Is mobile payment technology secure? While companies such as Google, Apple and Venmo are racing to assure consumers their data is safe and sound, users aren’t convinced. As noted by TechTarget, just 3 percent of mobile phone owners in the United States accessed their mobile wallets in-store over the past three months. However, it isn’t all bad news for mobile payment developers, since 57 percent of consumers polled reported they were interested in these technologies. Are consumers just cautious, or are mobile payments not quite ready for mainstream adoption?

The Problem With Payment Technology

According to a recent Forbes article, some layers of the mobile payment process are secure. For example, near field communication (NFC) means no physical credit cards are necessary. However, there are other ways for malicious actors to get their hands on consumer data, and it all depends on the security of a vendor’s mobile payment product. The following is a look at how some of the big-name players stack up:

Apple Pay

Available for iPhone 6 and iPhone 6 Plus users, Apple Pay uses a form of tokenization to protect consumer data. First, users send encrypted payment card details to Apple, which decrypts the data, identifies the card’s payment network and then re-encrypts the data with a key only the payment network can use. The network then creates a device-specific Device Account Number that is encrypted and sent back to Apple.

The device manufacturer does not keep a copy of the number, and while this data is added to the Secure Element of a user’s iPhone, it is kept separate from iOS, never sent to Apple servers or backed up in the cloud. The result is a reasonably secure payment method, since no real credit card data is ever sent via NFC, only a user’s unique payment number.

This isn’t to say Apple Pay is entirely problem-free. A recent ZDNet article reported that lapses in verification between Apple Pay and banks could make it possible for cybercriminals to link stolen credit cards to the system using card verification values gleaned from hacking online stores. While this isn’t a widespread problem, it points to a broader issue: No payment technology system is perfect.

Google Wallet

Rolled out in 2011, Google Wallet offers functionality similar to Apple Pay but hasn’t enjoyed the same scale of adoption. As noted by TechRepublic, setting up the Wallet is easy: Users simply download the app, create a PIN, link their favorite cards and then swipe their phone near a participating retailer’s NFC reader. The big difference comes from how Google stores data. The Wallet app stores credit and debit card information on secure servers and then encrypts this data using Secure Sockets Layer (SSL). Full credit card details are not shared with merchants and do not appear in the app, but unlike Apple, there is no use of tokens to bridge the gap.

For users who don’t feel comfortable using the Wallet app as a direct payment method, another option is the Google Wallet Card. This is a physical card linked to the Wallet app. Money can be added to the card via Wallet or Gmail transfers or by using a linked credit or debit card. Think of it like a hybrid form of mobile payment; it is linked to the app but not entirely dependent on it.

Venmo

Venmo could be the next big thing in mobile payment technology. Unlike Apple Pay and Google Wallet, Venmo isn’t used to pay merchants or retailers. Instead, it is used to send money between friends. Users download the app and set up a funding source, which could be their Venmo balance, a credit or debit card or a U.S. bank account. Then, they can send money to other Venmo users or even people who don’t use the app by providing phone number and email address details.

Despite the app’s simplicity and popularity, some security concerns have emerged. For example, Slate reported that one Venmo user was the victim of fraudulent transactions just under the weekly sending limit of $2,999 when malicious actors hacked his account. The victim said he wasn’t notified when another email address and mobile device were added to his profile or when multiple user settings were changed without his consent.

Venmo has now updated its security protocols to include multifactor authentication. If a sign-in attempt is made from a phone or browser that is not already linked to a user’s Venmo account, the company sends out an alert with a six-digit text code to the primary mobile number. In theory, this should prevent the situation described by Slate, since cybercriminals would need both the user’s credentials and access to the user’s mobile device.
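The pattern in the Slate account (a new email address and device added, then transfers just under the weekly limit) is the kind of sequence a payment service can alert on. The sketch below is an added example, not part of the original article and not Venmo's actual logic; the event names, the 90 percent threshold, the 72-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WEEKLY_LIMIT = 2999.00               # weekly sending limit quoted in the article
NEAR_LIMIT_RATIO = 0.90              # assumption: "just under" means >= 90% of the limit
CHANGE_WINDOW = timedelta(hours=72)  # assumption: how long a profile change stays relevant
SENSITIVE = {"email_added", "device_added", "settings_changed"}  # hypothetical event names

# Constructed sample events: (ISO timestamp, account, event type, amount or None)
SAMPLE_EVENTS = [
    ("2015-02-20T09:00:00", "alice", "payment_sent", 40.00),
    ("2015-02-24T01:12:00", "alice", "email_added", None),
    ("2015-02-24T01:13:00", "alice", "device_added", None),
    ("2015-02-24T01:20:00", "alice", "payment_sent", 1500.00),
    ("2015-02-24T01:25:00", "alice", "payment_sent", 1400.00),
    ("2015-02-21T10:00:00", "bob", "payment_sent", 2800.00),    # large, but no profile change
    ("2015-02-22T18:30:00", "carol", "device_added", None),     # new device, small payment
    ("2015-02-23T12:00:00", "carol", "payment_sent", 25.00),
]

def flag_takeover_pattern(events):
    """Return {account: alert} where sensitive profile changes are followed,
    within CHANGE_WINDOW, by a rolling 7-day sending total near the limit."""
    alerts = {}
    history = {}  # account -> {"changes": [(ts, kind)], "payments": [(ts, amount)]}
    for raw_ts, account, kind, amount in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(raw_ts)
        state = history.setdefault(account, {"changes": [], "payments": []})
        if kind in SENSITIVE:
            state["changes"].append((ts, kind))
            continue
        if kind != "payment_sent":
            continue
        state["payments"].append((ts, amount))
        # Sum everything this account sent in the 7 days ending at this payment.
        week_total = sum(a for t, a in state["payments"] if ts - t < timedelta(days=7))
        recent = [k for t, k in state["changes"] if ts - t <= CHANGE_WINDOW]
        if recent and week_total >= NEAR_LIMIT_RATIO * WEEKLY_LIMIT:
            alerts[account] = {"at": raw_ts, "week_total": week_total,
                               "changes": sorted(set(recent))}
    return alerts

if __name__ == "__main__":
    for account, alert in flag_takeover_pattern(SAMPLE_EVENTS).items():
        print(account, alert)
```

Neither signal alone raises an alert here: the large transfer with no profile change and the new device with a small payment both pass, which keeps the rule from firing on ordinary use.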

Calling All Cards

Are mobile payment technologies safe? Mostly. Companies are making an effort to encrypt, tokenize and authenticate user credentials before allowing transactions to proceed, but no system is foolproof. Interest in these technologies is high, but they’re short on history, suggesting myriad undiscovered attack vectors. The bottom line? Both vendors and users are warming up to the idea of leaving cards at home and going mobile, but this is no sure thing; anything shared has the possibility of being stolen.
