Mobile payment systems: A disaster waiting to happen
The apps may be well thought out, but until security improves in the underlying security of the devices they run on, look out
Computerworld - When I saw the Computerworld article about Square touting how it is going to replace cash registers with iPads, I was dismayed that there was no discussion of security. And Square's app isn't the only payment app that makes me anxious. While I admit that I would find applications such as Square Register and Google Wallet useful, turning mobile devices into credit cards or credit processing systems is foolish at this time.
OK, some of these payment applications are pretty cool. Square Register could be really convenient for small-business people, making accepting credit card payments practical for businesses that make few transactions. For some small companies, that could be a competitive edge. Likewise, applications like Google Wallet that let you pay for things by having your smartphone communicate with a terminal consolidate another function onto a device that people always have with them.
But cool only takes you so far.
First, let's take a look at Google Wallet, which to me represents the greatest chance for disaster. Google touts three primary security features: a PIN to use when making a purchase, a special chip for storing your credit card on your phone and PayPass technology to ensure that the credit card number is encrypted when being transmitted to the payment devices.
All of that probably sounds great to the layperson. But it is great only if the phone itself is fundamentally secure, and that this is far from the truth. We have already seen malicious Android applications, and it is widely acknowledged that Google doesn't adequately vet Android applications from a security perspective. A smartphone's operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment. And before the PayPass technology can encrypt and transmit the data, the data must make its way through the operating system.
In security terms, this is like putting an airbag on a motorcycle. If the motorcycle crashes, it is possible that the airbag might help, but there are so many other things that could go wrong.
It's true that PCs and other payment systems have been subjected to the sorts of attacks that I am concerned about in regards to cell phones. And, yes, there have also been attacks against point-of-sale systems. Nonetheless, there is a complete void when it comes to security tools and awareness for cell phones. All you need is a malicious Angry Birds, and it will make the Heartland data breach seem like a footnote.
More by Ira Winkler
- Ira Winkler: My run-in with the Syrian Electronic Army
- A simple cure for the cybersecurity skills shortage
- Ira Winkler: 6 failures that led to Target hack
- Ira Winkler: The RSA Conference boycott is nonsense
- Electronic privacy? There's no such thing
- Guys, stop creeping out women at tech events
- Ira Winkler: Stupid users, or stupid infosec?
- We're missing out on the value of security awareness
- Are your security professionals qualified?
- Ira Winkler: Press falls short in reporting on chip hack
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!