Guarding against the hackers

Adoption of e-payment systems, especially on mobiles, is gaining pace. But how do you ensure your transactions stay safe and secure? Dave Howell reports


The age of purchasing on the go and one-tap payments is here. From search to shopping, booking a taxi to redeeming a voucher, ever-increasing aspects of day-to-day life are converging on our smartphones and other devices.

Most new handsets will soon be enabled with NFC (near field communication) technology as a matter of course, transforming phones and tablets into electronic wallets or purses.

But just as the rise of plastic, in the form of credit and debit cards, spawned new security risks, so similar concerns are now being voiced about the burgeoning m-payment environment.

As more of us use our devices to buy goods and services, as well as manage our finances, ensuring we have strong security systems attached to these transactions is of paramount importance.

The evidence suggests the risks are rising. Kaspersky Lab – a leader in security applications – revealed in research published earlier this year that there was a six-fold increase in mobile malware incidents between 2010 and 2011, while “the number of distinct mobile malware families more than doubled” over the same period.

“The latest mobile devices have inbuilt security modules that allow data to be stored securely, but this doesn’t mean they aren’t susceptible to malware,” explains Simon Collins, vice president of business consulting at WeDo Technologies. “Criminals will always opt for the easiest way to manipulate a system, so they’re likely to target things like the keypad or display. Keystroke logging, for example, lives inside malware programmes that run underneath the operating system of a device and allows criminals to track which keys are struck on the keyboard.”

The good news is that if NFC takes off – and all eyes are on Apple and whether the new iPhone will have NFC capability – payments made using the technology should be secure, because they use the same security protocols as current contactless card-based systems such as Barclays PayTag, which can be attached to any phone to make secure NFC payments.

For consumers, the ability to make fast and convenient payments using contactless cards or their phone is not only attractive, but here to stay. That’s why users should be cautious about the security of the environment where a transaction takes place, says Vanja Svajcer, a mobile security expert with Sophos Labs. “For instance, it would not be very wise to make e-payments in an internet cafe where potential attackers may have installed malicious programmes to intercept the confidential information,” he says.

“As long as the operating system can ensure that the data is stored securely, where no other application can read it, it can be considered a secure platform. The problem arises when the device is not properly configured, so that the data is accessible to potentially malicious applications. It is very important for users to make sure the data on their device is encrypted and that the data which leaves the device is also encrypted and accessible only to the user.”

That’s advice echoed by WeDo Technologies’ Mr Collins, who says that, while many mobile and web payment systems have good security, a significant number do not. “Systems using SMS or unencrypted information transfer are particularly vulnerable, as well as those that don’t use security modules in the SIM or mobile device,” he says. “Every system should be checked for flaws in the security design. Unfortunately, there are some mobile operators and systems operators that lack in this area.”

Recent revelations regarding the vulnerabilities of Google’s Wallet on Android phones show that NFC, still in relative infancy, can be exploited by hackers. However, as these systems are backed by standard fraud protection from the banks that support them, any money lost through an m-payment fraud should be refunded in most cases.

As the m-payments market develops, especially if NFC takes off, we will all need to become much more security-aware as we make mobile payments. At present, however, says Vaughan Collie, a fraud expert with Accourt, m-commerce is still too limited a target. “Fraudsters have a knack of focusing on potentially high-value targets where they can maximise the return on their investment in time and money spent on the attack,” he says. “M-commerce in its various guises is still a relatively small market from a transaction revenue point of view and has therefore not attracted significant focus from criminal elements – yet.”

New payment platforms that use contactless systems are still developing, but are based on sound security principles. As mobile payments become more popular, they will of course attract the attention of hackers and fraudsters, yet users are far from powerless. The number of e-payment systems that are now on offer can be bewildering, but the advice is the same: always be aware of the system you are using and take precautions to protect yourself.