The discussion of Security in Mobile Payment

2 11 2011

Have you ever paid bills with a mobile device, such as a cell phone, PDA or mobile PC? If you have, have you worried about the security of your purchase or private information during mobile payment, and about the safety of mobile devices and systems?

Mobile purchasing is becoming more and more popular. “According to Gartner, 340 million global users will use mobile payments in 2014, with such transaction totaling $245 billion, up from $32 billion last year.”[1] This means the mobile-commerce market will be almost eight times larger in 2014. Many companies have already focused on this business opportunity. Not only traditional e-commerce companies, such as Amazon and eBay, but also technology companies, such as Google, are working on platforms and software to gain an advantage in this potential market. This year Google announced that it planned to “start testing a mobile-payment system with the near-field-communication (NFC) technology, which lets consumers pay for products and services by tapping a device against a register at checkout, giving them an alternative to cash or physical credit cards.”[2] In the same year, Amazon and eBay also developed their mobile payment services (Amazon’s MPS and eBay’s ISIS) based on NFC.

NFC is a more advanced technology than RFID (radio-frequency identification) and Bluetooth because of its low power consumption and higher safety. In an NFC-based payment system, the mobile device contains two smart chips: the normal SIM card and a separate NFC payment chip. The customer makes a payment by holding the mobile device in front of an NFC reader and entering a security PIN to authorize the deal, so the deal is completed within a distance of a few centimeters. Although this provides a certain level of protection for customers, there are still bugs in the NFC payment system and design flaws in NFC devices.

Like all wireless signals, NFC signals can be eavesdropped on with antennas. Data transferred over NFC is much safer than data transferred over RFID, but it can still be manipulated. A relay attack is also possible against NFC: the hacker breaks into the communication procedure and forwards a reader request to the victim. When the victim replies, the hacker captures the reply and uses this message to analyze the user’s information. The hacker can then pretend to be the user to carry out some task, or even modify the user’s settings. If you lose your phone, the potential security problem could be even worse than any of these attacks, because you provide free access to your mobile phone. The attacker can decipher the NFC payment chip and make a deal using your device.

Making deals between NFC devices is one method of mobile payment, called direct mobile billing. The other method is mobile web payment, in which customers make online transactions from their mobile devices through services such as online wallets, online banking and direct operator billing. The invention and development of Apple’s iPhone and Google’s Android smart systems have driven the evolution of the smartphone market. People can browse websites more conveniently and quickly, so customers have more chances to choose and buy what they prefer in the online market. At the same time, mobile payment is more popular than ever before. Compared with PC systems, the smart systems of mobile devices are still young and have many flaws, so they are easier to attack than PC systems. “Recent studies show that the world of mobile malware is dominated by Trojans and not by worms or viruses. The main reason for this is that Trojans do not need any propagation vector and simply rely on the user’s curiosity to download and install them.”[3] The attacker could build utility programs or popular games to attract the user’s interest. When the user downloads and installs such a program, spyware or malware could be installed on the mobile device. The spyware can collect the user’s information, including ID information, PIN data, and incoming and outgoing data, and send it to the attacker. Some well-known examples of spyware and malware are Flexispy[4], PbStealer[5] and KeyLogger. Users should be careful when downloading applications from the internet, and should install security software to get a certain level of protection.

Rather than traditional payment, mobile payment represents the future of payment. Bugs and insecurities will be solved sooner or later. The unsafe elements in mobile payment systems and mobile devices cannot stop the development of m-payment.

__________________

[1] http://www.bloomberg.com/news/2011-03-31/amazon-com-said-to-be-considering-mobile-payment-service-for-smartphones.html

[2] http://www.bloomberg.com/news/2011-03-15/google-is-said-to-ready-payment-test-in-new-york-san-francisco.html

[3] Shivani Agarwal, Mitesh Khapra, Bernard Menezes and Nirav Uchat, “Security Issues in Mobile Payment Systems”

[4] F-Secure Malware Information Pages: Flexispy.A. (Online) http://www.f-secure.com/v-descs/flexispy_a.shtml

[5] F-Secure Virus Descriptions: Pbstealer.A. (Online) http://www.f-secure.com/v-descs/pbstealer_a.shtml
