Mobile Payments: The Security Challenge
SWACHA's Simmons Says Banks Must Play Key Role
As demand for mobile banking and payments transactions grows, banking institutions face increasing pressure to ensure security, says Dennis Simmons of SWACHA, a Texas-based electronic-payments adviser for banks and credit unions.
As a result, Simmons says, banks and credit unions must take advantage of mobile device features, such as geo-location, biometrics and device identification, to enhance authentication.
"One of the things that we've been thinking about, as far as authentication is concerned, is that the smart phone provides a lot of physical biometric opportunities," says Simmons, president and CEO of SWACHA, in an interview with Information Security Media Group's Tracy Kitten [transcript below].
Unlike laptops and desktop PCs, smart phones and tablets can easily accommodate biometric authentication, Simmons says.
Pairing biometrics, such as a fingerprint scan or facial recognition, with geo-location, which can be used to verify a device and the user's location, will take authentication a step further, he adds.
"[Institutions] want to have the same kinds of authentication requirements and security around the mobile device that they would have around a laptop, for instance," Simmons says. But because most smart phones and tablets have additional components, such as cameras, which can be used for image-capture, user and device authentication for mobile banking transactions can go beyond what's typical for PC-based online banking, he adds.
During this interview, Simmons discusses:
- Common mobile threats that institutions continue to address, such as malicious applications, lost and stolen devices, and mobile malware delivered through downloadable files;
- How banking institutions will approach mobile risks differently; and
- Unique security concerns mobile payments pose.
As head of SWACHA, one of the largest not-for-profit electronic payment associations, Simmons is a frequent speaker and recognized expert on payments issues. He is a member of the board of NACHA, serves as chairman of NACHA's Government Relations Committee, is past chairman of NACHA's Electronic Check Council and past co-chairman of NACHA's Risk Management Advisory Group. He serves as the chairman of the Payments Executives Leadership Forum.
Mobile: Consumer Insights
KITTEN: What kind of increases did you see in mobile banking from 2009 to 2011, based on the results of your consumer insights surveys of Texas consumers?
SIMMONS: We actually saw that when we asked consumers about use of their mobile devices for accessing banking services, the usage had actually tripled since 2009. That was a pretty significant increase.
KITTEN: What has changed since the last survey was conducted?
SIMMONS: We're in that period of time when you're going to start to see big jumps [in mobile adoption] before things start to mature. Based on the research that we've done and the reading that I've done, I don't think the results would be too much different if we were to conduct the survey today. We do this survey every other year, and we will be doing it again, probably during first quarter of 2013.
KITTEN: How do you see smart-phone usage impacting the security of these mobile transactions?
SIMMONS: For the most part, the usage of mobile devices is really an extension of the financial institutions' online-banking platform, and so the same concerns you have in that environment extend over to the mobile device: authentication, password protection, and how the consumer uses that platform to access their balances and their banking services.
Mobile Payments: Security Concerns
KITTEN: What about mobile payments? The latest survey noted significant increases in mobile payments or at least an interest in mobile payments options over cash and card transactions. Was any light shed on security concerns, where mobile payments come into play?
SIMMONS: When we talked to the consumers about those kinds of issues, security certainly came up as a major concern. I want to say that when we asked the question of, "Why don't you use mobile payments," concern over security was the overriding reason.
KITTEN: Were there any specific areas that they were more concerned about than others?
SIMMONS: I just think it's probably lack of familiarity. It's something new and so, therefore, they're going to be a little bit hesitant about it, especially because the industry has done such a good job of educating consumers about the concerns that they should have about mobile platforms and devices.
Addressing Mobile Risks
KITTEN: From the financial institutions' perspective, mobile payments pose increasing concerns, just because of the sheer number of entities that touch the mobile environment, especially non-financial entities. How are institutions that SWACHA works with addressing some of those concerns?
SIMMONS: The first thing, obviously, is consumer education. We need to make sure that consumers are very much aware of some of the concerns that the industry has. What gets lost in that conversation is that sometimes the mobile device can actually be more secure and easier to identify than a laptop or a desktop because of the unique identifiers that are inside that device. Some of the things that will be done in the future are going to really make mobile a whole lot more secure.
Authentication Recommendations
KITTEN: What about some of the authentication worries, as well as FFIEC conformance issues, for mobile transactions?
SIMMONS: The first question the financial institution has to ask itself is, "What's the functionality that I'm deploying on the smart phone?" Is it just an extension of their Web platform? If that's the case, then they want to have the same kinds of authentication requirements and security around the mobile device that they would have around a laptop, for instance, in that environment. If they're going beyond that, then some other kinds of processes should be in place, such as geo-tagging - making sure that the consumer is where they say they are by looking at the geo-location of the device - and testing the IMEI [international mobile equipment identity] number on the device to make sure it's the device the consumer has registered.
Emerging Areas
KITTEN: What about some of the emerging concerns? Chip payments are something that we've been talking about a lot because of the migration to EMV [Europay, MasterCard, Visa standard]. But are there special concerns, especially when it comes to RFID, or near-field communications on mobile devices used for payments?
SIMMONS: Absolutely. You mentioned EMV, and one thing that gets lost in the conversation about EMV is that you have to have physical contact with the reader. But we've also seen chip payments with the tap-and-go applications - RFID [radio frequency identification] and NFC chips being embedded in devices. One of the things that's of concern is that those RFID chips are on all the time and they can be read by proximity devices placed next to a checkout stand. And the same thing can happen with NFC when it's turned on. That signal can be picked up. Granted, it's in a small proximity, but if I put a small device next to a cash register at a retailer and then come back later on and pick it, then [if I'm a fraudster] I've gathered the information that was contained on that transaction. Protecting those devices from the signals being intercepted is certainly a concern.
KITTEN: Aren't most of those transactions encrypted in the same way that other transactions would be encrypted?
SIMMONS: They can be encrypted. But part of the problem is that oftentimes when you're near an RFID reader or an NFC reader, those transactions aren't necessarily encrypted. And even if they are encrypted, oftentimes that encryption can be defeated because it's not as robust as some of the encryption that you might see in other arenas.
One of the things that we've been thinking about and talking about, as far as authentication is concerned, is that the smart phone provides a lot of physical biometric opportunities. Think about being able to put a thumbprint reader, for instance, in a mobile device. That's already being done. Because you speak into your smart phone, it can have voice-recognition capabilities, too. You can look at facial recognition as well. Most of these devices have some kind of a scanner in them. You could look at doing retina scans, as an example. With the ability to tie biometrics with geo-positioning and a variety of things that you embed in a smart phone, I think security over the next three to five years is going to get a lot better for these devices.
KITTEN: That goes back to support the point that you made earlier that these mobile devices can actually make transactions more secure than PC-based transactions.
SIMMONS: Correct. I'm also encouraged by the fact that there are a number of really good malware tools that are being deployed on some of the operating systems, especially the Android operating system. The kinds of malware detection that you might see on a PC or a laptop have now been deployed down to the mobile device. And that is one of the things that financial institutions can encourage their consumer customers to do: make sure they're using one of those malware products on their smart phone as an added layer of protection for themselves.
Anti-Malware Options
KITTEN: How well informed are most of the institutions you work with about some of these anti-malware options?
SIMMONS: That's one of the things that we're constantly working on with our members: making sure that we're communicating with them about the things that we see. I know it's very difficult for financial institutions to keep up with what's going on, and that's why they engage us to do those kinds of things to help keep them informed as well.
KITTEN: Beyond mobile malware, what types of concerns or questions are you hearing most often from the institutions you work with?
SIMMONS: The major issue really is who owns the customer. That's one of the big concerns. The financial institutions want to own the customer. The telcos, the mobile telephone operators, they want to own the customer. And I think at the end of the day the debate is going to have to be they both own the customer and they're going to have to share. If we can overcome that impediment, I think we're going to be in a lot better shape in the future.
The other concern really is trying to have a good understanding of the implications of these devices as far as interactions with retailers, interactions with merchants and interactions with the financial institution. They need to make sure that there's a good, strong and robust communication that takes place between those parties.
Security Education
KITTEN: When you have all these different players involved in mobile payments transactions, how do you ensure consumer education is uniform?
SIMMONS: That's a major challenge and I think that's where the financial institutions can really play a strong role because they tend to be trusted parties. Consumers can look to their financial institutions as a source of reliable information about security and how these devices work. ... I would encourage financial institutions to make sure they're that trusted resource and that trusted brand that the consumer can rely on.