Mobile payment security under scrutiny

Paying for goods using your smartphone is closer to becoming a reality, but how secure is it?

Near Field Communications (NFC) enables the transfer of information stored on a customer's credit card or phone to a retailer's Eftpos terminal.

In New Zealand NFC is being embraced by Paymark and the three mobile telcos -- Vodafone, Telecom and 2degrees -- which are in the process of creating a special mobile payments platform called a Trusted Service Manager.

But how secure is NFC and what can we learn from contactless card payment systems already in the market?

University of Auckland honorary researcher Peter Gutmann says consumers have grounds to feel concerned about security. He observes that banks, which have already deployed NFC-type payment mechanisms through contactless credit cards, claim that electronic readers can only read credit card details within a very short distance, usually a few centimetres, and that this guards against the possibility of a person's credit card details being read without their knowledge.

"But wind up the power and use antennas that detect longer distances and the credit cards have no protection, no encryption whatsoever, the credit card number is there," he warns.
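To make concrete what a reader can pull from a contactless card's record data, here is an added example written for this article; it is not code from Gutmann, from MasterCard or from the original page. It walks a constructed EMV READ RECORD response in Python, flattens the BER-TLV structure and decodes the Track 2 equivalent data. The response bytes, the test PAN 5555 5555 5555 4444 and the cardholder name are constructed for the example; the tag numbers (57, 5A, 5F20, 5F24) and the Track 2 layout follow the EMV specification.

```python
"""Walk a constructed EMV contactless READ RECORD response and pull out the
cleartext cardholder fields (an added example; not code from the article)."""
from typing import Dict, Tuple

# Constructed sample, not a capture from a real card: a READ RECORD response
# carrying a tag 70 record template, followed by the 90 00 status word.
# The PAN 5555 5555 5555 4444 is a widely used test number.
SAMPLE_RESPONSE = bytes.fromhex(
    "70 30"
    "57 12 55 55 55 55 55 55 44 44 D2 51 21 01 00 00 00 00 00 0F"  # Track 2 equivalent data
    "5A 08 55 55 55 55 55 55 44 44"                                  # Application PAN
    "5F 24 03 25 12 31"                                              # Expiration date YYMMDD
    "5F 20 09 54 45 53 54 2F 43 41 52 44"                            # Cardholder name "TEST/CARD"
    "90 00"                                                          # SW1 SW2: success
)


def strip_status_word(response: bytes) -> bytes:
    """Separate the APDU data field from the two trailing status bytes."""
    if len(response) < 2 or response[-2:] != b"\x90\x00":
        raise ValueError("card did not return 90 00: %s" % response[-2:].hex())
    return response[:-2]


def _read_tag(data: bytes, i: int) -> Tuple[bytes, int]:
    """BER-TLV tag: if the low five bits of the first byte are all set, further
    tag bytes follow while their high bit is set (e.g. 5F 24)."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def _read_length(data: bytes, i: int) -> Tuple[int, int]:
    """BER-TLV length: short form (< 0x80) or 0x8n followed by n length bytes."""
    first = data[i]
    i += 1
    if first & 0x80:
        n = first & 0x7F
        return int.from_bytes(data[i:i + n], "big"), i + n
    return first, i


def parse_tlv(data: bytes) -> Dict[str, bytes]:
    """Flatten a BER-TLV structure into {tag hex: value}, descending into
    constructed templates such as 70 and 77."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):  # inter-object padding
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        value = data[i:i + length]
        i += length
        if tag[0] & 0x20:  # constructed object: recurse into it
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def decode_track2(track2: bytes) -> Dict[str, str]:
    """Track 2 equivalent data is packed BCD: PAN, 'D' separator, YYMM expiry,
    three-digit service code, discretionary data, padded to a byte with F."""
    digits = track2.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "discretionary": rest[7:]}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, a cheap sanity check on a parsed PAN."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits, as anything that logs card data should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_card_data(response: bytes) -> Dict[str, object]:
    """Everything below comes straight out of the record with no key and no
    decryption; only the masking step is added by us."""
    tlvs = parse_tlv(strip_status_word(response))
    track2 = decode_track2(tlvs["57"])
    pan = tlvs["5A"].hex().upper().rstrip("F") if "5A" in tlvs else track2["pan"]
    return {
        "pan": pan,
        "masked_pan": mask_pan(pan),
        "expiry": track2["expiry"],
        "service_code": track2["service_code"],
        "cardholder": tlvs.get("5F20", b"").decode("ascii").strip(),
        "luhn_ok": luhn_ok(pan),
        "pan_matches_track2": pan == track2["pan"],
    }


if __name__ == "__main__":
    summary = extract_card_data(SAMPLE_RESPONSE)
    for key, value in summary.items():
        if key != "pan":  # never print the full PAN
            print("%-18s %s" % (key, value))
```

Two things worth noting about what the record does and does not carry. The PAN, expiry and cardholder name are readable with no key and no decryption, which is the point Gutmann makes. The record carries no CVC2 (the code printed on the back), and the chip's transaction cryptogram is generated fresh for each tap, so a passive read yields data usable where only a PAN and expiry are asked for, not a clone of the chip. That distinction is why the two sides of the argument below can both be partly right.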

There have been some well-documented overseas experiments highlighting the dangers of contactless credit cards, most notably the work of Kristin Paget. Locally, NFC was a major topic of interest at Kiwicon 2011. Kyle Gibson, director of Wellington security consultancy Confide, told Computerworld last year that the idea of just "bumping" phones together or passing them over a point-of-sale scanner to transfer funds, without even the protection of a PIN, is worrying.

Gutmann says that at a recent conference in Australia he rigged up a battery-powered reader and, as he walked around the crowded room, it beeped every time it detected a person's credit card. He hastens to add that he had not enabled the reader to download the card data, merely to detect whether it was possible to do so.

"The thing is we don't know how secure it [NFC] would be," says Gutmann.

"The rule of thumb given by security companies is that once a new electronic service gets to 15 percent market share the bad guys start attacking it."

MasterCard country manager Albert Naffah denies that contactless payments are insecure.

He says that "electronic pickpocketing" is a "fallacy which is a story invented by 'security experts' who happen to be selling some sort of solution."

"The fact is that in markets such as Australia and Canada which have led the world in contactless payment adoption, average fraud levels have declined."

He emailed Computerworld a fact sheet from MasterCard regarding its PayPass contactless credit card service, which was first launched in New Zealand during the Rugby World Cup in 2011. The fact sheet claims contactless cards are at least as secure as other credit cards because:

• The PayPass card never leaves your hand when you make a payment. It means you are in absolute control;

• There are no accidental payments: your card must be tapped against the reader at the checkout to work;

• You also don't need to worry about being billed twice. Even if you tap more than once at the checkout, you'll only get billed once for the purchase;

• And MasterCard's Zero Liability protection means cardholders are covered for the costs of unauthorised transactions.

But NFC and contactless payment technology also removes the mental barrier to spending money, Gutmann says.

"Academic studies have shown that the physical act of signing your name to something, for example when you write a cheque, provides a significant psychological barrier to overcome when spending money."

This is slowly being eroded by the move first to PINs on cards and now to ubiquitous contactless payment. Gutmann says that even having the cash in your pocket, in notes and coins, is a physical representation of the amount consumers have and so makes them hesitate to spend it.

The banks counter this by setting a low per-transaction limit for contactless payments; a transaction over this amount requires a PIN. For the MasterCard PayPass card, the limit is set at $80.

In addition to being an expert in cryptography and security, Gutmann has a background in cognitive psychology. This combination of academic disciplines has prompted him to write a book (the manuscript is currently with his publishers) that examines the way systems are designed, not for ordinary users, but for the people that create them.

"Geeks have this nasty habit of designing technology which is really cool and works for them, but doesn't work for anyone else," Gutmann says.

He is also part of an international judging panel for a competition to develop a new password hashing algorithm, one that would make stored passwords harder for attackers to crack.

The intention is to raise the standard of password hashing in e-commerce. Gutmann says the reality is that passwords are inherently insecure, but they remain the best defence against hackers.

"To paraphrase Churchill [who was speaking about democracy as a form of government]: 'passwords are the worst form of authentication, except for all the others.'" Entries to the Password Hashing Competition close on January 31, 2014.
