Only one percent of consumers believe using a third-party mobile payment provider, such as Apple Pay or Google Wallet, is a safe way to pay for in-store purchases, reveals Tripwire, Inc.
This past holiday season, One Poll and Dimensional Research conducted a consumer survey of over 2,011 consumers in the United States and UK. The survey’s findings include the following:
- Over a quarter (26 percent) of U.S. consumers believe that using a wired Internet connection instead of wireless will make online payments more secure.
- Over 50 percent (53 percent) of U.K. consumers believe paying by credit card is the safest way to pay online versus 37 percent of U.S. consumers.
In recent years, mobile payment methods have struggled to gain popularity amidst a variety of challenges, including retailer payment policy (such as requiring customers to sign for purchases that exceed a certain amount), market fragmentation, and even availability of compatible terminals.
However, the results of Tripwire’s poll suggest that perhaps an even larger obstacle—consumer security concerns—stands in the way of mobile payment providers, including Apple Pay.
Apple Pay – A Case Study
Apple Pay was one of the biggest breakout stories of 2014. Launched in October some weeks after the release of the iPhone 6, the service allows consumers to make debit and credit card purchases using device-specific Device Account Numbers (DANs). The card numbers themselves are not stored, meaning that a customer need only cancel their DANs—not the payment cards—should they happen to lose their phone.
However, despite having received praise from prominent figures in the tech industry, most notably Bill Gates, Apple Pay does have its critics.
Among other things, security experts suspect that hackers might be able to exploit Apple Pay’s use of tokenization. Tokenization is the process by which users first enter their payment card details in order to receive a DAN. After all, iOS devices are vulnerable to certain bugs, a weakness which is readily apparent when enthusiasts “jailbreak” Apple devices in order to download third-party apps. Hackers could exploit those vulnerabilities in order to steal people’s account information while they try to register a debit or credit card with Apple Pay.
With this in mind, Craig Young, Computer Security Researcher with Tripwire’s Vulnerability and Exposures Research Team, suspects that hackers will increasingly target Apple devices over the coming year: “iOS will continue to see a gradual increase of malware targeting jailbroken and non-jail-broken devices. Apple will also continue to lag behind on WebKit patches for iOS, giving attackers an edge in the development of browser-based exploits.”
Another concern is that malicious actors could take advantage of flaws in Apple Pay’s near-field communication (NFC), a technology which allows the service to communicate one-time transaction information with retailers’ point-of-sale (PoS) terminals. After all, security researchers have already proven NFC’s vulnerability to a variety of attacks, such as when Charles Miller during the 2012 Black Hat Conference demonstrated how hackers could exploit flaws in the higher-level protocol layers of the NFC code stack to take control of another phone and direct it to a malicious website.
Dwayne Melancon, CTO of Tripwire, therefore suspects that hackers will at some point exploit NFC using Apple Pay: “I predict there will be transaction ‘hijacking’ scares related to NFC payments using Apple Pay and Google Wallet, the sum total of which will result in consumer distrust of those payment methods.”
He goes on to suggest that the root cause will be traced back to compromised payment terminals: “We will discover that even though the transactions were intercepted, the payment systems could not be duped into processing false transactions due to inconsistent metadata. Nonetheless, this will cause the public to be suspicious of NFC payment methods.”
Call to Arms for All Platforms
Apple Pay will by no means face these and other threats alone. As Young notes, Android devices will also face their fair share of problems: “Malware samples will continue to be identified in Android 3rd party app stores at an alarming rate. Older/unsupported Android devices will become an ever-greater security liability as details emerge regarding critical flaws addressed in later releases.”
With this in mind, Tim Erlin, Director of Product Management at Tripwire, suspects that all platforms will shift more resources to security in 2015 in order to retain consumer trust: “Given the rise in attention to security and exploit of mobile devices, both Google and Apple will need to take a stronger stand on securing their respective platforms. Blackberry might make a play for the security minded consumer as well.”
This process is already under way, as evidenced by Android’s new model for updating the WebView engine separately from ROM updates. Young explains: “The problem is that web browser engines are full of vulnerabilities, and browsers must receive frequent updates to stay secure. Many of the same vulnerabilities exist in desktop and mobile versions due to shared code, so fixing problems for the desktop software is often revealing flaws in the mobile software.”
Previously, WebView was bundled with the Android firmware. This meant that whenever a bug was detected, Google would need to issue a fix through its OEMs and carriers, who would hopefully in time deliver it to Android users everywhere. Google has since changed this policy by tying WebView to Google Play with Android Lollipop, a move which will better protect the security of millions of Android users.
Wary Outlook for the Year Ahead
Those efforts by mobile payment providers notwithstanding, Melancon suspects that high-profile security incidents will nonetheless shake consumers’ trust in Apple Pay and Google Wallet. For 2015, he makes the following prediction: “At least one corporate data breach will be traced back to a compromised mobile device. Further investigation will reveal that the attackers brought the compromised device into the enterprise and connected it to a trusted enterprise wireless network, thereby exposing the corporate network.”
Melancon also suspects the world will see at least one corporate data breach that is associated with an “Internet of Things” (IoT) consumer device.
Clearly, the survivability of mobile payment platforms will be tested in the year to come. Those challenges will call on mobile payment providers to give an unprecedented amount of attention to users’ security, and they will demand that consumers use Apple Pay and Google Wallet safely and responsibly. Only together will users and providers be able to weather 2015 and realize the full potential of mobile payment technologies.