There’s no doubt that mobile payment systems are the future of retail transactions. Carrying around a pocket full of credit cards, ATM cards and debit cards (not to mention the plethora of store loyalty cards) is a pain. Credit cards are easily lost or stolen, their bulk adds up when stacked in a wallet, and they often leave your sight when making a transaction such as at a restaurant or when the point of sale (POS) device is behind the sales counter.
A mobile payment solution rids you of the task of carrying around credit cards, saves space in your pocket or purse and never leaves your possession when making a transaction. A mobile device can be lost or stolen, but unlike a credit card, it can have on-device security configured (such as a screen lock with password and storage encryption) and support remote tracking and remote wiping. Thus, mobile payments might be a better solution … eventually.
My concern is that many mobile payment systems available today do not provide sufficient security. There are many issues a mobile payment user must face, such as:
- When storing a credit, ATM or debit card in a mobile payment system, is your account at risk of eavesdropping or compromise? In other words, how easy is it for hackers to break into your mobile payment account and learn your card numbers?
- Can this be attempted against an online service or must an attack occur on or against my mobile device?
- Is the mobile payment app on my mobile device at risk from malicious code infections?
- If I root my device, how does this affect the security of the mobile payment app?
If a mobile payment system stores your financial information on the device, then it is at risk of eavesdropping when transmitted for a purchase and it is at risk at all times from a malware infection of the mobile device. If the mobile payment system stores your financial information in an online service database, then attacks could be waged against that service without needing to attack on or through your mobile device. If you choose to root your phone, your device has an increased risk of malware infection, as a wide range of malware can only infect a device that has been rooted. Often, not rooting is the more secure configuration to maintain, especially if you use a mobile payment system.
When selecting a mobile payment system, you should consider several important security questions:
- Is the mobile payment app always active once the mobile device boots or is it only active when its app is launched?
- Does the mobile payment app time out or become disabled after an idle period, or does it keep running in the background after use?
- Does the mobile payment app require a login, PIN or other mechanism to authorize its launch?
- Does the mobile payment app require a confirmation when a transaction is attempted?
- Does the mobile payment app display the amount being charged before the transaction can be processed?