It’s been a long road to get to where we’re at today when it comes to mobile payments. I first started experimenting with payment system technologies in the late 1990s. Most of my research focused on how different payment platforms would interact with Windows systems when I was at Microsoft. Over the course of those early years of evaluating everything from magnetic stripe technologies to contact smartcards to contactless, I always wondered how the increasing power of mobile devices would impact the payments ecosystem. In the first decade of my research, I kept coming to the conclusion that the payment system is built on a series of legacy technologies that introduced significant security risks into the ecosystem. Surely, there could be a way to use new mobile technologies to better manage these risks!
In 2008, I collaborated with a team that invented a new way to harness the power of mobile devices to perform peer-to-peer mobile payments, and it solved all of the security problems that the legacy technologies suffered from. But, without a wholesale adoption of those technologies by retailers and payment processors, it was nearly impossible to get the traction necessary to make that system work in the real world. I eventually sold my interest in that effort in 2010 to focus on other mobile security research. Solving security problems in the mobile payment ecosystem didn’t matter if no one used the solution.
If we take a look at the adoption of mobile payment technologies over the last decade, security has not been a key criterion for users’ adoption of mobile payments. QR codes, as they are most widely deployed today using static numbers and no integrity checks, are one of the lowest-security mechanisms to facilitate payments. Yet, they are by far the most-used mobile payment format with over 1.5 billion monthly active users relying on QR payments in China alone[i].
Another low-security, high-use mobile payment system is Safaricom’s M-Pesa, used widely throughout Africa. Because the platform relies on static account identifiers tied to users’ phone numbers, fraud is rampant on it, yet users and banks still allow billions of dollars’ worth of transactions to flow through the platform every year because there is still more upside than downside for users, retailers and banks[ii].
The highest-security mobile payment format is what Apple Pay and Google Pay rely on – contactless systems that use dynamically-generated codes for payments. In Apple’s case, they rely on a combination of secure hardware on the device and cloud-based security to generate the codes. Most Google Pay implementations forego the secure hardware requirement and just use the cloud-based Host Card Emulation (HCE) technology. Adoption of those platforms has been relatively slow compared to QR payments and other mobile wallet applications. Further proving the point about how screen-displayed codes have gained wider adoption than contactless or NFC-based payments, Starbucks’ visual code-based mobile payment platform has more active monthly users than Apple Pay or Google Pay, despite the fact that Starbucks’ security features are a whole generation behind Apple and Google.
The Samsung Pay platform relies on a form of magnetic signaling which allows it to interact with many legacy magnetic stripe reader terminals. The key point with Samsung Pay is that its magnetic communications interface will work with most terminals, but has problems with some of the newer payment kiosks and point of sale systems, limiting its adoption and use. From a security perspective, Samsung Pay relies on dynamically-generated HCE account numbers to avoid fraud.
How is it that security has taken such a back seat in the mobile payments ecosystem? Many of the key participants in the mobile payments chain have been willing to take security risks for the sake of market adoption and customer experience. In China, for example, most QR transactions are low-value convenience purchases, and exploiting the system’s security vulnerabilities cannot net attackers the more-significant amounts that would make attacks on the QR infrastructure worth their time. Chinese regulators have recognized this and have now instituted guidance for QR payment participants that governs how high-value QR transactions must be handled[iii]. It’s a similar situation for Starbucks’ system as it represents very low-value transactions and is essentially a closed-loop system where it can only be used at Starbucks.
So, what is the bottom line from a security perspective when it comes to mobile payments? In the current state of the ecosystem, for transactions over $100, I highly recommend sticking to Apple Pay and Google Pay. If those aren’t accepted, then I would recommend using an EMV-enabled physical payment card. For lower-value transactions, use whatever is easiest, but be vigilant and monitor for suspicious activity on those accounts.
As security experts, what should be our role in the mobile payment ecosystem? I believe that there are opportunities for us to influence the future of mobile payments. Just because a system like QR codes suffers from significant vulnerabilities today doesn’t mean that it can’t be improved. As the Chinese QR code regulations have spelled out, if QR codes move away from static identifiers and lack of account owner consent, then QR codes could become a very powerful payment platform. This would be true even on the lowest-cost smartphones with just a camera and a screen. That is the power of QR, the nature of letting everyone be a buyer and a seller with just a screen and a camera. The existing contactless ecosystem does not have that potential because the phone’s NFC is set as a card and the payment terminal’s NFC interface is configured as a reader. That static configuration benefits the existing players in the payments ecosystem, but it doesn’t have to be an inherent advantage.
If we were to advocate the increase in sophistication in QR payments, there could be a fundamental shift away from relying on a select few providers of payment systems. While in mature markets like the U.S. and Western Europe, this is not necessarily a requirement for helping speed up transactions and produce new economic opportunities for small businesses, it would be a fundamental shift for the better in developing markets.
While India’s re-monetization of a few years ago motivated many merchants to purchase legacy payment terminals to facilitate transactions, there are still billions of people without access to an electronic payment system. If you could take the power of advanced software on high-integrity smartphones and pair it with high-entropy cryptography which would then be visually displayed through a QR code, significant improvements could be achieved in the QR ecosystem within a matter of months, without having to wait for a new generation of NFC-enabled terminals in those markets. The same holds true in Africa and Latin America. If we take a look at the Android One effort that Google has put together, it is possible to ship high-quality, high-security devices for about $150.
If I were king for a day of the mobile payment ecosystem, I would take the Android One platform and unleash its potential as a QR code payment system. Establishing a basic hardware standard for assuring some separation between QR-code-generating functions and normal software operations would increase the integrity of QR-code creation and verification. With some form of internet connectivity reaching even the most-remote areas, it would be possible to do online verification of transactions to assure that users consent to the purchase based upon certain thresholds and policies. With Google’s capability on Android One devices to ship security updates directly to the user (without relying on OEMs or Mobile Network Operators), it would be possible to implement policies to assure a minimum level of device hygiene, thereby making it more difficult to compromise certain software components of the QR-code generation and verification processes.
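An added sketch (not from the original article or from any payment scheme it names) of what replacing a static QR identifier with a dynamically generated, integrity-checked code and online verification could look like. The per-device HMAC key, the field layout, the 60-second lifetime and the consent threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 60            # assumed validity window for a displayed code
CONSENT_THRESHOLD = 10_000  # assumed policy: amounts above this (in cents) need consent


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_code(key: bytes, account: str, amount_cents: int, now: int) -> str:
    """Payer device: build a single-use, time-limited, authenticated QR payload."""
    nonce = secrets.token_hex(16)  # 128 bits of fresh entropy per code
    body = f"v1|{account}|{amount_cents}|{now + TTL_SECONDS}|{nonce}"
    return f"{body}|{_mac(key, body)}"


class Verifier:
    """Backend: online check of a scanned code (key, clock, replay cache, policy)."""

    def __init__(self, keys: dict):
        self.keys = keys   # account -> per-device key (hypothetical provisioning)
        self.seen = set()  # nonces that have already been redeemed

    def verify(self, code: str, now: int, consent: bool = False) -> str:
        parts = code.split("|")
        if len(parts) != 6 or parts[0] != "v1":
            return "malformed"
        _, account, amount, expiry, nonce, tag = parts
        key = self.keys.get(account)
        body = "|".join(parts[:5])
        # Authenticate first; every later field is only trusted after this check.
        if key is None or not hmac.compare_digest(tag.encode(), _mac(key, body).encode()):
            return "bad_mac"
        if now > int(expiry):
            return "expired"       # a photographed code goes stale quickly
        if nonce in self.seen:
            return "replayed"      # a static code would pass here every time
        if int(amount) > CONSENT_THRESHOLD and not consent:
            return "consent_required"
        self.seen.add(nonce)
        return "ok"
```

A code that is rejected only for missing consent is not consumed, so it can be resubmitted once the account owner approves the amount.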
It could be that some enterprising entrepreneur in India or China has already started down this path, and if so I wish them the best of luck. The current payment ecosystem is truly put together with duct tape and baling wire in many aspects. Re-envisioning it in a way that could benefit billions would help increase the potential for small business owners around the world to get ahead. Here’s hoping we can see such improvements soon.