In findings first reported in November of last year, Bluebox found that 10 out of 10 mobile payment apps had major vulnerabilities:
“Mobile app security provider Bluebox found vulnerabilities in all the roughly 10 unnamed U.S. mobile payment apps it examined last year. ‘Most of the time, the apps themselves aren’t using any kind of encryption to protect the data on the phone or to protect the data in transit,’ says Andrew Blaich, Bluebox’s lead security analyst.
On March 2 the Consumer Financial Protection Bureau levied a $100,000 fine on Dwolla, a service that allows people and businesses to make and receive payments via a website or mobile app. The agency said Dwolla misled users by claiming that its data security practices ‘exceed industry standards,’ while in a number of instances it stored and transmitted Social Security numbers and other sensitive information without encrypting the data. In a statement, the Des Moines-based company said ‘the CFPB has not found that Dwolla caused any consumer harm.’”
This is particularly dangerous because current laws apply only to bank-provided wallets:
“The Federal Trade Commission, which regulates nonbank financial-services companies, won’t disclose whether it’s investigating any mobile-payments-related cases, but ‘it’s something that we are looking closely at,’ says Duane Pozza, an acting assistant director at the commission’s division of financial practices.
Current laws may need to be updated to determine who’s liable in instances of fraud. The Electronic Fund Transfer Act doesn’t cover services not offered through traditional financial entities, such as banks and credit unions. Hughes, the professor, advises app users to read the fine print and consider whether they’re ‘satisfied with the level of privacy and security that provider is offering.’
The bottom line: Mobile payments technology is evolving faster than regulation, leaving some users exposed to fraud.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group