Mobile payments are starting to gain a foothold in the U.S. More and more retailers are enabling customers to use technologies such as Android Pay, Apple Pay and Samsung Pay. However, these payment apps are still relatively unknown and highly underutilized.

When I discuss mobile payments with friends and colleagues — people including IT and security professionals, a bank chairman and close relatives — the conversation is very predictable. It goes something like this: “Oh, I don’t know about that. It seems risky.” There’s a general lack of trust and people aren’t willing to take that chance with their credit cards — but why?

Times Are Changing for Retailers and Consumers

For many consumers, the fear of having their credit card information exposed outweighs the benefits of mobile payments. I don’t fully understand why, but I believe it’s related to change. Humans are, by and large, averse to change. Due to the data breaches against U.S. companies and the fact that the typical consumer doesn’t understand how mobile payments work, the acceptance of this technology in the U.S. has been lukewarm at best.

That’s going to change over the next few years because MasterCard and Visa are mandating contactless payments in all retailers by 2020. In the meantime, what can retailers, processors and banks do to promote this amazing technology?

It’s really all about education — simplifying what appears to be a mysterious payment feature into something that everyday people understand. To summarize, both Android Pay and Apple Pay use near-field communication (NFC) to send payment data from the phone to the reader at the checkout counter. This short-range wireless communication method is supported in the iPhone 6 and newer models, as well as most flagship Android phones since the release of KitKat. Android Pay and Apple Pay require the checkout line’s personal identification number (PIN) pad to have NFC built in and enabled. Samsung Pay uses NFC as well, but also has magnetic secure transmission (MST) technology, which emulates a typical credit card swipe.

Rather than transmitting the actual cardholder data, all three of these mobile payment technologies use tokenization: a substitute value stands in for the credit card number, so the real number is never sent from the phone. This helps prevent the cardholder’s data from being exposed. None of these technologies will work unless the device’s screen lock is enabled and the device is unlocked when the payment occurs. Apple Pay and Samsung Pay keep the tokens in a secure chip on the device. Android Pay gets its tokens from the cloud but keeps a small number on the device so it can still work when the device is offline.
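To make the tokenization point concrete, here is an added toy model (not code from the article or from any of the payment networks): a hypothetical token service provider issues a device-bound, Luhn-valid token in place of the real card number, the merchant only ever sees the token, and only the provider can map it back. All card numbers and device identifiers are constructed.

```python
"""Toy payment tokenization: the merchant sees a token, never the PAN.
Hypothetical, simplified model; all sample values are constructed."""
import secrets


def luhn_check_digit(digits: str) -> str:
    """Check digit that makes a token look like a real card number, so it
    passes through existing merchant systems unchanged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 0:          # every other digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenServiceProvider:
    """Holds the vault that maps tokens back to PANs (hypothetical)."""

    def __init__(self):
        self._vault = {}        # token -> (pan, device_id)

    def provision(self, pan: str, device_id: str) -> str:
        """Issue a random 16-digit token bound to one device."""
        body = "".join(str(secrets.randbelow(10)) for _ in range(15))
        token = body + luhn_check_digit(body)
        self._vault[token] = (pan, device_id)
        return token

    def detokenize(self, token: str, device_id: str):
        """Only the provider can recover the PAN, and only for the device
        the token was issued to; a token replayed elsewhere resolves to nothing."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != device_id:
            return None
        return entry[0]


def merchant_receives(token: str) -> dict:
    """What a breached merchant log would hold: the token, never the PAN."""
    return {"card_number_seen": token, "luhn_ok": luhn_valid(token)}
```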

Securing Mobile Payments

As for exploitability, at least in today’s terms, criminals could only access the cards by finding a way to authenticate to the device, on both iOS and Android, and the phone would still have to be held within inches of the reader. Remote tracking and wipe controls found in Android’s Find My Device feature and Apple’s Find My iPhone tool can add an extra layer of security in the event a device is compromised.

Enabling these technologies just takes a few seconds: Simply open the app, snap a picture of your credit card and off you go. An additional authentication or verification step may be required, depending on the card issuer. It’s that easy.

To further ensure the security of mobile payments, Google offers a set of services and application programming interfaces (APIs) called SafetyNet, which is built into Google Play Services. SafetyNet checks whether a mobile device has been rooted, has had the bootloader unlocked, is running a custom ROM or is infected with malware. For Android Pay to work on a device, it must pass the Compatibility Test Suite (CTS). When you root or install a custom ROM, the device is no longer CTS-compatible. If your device trips any one of the checks SafetyNet performs, Android Pay will no longer run. This measure is designed to protect you from outside software that could otherwise read Android Pay data.
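As an added example (not the article’s or Google’s code), this is the policy decision an app back end would make over the payload of a SafetyNet Attestation response once the JWS signature and its certificate chain have been verified; that signature check is assumed to have passed and is not shown. The field names (nonce, timestampMs, apkPackageName, ctsProfileMatch, basicIntegrity) are those of the real API, the two-minute freshness window and the sample payloads are constructed.

```python
"""Server-side evaluation of a SafetyNet attestation payload.
Assumes the JWS signature was already verified; sample data is constructed."""
import base64
import json

MAX_AGE_MS = 2 * 60 * 1000   # assumption: refuse attestations older than two minutes


def decode_payload(jws: str) -> dict:
    """Return the JSON payload (second dot-separated segment) of a compact JWS."""
    payload_b64 = jws.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def evaluate(payload: dict, expected_nonce: str, expected_pkg: str, now_ms: int):
    """Return (allowed, reason). A rooted or custom-ROM device fails
    ctsProfileMatch and is refused even when basicIntegrity still holds."""
    if payload.get("nonce") != expected_nonce:
        return False, "nonce mismatch: response was not issued for this request"
    if now_ms - int(payload.get("timestampMs", 0)) > MAX_AGE_MS:
        return False, "attestation too old"
    if payload.get("apkPackageName") != expected_pkg:
        return False, "attestation is for a different app"
    if not payload.get("basicIntegrity", False):
        return False, "device failed basic integrity"
    if not payload.get("ctsProfileMatch", False):
        return False, "device is not CTS-compatible (rooted, unlocked bootloader or custom ROM)"
    return True, "device passes CTS profile match"


def make_demo_jws(payload: dict) -> str:
    """Constructed, unsigned stand-in for an attestation JWS (header.payload.signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256"}), enc(payload), "signature-placeholder"])
```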

I’ve been using Android Pay for over a year now, and it’s been an interesting journey. Most retailers lack training in mobile payment technology, which certainly isn’t helping its current and future growth. They have no idea what it means to pay with a phone, even when their company supports mobile payment. Many don’t even know which buttons to push on the register when someone asks to pay via mobile. Some retail employees insist they don’t have mobile payment capabilities even when the contactless logo is displayed on the terminal. It blows their minds when it works! In fact, on several occasions, my teenage son and I were suspected of hacking into the register by paying via mobile phone, even though the transaction was closed out and a receipt printed. There’s even a story of a shopper at a Florida Publix who was told that he couldn’t use that form of payment because the cashier and store manager thought he was committing fraud.

The Myth of Mobile Insecurity

To me, mobile payment technologies are much more secure than consumers carrying physical cards in their wallets, purses or pockets. If a breach does occur, many banks offer zero-liability protection if cards are then used fraudulently. There’s really nothing to lose. It could be argued that even enterprise security as a whole can benefit from employees running more modern (and more secure) phones with screen locking enabled.

Economics of mobile payment transactions aside, retailers and everyone up and down the food chain, including mobile terminal manufacturers such as Square and Clover, should embrace this technology. Training is crucial. Educating merchants about mobile payments can go a long way. Displaying decals, which Google, Apple and Samsung provide for free, on storefronts and at registers can help as well. From the perspective of this consumer, mobile payments seem like a no-brainer, especially given the potential boost in checkout line efficiency.

Embracing Change

Just because mobile payment technologies and processes are secure doesn’t mean that everything behind the scenes is rosy. You have to look at the bigger picture of mobile payments in the enterprise and consider the security of systems, network communication and business workflows after these transactions are made.

Still, the technology is proven. Ditto for its security — at least for now. Large corporations that have suffered high-profile breaches haven’t let security get in the way of business. Furthermore, most people are willing to use web browsers and random mobile apps without thinking twice about privacy or security concerns.

So what’s the holdup with Android Pay, Apple Pay, Samsung Pay and whatever’s next? With innovations in mobile payment technologies and the move to eliminate signatures at the checkout counter, we’re not only moving on to a new level of technology, but also a new level of trust that’s simply expected.

People, especially younger generations, look for and want to use this type of modern technology. It’s helpful and there’s a bit of a wow factor. With the proper training, this technology can help retailers gain significant efficiencies. Everyone wins.

As of now, there’s no real reason for security concern over mobile payments. As I’ve said before, if we’re looking to truly eliminate the low-hanging fruit that really gets businesses into trouble, we’ve got much bigger fish to fry.
