Securing Mobile Payments with a “Defense in Depth”

Lance Johnson by Lance Johnson
November 10, 2015
in Industry Opinions
Mobile payments is the next “big thing” for consumers. But how can we keep it from becoming so for hackers as well? As our “always on” culture moves from good old plastic and chip cards to mobile phones, where data and software are more vulnerable to hackers, how do we maintain trust without eliminating utility?

According to Verizon’s Data Breach Report for 2015, mobile devices are a growing target for hackers, with over 5 billion mobile apps that are vulnerable to remote manipulation. Most of this malware is just annoying rather than malicious, but as mobile payments become more widespread, we can expect that to change.

Moreover, as the number and distribution of mobile devices continues to dramatically increase, so does the potential for new methods and opportunities for attacks.

The explosion of technology that powers most contactless transactions (such as Apple Pay and Android Pay) presents a huge opportunity for hackers who are looking for a pot-of-gold target. According to market research firm IHS, the adoption of this technology – Near Field Communication (NFC) – is expected to increase from 440 million handsets in 2014 to 2.2 billion in just 5 years. And, as traditional personal computers decline in importance, this presents a new battlefield for hackers trying to monetize their efforts.

No silver bullet
Unfortunately, protecting mobile payments is a lot more complex than simply adding a chip or an extra piece of software. But many of the entities that are part of the ecosystem advertise various technologies as “the only solution” needed for securing mobile payments. Recently, I even heard a well-regarded colleague publicly state that all of the security issues have been resolved; that they are “old news.”

Apparently, the hackers didn’t get that memo. While I agree that the environment is relatively well understood and the tools for additional security are available, there are certainly some very real security issues that still need attention.

So what is the solution? Secure elements? Tokenization? Or perhaps end-to-end encryption is the cornerstone of security. The answer is “yes,” “yes,” and “yes” in a chorus of many.

Regardless of what vendors would say, no single tactic resolves all the threats. There is no silver bullet to securing mobile payments.

Even the best available security measures have inherent weaknesses, and it is only a matter of time before a hacker finds an exploitable vulnerability within the existing security infrastructure. So, the most effective countermeasure in this environment is to deploy multiple defense measures between the attacker and their target. This security strategy is often called “Defense in Depth.”

Securing mobile payments with a “Defense in Depth”
The “Defense in Depth” approach assumes that no single security measure is impenetrable on its own, so the strategy uses multiple overlapping security measures to increase the security of the whole system. Each of these measures presents a unique obstacle which slows or ultimately prevents a hacker’s progress. These measures are complemented by other security features that detect an attack and report it to the administrator, who can then analyze and respond accordingly.

These multiple layers of security work in concert and allow the defender time to respond to the threat and stop the attacker before any sensitive data or processes have been compromised.

In the mobile payments world, the overlapping security measures can be grouped in 3 different areas:

Minimize the reward for the attacker:
The first line of defense is to minimize the reward a hacker would gain from an attack. If the ROI of an attack is low, a potential hacker may pause and re-evaluate the target. Tokenization and the use of limited use keys (LUKs) are the two main tools used within mobile payments to reduce the value of sensitive data and thereby discourage attacks.

Use Secure Elements or create an on-device and software-based “secure element”:
Roughly 25% of all breaches were attributed to memory scraping at merchants’ POS systems. Card data, tokens, keys and cryptographic functions must be protected so that they cannot be easily harvested, or reused if stolen.
Use the Smart Phone as a security monitor:
The growing presence of mobile devices in the payments ecosystem presents both challenges and opportunities in the realm of security. Always-connected devices can serve as a security monitor, capable of continuously sampling information on the user, local connections, the device, and its surroundings. Data such as geo-location, merchant POS pairing, customer validation and device/software integrity can be used both on the device and at the host to validate every aspect of the transaction and the environment.
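The three areas above, as one added host-side sketch that is not from the article or its white paper: a token plus a limited-use key stands in for the card number (area one), a per-transaction cryptogram that the wallet would compute inside its secure element so the LUK never sits in app memory (area two), and device-reported signals such as POS pairing, geo-location and integrity checked at the host (area three). The names, the master key and the signal format are this example's own assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secret for the demo; a real issuer derives LUKs from an HSM-held master key.
ISSUER_MASTER_KEY = b"constructed-demo-master-key"

@dataclass
class TokenRecord:
    pan_last4: str        # the real PAN stays at the host; the device only ever holds the token
    luk: bytes            # limited-use key provisioned to the device's secure element
    max_uses: int         # how many transactions the LUK is good for before re-provisioning
    uses: int = 0
    last_counter: int = 0
    paired_pos: str = ""  # merchant terminal the wallet paired with
    home_region: str = ""

def provision(vault, token, pan_last4, paired_pos, home_region, max_uses=2):
    """Area 1: issue a token and a LUK so that a stolen copy is worth very little."""
    luk = hmac.new(ISSUER_MASTER_KEY, token.encode(), hashlib.sha256).digest()
    vault[token] = TokenRecord(pan_last4, luk, max_uses, paired_pos=paired_pos, home_region=home_region)
    return luk

def cryptogram(luk, token, amount_cents, counter):
    """Area 2: computed on the device, ideally inside the secure element, once per transaction."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()

def authorize(vault, token, amount_cents, counter, mac, signals):
    """Host-side checks; every layer is independent, so bypassing one is not enough."""
    rec = vault.get(token)
    if rec is None:
        return False, "unknown token"
    if rec.uses >= rec.max_uses:
        return False, "LUK exhausted"
    if counter <= rec.last_counter:
        return False, "replayed counter"
    if not hmac.compare_digest(mac, cryptogram(rec.luk, token, amount_cents, counter)):
        return False, "bad cryptogram"
    # Area 3: the phone as a security monitor; signals are reported by the device.
    if not signals.get("integrity_ok"):
        return False, "device integrity check failed"
    if signals.get("pos_id") != rec.paired_pos:
        return False, "POS not paired with this wallet"
    if signals.get("region") != rec.home_region:
        return False, "geo-location mismatch"
    rec.uses += 1
    rec.last_counter = counter
    return True, "approved"
```

A replayed cryptogram, a transaction from an unpaired terminal, and a LUK past its use count are each refused by a different layer, so harvesting the token alone buys an attacker nothing.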

Leveraging overlapping security measures that are implemented in parallel with one another eliminates the traditional “weakest link” vulnerability. If one security measure is breached, others remain in place to block the attack, minimize its impact and report the breach to the host.

This layered approach recognizes that the security of a widely distributed system should never rely on a single “silver bullet”. And because of the dynamic and evolving nature of the threats, no approach will ever be perfect. However, this “Defense in Depth” philosophy is the best course of action because it not only prevents known security threats, it also provides an organization with the time and resources to detect and respond to new attacks.

Learn more by reading our white paper: Securing Mobile Payment with a Defense in Depth
