Join the Community

22,472

Expert opinions

44,547

Total members

529

New members (last 30 days)

193

New opinions (last 30 days)

28,849

Total comments

Join Sign in

The last day of mobile payments

24 September 2012 Be the first to comment

Retired member

I will keep this blog post short and jump straight to the point (following our recent discussions with a number of key industry players who develop m-wallet platforms as well as phone-bound secure element solutions).

I would greatly appreciate readers' comments on the following two questions:

How many times would consumers need to be subjected to mobile payment fraud ("zero day" attacks, PIN-harvesting malware, NFC relay attacks, "small value" fraud, hostile takeover, etc.) and how much would those consumers need to lose, in order for them to stop using - ever (!) - mobile phones for any financial operation?

How many companies that provide m-payment solutions can ensure that their users are fully in control of every (sensitive) transaction?

With regard to the first question, I had a chance to see "tricks" that allow - at least on a semi-theoretical basis - to commit types of fraud that go beyond the wildest imagination of any Chief Security Officer of any large bank. Some of the exploits and "loopholes" are hard to implement in real life, but purely from a logistical point of view (e.g. withdrawing cash every minute from every ATM machine in the UK is far from trivial to stage. Physically...)

As to the second question, any secure element that resides on the phone, is - or can be made to be - "always on". Once (i.e. "when", not "if") a way is found to access and/or control that SE remotely, e.g. via resident malware, the user - and the bank - would have no way of knowing that is happening, until after the event.

To put things into perspective, the annual level of attempted fraud against PayPal is around $500m. The level of "realized" fraud (oh, yes) is below $50m. That is the difference between being one of the leaders in payments and becoming a dead fish. Will PayPal be able to remain that good in fraud management? Considering, for example, that PayPal now invites you to pay at a retail POS by entering your mobile number and PIN... (mine are 07777 111 000 and 1234, btw, in case you are too lazy to "shoulder-surf")

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5174

Report

Channels

/payments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Join group

1744 opinions 248 members 55 mins

Comments: (2)

A Finextra member

27 September 2012

There is a potential exploit in Passbook for iOS 6. Potentially someone could obtain access to someones (unsecured) cellphone and use the screen capture facility (power button and home button) to clone a token - this can then be emailed or MMS'ed to a secondary device and used without the original cardholders knowledge - I have tested and proved this myself. I have notified Apple and recommended they disable the screen grab service whilst Passbook is active/open.

Report

A Finextra member

27 September 2012

Thank you for sharing that. I guess you are referring to the "remote" capture. That would indeed be a potential security hole - one of the reasons it's safer to close the transaction loop by "pull" from POS (as opposed to "push").

Report

More expert opinions

Ritesh Jain Founder at Infynit / Former COO HSBC