Mobile Payments Security

V Sharma on December 29, 2015


Abstract – This is the 4th part of a 5-part story on Mobile Financial Services and the security therein. This part focuses on Mobile Financial Services security and on questions around mobile payments, which came out of this service and were added under the Mobile Financial Services umbrella as an independent question paper, or exam paper, for many service providers. However, just because a service provider offers mobile payments does not mean its users will use the service, with or without need and with or without reason. In some markets merchant payments are very well accepted and welcomed by subscribers while P2P is a disaster; in other markets it is just the other way around, and it seems there is still some work to do to develop it as a go-to P2P lending platform.

Introduction – Ministry of innovation can add lots of excitement and increase the fire about the security of transactions. Subscribers normally don't ask too much about low-value transactions, but as these happen on a daily basis subscribers do get nervous, and they freak out more when they add their card or bank details to the same service. Please note that this article covers security at a very, very high level and is in no way meant to teach or guide anything. The main objective of this post is just to add a small spark about the need for security, and we will try to answer a few questions around mobile payments. Anyone looking for a guide to implement or learn from should refer to certified material; I advise you not to use this material for that, but you can use this post as sparking material. The source of the information is internet search, collated from many website links, and the effort was to put together relevant, easy, simple and quick information at a very, very high level.

As was said at a conference I attended last month, “Inability to adapt to mobile payments can put your company at a competitive disadvantage”. This is seriously very true in today's times.

Failure to understand exactly where and how sensitive data is stored and transmitted can prevent organizations from clearly defining and implementing data protection solutions. This can create fraud spikes, and rising transaction volumes can lead to performance bottlenecks as inefficient processing limits capacity and degrades the customer experience. How about velocity detection and velocity pattern analysis?

When e-commerce fraud spikes, it can be tempting for merchants to pile on more controls and risk turning away otherwise legitimate transactions that appear to be fraudulent. The alternative is often to shut off these controls altogether and leave themselves vulnerable to criminals. 

Neither extreme is ideal, and acquirers say merchants need to start taking a more systematic approach when setting fraud controls to avoid this dilemma. 

“Though extremely effective when methodically applied, fraud control parameters can be absolute and unforgiving when set inappropriately and can unintentionally defeat legitimate transactions.”

On a first read, velocity detection might seem like some complicated instrument mechanics would use at a theme park on a broken roller coaster. In reality, velocity detection is defined as checking the historical shopping patterns of an individual and matching that record against their current purchases, to detect whether the number of orders by the cardholder matches up or whether there appears to be an irregularity.
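Added example (not from the original article): a minimal velocity check along the lines described above, comparing a cardholder's order count in the last 24 hours with their own history, shown next to a single absolute cap that flags a legitimate frequent shopper. The window, the Poisson-style tolerance, the floor and the sample timestamps are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from math import sqrt

def velocity_check(orders, now, window_hours=24, lookback_days=30, k=3.0, floor=3):
    """Return (decision, count, limit) for one cardholder's order timestamps."""
    window_start = now - timedelta(hours=window_hours)
    lookback_start = now - timedelta(days=lookback_days)
    count = sum(1 for t in orders if window_start <= t <= now)
    past = sum(1 for t in orders if lookback_start <= t < window_start)
    # Historical orders per window, excluding the window being scored.
    past_windows = lookback_days * 24 / window_hours - 1
    expected = past / past_windows
    # Tolerance of k standard deviations (assumption: Poisson, variance == mean).
    # The floor keeps new or rarely active cardholders from being flagged on
    # their second or third order.
    limit = max(floor, expected + k * sqrt(expected))
    # "review" means route to step-up checks; it is not a hard decline.
    return ("allow" if count <= limit else "review", count, round(limit, 2))

def static_cap_check(orders, now, cap=3, window_hours=24):
    """One absolute limit applied to every cardholder, for comparison."""
    window_start = now - timedelta(hours=window_hours)
    count = sum(1 for t in orders if window_start <= t <= now)
    return "allow" if count <= cap else "review"

# Constructed sample data (not from the original article).
NOW = datetime(2015, 12, 29, 12, 0)
BURST = [NOW - timedelta(hours=h) for h in range(1, 6)]       # 5 orders in the window
FREQUENT = [NOW - timedelta(days=d, hours=h)
            for d in range(1, 30) for h in (1, 5)] + BURST    # about 2 orders per day
OCCASIONAL = [NOW - timedelta(days=10), NOW - timedelta(days=20)] + BURST
NEW = [NOW - timedelta(hours=2), NOW - timedelta(hours=1)]    # no history at all

if __name__ == "__main__":
    for name, orders in [("frequent", FREQUENT), ("occasional", OCCASIONAL), ("new", NEW)]:
        print(name, velocity_check(orders, NOW), "static cap:", static_cap_check(orders, NOW))
```

The same burst of five orders is allowed for the frequent shopper and sent to review for the occasional one, while the absolute cap treats both alike.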

 

A successful attack on the software-based mobile payment application could consist of decompiling the source code, where the attacker obtains access to all assets hidden in the application (such as tokens and cryptographic keys). The integrity of an application can also be compromised by data tampering and cloned applications intercepting sensitive data. Another point of vulnerability is a merchant’s mobile POS, as a fraudulent merchant could tamper with the mobile application controlling the mobile POS. With these methods, an attacker can obtain assets such as user and card details, card verification method values, and use keys. Security mechanisms, such as whitebox cryptography, reduce the likelihood of cloning and decompiling payment applications. Provisioning of secure data to the SE or delivery of a payment token is a point of vulnerability in mobile payment applications.

Mobile operators communicate with the credit card (SE) for credit card and mobile transactions by means of the carrier's communication environment and advanced technology. Trial plans let specific users at agreed special stores experience services such as inductive payment, smart poster (e-coupon) download, SMS e-coupon service, and so on. Users clearly felt more convenience and entertainment from these applications in daily life.

Accessing financial services through mobile, internet or any open-interface banking involves submitting personal information through a plain-text, web or encrypted text messaging platform. Hackers can try to access those messages through an unsecured communication channel. There is also the risk that the bank or financial institution has not put enough encryption security into its technology, which would leave the customer's personal information open to interception. Globally, the growth of mobile telecommunications technology has made mobile phones increasingly common and available to users even in the remotest parts of the world.

New processes create new security vulnerabilities. Over-the-air provisioning of payment credentials and applications, for example, potentially creates new attack vectors for eavesdroppers to steal and misuse customer data.

Building on this successful experience, related financial business opportunities are created and a wide-ranging, transparent payment environment is built, with the mobile phone's screen and keyboard providing the interface and creating multi-functional market opportunities. Considering the differences (Note 2) and risks of the new credit card business, security controls for the mobile credit card business are developed in order to protect the rights and interests of cardholders and to improve credit card business development, taking into account the actual needs of the market and industry practice, and with reference to the relevant credit card organization norms.

Questions and Answers on Mobile Payments – Now let's focus on some questions and answers around mobile payments. The biggest question that comes to mind at any time for most people, or at least to mine, is “Can I make my payment with the same method / instrument under mobile payments at all the shops/stores I shop with?” The answer is very clear and very short: “NO”. The fragmentation in the industry is probably the quick answer. There's no single mobile wallet service that works at every store: some promote and want to use NFC, some accept USSD or a mobile app, some want only a card (linked to a wallet). All channels depend on your handset and its cost; if you carry a $20 handset, you can only use the USSD function, which is widely used (but also complex and slow).

A small survey was done, as below (only one slide is shared here).

On a very interesting note, if we look closely we will find that most, or almost 99%, of the payments innovation happening around the globe is actually led, advocated or invented by those outside the traditional payments industry.

The world is now moving from plastic to the mobile phone for payments, which also means all the work done in the last 20-30 years is now getting scrapped; we are back to basics and shifting our mindset from one side of the coin to the other. To achieve faster and quicker wins here we should adopt the philosophy of Harvey Mackay, who said “To me, job titles don’t matter. Everyone is in sales. It’s the only way we stay in business”. I personally like this statement, as this is the only way we can zero in on the difference between being data-informed and data-driven.

Conclusion – There is clearly an opportunity for mobile payments. Consumers want to pay quickly, easily and at low cost. An interesting finding is the need to add context to payments, e.g. a subject or photo. Privacy and security are flagged as important by the majority of respondents; however, this was expected. With the knowledge of now, we see more lean products focused on a specific group of customers. The idea and concept are not new, but they are very promising when targeting the right niche and addressing the right issues customers are facing.


Thank you all for spending your time reading this post. Please share your feedback / comments / criticism / agreement or disagreement. Remark: for more details about posts, subjects and relevance, please read the disclaimer.


Posted by V Sharma

Specialised in Financial Technology(FinTech), Artificial Intelligence for Fintech. Mobile Financial Services (Cross Border Remittances, Mobile Money, Mobile Banking, Mobile Payments), Data Science, IT Service Management, Machine Learning, Neural Networks and Deep Learning techniques in FinTech. Mobile Data and Billing & Prepaid Charging Services (IN, OCS & CVBS) with over 15 years experience. Led start ups & new business units successfully at local and international levels with Hands-on Engineering & Business Strategy.

6 Comments

  1. Financail Security Team February 27, 2017 at 18:15

    Very informative and useful information


  2. This is a good post to understand this issue.


  3. Fintech Technology March 2, 2017 at 09:32

    This information is extremely useful


  4. This has helped me to understand the basics


  5. Security should come first in financial services domain


  6. Financial Security Team March 2, 2017 at 18:27

    How do you ensure … system is not attacked by guardians…..Please help
