What are mobile payments?
The term ‘mobile payments’ refers simply to all payments that are made using your mobile device. Mobile payments include the use of mobile wallets and mobile money transfers. There are two types of mobile payments: online or in-app purchases, and using a POS terminal in a brick-and-mortar store.
The worldwide mobile payment revenue is expected to hit $12.06 trillion by 2027, with a CAGR (compound annual growth rate) of 30.1% from 2020 to 2027. The extraordinary growth in the mobile payments market can be attributed to the popularity of smartphones. The number of smartphone users worldwide is expected to grow by one billion every five years, which means that by 2023, the number of smartphone users is expected to reach 4.3 million.
In 2014, Apple launched Apple Pay which sparked the popularity of mobile payments and began a new era of convenience for consumers. More and more companies have joined this increasingly popular, competitive digital payments landscape including Samsung Pay, Android Pay and Google Pay (with the latter finally fully overtaking Android Pay’s place). However, there are some concerns when it comes to the security of mobile payments.
How do mobile payments work?
Near-Field Communication, also known as NFC, is the technology that enables consumers and businesses to make and accept contactless payments. NFC technology is also used in smartphones for applications, such as Apple and Google Pay, which allows a user to hold their phone next to a payment terminal to purchase goods.
When making a contactless payment, NFC technology establishes a connection between your mobile device and a POS terminal. Using close-proximity radio frequency identification, payment data is sent from the phone to the card reader and, once the consumer has validated their identity either via a passcode or fingerprint, money is transferred from the account. As with traditional credit card processing, none of the cardholder data is taken from the card, instead, tokenization is used to replace sensitive data.
Are mobile payments secure?
Sadly, data breaches are not yet a thing of the past. Hackers are constantly finding new ways around technology security, an infamous attack was seen with the Samsung Galaxy 8 Iris Scanner scam in 2017.
According to a PEW survey, US consumers were more likely to believe that mobile payments were “poorly protected” (38%) than prepaid (28%), debit (22%) or credit cards (9%). For mobile payments that use a credit card, still only 35% of consumers said that they were well protected, compared to using a credit card on its own (61%).
Despite consumers’ perception, in reality, there are several security advantages of mobile payments, including tokenization, device-specific cryptograms and two-factor authentication:
Tokenization
Tokenization is a technology that successfully promotes mobile payments, while protecting sensitive customer data against hackers and other cybersecurity threats.
If a merchant system is compromised by a cyber attack, thieves will only be able to access tokenized data. Tokenized data is useless to cyber criminals because customer data is encrypted via a randomly generated token. Mobile wallets do not transmit a card’s primary account number (PAN) as is the case when paying with a credit card. During a mobile payment transaction, the token is sent to the POS terminal, protecting the data while in transit.
Device-specific cryptograms
This technology ensures that a payment originally came from the cardholder’s mobile device. If a hacker managed to obtain data during a mobile payment transaction, the cryptogram that is sent with the token to a POS terminal, cannot be used on another mobile device as it is unique to the original.
Two-factor authentication
Otherwise known as ‘2FA’, this form of security uses two forms of identification for authentication. This can be a combination of a password, a payment card or phone, and a biometric mechanism such as a fingerprint, voice or facial recognition.
These advancements in payments technology are all key factors that make the option of mobile payments appealing to both consumers and vendors, as each party are protected against fraud and cybercrime.
5 mobile payment security issues and their solutions
Despite the convincing evidence that mobile payments are potentially more secure than credit card payments, caution is always necessary.
Below are 5 key areas of mobile payment security issues you should look out for:
- Lost or stolen devices
- Phishing scams
- Weak passwords
- Using Public Wifi
- Human error
1. Lost or Stolen Device
Risk. The majority of people use their mobile phone as a lifeline for absolutely everything. They have replaced our wallets, business cards, GPS and more recently credit card scanners and banking. All of these applications or hardware require the user to enter some form of sensitive data such as passwords, personal information, location and banking details which are stored on the device.
How to protect. Smartphone vendors continue to introduce protection technology that can prevent a hacker or thief from accessing your mobile wallet. Two-factor authentication requires two forms of identification to unlock your device. This is normally a combination of a fingerprint or facial recognition and a PIN number. Tokenization ensures that your card information is never seen by merchants when a randomly generated payment token is created in place of sensitive card details.
2. Phishing scams
Risk. Phishing scams have been around for a long time, but as the digital landscape continues to grow, attacks on mobile devices have seen cybercrime evolving to new heights of speed and intelligence. In a Proofpoint survey, 84% of organizations said they were subject to mobile-based phishing attacks. The FBI reported losses exceeding $4.2 billion in internet crime in 2020, with phishing scams being the top one suffered by individuals and businesses.
How to protect. Protecting yourself from a phishing scam requires you to, predominantly, use common sense. Be vigilant when downloading apps from unknown sources, stick to well-known creators. If you suspect you have received a phishing text message, delete it immediately and do not click on any links. Pay attention to the URL of websites you are browsing. Due to the size of your mobile phone screen, most websites are optimized to reduce URL visibility and you may not even realize you are visiting a phishing URL.
3. Weak Passwords
Risk. Being hacked due to weak passwords, or overused passwords, is one of the oldest forms of hacking. Even the strongest form of password hashing encryption, used by corporate security firms, can fail when it comes to cyber criminals' decryption tools.
How to protect. It may sound obvious, but don’t use the same password for everything, and try and change them once a month. Look into using a password manager such as LastPass. These online password resources will generate strong passwords using a combination of numbers, letters and special characters, and store them all in an encrypted vault.
4. Using Public Wifi
Risk. Some of the most popular ways hackers can compromise public wifi are by creating fake connections and sidejacking (stealing a user’s access to a website through wireless public networks). Fake connections are created by setting up an access point (AP), which can be done using any form of device with internet access, with the same name as a legitimate connection. Hackers then intercept any data in transit, such as a bank transfer or online payment.
How to protect. Using a VPN, or Virtual Private Network is one of the most secure forms of protection against hacking. A VPN establishes a level of encryption between your device and the website you’re browsing, so any data transmitted is unreadable without a unique decryption key. Be careful when choosing a VPN, as even these can be compromised or faked.
5. Human Error
Risk. Human error or carelessness has been cited as the number one contributor to security breaches in a number of scenarios. A study by Tessian found that 88% of data breaches are caused by employees’ mistakes. Hackers rely on human error when planning some form of cyber attack as they count on users to click on insecure links, open emails containing security threats and accidentally download malware.
How to protect. When it comes to protecting yourself against phishing, malware, and identity fraud, it almost always comes down to using common sense. As mentioned above, don’t click on any links in emails from unknown senders or sources, be vigilant with your passwords and how you store them. If you want to start using a mobile wallet, load your cards into your phone at home using your own private wifi. As this is password protected, it is much safer than doing this at work or in public.
Be vigilant and avoid mobile payment security risks
When it comes to the security of your mobile phone, you may take for granted that it already comes with the highest security. However, we are continuing to learn that this is simply not the case.
If you lose your wallet, you could potentially spend the next few hours, or even days, calling every relevant company that had a connection via documentation you had in your pocket. During this time, any amount of sensitive data could have been accessed, cloned and used by thieves. However, if you misplace your phone, you can remotely track it and wipe its data using Android's Find My Device feature and Apple’s Find My Phone.
Mobile payment security concerns are still at large amongst businesses and consumers alike. Nevertheless, with the correct education and proper training, mobile payments could see dramatic current and future growth opportunities. Retailers could finally, collectively, see the huge benefits of going cardless, cashless and paperless, if only to reduce queues at the counter.
If you would like some more information on how our P2PE (point-to-point encryption) and tokenization works, we’d love to connect with you today. Fill out the form below and we’ll connect with you.