Mobile Payments and Security: How to Avoid Risks
E-commerce actively uses mobile applications to make payments. It is much more convenient and safer than paying in cash. Technologies focusing on users’ convenience will always attract the attention of customers.
Secure mobile payments will significantly improve the quality of customer service of your business, optimize processes and reduce costs.
Undoubtedly, mobile payments will continue to evolve. They have every precondition to fully replace plastic cards.
Mobile payment is a monetary transaction conducted by means of a mobile device, most often a smartphone.
Advantages of Mobile Payments
- Mobile payments improve relations with your customers
Simplicity is the key to success! Steps are minimized, the customers don’t have to remember their cards or answer any questions related to security checks. A transaction is carried out literally by one touch. According to Statista, mobile payments are rapidly gaining popularity.
- Mobile payments help develop your market strategy
Thanks to mobile payments, you can access information about your customers' personal preferences or the history of their purchases. You can easily segment customers for marketing purposes to draw their attention to certain types of goods during (or after) a purchase.
- Mobile payments are simple and safe
Mobile payments are actually more secure than other forms of payment. Since the data for a mobile payment are encrypted, the risk of their theft is significantly reduced. In such a situation, customers feel more confident, which ultimately strengthens their trust in you.
Payment Systems and Services
According to many experts, mobile payment methods offered by major providers are more secure than physical cards and cash. When you pay by credit card, there is still a risk that your details can be copied by scammers. Electronic payment systems use such security methods as encryption and tokenization to mask the numbers of payment card accounts during the payment.
- Android Pay
It never transmits any information about users' credit or debit cards. In fact, it does not even store credit card numbers on the device. Instead, the system uses tokens: a one-time set of numbers that is of no interest to intruders. In addition, the app is linked to the device on which it was first registered and launched, which makes mobile payment even more secure.
- Apple Pay
It uses a similar process. When a customer enters card data into Apple Pay, the system encrypts the data and sends them to Apple servers. The data are forwarded to the bank, which generates a device account number and sends it back to Apple.
Without decrypting the device account number, Apple sends it to the Secure Element on the customer's phone. Therefore, neither the device account number nor the payment card number is stored by Apple.
- Samsung Pay
It applies several methods at once to ensure security. It prevents cyber attacks by using KNOX security infrastructure and fingerprint authentication, in addition to tokenization.
Risks of Mobile Payments
Despite all measures taken, mobile payments are not completely protected from hacker intrusions and theft of personal data. Why is it so? The thing is that most risks related to mobile payments are caused by how the customers use them.
In 2015, the non-profit organization ISACA surveyed more than 900 cybersecurity experts to identify the most pressing security threats to mobile payment apps.
Apart from outright theft of money, the respondents outlined the 3 most significant security concerns related to mobile payments:
- use of public Wi-Fi on a payment-enabled device;
- lost/stolen devices;
- e-mail phishing.
Besides, there is always a risk that a user mistakenly downloads a cloned app, deliberately laced with a virus, instead of the authentic payment app. Older phone models are also more vulnerable to fraud, because they are easier to hack.
Recently, the Czech company Avast conducted a global survey involving more than 40,000 people from 12 countries. In the survey, people were asked to compare the authenticity of an official bank interface in a mobile app with a fake created by intruders.
They got interesting results:
Ways to Ensure Mobile Payment Security
- Contactless mobile payment based on the NFC technology
NFC technology in itself is not new. Previously, it was used for access passes, travel tickets and airplane boarding passes. Now it is successfully integrated into mobile devices.
NFC payment is extremely simple: the mobile device is brought close to a payment terminal and the data are exchanged literally in an instant. The credentials live either in a built-in chip on the phone (the Secure Element) or in a regular SIM card. Two properties follow from this design:
- all valuable data (tokens, limited-duration codes) are stored in the Secure Element;
- no other party, including other apps on the phone, has access to the payment system.
- Cloud-based payments
Cloud-based payment technology is an alternative to storing card payment details in a secure module of the mobile device.
All information is stored on a remote server, while the phone runs HCE (host card emulation) software. The app running on the phone responds to commands from the POS terminal (the external reader).
The data held by the HCE app are of no value to intruders: they can be decrypted only by this app and only on the phone on which it is running, and they cannot be used to make payment transactions over the Internet (as is the case with an ordinary bank card).
Where a Secure Element is used instead, it is provided either by the phone manufacturer or by a mobile operator involved in the development of the app.
4 Levels of Security Protection
- All data are stored in a file system
This is the simplest and cheapest method, but at the same time the least reliable. If the phone falls into the hands of an attacker who gains administrator access, the entire file system, and every record in it, can be read and modified.
The risk rises considerably if the file system is unencrypted, so it is better to use an encrypted file system.
- Remote server for data protection
When using this method, the app interacts only with tokens, while the card details remain on a remote server. It is relatively cheap, but still not an ideal option for ensuring security.
- TEE (trusted execution environment)
A separate, stripped-down OS is developed that runs on the same chip as the main OS. The two systems are isolated from each other, and the mobile app has no access to the data generated and stored within the TEE.
This method gives a higher level of protection, and the price is correspondingly higher.
- Secure Element, or SIM card method
This is the most serious (and most costly) level of security in all respects. All information is stored inside the Secure Element, a specially certified microchip. OS apps have no access to it.
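The tokenization described under Payment Systems and Services (one-time tokens, an app bound to the device it was enrolled on) and the "remote server for data protection" level above rest on the same idea: the app and the merchant only ever handle a token, while the real card number stays in a vault. The following Python sketch, added here as an illustration and not any provider's code, models such a vault with single-use, device-bound, time-limited tokens. The class and method names (TokenVault, enroll, issue_token, redeem), the device identifiers and the card number are all constructed for the example.

```python
"""Illustrative token vault for mobile payments (added example, not any provider's code).

The vault is the only place the real PAN (card number) exists. The phone app keeps an
opaque device account id and requests a fresh token per payment; the processor redeems
the token. A token that leaks from the app or the merchant is useless: it is tied to one
device, expires quickly and can be redeemed only once.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def mask_pan(pan: str) -> str:
    """Display form of a PAN for logs and receipts: only the last four digits survive."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class TokenRecord:
    pan: str
    device_id: str
    issued_at: float
    used: bool = False


@dataclass
class TokenVault:
    """Server-side vault (hypothetical); holds PANs and the tokens issued for them."""
    ttl_seconds: float = 60.0
    # device account id -> (pan, device_id it was enrolled on)
    _enrolled: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # token -> record
    _tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    def enroll(self, pan: str, device_id: str) -> str:
        """Bind a card to one device; return the opaque id the app stores instead of the PAN."""
        device_account_id = secrets.token_hex(8)
        self._enrolled[device_account_id] = (pan, device_id)
        return device_account_id

    def issue_token(self, device_account_id: str, device_id: str,
                    now: Optional[float] = None) -> str:
        """Issue a fresh single-use token; refuse if the requesting device is not the enrolled one."""
        pan, bound_device = self._enrolled[device_account_id]
        if not hmac.compare_digest(bound_device, device_id):
            raise PermissionError("device does not match enrollment")
        token = secrets.token_urlsafe(16)
        issued_at = time.time() if now is None else now
        self._tokens[token] = TokenRecord(pan, device_id, issued_at)
        return token

    def redeem(self, token: str, device_id: str,
               now: Optional[float] = None) -> Optional[str]:
        """Called by the processor. Returns a masked card reference on success, or None
        for an unknown, replayed, expired or wrong-device token."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if rec.used or now - rec.issued_at > self.ttl_seconds:
            return None
        if not hmac.compare_digest(rec.device_id, device_id):
            return None
        rec.used = True  # burn the token: a second redemption is rejected
        return mask_pan(rec.pan)


if __name__ == "__main__":
    vault = TokenVault(ttl_seconds=60)
    acct = vault.enroll("4111 1111 1111 1111", "device-A")  # constructed test card
    tok = vault.issue_token(acct, "device-A")
    print("app holds:", acct, "token:", tok)          # no PAN anywhere on the phone
    print("redeem from wrong device:", vault.redeem(tok, "device-B"))
    print("redeem from enrolled device:", vault.redeem(tok, "device-A"))
    print("replay of same token:", vault.redeem(tok, "device-A"))
```

The fixed-time comparisons (`hmac.compare_digest`) and the short TTL are the two details most often skipped in quick implementations; the TTL is what turns a stolen token into a dead one even if the device check were somehow bypassed.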
To improve the security of your apps, we recommend an analysis and an independent audit both during development and at the final stage of product implementation. This lets you identify vulnerabilities and test the security of your app before it reaches customers.
3 Tips to Help You Avoid Security Problems
1. Educate your customers
Do everything possible to ensure that your customers are aware of dangers related to cloned apps. Educate your customers about the importance of downloading apps only from application stores, as well as the importance of timely app updates to ensure the highest level of payment security.
2. Introduce authentication checks
Many mobile devices support biometric authentication, i.e. identification of the user by fingerprint. For older devices, alternative authentication methods can be used: two-factor authentication or virtual tokens.
3. Use the data security standard PCI DSS 1
PCI DSS 1-certified payment service providers ensure the highest level of security. These providers maintain blacklists and extensive data to identify fraudsters and to prevent fraudulent schemes from developing. They use advanced algorithms, geolocation and IP address tracking. All this helps detect a potential security breach and identify fraudulent transactions.
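Tip 2 names two-factor authentication and virtual tokens as the fallback where a device has no biometrics. The most common form of that second factor is a time-based one-time code, and the following Python block, added here as an example rather than code from the article or from any payment provider, implements the standard TOTP scheme (RFC 6238, built on HOTP from RFC 4226) together with the replay guard a server-side verifier needs. The class name TotpVerifier and the shared secret are assumptions for the example; the secret used in the demo is the RFC test-vector key.

```python
"""TOTP second factor with replay protection (added example; not the article's code).

hotp()/totp() follow RFC 4226 / RFC 6238 with HMAC-SHA1. TotpVerifier accepts a code
from the current step or one step either side (clock drift) but never accepts a code
for a counter it has already accepted, so an intercepted code cannot be replayed.
"""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(key, int(at_time // step), digits)


class TotpVerifier:
    """Server-side verifier (hypothetical name) for one user's shared secret."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter = -1  # highest counter already accepted

    def check(self, code: str, at_time: float) -> bool:
        """Accept `code` if it matches a step within the drift window and has not been used."""
        counter = int(at_time // self.step)
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self._last_counter:
                continue  # replay or older than something already accepted
            expected = hotp(self.key, c, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, not a real secret
    now = time.time()
    code = totp(secret, now)
    v = TotpVerifier(secret)
    print("current code:", code)
    print("first use accepted:", v.check(code, now))
    print("replay accepted:", v.check(code, now + 5))
```

In production the secret is generated with `secrets.token_bytes(20)` per user and stored server-side; the RFC key above is used only so the output can be checked against the published vectors.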
More and more, consumers use mobile payments for online and offline purchases. On top of that, they like to have the opportunity to use mobile payments in all areas - from food and clothes to booking of hotel rooms.
If today you decide to develop a mobile app with the ability to make secure mobile payments, you invest in the prosperity of your business tomorrow.