According to Alston Zecha, co-founder and chief operating officer of Anglo-German m-payments company Payleven, Payleven’s system is physically separated from the mobile device.
Instead of connecting directly via the mini-USB or its iPhone equivalent, it uses Bluetooth to connect wirelessly to the mobile device. In addition, card holders tap their PIN onto a keypad built into the Payleven device, not the mobile device, and the whole communication is encrypted from end to end.
Indeed, says Zecha, no data - encrypted or otherwise - is stored on the smart-phone either and Payleven’s system, he claims, meets current Payment Card Industry specifications.
“Card holder data never gets exposed to the ‘end point’. It’s fully encrypted and it takes advantage of all of that encryption technology that you get in shop terminals, so it doesn’t touch the device,” says Zecha.
Yet, at the same time that m-payment systems are proliferating, banks in the UK are also ratcheting up their terms and conditions. This may mean that card-holders could be held responsible for all losses arising from any fraud a bank claims has been perpetrated via such a device - whether it is by old-fashioned skimming, cloning and shoulder surfing (taking a note of the card holder’s number as they enter it) or by lapses in IT security.
“Due to the increasing use of mobile banking and ‘password memory’ software, we are updating our terms and conditions and suggesting a number of additional measures our customers can take to help protect themselves,” Santander told Computing in a statement.
It claims that customers will still be protected under the new terms and conditions, provided that “they have taken reasonable steps to protect their personal financial security”.
But someone who had used their debit card with the unscrupulous bearer of an m-payment system - purchasing something from a fly-by-night market trader, for example - may be regarded as having taken insufficient steps to protect their security and be penalised.
Don’t believe the hype
In some respects, the hype surrounding m-payment systems is not so very different from the hype around new internet payment systems in the mid-1990s. Then, companies like WorldPay rushed to sign up merchants as fast as they could - before realising that they needed to bring some degree of discipline to the process and cut out market sectors particularly vulnerable to fraud.
Furthermore, m-payment systems simply have not yet been subject to the kind of rigorous, independent testing that people like Mayes would subject them too.
At the moment, says David Emm, senior security researcher at anti-virus software company Kaspersky, there have not been any known attacks - successful or other-wise - against m-payment systems. There are, though, he notes, certain potential security flaws that have already been highlighted.
“Although the transaction itself may be encrypted, any card data that is stored in the phone’s memory, albeit temporarily, could potentially be captured by malware installed on the device. Right now, I’d say this is theoretical... [and] I’m not aware of any mobile malware that has targeted such devices. Of course, as mobile payments gain in popularity, it’s possible that cyber-criminals may begin to target such mechanisms,” says Emm.
Likewise, while Thomas Lippert, senior product manager at security software vendor Sophos is generally positive about the m-payment systems that he has seen, he highlights a number of shortcomings.
“If the devices are jailbroken or rooted, an attacker can influence the payment process, putting the credit card data at risk. Therefore additional security checks must be added to detect this and disable the device immediately for payment,” says Lippert.
He adds that the mobile devices that are being used as a conduit to take the payments also need to be secured in ways that a tradesman in the field, for example, who is also using it as his business phone, might find inconvenient. The app store needs to be blocked, says Lippert, as does any built-in NFC (near-field communication) and Bluetooth wireless communication, devices’ browser and any expansion ports that are surplus to requirements.
The devices ought to be regularly inspected, if owned by an organisation rather than a sole trader, and it almost goes without saying that Lippert also recommends anti-virus software to protect against potential malware.
“One further concern would be around the huge variety of such payment systems, which may not be properly secured in small shops and are usually operated by unskilled workers. It would be easy to ‘lend’ this device overnight to somebody for some extra money. They could make modifications, which wouldn’t be detectable to the user or operator, and could potentially skim a lot of cards,” says Lippert.
But perhaps consumers, too, could protect themselves from such threats - by offering to pay with cash instead. What-ever the costs and risks of handling cash, most tradesmen, at least, will probably still favour wads of cash until the day it is banned.