By David Midgley, head of operations, Total Processing
In recent years, the proliferation of near field communication (NFC) technology has meant that mobile contactless payments have continued to grow, with more than 100 million people around the world having used an NFC handset to make a purchase this year, according to a report from Strategy Analytics.
However, as with all new financial technology, criminals will try to find ways to access people’s accounts. So what do retailers need to do to ensure they and their customers aren’t the victims of fraud?
Security versus convenience
Mobile payments are indicative of the convenience culture we now live in, where many expect things to be as easy as possible for them. However, when it comes to financial information, security should not be compromised to provide convenience.
In fairness, Android Pay, Apple Pay and Samsung Pay all seem to be very secure. For example, the Security And Privacy Overview on the Apple website lets you know exactly who sees your information, where your information goes and what Apple does to protect your information at different stages. On a day-to-day basis too, Apple Pay requires users to authenticate the transaction with their fingerprint each time they make a purchase, while Samsung Pay requires either fingerprint or PIN authentication.
However, methods intended to break the encryption protocols do exist, meaning those with malicious intentions could defraud users of mobile payment apps.
For example, one of the trumpeted security advantages of NFC technology is that the read range is about an inch. Therefore, it would be obvious if someone was trying to intercept the communication between your phone and the point of sale (POS) terminal, as they’d have to have their device right next to both. However, researchers at the University of Surrey have shown that the read range can be extended to 80cm. Therefore, while someone standing right next to you trying to steal your data would be obvious, the person casually standing nearly three feet away wouldn’t be.
In addition, more and more businesses now also provide free in-store Wi-Fi for customers (yet more evidence of our convenience culture). However, many don’t secure the connection, and so, it is possible for anyone who is within range of the signal to hack into the hosting network and any phones that are connected to it.
Given many people set up their phones to automatically connect to any open Wi-Fi connections so they can save on data roaming charges, it is very possible that a hacker could match the information they’ve intercepted between your phone and the POS terminal with any information stored on your phone to steal your card information.
Secure the connection
The solution is very simple: secure the Wi-Fi network or use a separate, dedicated connection for your POS terminal. By doing this, a retailer makes it much more difficult for hackers to subject both the retailer and its customers to data corruption, manipulation and interception attacks.
Furthermore, while the Android Pay, Apple Pay and Samsung Pay apps themselves, and the payment processes they use, are very secure, the NFC chip itself isn’t necessarily.
For example, you may remember that, following a post on Facebook, there were reports early this year of people using a POS terminal on the London Underground to clandestinely steal money from commuters’ contactless cards. While the image used was found to have been taken from Russian media, it highlighted an inherent vulnerability in the security of contactless cards, as no authentication process is required in order to take money from the card.
Given that mobile payment apps utilise the same NFC technology, it remains to be seen if criminals will be able to find a way to bypass the authentication processes and security measures Apple, Google and Samsung have put in place.
Contactless payments are the way the world is going, and so, it makes sense for retailers to offer customers the ability to take payment from mobile devices. However, with this comes the responsibility to ensure that these payments remain secure. While the likes of Apple, Google and Samsung have been seen to take reasonable measures to secure their devices, it is also the responsibility of retailers to ensure they are doing everything they can to secure the payments in-store too.
Total Processing is a payment gateway and merchant services provider.