


    News in brief

    Cyber experts unsure of mobile payment security

    Just one in four cybersecurity experts (23%) believe that mobile payments are secure and can keep personal information safe, the 2015 Mobile Payment Security Study from IT professional association ISACA has found. 47% say mobile payments are not secure and 30% are unsure. “87% expect to see an increase in mobile payment data breaches over the next 12 months, yet 42% of respondents have used this payment method in 2015,” the association says.

    Filed by Rian Boden • Published • Last updated 28 September 2015, 13:51

    • William Hugh Murray, CISSP

      The issue is not whether mobile payments are “secure” in any abstract or absolute sense but whether they are more secure than the broken magnetic stripe technology that they replace. Clearly yes.

      Related but separate is whether they are as secure as the EMV card technology with which they compete. Arguable. However, since many mobile payment systems rely on the same standard protocols as EMV, they certainly can be.

      Moreover, mobile payment systems can deal with many of the limitations of EMV such as “card not present” and “in app” transactions.

      I have seen few mobile payment applications that are as secure as they might be or even as I would have them be. This is not because of any limitations in the mobiles but in the legacy systems that they mimic and with which they must interface. For example, they might implement one-time tokens that are valid in only one merchant location and for only a few minutes. They do not do this now because the brands and issuers do not support such tokens. (Some issuers are not even fully supporting EMV.)

      Finally, there is the issue of which mobile payment systems one considers. There are dozens already deployed around the world. They do not all implement the same level or method of security.

      Surely there will be successful attacks, some of which are even efficient (cost less than the value of success). However, I would clearly prefer to deal with such problems using a device with a display, keyboard, multiple radio connections to the public networks, and multiple biometric sensors than with an EMV card.

      All that said, few members of ISACA have given the issue enough thought for me to put very much reliance on their collective response to a survey.

      Have a nice day and do not worry.
