Businesses and individuals are increasingly using mobile platforms to reach a range of facilities using mobile access services (MAS). Users gain financial services through a subset of MAS, referred to for the purposes of this article as mobile payment services (MPS).
The speed and convenience of MPS attracts consumers and the reduced cost of doing business attracts service suppliers. According to a recent survey, over £4Bn worth of smartphone transactions were processed by Barclays alone in Aug 14.
The BCS Security Community of Expertise, asked me to have a go at answering this question. We were all pretty sure that the answer was going to be ‘no’. However, my view now, some two years and several technology developments on, is a qualified ‘yes’.
The ‘yes’ remains qualified because, in view of the likelihood and impact of fraud in this new marketplace, uncertainties remain about overall service security and unclear liability models. And the market is, to say the least, dynamic. So the buyer will have to beware for a long time to come.
Card payment services
In 2014, according to the UK Cards Association, credit card fraud in ecommerce cost £217M pounds, an increase of 14 per cent on 2013. This was against a total card transaction turnover of £2.32Bn and so the cost of fraud was some 0.1 per cent of the turnover. (These figures are surprisingly small when compared to Barclays’ above).
Much of this loss will have been carried by merchants and issuers, thanks to the strong liability protection the law provides for individual consumers. Credit cards are relatively simple devices, designed to perform securely the single function of authorising payments.
Mobile payment services
In contrast, smart device-based MPS offer services and vulnerabilities well beyond those offered by cards and are vulnerable to a wider range of attacks of increasing skill and power.
A lot of entities are involved in providing MPS. The stakeholders include chip manufactures, mobile device manufacturers, network operators, financial institutions and credit and debit payment processors. Liability for loss amongst the stakeholders appears unclear and subject to differing interpretations of the EU Payment Services Directive (PSD).
What drives suppliers to provide these services and so risk loss from such an unclear liability model? One reason might be that financial services provided over the internet cost 0.1 per cent of the cost of branch banking. The potential losses appear negligible when set against operational savings. But where does this leave the user who may suffer more than financial loss? And will this model work when the savings have been taken and the financial services industry is looking for more?
What are the issues worth bearing in mind as we consider the security of MPS?
The range of services offered
The wide range of MPS being developed is already proving attractive to users. Smartphone-based MPS offer not only point-of-sale facilities but can also deliver integrated services. Such applications can offer fast and easy-to-use services and reduce transaction and staff costs. But as they grow in sophistication, the number of interactions between services will rise and the overall security model will become more complex and fragile.
PINless (contactless) services are now widespread. Compared to PIN-based services, the user is vulnerable without the additional authentication provided by a PIN, although the industry is developing approaches to identity which should transcend that need.
Until this is done, contactless vulnerability may not merely result in the loss of money from a transaction, but the theft of an identity by, for example, man-in-the-middle (MITM) intercept attacks on the link between the mobile and the point of sale (POS) terminal, unless this link is encrypted.
The insecurity of mobile devices
Adoption of the generally accepted global platform standard for the secure element (SE, a sort of device security manager) in a mobile device remains patchy. As a result, there are many different SE designs in mobiles: this lack of standardisation means that you may not know how secure a device will be and against what criteria its security has been assessed.
Furthermore, it is not always clear how, within the device, payment credentials are isolated from unauthorised access. This largely stems from the inherent insecurity of many mobile operating systems, although this vulnerability is improving. Sensitive information on MPS devices may, therefore, be exploited through more general MAS vulnerabilities.
Vulnerability of mobile communications
Communications offer a range of attack options for criminals. Unsecured MPS transactions can be intercepted, replayed, altered, spoofed or simply blocked. NFC tags can contain malicious links.
Entertainment or transport ticketing services may allow the user device to read a quick response (QR) code from an advertisement for ease of booking; but rogue QR codes can be simply pasted over valid codes to seduce individuals to make payments to spoof websites. The ‘attack surface’ is complex and exploitable.
Difficulty in making applications secure
Ideally, payment applications should make use of core device security features, for example, shared libraries and hardware key managers such as SEs. These can be designed with the assurance that they will not share data between different payment applications on the same device. All this can be certified independently to published standards. But currently, although many devices and chips offer good security in themselves, this capability is not always activated.
Applications development is a weak point. It is extremely difficult to verify the security of a mobile app: writing secure software and correctly implementing cryptography is challenging and many app developers still do not consider security to be a priority. And even if an app is ‘secure’, the user may not be aware of whether it shares data with other apps, which are not. Not all apps running on the device may be designed even to call the SE, in which case their transactions could remain unsecured.
The confusing issue of liability
The financial services industry has matured its payment offerings over many years. Since 2007 the EU Payment Services Directive (PSD) has laid down a legal framework for payments. Interpretations differ as to the degree of UK user assurance that it offers.
During the preparation of this paper, some respected advisers assured me that ‘PSD lays down that the payment services provider holds liability for all financial (electronic and other) transactions conducted on behalf of individuals except in cases of user negligence. Payment services providers include not only banks and credit card companies but also BACS, CHAPS and other providers. This protection is currently legally enforceable in UK and throughout the EU’.
If this is so, UK law under PSD protects all individuals using MPS from financial loss. But other advisers disagree, making the point that the PSD is not fully incorporated into UK law. And all appear to agree that the PSD does not cover consequential losses: the impact of failure to deliver service or the wider consequences of loss of data or the impact of identity theft.
Furthermore, the PSD and UK law do not provide legal protection for transactions conducted on behalf of businesses. Large firms are normally capable of looking after themselves.
Not so SMEs: the drive for economy and speed may force small businesses to use MPS; many will not have the skills or resources to handle their vulnerabilities.
What can be done?
UK must continue to be a place where increasingly mobile IT-enabled business can be conducted securely and confidently. If users were to suffer losses unsecured by clear liability models the loss of business confidence could be dangerous.
In view of the importance of MPS to the UK economy, BCS SCOE suggested that ministers may wish to take a view on the issues here. However, for understandable reasons, the Cabinet Office and Department of Culture, Media & Sport (DCMS) advice was that government would be likely to take the view that intervention in such a fast moving market would do more harm than good. Equally unsurprisingly, the industry bodies consulted agreed strongly.
Some practical government sponsored support is evident: CESG Cheltenham is already underpinning several security initiatives. Communications-Electronics Security Group (CESG) provided informed help and advice throughout this investigation.
A good deal of work is now going forward in industry. A few of the players are:
- CESG’s ‘Secure by Default’ initiative
- The BSI Kitemark initiative for Secure Digital Transactions
- The Groupe Speciale Mobile Association (GSMA) Personal Data Programme which includes the initiative ‘Mobile Connect’
- FIDO (Fast Identity Online) provides an authentication service within the Mobile Connect Initiative
- Callsign is one of the many smart SMEs implementing a solution
- Get Safe and Stay Safe Online
- And, finally, the European PSD, which may or may not provide clarity on liability, could be an important piece of the jigsaw.
Are there too many initiatives looking at mobile security? Probably not at this stage, as many energetic and principled people see what they are able to do to help to secure this market and make a living.
A personal choice
Rapid advances in mobile technology are leading to a surge in mobile services, including financial services. Security features in devices are also evolving rapidly but are not always implemented. Users rarely notice this and so can be vulnerable to various forms of attack.
Government is shy of over-regulation in such a fast-moving market, so the fight for security in the user’s interests is left to industry, supported by CESG. Various firms and alliances are doing a good, but at this stage, necessarily messy, job of securing devices and networks.
At the centre of all this is the user. User education must continue to raise its game and ensure that users ask the right questions. Users need to know how to ensure that their devices are fully configured for security.
So, do the benefits of using MPS outweigh the dangers? The answer is a qualified ‘yes’, but has to be a personal choice. The ‘yes’ remains qualified because, in view of the likelihood and impact of fraud in this new marketplace, uncertainties remain about overall service security and unclear liability models.
The mobile market could be compared to the wild west in the late 19th century, which saw a long and poorly policed war between the good and the bad guys. Here we see the press reports when the bad guys win battles. The job of the market and BCS will continue to be, to ensure that when this happens, user losses and ill effects are limited; and most importantly, to learn from the experience.
The complexities of mobile working are, of course, compounded by the bring your own device to work movement, which is addressed in a separate BCS SCOE paper by Andrea Simmons, out shortly.