Can We Trust the Security of Mobile Payment Solutions?

Kim Mays



CurrentC is yet another type of mobile payment system. It was created by Merchant Customer Exchange (MCX) and uses QR codes to transfer data and payment. The system was dreamed up even before Apple Pay by a group of big retail store chains to help them get around the fees that credit card companies charge whenever a customer pays with a credit card.

The app is available in both Google Play and Apple iTunes app stores. Companies that support CurrentC, the merchant members, are required to use the system exclusively—no Apple Pay or Google Wallet. Reviewers of the app already point out that it requires too much information up front and it has already been hacked at least once—not exactly the types of reviews you want to pop up first thing on the download pages.

TechCrunch has deemed the system to be “clunky.” Its description of how it works goes like this:

Rather than NFC, CurrentC uses QR codes displayed on a cashier’s screen and scanned by the consumer’s phone or vice versa to initiate and verify the transaction. The system is also designed to automatically apply discounts, use loyalty programs, and charge purchases to a variety of payment methods without passing sensitive financial data to the merchant.

The system can be used on any smartphone, including those running iOS and Android. With this system, credit card information is stored in a “secure cloud-hosted network,” according to the MCX blog. Retail stores are then not required to store credit card or bank data, and the data also does not reside on the mobile device. After the QR code is scanned, a token number is sent to the bank, which then translates the data and charges the user. The merchant is notified of the approval and the transaction is complete.

CurrentC will allow users to decide which data can be shared with merchants, but as TechCrunch reports, “it may share info with your device maker, app store, or developer tool makers.” The system will also compile your health care information, which sounds a bit odd and may be off-putting to many users. It claims the information will be from any transactions with health care providers, but this still seems like a bit of a privacy issue.

CurrentC claims on its website that it will “soon be all over town.” And though it doesn’t list the retail establishments where it will be available, the MCX site lists Sears, Sam’s Club, Publix, Michael’s, 7-Eleven, Circle K, Kmart, Kohl’s, Olive Garden, Walmart, Old Navy and Target among the “network of America’s favorite merchants.”

But What Do Security Experts Say?

We all know that companies can tout a lot of things about their products that users may or may not completely understand. So what do the real security experts have to say? Several experts gave ITBusinessEdge their opinions about the available mobile payment technologies, how they work and how well they protect user data.

Puneet Mehta, co-founder and CEO of MobileROI, believes that NFC technology is the most secure option at this time. In an email interview, Mehta explained why he feels Apple Pay has raised the bar on secure mobile payments:

“NFC is the most secure option at this point. Apple Pay uses NFC and iOS devices have made the transaction even more secure by handling it with dedicated secure hardware on the device. Apple has set the new standard for privacy in the mobile payment field. It has created an environment in which no transaction data can be traced back to an individual, a one-time use code is used in lieu of a debit or credit card number, and touch ID or complex passcodes can be set up to ensure data security.”

SnoopWall CEO Gary Miliefsky agrees that NFC appears to be the best hope for mobile payments, but he thinks that NFC technology may require a little more help to provide continued secure transactions. Miliefsky explained it this way:

“NFC holds the best chance at successfully providing secure transactions but not alone. Eavesdropping on Bluetooth and even ‘bluetooth skimming’ has been around for years now … it’s a more powerful wireless protocol that can be eavesdropped further away. However, even with NFC, the key is to deploy strong encryption and multifactor authentication. NFC is really a simple protocol to move data over very short distances. NFC alone like QR or Bluetooth is risky … Adding security wrappers to the use of NFC including encryption is the key.”

But that doesn’t completely discount QR-based technology. Andrew Sudbury, co-founder of Abine, which provides tools to protect online privacy, thinks the whole question of mobile payment security is complicated. He pointed out in an email that mobile payment solutions based on NFC and Bluetooth would both broadcast communications between the smartphones and the POS system. On the other hand, “QR code payments run the signal from the mobile device to the payments provider and back into the merchant.” Sudbury feels that may actually be more secure, “in theory.”

Sudbury also said, however, that at the moment, Apple Pay is quite secure for two reasons:

“First, [with Apple Pay] it’s probably more likely to really be you making the payment. Apple has strong authentication that the device is able to generate the payment, there is hardware built into the phone that makes it hard to spoof. So you need your phone, and you’re likely to notice that if it’s missing and/or also have a code to access your device. If somebody has hacked your Google account then they can most likely access your Google Wallet (unless you have 2nd factor authentication etc.). Second, Apple uses a tokenization system in conjunction with participating card issuers. So stores never get your full credit card number. This is also true for Google Wallet, but they are emulating this by paying merchants directly when you make purchases with your Google Wallet - it’s not as integrated with the credit card system.”

Who to Trust?

It seems that of the options available now, Apple Pay may have the lead in providing security to its users. Google Wallet also uses NFC technology, though, and if you trust Google to protect your credit card data, the technology seems fairly safe.

For those Apple iPhone users who are curious about Apple Pay, it does require the use of Touch ID and the NFC antenna that is available only in the new iPhone 6. Those users with older phones are out of luck and must upgrade to use the service.

CurrentC isn’t currently available for use, so it may be a while before consumers actually get the chance to try it out. But if the MCX site’s information holds true, it may be the only mobile option available at some of your “favorite retailers.” The company still has some work to do to get its system on track and convince users to give it a try. Right now, it seems to be getting a lot more bad press concerning the push for its networked merchants to stay exclusive and block other mobile payment options, which will be difficult to overcome once users develop a negative association with the brand in their minds.

In an upcoming article, we’ll look at the challenges to mass adoption of mobile payment solutions and discuss the ease of usage with a few brave souls who’ve already tried out some of the mobile payment options.

Kim Mays has been editing and writing about IT since 1999. She currently tackles the topics of small to midsize business technology and introducing new tools for IT. Follow Kim on Google+ at google.com/+KimberlyMays6 or Twitter @blumoonky.



Mar 5, 2015 5:25 PM Bobby44 says:
I absolutely do not trust Applepay! That does not mean I do not own Apple shares, I just do not trust the service. Also not a Google fan. Bad enough I use Pay Pal where I have a lot more control over transactions. I still believe in CASH.
