with many merchants and can also handle things like sporting-event tickets, concert tickets and airline boarding passes.

So, clearly, vendors are lining up for mobile payments. The question is whether consumers will do the same.

Security could well be a deciding factor. I firmly believe that the security of these systems absolutely cannot be an afterthought. A massive security failure of any of these could cause equally massive losses for all. Consumer confidence is fickle, hard-earned and easily lost.

As an enthusiastic consumer of technology that makes my life easier, I look for some basic attributes and features in a payment system. These include the following:

Don't show the merchant the account number. This is one area where the "chip and pin" payment systems used pretty much everywhere in the world except the U.S. excel. I've personally been burned by the theft of credit card account numbers more than once, and I'm all too familiar with the inconvenience of having to update my credit card information with all the merchants I frequent. That model was antiquated 20 years ago and hasn't improved with time.

Make it hard to eavesdrop. As much as I like the convenience of using the Starbucks app to buy my morning cappuccino, I don't like that the barcode system it uses can be observed and replayed by a determined attacker. OK, that's not a likely scenario, but it can happen, and it makes me keep my barcode covered for as long as possible. Like credit card numbers that are easy to steal and use, reused and observable barcodes aren't a good idea.

Strongly authenticate the merchant to the customer and the customer to the merchant. Failing to do strong authentication between the chip and the terminal is the problem I wrote about in the chip and pin system, as discovered by Cambridge University researchers a couple of years ago.
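To make the first two principles concrete, here is an added illustration (my own model, not code from Starbucks, Square or any product named above) contrasting a reusable barcode that carries the account number with a per-presentation code: an opaque token id, a timestamp, a random nonce and an HMAC tag that only the enrolled phone can produce, checked server-side for freshness and single use. The 60-second window, the sample card number and the key handling are assumptions for the demo; merchant-to-customer authentication, the third principle, is not modelled.

```python
import hashlib, hmac, secrets

WINDOW = 60  # seconds a presented code stays valid (assumed policy)

class StaticBarcode:
    # Reusable code that is literally the account number (the weak model).
    def __init__(self):
        self.accounts = set()
    def enroll(self, card_number):
        self.accounts.add(card_number)
        return card_number                 # the barcode IS the account number
    def redeem(self, code, merchant_log):
        merchant_log.append(code)          # merchant, and anyone watching, learns it
        return code in self.accounts       # accepted every time: replayable

class OneTimeCode:
    # Per-presentation code: opaque token id, timestamp, nonce, HMAC tag.
    def __init__(self):
        self.accounts, self.seen = {}, set()   # token_id -> (key, card); redeemed nonces
    def enroll(self, card_number):
        token_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.accounts[token_id] = (key, card_number)
        return token_id, key               # only the phone holds the key
    @staticmethod
    def present(token_id, key, now):
        msg = f"{token_id}:{int(now)}:{secrets.token_hex(8)}"
        return f"{msg}:{hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()}"
    def redeem(self, code, now, merchant_log):
        merchant_log.append(code)          # merchant never sees the card number
        token_id, ts, nonce, tag = code.split(":")
        if token_id not in self.accounts or abs(now - int(ts)) > WINDOW:
            return False                   # unknown token or stale code
        key = self.accounts[token_id][0]
        expected = hmac.new(key, f"{token_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                   # forged or tampered code
        if (token_id, nonce) in self.seen:
            return False                   # observed code being replayed
        self.seen.add((token_id, nonce))
        return True

def demo(now=1_700_000_000):
    card, log = "4111111111111111", []     # constructed sample card number
    static, dyn = StaticBarcode(), OneTimeCode()
    s_code, (tid, key) = static.enroll(card), dyn.enroll(card)
    d_code = OneTimeCode.present(tid, key, now)
    results = {"static": (static.redeem(s_code, log), static.redeem(s_code, log)),
               "one_time": (dyn.redeem(d_code, now, log), dyn.redeem(d_code, now + 5, log),
                            dyn.redeem(OneTimeCode.present(tid, key, now + 5), now + 5, log))}
    results["leaks_card"] = (card in log[:2], any(card in c for c in log[2:]))
    return results
```

The static code is accepted on replay and hands the merchant the card number; the one-time code is accepted once, rejected when replayed, and never exposes the card number to the terminal.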

Failures of these basic principles could well enable attackers to break our new mobile-payment gizmos, and we'd all lose if that came to pass. The lure of payment systems that are secure to the consumer as well as the merchant is enormous. I'd love to get rid of that relic of the 19th century, the wallet. But if consumers feel that they are much more secure carrying money in their wallets, mobile payments will never get off the ground in a big way.

And I for one want them to. We were promised the Jetsons, and too often it feels like we're getting the Flintstones.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
