The Issue of Security and Fraud Risk in the Cloud vs. Contactless Mobile Wallet Debate
December 4, 2012
I've had multiple discussions over the course of the last few weeks that revolve around the market's propensity to adopt one or another flavor of mobile payments, mobile wallets, and the various security attributes of each configuration. Of course, the dichotomy at the heart of the mobile payment controversy is that of cloud versus contactless: a mobile wallet that operates via a retailer's in-store wireless network interacting with the point of sale, versus a mobile wallet that can effect payments via the tap of an NFC chip on a POS hardware peripheral.
There are certain differences in functionality, cost, etc., that have been discussed nearly to death (so I won’t bother to rehash them here), but there also happens to be a big difference in the relative security of each kind of implementation and the degrees of fraud risk associated with each. Additionally, there are pros and cons on both sides, making the balancing act in determining the overall worth of each implementation more difficult. The essential differences come down to hardware versus software and the relative vulnerabilities associated with each.
On one hand, with NFC, physical security is paramount. Certainly, there is a software component to the NFC implementation, but secure elements and over-the-air credential provisioning (OTAP) have narrowed the software vulnerabilities of NFC payment instruments (i.e., phones) about as far as they can be narrowed. But what happens when a user’s phone is lost, stolen, or otherwise misused for a face-to-face NFC transaction? What authentication procedures exist to prevent fraudulent tap-to-pay purchases? As far as I know, authentication of NFC mobile payments in the U.S. will soon be governed by the EMV standard, and the version that Visa is suggesting issuers implement doesn’t require a PIN factor to accompany the dynamic authentication of the chip.
In the cloud, on the other hand, the threat of mobile malware is strong enough that wallet providers will need to make absolutely certain that they understand the nuts and bolts of each mobile platform and operating system for the phones that will carry the wallet. Scary new mobile malware such as NotCompatible and Android.Bmaster has been able to access private networks and send sensitive data from the phone to remote users. Combine this type of threat with keylogging and form-grabbing malware that might be distributed through mobile websites, and the potential for data insecurity is high, even when card credentials are not stored on the phone.
As always, I’d like to hear from you! Please let me know your thoughts on mobile security and mobile payment fraud risk by using the contact link below.