Each day we are bombarded with headlines about successful attacks against mobile payments and the massive rise in mobile payments fraud in general. Yet none of this should be a surprise, and the reasons are simple.
First, we need to understand that the reason we read so much about the losses in the press is that negativity is often the only thing that makes the news. When was the last time you saw the headline; “Mobile Applications Work, Hackers Thwarted!”
The fact remains that for every transaction lost, thousands or even millions of transactions work just fine. However, this sells neither newspapers nor security products.
That said, mobile applications are notoriously insecure. Some of the weaknesses are entirely avoidable and others will be resolved only with a significant shift in both payment methods and the capability of authentication and identity mechanisms.
Avoidable challenges include:
- Poor Business Needs Analysis: Too many Fintech organisations follow the latest trends and buzz-phrases without performing both a proper business needs analysis and its subsequent risk assessment. The implementation of every new process or function must meet established business goals, and not be a result of competitive fear or a CEO’s desire for shiny things and ‘game changers’.
- Swiss Army Approach: The second symptom of poorly defined business needs is the desire to build in as much functionality as possible, hoping that the ‘feature rich’ app will become some kind of de facto standard. The vulnerabilities in an application are directly proportional to the complexity of it, and simple is almost always better.
- Insecure Coding: Often a follow-on from 1., if the business needs aren’t properly defined, it’s unlikely that the application’s function(s) will be either. When the race to market is the number one priority, things like robust software development life cycles and secure coding techniques tend to fall by the wayside.
- Acceptance of Payment Details: The ‘more’ secure mobile payment apps never actually touch the payment details. However, it’s still very common for apps to accept full cardholder data (credit card number, etc.) through the app itself. The better apps will only process a transaction when an e-wallet or equivalent is available in the back-end.
Unavoidable challenges include:
- Older Payment Technologies: There’s no getting away from this one any time soon, we have had these technologies for decades and they will be around for a while longer. The only thing to be done is to ease the transition from these technologies into the innovations of the present slowly and securely. There is little room for total disruption in the payments space.
- Inadequate Authentication of Identity: Last, but certainly not least, Identity Management and Authentication represents not only the limiting factor in almost all current mobile payment methods, but holds the key to supporting everything to come. There is no silver bullet, no single-function remedy, the only way to resolve this challenge is to build as many authentication factors into every transaction as possible, ideally without creating friction in the payment process.
Secure authentication of identity is the key to reducing mobile fraud, but no solution will be accepted that gets in the way of people actually using it. Only by ‘bridging’ the established with the new, implementing new technologies seamlessly behind/alongside old ones, and making room for everything to come can we stay ahead of the thieves.
[Ed. Written in collaboration with www.myPINpad.com]