Despite the surge in mobile phone usage, and the innovative payment technologies that have come of age in mainstream usage, some consumers remain reluctant to completely embrace the latest payment technologies. In fact, it’s been found that only 52 percent of North Americans have used mobile payments; and just 18 percent use them regularly.
The reason? Mobile and the latest payment technologies are broken when it comes to security and innovation. There’s evidence to support these concerns.
ISACA is a nonprofit that works toward the development, adoption and use of globally accepted knowledge and practices for information systems. Last year, ISACA conducted a global survey that included 900 member cybersecurity experts to examine the biggest security risks for its 2015 Mobile Payment Security Experts. ISACA found;
- Just 23 percent of the experts surveyed said they believed that mobile devices are secure enough to keep personal information safe.
- 47 percent claimed that mobile payments are not secure.
- An overwhelming majority 87 percent anticipated an increase in mobile payment data breaches over the next year.
Despite these concerns, there’s no slowing down the growth of mobile usage. It’s projected that by 2017 there will be 4.77 billion mobile phone users worldwide, so it’s imperative we resolve security concerns involving new payment technologies. Hackers are persistent and can adapt their techniques to breach payment technologies. If you’re up to speed on the common security concerns, at least you can have a head start on these cybercriminals.
Vulnerable payment technologies
Whether it’s your mobile device, wearable gadget or home automation, hackers will exploit any security vulnerabilities. Don't assume the latest payment technology has figured out all of its security flaws. Keep your personal information safe by following basic security measures like having a strong password and changing it frequently, using two-factor authentication, encrypting data, promptly installing software updates and only shopping on sites you know are safe.
Phishing scams, which are scams where an email or website attempts to steal information from you, have been around for years. And, they’re probably not going away anytime soon. As previously written, phishing is still an effective attack because of human error. Even if you were were using software that blocked phishing emails, a legitimate email could still pass through. Because you believe that you’re protected, you’ll willingly open the email. In most cases using common sense can prevent phishing attacks in the first place.
There are a number of security concerns that can be traced back to the people that you know. Such concerns could come down to a disgruntled employee, an uninformed family member or an employee who has had his or her personal device hacked.
Basic measures like encrypting data, training employees/family members, monitoring devices and terminating access to employees who are no longer with you are places to start to prevent any human error.
Using public wi-fi
Tapping into public wi-fi is a nice perk when you are out and about. The problem is that public wi-fi risks hackers have access to your unsecured data. To keep yourself protected, consider using a VPN and SSL connections. Don’t forget to turn off sharing and wi-fi when these services are not in use. Having a security solution wouldn’t hurt either.
While some attacks like phishing have, and will continue to be, a concern, you should also keep up with the latest security threats. For example, it’s predicted that in 2016 "extortion hacks" or "ransomware" will become more commonplace. As Wired explains, these are hacks “where attackers threaten to release sensitive company or customer data if the victim doesn’t pay up or meet some other demand.”
Other potential threats include hackers changing or manipulating data, hackers figuring out chip and pin frauds, a rise in IoT botnets and attacks going through more back doors. Staying on top of these trends and educating yourself about these trends and joining a webinar such as "Trends in Information Security and Their Impact on You" can help thwart potential security breaches.
Even though you may be able to address any security concerns for either your business or personal accounts, companies involved with payments are also attempting to put any former security concerns to rest.
Apple Pay gained a lot of traction when it was released in 2014. And, one of the highlights, besides your being able to easily make a purchase on your Apple device, is that Apple Pay is secure. In fact, Apple claims that payment transactions are only between you, the merchant and your bank. Users “must have a passcode set on your device and, optionally, Touch ID.” Furthermore, when you use payment information, it’s encrypted to form a tokenization.
Apple put a lot of effort into making Apple Pay secure, but there have been several instances of people taking advantage of its security flaws. For example, hackers have been able to simply enter a stolen credit card number and place it into a Apple Pay Wallet. Vijay Balasubramaniyan, CEO and cofounder of Pindrop, tells PYMENTS that this is because of a “bad security design.” One way the company could address this is by using blockchain technology that would require all transactions to not only be recorded in a public ledger, but prevent double spending -- because once a coin is spent, it’s gone.
If you’re not an Apple user, then you probably have a Samsung device. Samsung Pay is similar to Apple Pay in that it’s a mobile wallet for specific mobile users that works in almost every POS system. As CNET reports, “Samsung Pay does not store the account or credit card numbers of cards on the device, instead using tokenization for transactions.” The article adds, “Each time a purchase is made, the Samsung Pay handset sends two pieces of data to the payment terminal. The first is a 16-digit token that represents the credit or debit card number, while the second piece of data is a one-time code or cryptogram that's generated by the phone's encryption key.” If you lose your device, you can remotely erase all information on the device.
Hackers have attempted to hack Samsung. LoopPay was attacked in 2015, but Samsung Pay was not affected thanks to security features like digital tokenization, its KNOX security framework and fingerprint authentication. Just as happens with Apple Pay, the inclusion of third parties, such as banks, still presents security issue. Again, Samsung could welcome blockchain technology where transactions are directly between the two parties.
Due is my personal company, and security is it's something we've been working tirelessly on. Due is an innovative payment service that comes with features like setting-up recurring invoices. The company also offers a mobile wallet for users. We comply with the requirements established by the Payment Card Industry Data Security Standard (PCI DSS), which ensure that customer information is secure. The company also provides additional security features like 256-bit SSL encryption, as well as certification from security leaders like VeriSign and Norton.
The first hurdle we've encountered is validation. The validation isn't for more users but for regulators to enable companies like ours to function globally. Additionally, as with most ecash payment companies, the company could begin to incorporate the latest mobile wallet security advancements, such as accepting tokens like bitcoin or using biometrics to authenticate transactions.
Google Wallet has been around since 2011 and allows people to store payment information, like credit cards and bank accounts. With Google’s mobile wallet you can quickly send and request money from anyone in the world and then cash it out at your bank. Google encrypts data using a Secure Socket Layer so that your full information is never shown. Users are also required to create a PIN in order to access their wallet. Furthermore, Google Wallet provides 100 percent fraud protection.
Google Wallet seems incredibly secure. But, as mentioned several times already, dealing with banks and credit card companies always leaves the door open for potential security breaches. Besides embracing cryptocurrencies, Google Wallet might want to start to use biometrics as an added layer of security.
Finally, there’s the popular Venmo app. Unlike the already discussed mobile wallets, Venmo gives you the power to send and receive money directly to friends or family members. Venmo, which is owned by PayPal, is a bit vague on its security features by simply stating that it uses “advanced security systems and data encryption” to keep users safe. However, the company has made efforts to update its security. For example, in early 2015 Venmo began using multifactor authentication (MFA).
Venmo has had its fair share of security breaches but has evolved with its growing user base.. Obviously, that’s an area where the company could start improving if it wants to improve security. Because Venmo is used between two parties, it’s a prime candidate for digital coins like bitcoin which would allow users to send and receive payments without banking or credit card information.
Payment technologies may offer a wide range of security features, but ultimately it’s up to you, the user, to ensure that your data is protected and remains secure. This can be accomplished by following these security tips:
- Only use proper and unique passwords. Stay away from common passwords like "123456."
- Use multi-factor authentication.
- Encrypt sensitive data.
- Back up your data often both online and offline.
- Update security software like anti-virus software and firewalls.
- Provide employees with their login credentials.
- Make sure that all mobile devices have wipe capabilities.
- Educate employees by hiring an expert or having them attend webinars like "Why do people fail the CISSP exam – and what you should do to prevent yourself from failing."
- Use common sense through moves like shopping from reputable merchants and never falling for any “it’s too good to be true” scams.
Finally, be sure to follow all these tips as part of your normal routine and learn to keep an eye out for the aforementioned vulnerabilities. This is not a one-time deal. With hackers and fraudsters continually developing new ways to break into payment technologies, it's important to make sure that you look at the above tips as an ongoing process.
While many of the above technologies have stopped criminals in their tracks, the companies behind those technologies also know to keep a vigilant eye out because fraudsters do not give up. In the meantime, don't be afraid to use these payment technologies because they offer significant benefits and are using the most advanced security layers available.