Mobile payment systems: A disaster waiting to happen
The apps may be well thought out, but until security improves in the underlying security of the devices they run on, look out
Computerworld - When I saw the Computerworld article about Square touting how it is going to replace cash registers with iPads, I was dismayed that there was no discussion of security. And Square's app isn't the only payment app that makes me anxious. While I admit that I would find applications such as Square Register and Google Wallet useful, turning mobile devices into credit cards or credit processing systems is foolish at this time.
OK, some of these payment applications are pretty cool. Square Register could be really convenient for small-business people, making accepting credit card payments practical for businesses that make few transactions. For some small companies, that could be a competitive edge. Likewise, applications like Google Wallet that let you pay for things by having your smartphone communicate with a terminal consolidate another function onto a device that people always have with them.
But cool only takes you so far.
First, let's take a look at Google Wallet, which to me represents the greatest chance for disaster. Google touts three primary security features: a PIN to use when making a purchase, a special chip for storing your credit card on your phone and PayPass technology to ensure that the credit card number is encrypted when being transmitted to the payment devices.
All of that probably sounds great to the layperson. But it is great only if the phone itself is fundamentally secure, and that this is far from the truth. We have already seen malicious Android applications, and it is widely acknowledged that Google doesn't adequately vet Android applications from a security perspective. A smartphone's operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment. And before the PayPass technology can encrypt and transmit the data, the data must make its way through the operating system.
In security terms, this is like putting an airbag on a motorcycle. If the motorcycle crashes, it is possible that the airbag might help, but there are so many other things that could go wrong.
It's true that PCs and other payment systems have been subjected to the sorts of attacks that I am concerned about in regards to cell phones. And, yes, there have also been attacks against point-of-sale systems. Nonetheless, there is a complete void when it comes to security tools and awareness for cell phones. All you need is a malicious Angry Birds, and it will make the Heartland data breach seem like a footnote.
More by Ira Winkler
- A simple cure for the cybersecurity skills shortage
- Ira Winkler: 6 failures that led to Target hack
- Ira Winkler: The RSA Conference boycott is nonsense
- Electronic privacy? There's no such thing
- Guys, stop creeping out women at tech events
- Ira Winkler: Stupid users, or stupid infosec?
- We're missing out on the value of security awareness
- Are your security professionals qualified?
- Ira Winkler: Press falls short in reporting on chip hack
- 8 realities about location-based apps
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts