I’ve had multiple discussions over the courseof the last few weeks that revolve around the market’s propensityto adopt one or another flavor of mobile payments, mobile wallets,and the various security attributes of each configuration. Ofcourse the dichotomy at the heart of the mobile payment controversyis that of cloud versus contactless, or a mobile wallet thatoperates via a retailer’s in-store wireless network interactingwith the point of sale versus a mobile wallet that can effectpayments via the tap of an NFC chip on a POS hardwareperipheral.
There are certain differences in functionality, cost, etc., thathave been discussed nearly to death (so I won’t bother to rehashthem here), but there also happens to be a big difference in therelative security of each kind of implementation and the degrees offraud risk associated with each. Additionally, there are pros andcons on both sides, making the balancing act in determining theoverall worth of each implementation more difficult. The essentialdifferences come down to hardware versus software and the relativevulnerabilities associated with each.
On one hand, with NFC, physical security is paramount. Certainly,there is a software component to the NFC implementation, but secureelements and over-the-air credential provisioning (OTAP) havepretty much narrowed the soft vulnerabilities on NFC paymentinstruments (i.e. phones) to the extent that can be narrowed. Butwhat happens in an instance where a user’s phone is lost, stolen,or otherwise misused for a face-to-face NFC transaction? Whatauthentication procedures exist to prevent fraudulent tap-to-paypurchases? As far as I know, authentication of NFC mobile paymentsin the U.S. will soon be governed by the EMV standard, the versionof which Visa is suggesting issuers implement doesn’t require a PINfactor to accompany the dynamic authentication of the chip.
In the cloud, on the other hand, the threat of mobile malware isstrong enough that wallet providers will need to make absolutecertain that they understand the nuts and bolts of each mobileplatform and operating system for the phones that will carry thewallet. Scary new mobile malware such as NotCompatible andAndroid.Bmaster have been able to access private networks and sendsensitive data from the phone to remote users. Combine this type ofthreat with keylogging and formgrabbing malware that might bedistributed through mobile websites, and the potential for datainsecurity is high, even when card credentials are not stored onthe phone.
As always, I’d like to hear from you! Please let me know yourthoughts on mobile security and mobile payment fraud risk by usingthe contact link below.