Mitigating the security risks of mobile payments without sacrificing user experience

Mobile banking and payments is exploding: Juniper Research predicts there will be more than 1 billion mobile banking users worldwide by 2017. Simultaneously, the roadblocks to mobile banking, commerce and online payments (NFC, BLE, QR) are being eclipsed by solutions such as host-card emulation and secure-elements, clearing the way for sustained, dramatic growth.

With this growth comes risk, and mobile devices are an all too tempting target for criminal hacking. The financial services and commerce industries are prime targets and require the highest degree of security. According to research firm RiskIQ, more than 11% of Android applications for banking and finance contain malware or suspicious code. RiskIQ analyzed some 90 application stores and discovered circa 350,000 applications related to banking, of which more than 40,000 were deemed suspicious in some manner. More than 21,000 applications were found to contain adware, 20,000 Trojan malware, 3,823 spyware, 209 exploit code and 178 malicious JavaScript.

Risks can materialize in multiple forms of attack

In addition to malware, there are multiple types of risks which can result in unauthorized users gaining access to your money through your mobile device:

  1. Device or identity theft
  2. Device hacking
  3. Malware and application tampering
  4. SIM spoofing
  5. Man-in-the-middle attacks

Device and identity theft in its simplest form requires nothing more than a person stealing your smartphone and then using your application for unauthorized transactions. PIN codes for unlocking the phone or the application are not overly difficult to come by, especially since many users choose easy-to-guess PINs such as 0000, 1111 or 1234.

Device hacking does not necessarily require theft of the device, because ever more sophisticated means of gaining unauthorized access to your mobile device are being devised. One common example is malicious USB chargers offered at “free” USB charging stations. By exploiting the USB connection to the device, unauthorized code can be run on the device to access all of the information it holds.

Malware is widespread and application stores are full of suspicious applications. Users may be lured into thinking they have downloaded and installed a genuine application from their bank or payment service provider, but the application actually collects the user’s access codes or redirects the activity to the hacker’s server to collect sensitive information which can be used to access a user’s financial information.

SIM spoofing is conducted by gaining access to information on a SIM card through illicit means.  According to one German researcher, a flaw in the encryption technology used by some SIM cards can be exploited to take control of the device.  Once the encryption is cracked, illicit software is installed on the breached SIM which can send stealth text messages, direct calls that the user is making to a different phone number or authorize pre-installed applications to a specific phone number.

Similarly, man-in-the-middle attacks can result in permanent manipulation of a device by a hacker. Many applications are vulnerable to even very simple attacks of this kind, which force a permanent redirection of all web traffic to the hacker’s own server. Open source intelligence suggests that organized and resourceful groups of malicious actors are actively targeting mobile devices. Common manipulations include phishing attacks, attempts to create man-in-the-middle application stores, and “impersonating” an application. Mobile signal interception technology may also have been used when targeting victims.

Mobile banking could do with increased security

Many mobile banking applications currently rely on two-factor authentication, often using username and password.  Sometimes this is augmented by use of a one-time code known as Transaction Authorization Number (TAN) for added security.  TANs are provided to users through multiple means:  some use paper-based lists (often in the form of a pre-printed set of codes), others are sent to users as one-time-PIN (OTP) codes over SMS, or even provided through a TAN generator which runs on a chip or a card (which generates random TANs).

Mobile payments are becoming tokenized, but…

Secure elements are physical storage for user information in the mobile device, and have been a mainstay for secured transactions. Host Card Emulation (HCE) is a newer on-device technology, heavily backed by Visa and Mastercard, that permits a phone to perform card emulation on a Near Field Communication (NFC)-enabled device without relying on access to a secure element. There has been much hope around HCE as an alternative path to contactless payments that has no reliance on secure elements, with credit card data being held in the cloud.

Moving sensitive card and personal data out of the physical secure element into the cloud solves business problems by reducing the complexities of cost and of integration with existing systems. However, passing encrypted card data every time a user wants to transact is simply not feasible from either a security or a user experience point of view. Tokenization, a process in which sensitive information is replaced with a randomly generated unique token or symbol, is one of the main security measures used to make HCE cloud-based mobile payment transactions secure. But tokenization has vulnerabilities of its own, and is far from immune to SIM spoofing, man-in-the-middle attacks, and other malicious breaches of security.

Protecting from multiple threats without sacrificing user experience

Typical mobile security solutions only cover one particular risk area. As an example, one-time-pin (OTP) or other single-use token-based solutions do not protect against malware. A corrupted application may pose as a legitimate mobile banking application but pass the login information on to a hacker, who can request an OTP on behalf of the user; the same malware can then read the otherwise legitimate OTP and pass it to the hacker, who makes the unauthorized transaction.

A more effective security solution will provide comprehensive security with multiple factors to confirm that the person making the transaction is truly the authorized person, and not an imposter. This requires combining multiple verification factors such as device information, user information, usage data, application, SIM and network data into a 360° profile in the service, which can then be used for user and device integrity verification. Any deviation from the expected factors would immediately cause either a risk alert or a direct blacklisting of the user or device. A single solution of this type is able to protect against a wide variety of risks such as malware, spoofing, and man-in-the-middle attacks, and can be used across payment and transaction scenarios such as mobile banking, NFC payments and other types of mobile payments.

In terms of user experience, the traditional methods of using TANs always require cumbersome actions from the user. Receiving an OTP code via SMS means having to write down, copy or remember the code, return to the site and enter it, and the dozen-plus clicks involved often result in annoyance and errors. Physical TAN generator equipment (such as dongles) can be a hassle for the user to carry around at all times. Paper-based lists can be stolen or lost.

With Mistral m-Aegis™, security is ensured in the most user friendly fashion possible, with a single click being all that’s required of the user.

Mistral Mobile’s m-Aegis™ provides a 360° mobile security solution combining multi-factor verification with extreme ease of use. The solution uses multiple factors, each consisting of multiple unique verification points, to detect any risk that the user or device identity has been compromised. As part of the transactions, whether every one or only selected ones, the solution compares the factors the device is providing with the expected factors and manages the deviations according to the risk configuration. Outcomes can be risk flags or even automatic transaction blocking for the device. From the user perspective the verification can be handled fully invisibly, or the user can be shown the verification results. The solution can be used to protect mobile payments, mobile banking and mobile commerce.
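The profile-comparison logic described in the two passages above (enrolled factors versus the factors a device presents with a transaction, deviations weighted by a risk configuration, outcome of allow, risk flag or block) is sketched below as an added illustration. It is not m-Aegis code; the factor names, weights, thresholds and sample profiles are all constructed for the example.

```python
"""Illustrative risk engine: compare the factors presented with a transaction
against the profile enrolled for the user. Not the vendor's implementation."""
from dataclasses import dataclass, field

# Constructed weights: how much a mismatch on each factor adds to the score.
FACTOR_WEIGHTS = {
    "device_id": 40,      # transaction from hardware other than the enrolled one
    "sim_iccid": 35,      # SIM replaced or cloned
    "app_signature": 50,  # repackaged or tampered application binary
    "os_version": 5,      # routine OS update, low weight
    "network_carrier": 10,
    "country": 15,        # usage data: unexpected geography
}
FLAG_THRESHOLD = 20   # raise a risk alert for review
BLOCK_THRESHOLD = 50  # block the transaction and blacklist the device

@dataclass
class Decision:
    verdict: str                 # "allow", "flag" or "block"
    score: int
    deviations: list = field(default_factory=list)

def evaluate(enrolled: dict, presented: dict, weights=FACTOR_WEIGHTS) -> Decision:
    """Score the deviation between enrolled and presented factors.
    A factor missing from the presented set counts as a mismatch, so a client
    that omits fields cannot lower its own score."""
    score, deviations = 0, []
    for factor, weight in weights.items():
        if presented.get(factor) != enrolled.get(factor):
            score += weight
            deviations.append(factor)
    if score >= BLOCK_THRESHOLD:
        verdict = "block"
    elif score >= FLAG_THRESHOLD:
        verdict = "flag"
    else:
        verdict = "allow"
    return Decision(verdict, score, deviations)

# Constructed enrolled profile for one user/device pair.
ENROLLED = {"device_id": "dev-7f3a", "sim_iccid": "8991-0001", "app_signature": "sig-v12",
            "os_version": "14.1", "network_carrier": "CarrierA", "country": "IN"}

if __name__ == "__main__":
    cases = {"os update": dict(ENROLLED, os_version="14.2"),
             "sim swap": dict(ENROLLED, sim_iccid="8991-9999"),
             "tampered app": dict(ENROLLED, app_signature="sig-bad")}
    for name, presented in cases.items():
        print(name, evaluate(ENROLLED, presented))
```

With these constructed weights an OS update alone is allowed, a SIM change is flagged for review, and a changed application signature or a combined device-plus-SIM change is blocked.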

Forget hard-to-use one-time-pins and other single-factor security solutions – they are dead.  No more trade-offs between level of security and usability.



About Thinking Aloud

“Thinking Aloud” reflects the emerging trends and varied outlook of the rapidly evolving internet and communication sector. An IAMAI publication, this is a part of the market education initiative of the association.
