Have Money, Will Travel: A Brief Survey of the Mobile Payments Landscape

Executive Summary

By Carlisle Adams, Professor, School of Electrical Engineering and Computer Science, University of Ottawa.

The views and recommendations in the report are those of the author; as such, they should be viewed as input for consideration by the OPC and others to formulate their own policies and guidelines in the area of mobile payments.

The report looks at mobile payments technology through the lens of security and privacy.  More specifically, it looks at potential security or privacy risks and possible ways to mitigate those risks.

The report is divided in three sections:

  1. Part 1, Context – Motivations for mobile payments, important payment models and major actors, examples of money flows.
  2. Part 2, Security and privacy risks of specific payment models – A closer look at different payment models.
  3. Part 3, Security and privacy risks mitigation – Recommendations generally relevant to all mobile payment models, categorized by specific audiences.

Part 1, Context & Analysis

History and Motivation

The motivation behind replacing traditional cheques with digital payments is greater convenience and efficiency, and potential cost savings for processing electronic cheques over paper cheques. The potential annual saving associated with digital payments in Canada is estimated to range from $3B to $7B by 2020.

The report notes that the value of mobile payments in Canada in 2011 was approximately $10B, and $13B in the United States, with the increasing availability of tablets and smart phones, the value of mobile payments in the United States could reach $90B by 2017. 

Types of Mobile Payments

  • Mobile peer-to-peer (mP2P): This covers transactions between individuals; for example, PayPal©, text messaging, Near-Field Communications (NFC), or other technologies on each person’s mobile device.
  • Mobile Point-of-Sale (mPOS): This covers commercial transactions between a person and a registered merchant in a bricks-and-mortar store.
  • Mobile payment acceptance (mAccept): This is essentially a blend of mP2P and mPOS.  Two individuals are involved in the transaction, but one is a merchant.
  • Mobile commerce (mCommerce): This involves the use of an app or the browser on a mobile device to do online shopping; for example, Amazon©, eBay©, and iTunes©.  In this category, a mobile device is used but is not essential for the transaction (for example, the same transaction could be performed on a laptop or desktop computer).

The full report focuses on the mPOS model of mobile payments, but also looks at some subcategories of the mP2P, mAccept, and mCommerce payment models.

Part 2, Security and privacy risks of specific payment models

This section of the report examines the security and privacy risks of some specific payment models.  In particular, this part of the report examines the NFC-enabled mPOS model of mobile payments, but also briefly considers the current mCommerce model.

In an NFC mobile payment there are a number of possible locations for an attack to occur. For example, the POS terminal (more generally, the reader) may be corrupted in some way, or the channel between the mobile device and a legitimate reader (i.e., the air space) may be breached in some way.

In addition, some general technological privacy risks associated with electronic financial transactions are identified, such as the small screen of mobile devices, lack of security implementation, poor audit controls, and software bugs,

Some of the privacy risks associated with payment models identified in the report include:

Corrupted POS Terminal

  • A corrupt “rogue” POS terminal could possibly send valid-looking messages to a mobile device, causing the device to think that a legitimate payment transaction is occurring and therefore transfer money from the user’s account to the corrupt reader.

Corrupted Channel between Mobile Device and POS Terminal

  • With NFC, messages are being transmitted through the air between a mobile device and a POS terminal.  The types of attacks that have been investigated include eavesdropping, data corruption, data modification, data insertion, and man-in-the-middle (MITM) attack.

Corrupted Mobile Device

  • The security and privacy risks on the mobile device can be divided into two categories:  hardware-based attacks (requiring physical access to the targeted device) and software-based attacks.

Part 3, Security and privacy risks mitigation of various payment models

This section of the report provides a sample of recommendations directed to various players.

Recommendations

  • To Device / Operating System (OS) manufacturers
    • Manufacturers are encouraged to continue, and even extend, their rigorous design and testing procedures to ensure that the systems they deliver are as bug-free as possible.
    • Manufacturers should continue and increase their efforts to provide protection mechanisms such as remote locking, remote encryption of data, and remote wiping of data.
    • Manufacturers are encouraged to continue, and to extend, their rigorous testing of data protection mechanisms, especially when the device is subjected to unusual or extreme operating conditions.
    • Manufacturers are encouraged to continue their extensive efforts to eradicate security and privacy vulnerabilities from their OSs and device hardware, and to contribute actively to keeping devices malware free by creating and disseminating patches, improved versions, and so on, in as timely a fashion as possible.
  • To Mobile Network Operators (MNOs)
    • MNOs should explore techniques to ensure that data has actually been securely wiped when requested.
    • MNOs are encouraged to continue their efforts to keep devices malware free by disseminating patches, antivirus tools, and so on, to their customers in as timely a fashion as possible and to assist users to install these protective measures as soon as they are available.
  • To Wallet / payment app developers
    • Developers should ensure that payment and other sensitive data are protected at all times.
    • Developers are encouraged to continue their efforts to keep the wallet and apps on any mobile device as free from security and privacy vulnerabilities as possible.
    • Developers and providers are encouraged to implement strict audit controls and other technological and procedural measures with respect to employee access to payment and other sensitive data.
    • Developers are encouraged to explore ways in which truly anonymous payment transactions can be offered as an additional feature to existing payment models.
    • Developers are encouraged to develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers.
  • Merchants
    • Merchants should have clear, succinct, plain-language policies in place.
    • Merchants are encouraged to continue their efforts to keep the OS and apps on any mobile device used as a POS terminal malware-free by installing patches, antivirus tools, and so on, in as timely a fashion as possible.
  • End users
    • Users should become familiar with wallet and payment app policies.
    • Users are encouraged to store the emergency contact information for every entity that they may need to notify in a location that is readily accessible but independent of the mobile device.
    • Users are encouraged to take all available precautions to protect their devices, including downloading and installing only a trusted wallet (i.e., a wallet from a trusted source) and making every attempt to keep the device malware-free (such as installing the most current security patches, antivirus tools, and so on).
    • Users should make use of all protections available to them from the device / OS manufacturers, the MNO, and the wallet and app providers.

Please consult the full report for further details and references.

Date modified: