In the past year, there have been major network intrusions at many major consumer electronics companies, retailers, insurance companies, and more. All of these fall under the requirements of various regulations including PCI DSS, and were found to be compliant at the last audit they had before the intrusion took place. Yet, they still experienced breaches and customers’ data was compromised.
How many of you have lost a phone, had a phone stolen, left a phone unattended somewhere, or have had a close friend or family member do one of those? Quite a few of you are nodding in agreement.
Which begs the question: Why would anyone want to tie their credit card or bank account details to a device that can easily go missing, or save it with a company that is likely to be hacked sooner rather than later? Is it really that hard to pull out a credit card to make a payment? If we assume that most of us will soon start to see and use chip-and-PIN style credit cards, do any of us really think using a mobile device with Near Field Communication (NFC) will be more secure?
Let’s look at the technologies and then we’ll discuss which is more secure and which is more convenient.
Chip-and-PIN credit cards (Chip and PIN is a brand name) are credit cards that include an embedded chip, just like any other smartcard, that requires you to enter a PIN before the data on the chip can be accessed. To use a chip-and-PIN card, you have to insert the card into a reader, and then when it is time to tender payment, verify the amount and enter your PIN on a numeric keyboard. It combines something you have, the card, with something you know, the PIN, and requires physical contact between the reader and the card, so there are no radio waves, skimming or other capabilities involved in reading data off the card. You can read more about the technology here.
Near Field Communications (NFC) chips are the next generation of RFID, and are built into smartphones, smartcards, key fobs and other technologies that permit radio frequency communications between two devices when in extremely close proximity; essentially when touching. NFC chips can read other chips, be read by other chips, or communicate mutually, and are becoming popular with tap to pay technologies. Operating at 13.56MHz, readers generate a field that powers unpowered chips. The normal range is 10cm or so, but a more powerful transmitter and antenna array operating at the correct frequency could operate at a greater distance. NFC runs at layer two, and while chips have their own OID, they do not themselves store data any more than a network card does. Communications between NFC devices are vulnerable to sniffing, so applications must implement encryption to protect from eavesdropping. If you want to learn more about NFC you can click here.
A payment SIM is a special type of Subscriber Identification Module that is used by mobile devices both to identify the device to the cellular carrier’s network and that can also securely store payment data, like credit/debit card numbers. Payment SIMs must comply with both the cellular carriers’ networks for which they are built and payment card industry standards so that they can be used as a vehicle with which to make payments.
Each of the three major credit card companies has terminals that offer compatibility with NFC/Payment SIM equipped devices. Visa’s terminals are called PayWave, MasterCard’s are called PayPass, and American Express’ are called ExpressPay.
Apple partnered with retailers and the major credit card issuers to create a new payment system. Rather than storing credit card details, modern Apple devices use NFC technology to make secure payments through enabled hardware and dynamically generate a one-time payment code. Users must authenticate on their device using the built-in fingerprint reader available in current model iPhones, or by code on older devices, including iPads and the Apple Watch. Current users feel it is very convenient, since they have their mobile device with them, and very secure, since they must authenticate using a fingerprint or unlock code. Initially available in the United States, Apple plans roll-outs internationally in the near future.
While Apple Pay seems to be revolutionary, most Android users will point out that they have had the option to pay using their mobile device for a couple of years. The biggest difference between Apple Pay and Google Wallet is that Google Wallet actually stores credit card and debit card information on the device. This makes the payment method less dependent on any one company and available to any vendor with one of the three major payment terminal types, but also means that if a device is lost or stolen, credit card data is stored on the device. Users must unlock their device with their PIN in order to pay.
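The difference between a one-time payment code and card details stored on the device can be shown with a small model. This is an added example, not from the original article and not Apple's or Google's actual protocol: it assumes a simplified scheme in which the code is an HMAC over a device token, a counter and the amount, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def one_time_code(key, token, counter, amount_cents):
    # Assumed scheme: the code binds the token, a counter and the amount.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Toy issuer: maps device tokens to a per-device key and counter."""
    def __init__(self):
        self._devices = {}  # token -> {"key": bytes, "last_counter": int}

    def provision(self):
        # The device gets a token and key; no card number is stored on it.
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._devices[token] = {"key": key, "last_counter": 0}
        return token, key

    def authorize(self, token, counter, amount_cents, code):
        dev = self._devices.get(token)
        if dev is None or counter <= dev["last_counter"]:
            return False  # unknown device, or a counter already used
        expected = one_time_code(dev["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # code does not match this token/counter/amount
        dev["last_counter"] = counter
        return True

class Device:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = one_time_code(self._key, self.token, self._counter, amount_cents)
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}

def demo():
    issuer = Issuer()
    device = Device(*issuer.provision())
    msg = device.pay(1250)               # what crosses the NFC link
    first = issuer.authorize(**msg)      # accepted once
    replay = issuer.authorize(**msg)     # identical bytes, sent again
    altered = issuer.authorize(**{**device.pay(1250), "amount_cents": 99999})
    return first, replay, altered

if __name__ == "__main__":
    print(demo())
```

In this model a message captured off the radio link is useless for a second purchase or a different amount, whereas a stored card number is the same value every time it is presented.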
Tap to pay
Microsoft’s mobile phones have a similar capability called Tap to pay. Also leveraging NFC and payment SIMs, Microsoft’s device can be used to pay in three modes – “while phone is unlocked,” “while screen is on,” “anytime.” While the convenience of not having to first unlock the device may be great for users whose corporate email policy requires a complex PIN, the idea of allowing payment without first unlocking the phone is quite scary if you consider all that would be needed is physical possession of the charged device.
Convenience or security?
At present, Google appears to be completing purchase transactions on behalf of users and then billing users for their purchases. Security analysts have found vulnerabilities in Google Wallet, most of which have been remediated, but there still appear to be ways to access or intercept the PIN, perhaps by convincing the owner to install a malicious application. Apple shares liability with the banks for any fraudulent transactions. Microsoft’s capabilities appear to be in the latest version of their mobile OS, but no applications seem to take advantage of it yet.
No matter which version you use, it is arguably very convenient to pull out your phone, enter your PIN or swipe your finger, and then tap the payment terminal to complete the transaction. But what if someone with a small directional antenna is sitting nearby and “sniffs” the transaction, or eyeballs you entering your PIN and then pickpockets your phone?
When I look at the number of people who leave their phone sitting on the table when they get up to grab something, or have it sticking half-way out of their pocket, I cannot help but think how easy it would be for someone to steal their device – much easier than lifting a wallet from a pocket. And unless restaurants start to adopt portable terminals or have you pay at the front counter, you’re not likely to hand a waiter your phone to go run your payment.
A traditional magnetic-stripe credit card can easily be skimmed or even just rubbed when out of your sight, and that happens every day. Chip-and-PIN cards seem to be the most secure, since they require actual physical contact and two-factor authentication, but these are still vulnerable as long as they have numbers embossed into them and use magnetic stripes for legacy systems.
Ideally, the most secure portable payment would involve chip-and-PIN or chip-and-biometric, and do away completely with magnetic stripes and visible numbers. Of course, until the processing hardware catches up, that’s an unlikely scenario, so hopefully Apple Pay will branch out to other mobile platforms, and all major phone vendors will start to embed fingerprint readers which will have to be used to unlock the payment SIM or other secure store for card details.
Do you use any of the mobile payment methods? If so, leave a comment and let us know which one and how you feel about the security of the solution. If you have other ideas about what could make for a more secure payment plan, especially one that isn’t locked in to any one mobile device maker, cellular carrier, or credit card issuer (and you already have your patent paperwork filed), leave a comment and let us know what you think would work better.