Can You Trust Mobile Phones with Your Money?

Recent reports about the security of mobile phone payments has raised red flags on the next hot payment channel.  Encryption on GSM calls has already been hacked and various researchers have released findings and tools that might encourage cybercrime.  Well, maybe not exactly the motive, but a GSM encryption codebook – a “how-to” guide to break GSM encryption – has been released by a team of German researchers.  Their goal was not to assist cyber criminals, but to encourage stronger security protocols for mobile technology.  A Dutch security firm, XS4AII, discovered a worm that infects iPhone users who conducted banking with ING Group.  Recent news also reported that three researchers from Israel broke an encryption algorithm used to encrypt communications on the, fairly new, 3G wireless networks.  It’s important to note that GSM is employed in over 80% of mobile phone technology and the algorithm used to encrypt GSM phones is over 20 years old.

“…. the algorithm used to encrypt GSM phones is over 20 years old.”

Mobile payments are a hot topic, particularly for companies and merchants targeting the unbanked – or underbanked – segment.  Research by Mercator Advisory Group shows that 68% of consumer payments (by dollar volume) will be electronic-based in 2012.  The group estimates that volume to be 75% by 2017.  Electronic payments offer huge cost savings for merchants, as well as financial institutions.  Consumers are demanding more ways to operate remotely as well as easy ways to make payments.  It’s a win-win for both sides.  However, the fraud issue cannot be ignored.  Since smartphone technology is fairly new, few anti-fraud tools have been developed and even fewer have been deployed.

As smartphones provide access to more sensitive data each year, the need for security is of monumental importance.  There is some protection available for mobile phones, such as McAfee’s VirusScan Mobile (for Windows Mobile phones) and the VeriSign(R) Identity Protection Access for Mobile.  While these programs protect the phone against viruses, worms, spyware and malware, they do not encrypt data being sent or received.  However, VeriSign’s application does use a two-factor authentication tool and iPhones are equipped with Remote Wipe, which can erase the phone’s data remotely, should the phone be lost or stolen.

There are varying levels of security issues, depending on the type of mobile payment (mobile web site, contactless, SMS, etc).  Vulnerabilities of standards, infrastructures, platforms, and technologies (i.e. GSM, NFC, SMS, Bluetooth, RFID, mobile applications, etc.) pose a complicated issue for researchers to develop protections against secure data loss.  Mobile malware and spyware, Trojans, phishing attacks and third-party applications add even more threats.

The future of mobile payments, tagged sometimes as ‘m-payments’, would have credit card data embedded on the SIM card or on a chip in the phone.  (Fingerprint scanning is envisioned further into the future.)  Remote access to the phone and its payment applications would be necessary should the phone be lost or stolen.  This would require agreements between carriers, equipment manufacturers and financial institutions.  Additionally, organizations that deal with sensitive data (i.e. financial, medical, personal identification) would still have to comply with various regulatory requirements (such as HIPAA and SEC) for protecting data.

A new industry consortium, the Financial Services Technology Consortium (FSTC), formed in 2009, is tasked with developing standards for secure mobile payment transactions, regardless of the device or carrier.  Jim Pitts, managing executive of the FSTC’s Payments Standing Committee (Payments SCOM), stated that the standards may also recommend that individuals be authenticated before making a purchase.  Standards will likely include the use of a SIM card or data chip to authenticate the device and authorize the payment.  Due to various technologies and products in use today, the costs required by all parties will likely cause delays in the standards being accepted as well as compliant products and services being deployed.

Contact us Now or Call Us Now at 855-204-3838 and see how we can help you!  Do it Now!