Secure Mobile Payment Systems - Recommendations for Building, Managing and Deploying
Source: Visa Europe
Visa Europe shrewdly recommends the time-honoured principles of protection, detection and prevention to head into the future with your mobile held high and ready to pay without fear of fraud. The following is a condensed version of their findings and recommendation that developers and handset manufacturers should heed to keep mobile payments more secure and ensure that transactions made on the go don’t end up going wrong for both consumers and retailers.
When designing a mobile payment system, security should be considered in its widest context, and not limited to the software component. It’s crucial also to find the right balance between security and accessibility, and collect and monitor transaction data intelligently.
The following recommendations are based on 3 principles: Protection from attacks, detection of fraud and prevention of fraud.
The problem with mobiles
Mobile handsets have a number of inherent flaws with regards to security. Some are due to their portability, e.g. they’re easy to lose, and have limited input capability. Others, to how the user perceives them: they are after all chosen for functionality rather than security. These flaws render them vulnerable to malicious users.
There are a number of attack vectors within mobile payment services. The top 10 risks have been identified by the Open Web Application Security Project (OWASP). However these risks are only concerned with software security. Fraudsters take a broader perspective; they’ll attack you from any angle.
Protection must be based on layered defences. Then, when something goes wrong, there is a second (or more) line of detection and defence.
Some mobile OS flaws have been used to mount attacks. The South Korean NH Nonghyup Bank’s mobile application was targeted with a malicious upgrade, by leveraging a master key Android vulnerability.
The mobile risk ecosystem
The mobile payment application is likely to be the most common entry point for attackers. The defence for such an intrusion could be implemented on the server side, where controls could spot potential malware.
With person-to-person services, strong server side monitoring control can be implemented on the funds transferred to recipients. This can spot a suspiciously high amount of transactions to the same recipient. This can provide both fraud mitigation and early detection of malware.
Is the entity trying to use the service the legitimate user? Measures to help ensure this are most effective in the field of prevention. Areas to explore include the provision of secure authenticated channels, user education, and an easy means of communication 24/7.
The mobile application
This is software that fraudsters can easily acquire. They can also access the code of the application and its functional specifications.
The main objective is to protect the security assets, or more generally, the application data. This is best achieved with white-box cryptography, together with application code obfuscation. In combination with regular updating of sensitive data, this provides a first layer of defence.
The importance of secure design is fundamental. As MSDN put it: “It’s not just the code.” Secure software should include, for example, effective penetration testing (pentest), and the protection of data in transit. In addition, the application can be leveraged to detect fraud. Examples include GPS location, device fingerprinting, SIM card swap detection, and debug mode (device) detection.
There are capabilities on the backend side that can protect from, prevent and detect attacks. These include ensuring a secure device migration process, limiting the number of login attempts, and disabling dormant users (or flagging them as high risk if reactivated).
The fraud engine
A fraud engine is paramount to security. Effective examples will include velocity checks, transaction monitoring, and fraud/attack intelligence.
Processes and assessments
The following have proved effective in the protection and prevention of attacks; risk reviews, communicating risks to key stakeholders, and security incident management. It’s also worth the time to detect and take down fake applications.
To read the full article click here - Secure mobile payments