Mo' money mo' mobile payments... Security risks? Whatever!

A survey on global mobile wallet adoption, published Tuesday, has sparked a lively debate about how banks and fintech might face off in the expanding market for mobile payments. Global payments software firm ACI Worldwide found that security concerns, while present, are not holding back uptake. Steven Murdoch, a security …

  1. nematoad
    Unhappy

    No thanks.

    "Trust us, we are a bank/IT provider/government."

    I do not and will not trust anyone with my money unless I am the one in charge of the account and can see who is doing what with it.

    As for using a smart phone for my banking, no thanks. Why should I pay the likes of Apple or Google for the privilege of paying a bill? Finally I do not have a smart phone and no wish to get one.

    All pretty Luddite I suppose, but I have precious little money to start with and can certainly do without others taking a bite out of what I do have.

    1. John Robson Silver badge

      Re: No thanks.

      "As for using a smart phone for my banking, no thanks. Why should I pay the likes of Apple or Google for the privilege of paying a bill? Finally I do not have a smart phone and no wish to get one."

      Erm - you don't.

      It might be that the merchant gives them a kickback - but the bill to you is the same either way.

      If you already have a smartphone it is therefore a zero incremental cost option.

  2. Anonymous Coward
    Anonymous Coward

    I think most of what needs to be said on this subject was covered by the comments in the article about the survey.

    Most westerners have got a banking system which means that Smart-phone payments aren't any more convenient in reality but are a lot less secure.

    To be honest the same goes for contactless payments really.

    I know Google et al want us to do this, so their strategy seems to be to push surveys which paint it in a good light, so it's really three steps:

    1. Everyone else is doing it so you should too.

    2. Young people are doing it therefore it's better and you risk becoming an old fogey if you don't.

    3. This is modern and you risk becoming outdated so you've got to change.

    Then the debate becomes all about name calling and no longer about the facts.

    1. Anonymous Coward
      Anonymous Coward

      Google wants you to do it because that's more information they can collect about you to monetize. Apple touts the anonymity of Apple Pay, but wants you to do it because you're more likely to buy another iPhone the more of their services you're using. No one is altruistic here; all of the players, from Apple/Google to banks to credit card issuers, are most definitely for-profit concerns, after all.

      I view it as a "nice to have" in case I am ever somewhere without my wallet but I have my phone and want to buy something. But there's really no reason to go out of my way to look for places that can do it and use it, because it isn't any faster nor any more convenient. The times when I don't want to bring my wallet are usually times I'll be drinking - if I bring cash only I know I have a limit on my spending and won't keep buying rounds of shots :) Fortunately when I'm drunk enough to do that I'm probably too drunk to remember I have Apple Pay, even if bars start taking it (until the EMV hard deadline comes which hasn't even been set yet, few have chip readers since the 'signature override' mode is acceptable for now)

  3. Prst. V.Jeltz Silver badge

    "In terms of risks, it's far easier to compromise a smartphone than a card. "

    I beg to differ: with a contactless card you just wave it around and cannot optionally set a PIN; with a smartphone you can set a PIN, THEN wave it around, thereby defeating anyone walking around the pub with a high-powered contactless card reader.

    You are of course less likely to be able to browse to "hackmywallet.com" using a cashcard

    1. Anonymous Coward
      Anonymous Coward

      "with a contactless card you just wave it around"

      Only for small amounts. Here the max amount without a PIN is €25. And you could still be reimbursed; if someone swipes a pub with a card reader there would be not a few complaints, and it would be quite simple to demonstrate the transaction was fraudulent.

      But I'm glad I don't have to unlock my smartphone to pay, say, the highway toll, since the smartphone is in its hidden cradle used via Bluetooth.

      1. Banksy

        Re: "with a contactless card you just wave it around"

        Some banks and app based banks allow you to turn off the contactless functionality of your card as well as remote purchases (e.g. Starling Bank).

    2. Aitor 1

      Err no.

      It is easy to compromise a phone, and do silent transactions.

      The same is difficult with a card, and the card can be discarded (pun intended), not so easy for the phone.

    3. annodomini2

      Accessing the information from the card requires physical access and is payment limited as has been stated, a net connected smart phone can be breached from the other side of the world, potentially unbeknown to the user.

      The Window Of Opportunity for the attack is much wider which increases the risk massively.

      1. Anonymous Coward
        Anonymous Coward

        But the card doesn't respond when it is tagged, so it can be silently pwned using something like a Yagi antenna hidden in a long sleeve, and you wouldn't know about the foist until you checked your balances. So you lose either way.

        PS. You say smartphones can engage in transfers without your knowledge. Can you provide proof of this without a dodgy app?

  4. Anonymous Coward
    Anonymous Coward

    "in Europe banks are entitled to refuse to reimburse victims of fraud"

    As Murdoch states in one of the links.

    Yet I have yet to see one that did, unless they are really, really sure the victim did something really criminal or almost.

    Also, mobile payments are OK, storing PINs on a mobile phone, probably in a password manager is not?

    Sure, my old parents share a single card and PIN. Are many devices able to work on the same bank account more secure? Especially devices you can't easily thoroughly destroy when no longer in use? It looks to me they broaden the attack surface more than a single shared card.

    Maybe he knows many people with nine cards, and maybe in countries like the US where they are given away with chips it is common, but here a relatively small number of people have more than two cards, often one only.

    Also, even if I use a card, I can still use the phone to monitor the transactions. Actually my bank sends me a message for each transaction. The good thing is card and phone are two separate channels, and it would be more difficult to compromise both of them and orchestrate a hidden transaction. Also, they are not all eggs in a single basket. I'm used to avoiding keeping everything in a single wallet; I wish I could avoid having everything in a single electronic wallet as well, which also depends on a battery.

    I understand a lot of people see a goldmine in mobile payments, but I still see little benefits and just more dependencies on a more complex device.

    1. DontFeedTheTrolls
      Boffin

      Re: "in Europe banks are entitled to refuse to reimburse victims of fraud"

      "Especially devices you can't easily thoroughly destroy when no longer in use?"

      Have you read how Apple devices apply security? When the device is first set up, a key is generated which encrypts everything in the device. EVERYTHING. Factory reset destroys the key, hence all that terrorist noise about accessing the San Bernardino iPhone by bypassing the PIN so it didn't wipe the key.

      While mathematically possible to recover the encrypted data, since it's beyond the FBI it's probably beyond the efforts of most people of a nefarious nature.

      1. Anonymous Coward
        Anonymous Coward

        Re: "in Europe banks are entitled to refuse to reimburse victims of fraud"

        And if they manage to pwn the phone without your knowledge, meaning they can rifle through it and you don't know so you don't engage the factory reset?

  5. Aodhhan

    Working InfoSec for a bank, I'm aware of all the problems.

    First... doing banking via a phone app is a lot different than say, using your credit card to buy an item online.

    All features must be activated by the customer. Nothing is default "on/open".

    Most banking apps have limitations on them. For instance... you can deposit and you can view balances, but you aren't allowed to electronically withdraw in most cases.

    You can make electronic payments, but only to reputable companies/organizations (your utility companies for instance), not to individuals. You can opt in to some others, such as eBay.

    The customer must place limits on transactions; with the default being "0.00".

    There are more but you get the picture.

  6. Pascal Monett Silver badge

    "Applications can incorporate their own security protections"

    In a word : fragmentation.

    Security on a mobile phone must be at the OS layer, maybe even baked into the hardware if you wish to have any hope of making things difficult to crack. Anything else is just a game for blackhats to win.

    As for fraud and European banks, I was a victim of fraud once and my French bank made absolutely zero trouble when I asked for reimbursement. I do not know that any bank in France has a reputation for not behaving in the same way.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Applications can incorporate their own security protections"

      "Security on a mobile phone must be at the OS layer, maybe even baked into the hardware if you wish to have any hope of making things difficult to crack. Anything else is just a game for blackhats to win."

      Something tells me the blackhats already command the high ground if you consider state-level actors among them since they have demonstrated the ability to influence things at the hardware level. Which in turn can apply to anything accessible to the consumer.

      IOW, we're already screwed if they wanted it to be. And since we can't avoid it anymore (remember, they control the cash and can heavily influence all the markets), might as well let it go and get on with things.

  7. Anonymous Coward
    Holmes

    QR Code payment by phone in China is all the rage

    People buying a small bag of apples from a street vendor by scanning the QR code on their phone. Renting bicycles with QR codes scanned by a scanner box built onto the bike. Haircuts, restaurants, taxis. It's pretty wild to see how quickly they are pushing it forward, and how widely it's been adopted in a very short period of time.

  8. Jin

    Bringing in biometrics, things get even riskier

    So long as a fallback password is needed in case of false rejection, biometrics brings down security as explained in this video.

    - Biometrics in Cyber Space - "below-one" factor authentication

    https://youtu.be/wuhB5vxKYlg

    1. John Robson Silver badge

      Re: Bringing in biometrics, things get even riskier

      You assume that the pin is the same between the two devices.

      If I have to type a code into a device every time I open it, then it will be easy to type (and easy to find a time to watch me typing it).

      If I only have to do it on reboot, or on failure of the biometric (maybe I've been in the bath and my fingers are all crinkly) then it can be significantly stronger, and will be less vulnerable to being overlooked.

      It's not quite as simple as 'either pin or biometric' is inherently less secure than 'pin only'
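      As an added illustration, not part of Jin's post or John Robson's reply, here is the probability model that both positions rest on. Let $f$ be the biometric's false-accept rate per attempt, $a$ the number of biometric attempts allowed before the device falls back to the PIN, and $g$ the probability the PIN is guessed within its allowed tries ($g = k/10^{d}$ for a uniformly chosen $d$-digit PIN and $k$ tries). If the device accepts either path, an attacker's chance per device is

      $$P_{\text{either}} = 1 - (1-f)^{a}\,(1-g) \;\ge\; \max\bigl(1-(1-f)^{a},\; g\bigr),$$

      so a biometric with a PIN fallback is never harder to get past than the PIN alone; that is the sense in which it counts as "below one factor". Requiring both would give $P_{\text{both}} = \bigl(1-(1-f)^{a}\bigr)\,g$, smaller than either term. The other side of the argument is that $g$ is not fixed. With an assumed $f = 1/50000$ and $a = 5$ the biometric term is about $10^{-4}$; a 4-digit PIN with $k = 10$ tries gives $g = 10^{-3}$ and $P_{\text{either}} \approx 1.1 \times 10^{-3}$, while a 6-digit PIN that is typed rarely enough to be tolerable gives $g = 10^{-5}$ and $P_{\text{either}} \approx 1.1 \times 10^{-4}$. Which configuration comes out ahead depends on whether the fallback PIN actually gets longer when it is used less.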

    2. Anonymous Coward
      Anonymous Coward

      Re: Bringing in biometrics, things get even riskier

      Agreed, personally I believe probabilistic methods have no place in security. Biometric authentication is deployed increasingly as a marketing ploy of service providers for consumer convenience - not security.

      I think a lot of security professionals are aware of the potential problems of biometrics; there have been a number of well publicised failures. Things will only change when the $$$ are impacted, i.e. when the cost of insuring the losses increases, business will change tack.

      It is actuaries that will determine the long term success of Biometric Authentication - Biometrics will remain valid as a method of Identification.

      1. Charles 9

        Re: Bringing in biometrics, things get even riskier

        "I think a lot of security professionals are aware of the potential problems of Biometrics, there have been a number of well publicised failures."

        But there's another well-known failure that's also on the security sector's minds: the common and well-known failure of human memory, which is why passwords are so derided (and no, xkcd doesn't provide a solution. Was it "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"? Oh, and repeat the exercise 10 times or so.). So how are you going to provide a solution that's guaranteed to be there, even in the event of very bad memories?
