Are Mobile Payments and Data Privacy an Impossible Duo?

In the technology arena, convenience and cool have long been at war with security and privacy—usually with convenience and cool winning. The latest and greatest device is rarely the safest and most secure. As FBI CISO Arlette Hart has said, “[With technology], cool trumps safe.”

Unless you’re in the mobile payment space, that is. Here, privacy holds a pretty high trump card. An Inside Secure survey released late last year shows that more people were planning to make mobile payments while holiday shopping; however, the same survey shows that worries overpayment fraud, data privacy, and identity theft kept other would-be users reaching for the plastic.

A March 2015 Federal Reserve survey backs up these findings. For those who didn’t use mobile banking, 62 percent said they were worried about security, and 34 percent didn’t “trust the technology.”

Ironically, cybersecurity professionals themselves are also concerned with mobile payment security. Eighty-seven percent of respondents in ISACA’s 2015 Mobile Payment Security Study expect to see an increase in mobile payment data breaches within the next 12 months. In addition, only 42 percent of those surveyed had used mobile payments in the year-to-date, and less than a quarter feel that their personal information is secure when making mobile payments.

According to the survey, these professionals were most concerned about public Wi-Fi use on a payment-enabled device, lost or stolen devices, and phishing/smishing (phishing attacks via text messaging).

Mobile Payment Insecurity

Privacy and security are high priorities for mobile payment providers such as Apple Pay, Android Pay, Samsung Pay, and their banking or retail equivalents. Tokenization, device-based, or other security measures help. However, as one writer puts it: “anything shared has the possibility of being stolen.”

For example, IBM “master inventor” Christopher Hockings writes that even the mobile payment apps themselves are vulnerable. He says that the app’s actual functionality can be leaked to an attacker, who can “access, modify, rebuild and deploy without the transaction service being aware.”

Then, he says, there is the “trustworthiness of the device.” Mobile payment apps have to function across a broad range of devices, with different operating environments. This exposes the app to “a broad range of potential vulnerabilities across the support devices.” Hackers can target operating systems running on devices “where known vulnerabilities remain unpatched.”

In addition to app and device vulnerability, the providers themselves have access to a boatload of personal information. In July last year, the U.K.-based publication, Independent, reported that “Apple will be privy [if only for short periods of time] to our all-important spending habits and will quickly be able to create a virtual profile of each of its users: where we shop and how frequently; what we buy; how much we spend; and so on.”

The Independent article continues: “Mike Weston, the chief executive of the London-based data science consultancy Profusion, explained how users sign away their privacy when accepting the terms and conditions. ‘Our spending habits can be quite revealing of our behavior and preferences,’ he said. ‘When this information is combined with our browsing habits, social media profiles and location (via GPS on our phones), it paints a very vivid picture. As the terms and conditions linked with using applications like Apple Pay essentially gives Apple carte blanche to use the data they gather, it puts a lot of power in its hands.’”

(Apple contends that it doesn’t collect a consumer’s purchase history, so it doesn’t “know what you bought, where you bought it or how much you paid for it.”)

Finally, mobile payment providers are susceptible to data breaches. British mobile payments company Optimal Payments allegedly had breaches at two of its locations in 2012 or earlier. Customer names and e-mail addresses are available for purchase on the Dark Web, according to Reuters. And in October 2015, The New York Times reported that Chinese hackers breached LoopPay, whose technology is the “centerpiece” of Samsung Pay.

Securing the Insecure

“Mobile payments represent the latest frontier for the ongoing choice we all make to balance security and privacy risk and convenience,” said John Pironti, risk advisor with ISACA and president of IP Architects. “ISACA members…are using mobile payments while simultaneously identifying and contemplating their potential security risks. This shows that fear of identity theft or a data breach is not slowing down adoption—and it shouldn’t—as long as risk is properly managed and effective and appropriate security features are in place.”

In addition to managing risk and adding in security, experts agree consumer education is critical.

“The payment industry needs to engage in awareness and education. As our survey results show, security issues are by far the primary impediment to adoption,” Trevor Daughney, executive vice president of Inside Secure USA, told eWEEK. “To overcome concerns, banks and other issuers…should also explain how they are handling their customers’ data, for example, are they keeping payment data separate the other data on the mobile device, and are they storing it on the device?”

Mobile payments certainly pose unique security and privacy challenges, but the best protection against hackers is the same that it has always been. It’s about practicing basic security hygiene. For example, consumers should promptly install OS and other updates with security patches. Make use of all the security features a device offers, such as fingerprint authentication. After all, the technology behind mobile payments might be rocket science, but the steps we take to protect ourselves should be kindergarten-level math.