So, are mobile payments safer than cards? And how can customers, regulators, financial institutions or mobile operators know for sure? Dave Birch and Neil McEvoy examine market developments in m-payment security. Read on to discover their answers...
If mobile phones are going to be used as credit cards with £10,000 credit limits, or annual season tickets worth £3,000 on the rail networks, or as corporate identity cards or log in devices for bank accounts, or for any of a myriad of other transactional purposes, then the service providers, their customers, and their regulators will need to be confident about the security of the systems. We think that if stakeholders carry out methodical risk analysis and implement appropriate countermeasures, they will determine not only that mobile payments can be made safe, but that they would be crazy to carry on using cards!
Mobile payments, mobile ticketing and mobile transactions of all kinds will be central to our lives in the future. In fact for most people, in most of the world, most of the time, mobile will be the only electronic transaction channel, not just the most popular. With 4.6 billion mobile phones in use, with 1.2 billion mobile web users in the world, with 3 billion active SMS users supporting a $100 billion business (yes, as Tomi Ahonen is fond of pointing out, the SMS business is bigger than music, movies and videogames combined) and with the mobile infrastructure continuing to spread, it is not much of a prediction to say that mobile phones will become the world's foremost transaction platform as well as its foremost communications platform.
The transactions may be local via barcodes, Bluetooth or proximity contactless interfaces (such as NFC) or remote via SMS, GPRS and 3G IP, and there are many parts of the world where these transactions, both person-to-person and person-to-business, are already commonplace. In Japan, half of all mobile phones now have a mobile wallet and proximity interface and around a sixth of mobile phone subscribers use the proximity interface, mainly for transit ticketing. In Korea, the T-Cash (mobile proximity purse) scheme already has hundreds of thousands of users. In Kenya, the transaction turnover of the M-PESA mobile money transfer system is already more than a tenth of GDP. In France, all of the mobile operators, the main banks and the payment schemes have co-operated to develop national specifications and are starting a national m-payments roll-out in Nice. In the UK, a mobile proximity scheme will be launched by Orange, Barclaycard and MasterCard in 2010.
Exciting times. With new products and services from handset manufacturers (Nokia Money), operators (Orange Money), banks (Wing) and specialists (Monitise) coming thick and fast, the global market for mobile payments alone is forecast at more than $5 billion in Western Europe (Frost & Sullivan, 11/09) and more than $100 billion worldwide (Research & Markets, 9/09) in 2013. But for many people, across all markets, the first response to these new systems is the same: what about security? This is a perfectly reasonable response: first, because mobile payments are new and both customers and providers are naturally unsure about new transaction channels; secondly, because the "headline" reporting of security can be somewhat misleading.
Here are a few real headlines taken from newspapers and magazines:
"Mobile wallets may be convenient but they also carry a degree of risk"
"Investigators replicate Nokia online banking hack"
"Report blasts holes in contactless security claims"
"Cracked it" (concerning contactless passports)
"Hackers start poking holes in NFC"
"Microscope-wielding boffins crack Tube smartcard"
Well, mobile payment sounds like a combination of risky mobile platform, plus risky smartcard technology, plus risky contactless interface! Surely you would have to be crazy to consider implementing such a system! What are stakeholders to make of this?
If you are a consumer, which you undoubtedly are, is your season ticket more likely to be stolen if it is on a card in your wallet or in software in your smartphone?
If you are a shopkeeper, are you more or less likely to be paid when someone waves a mobile proximity phone over your point-of-sale (POS) terminal or when they put their card in the slot and punch in a PIN?
If you are a law enforcement officer, are you more or less likely to catch a criminal (or terrorist) who is using stolen credit cards or stolen mobile phones?
If you are a regulator, should you be more or less worried about the systemic failure (for technology reasons, not for business reasons) of a handset-based payment service or a web-based payment service?
These are important questions to answer. Fortunately, there is a well-established mechanism for doing so: it is called risk analysis. The goal of risk analysis is to support good decision making: at Consult Hyperion, we use a particular method known as Structured Risk Analysis (SRA) that we have refined over the years to analyse transactional systems thoroughly, but all risk analysis methods share some basic concepts. One of these is "vulnerability". Vulnerability is a characteristic of the infrastructure, not the business. Thus, if we move a well-understood and well risk-managed application from one infrastructure to another, we may introduce new risks into the business via new vulnerabilities.
Consider the example of taking the EMV application (the software that provides "chip and PIN" functions on bank-issued payment cards) and installing it in what is called the secure element on a mobile phone. This secure element may be a special chip in the handset, it may be part of the SIM card or it may be in an SD card or some other removable device. But in any of these cases, the bank issuer's whole supply chain has changed and so the risks are different. When your bank orders your debit card, it orders it from a supplier that has well-established (and audited) procedures for obtaining a chip, embedding the chip in a plastic card, loading the software on to the chip, and testing the hardware and software. When you order a debit card for your phone, then without some special measures the bank will have absolutely no idea what chip your phone has as its secure element, how the software is to be loaded into the chip or what other software is already there. From the bank's point of view, the chip is certainly an "element", but it may not be "secure".
This means, of course, that the risk analysis for a mobile payment application is different from the risk analysis for a traditional payment application. If we put to one side the generic vulnerabilities of GSM and EMV, which are well-known and well-understood, then it is interesting to reflect on the new vulnerabilities.
Last year, the European Network & Information Security Agency (ENISA) published a paper on the security of mobile payments that included a useful classification of these mobile vulnerabilities, dividing them into (broadly speaking) those relating to the secure element, those relating to the handset and those relating to the NFC interface. We have found this to be a very practical breakdown. The vulnerabilities of the secure element are to a great extent the generic vulnerabilities of smart cards and therefore straightforward to feed into the risk analysis process, but the other categories require more thought.
The mobile handset was never designed for transactions, so it is hardly surprising that there are many issues with the current generation that could turn into major problems if not handled properly. For example: suppose that your mobile phone were to contain a "Trojan Horse" that captured the PINs or passwords that you are using. This is a genuine issue, because the keypads in mobile phones are not secure (rather like the keypads in the POS terminals), and it will take another generation of handset design for companies to introduce trusted processing to mobile phones so that, to build on this example, payment applications can lock the keypad.
There are pros as well as cons, naturally. The network-connected nature of a mobile device means that the payment mechanisms in the phone can be "shut down" if the phone is lost or stolen, the payment application's parameters can be changed on the fly and new applications (and, indeed, security updates or patches) can be added almost instantly.
There may be additional "cross channel" vulnerabilities in handsets because of the way they are designed and implemented. It may be that, for example, the Bluetooth interface could be exploited to learn something about the data going to the screen or the NFC interface may be exploited to learn something about the software running on the handset. This is why Consult Hyperion began funding Ph.D. research into mobile cross-channel vulnerabilities at the University of Surrey this year. The findings of this research will, we are sure, introduce more security to the mobile transaction platform and the industry as a whole will benefit.
In the last category, the vulnerabilities of the NFC interface, we have a great head start because the vulnerabilities of short-range 13.56MHz contactless card systems have been studied in great detail. Like any wireless interface, it may be vulnerable to eavesdropping and so forth but there are well-understood countermeasures (such as encryption) to minimise risks. There are lessons that have already been learned from the large scale and widespread use of contactless cards in mass transit (Transport for London alone has issued more than 20 million Oyster cards) and payments (Barclays has issued three million contactless cards and has committed to add contactless to all of its UK cards).
So, are mobile payments safe or not? It's not a "yes" or "no" question, as we hope this discussion has shown. Let's ask another question instead: can we make the risks of mobile transactions manageable? Yes. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment. For a start, people are more likely to notice if their phone is missing, compared to their credit card. Research seems to show that on average it takes a few hours, even almost a day, for someone to notice and then cancel a credit card when they lose it, whereas it will take just eight minutes to call a phone operator and report your phone missing. Add to that the fact that it is easy to determine the location of a phone, and even to communicate with it, which greatly changes the risk and countermeasure situation when compared with cards. In fact, we think the question should be the other way around: from a security point of view, does it really make sense to carry on with little plastic cards, magnetic stripes and passwords?
About the authors:
Dave Birch and Neil McEvoy are Co-Founders of independent technology consultants Consult Hyperion.