Expert Q&A: Are mobile payments safe for consumers?

The idea of paying for purchases with your mobile phone has been buzzing around for years. Now that nearly every other Canadian owns a smartphone, the notion seems to finally be taking off. But questions about security still linger.

Mobile payments actually encompass a number of different technologies. "Mobile wallets" are generally apps that access stored credit, debit or loyalty card information, as well as coupons and other retailer deals. For instance, a Starbucks app lets you scan a barcode on your phone to earn loyalty points toward free treats. Near field communication (NFC) is a chip technology that allows information to travel via radio waves between a card or device and an NFC payment terminal.

Canada is leading the mobile payment move in North America. MasterCard Canada launched its MasterPass mobile wallet this month, on the heels of an NFC-enabled mobile debit demonstration by RBC Royal Bank at a Toronto-area McDonald's restaurant. The demo showed how BlackBerry users can directly debit funds from their bank account by holding their smartphone close to an Interac Flash payment terminal.

RBC and Scotiabank both plan to roll out free mobile debit transactions in the near future. Another big-five Canadian bank, CIBC, partnered with telecommunications giant Rogers to launch an NFC payment network last year. The Rogers suretap wireless service turns a CIBC credit card holder's smartphone into a mobile wallet.

Conflicting opinions about NFC
Quorus Consulting Group's 2012 Cell Phone Consumer Attitudes Study reports that 24 per cent of Canadian cell phone users are interested in the notion of swiping or waving their phone at a point-of-sale scanner, up from 18 per cent in 2011.

Nevertheless, major stumbling blocks hinder NFC payment technology from winning mainstream acceptance in Canada. The Quorus study found that among smartphone users who did not use mobile banking or payment solutions, 62 per cent cited concerns about general security, privacy, identity theft and other types of fraud.

To clarify the facts on NFC payment security, we spoke with Trac Bo, leader of the technology risk management services for MNP, a professional services firm. Bo and his team provide clients with specialized expertise in information technology governance and audit, as well as in addressing IT security and privacy challenges.

Q: Are security risks the reason mobile payments aren't mainstream?
Trac Bo:
I think there's probably a handful of reasons why the adoption of the technology hasn't necessarily taken over. It's difficult to pin this on security in and of itself. But certainly security and the risk of losing sensitive financial data is an issue, as are potential privacy concerns around location-based marketing.

Another big factor that may have slowed the growth of adoption is the fact that there are a lot of technologies out there today. New technologies get introduced quite quickly, and I think consumers may be confused about what mobile payment services are available, and what their options are.

Q: When first introduced, NFC was vulnerable to hacker attacks. Is it still?
Trac Bo:
The vulnerabilities and the threats are still there. But I think over the last couple of years, there has been increased focus on implementing security controls, and mobile payment technologies have caught up with some of the initial threats. The keys to managing some of these risks and concerns are significantly dependent on the strengths of the data encryption. Because of the implementation of the appropriate encryption technologies, I think risks have been mitigated to an extent.

There are other compensating controls that wireless carriers and the banks have implemented to mitigate some of these concerns. For example, Rogers suretap has a $50 limit per transaction. Certainly, banks are implementing controls on credit card fraud through real-time analytics. As the transactions are coming through, the banks have very sophisticated algorithms to detect potentially fraudulent activity. Some of these other controls that are not directly part of smartphone technology serve to protect the consumer.

Q: Is a lack of mobile phone anti-virus software a problem?
Trac Bo:
There was a lack of anti-virus software on the smartphones early on. With the emerging technologies, after the widespread adoption and growth of the smartphones, that probably made smartphones a lucrative target for hackers to try and infect the smartphone device. That said, the security aspect and anti-virus solutions are slowly catching up and there is now anti-virus software available for the various platforms.

Aside from immature demand, probably another reason why anti-virus solutions were slower to catch up is the variety of the different available platforms out there, making it challenging for anti-virus vendors to present cost-effective software solutions to the market.

Q: Does security for mobile devices differ from that for "tap-and-go" credit cards?
Trac Bo:
The key difference between a "tap-and-go" credit card and a mobile device is the fact that, with a mobile device, you expose yourself to additional vulnerabilities on the mobile device platform as well as on the installed apps. When you're talking about a "tap-and-go" credit card, security concerns are limited to just the card chip and the NFC technology.

For example, when your iPhone is infected with a virus, that virus could potentially put a keylogger [keystroke recording software] on your smartphone and capture your PIN and passwords. More recently, I became aware of a potential risk where, if your mobile device is hacked and infected, your infected device could also activate and steal information from credit cards in your wallet.

Q: How can consumers help defend against NFC security risks?
Trac Bo:
Consumers should pay close attention to how they actually use their mobile device. You can have the best technology in the world, but if users share their PINs, passwords and other confidential data, then transaction security can always be compromised.

Also, consumers need to be careful about potential rogue point-of-sale processors where they pay with their mobile device. If you scan your mobile phone onto an unauthorized terminal that captures payment information, that financial data becomes easily stolen. I think the consumer should be aware of all security aspects surrounding mobile payments, and be smart about managing those risks.


Published April 25, 2013
