Each year, many consumers have credit cards replaced due to data breaches, stolen card information, card theft and loss.
Even so, most people somehow still trust the swipe of the card. After all, we’ve been doing it for years. You would think that recent experiences with data theft and the inconveniences associated with card replacement would cause us to shun this nearly antiquated form of payment. But apparently, old habits die hard, because even though new smartphone-based, card-free payments are available, many consumers are still leery about the security of these new systems.
Instead of sticking our heads in the sand and ignoring new technology, let’s delve into mobile payment systems and study their new-fangled security implementations. Having the information in your hands will make it easier for you to make a decision on which mobile payment system seems safest to use—if you decide to use one at all.
What Exactly Is Meant by “Mobile Payments”?
Surely by now you’ve seen the ads for Apple Pay. It’s a form of “contactless payment technology” (read: no card swiping involved) where you simply hold your iPhone near the Near Field Communication (NFC) reader, place your finger on the Touch ID and voila! Payment is made with one touch. But how exactly does this work?
It involves using the iPhone’s Passbook feature. Many people already use it to store coupons, tickets, store reward cards and more. Apple now encourages iPhone 6 users to store credit card and debit card information, choose one to be accessed by default, and have that card number dinged for payment when using Apple Pay. According to The Unofficial Apple Weblog (TUAW), Apple pay can also use the same credit card listed in your iTunes account. Either way, when you make a payment, the credit card information is encrypted and “securely sent to the appropriate credit card network.” The card data is validated and then the network sends a “token” back to the iPhone.
For those of us who don’t know how tokens work, in Apple Pay, a token is a 16-digit number that is randomly generated. It’s used more like a placeholder for the actual credit card number. If someone were to steal this number, it would be useless. As TUAW says, “as an additional layer of security, there are mechanisms in place to ensure that the token itself is bound to the phone on which it’s stored and can never be used from another device.”
Apple claims it’s very safe—in fact, once it’s tokenized, no one can see your card number, and the cards you save in Passbook are assigned Device Account Numbers that are encrypted and stored in the Secure Element, which is a dedicated chip in iPhone, iPad and Apple Watch. When you start a transaction via Apple Pay, the phone sends the token to the NFC reader. That way, the reader, the store and anyone else involved can’t see or steal your card number.
The NFC reader then sends that token to the credit card network, which is where the actual card information will be connected to the token number. The network verifies the numbers and then contacts the bank that issued the card to authorize the sale. Once the bank approves, it sends a message through the network to the merchant and the transaction moves forward.
Sounds secure—maybe. But what about lost phones? Apple assures that using the Lost Mode or Wipe feature through Find My iPhone will completely disable Apple Pay.
Google Wallet is throwing competition Apple’s way. It’s the Android equivalent of Apple Pay. You can upload personal credit card information into the Google Wallet app, or you can obtain a Google Wallet Card from Google to use the payment system. Gift cards and store loyalty cards and coupons can also be added and accessed through Google Wallet.
The Google Wallet Card is kind of like a pre-paid credit card and is provided through Debit MasterCard. You upload money to the account either through “a recurring bank transfer” or just when your balance is low. It’s a free card to own, but you must control the money that goes into it. The card itself can be swiped like a credit card or used within your Android phone.
Unlike Apple’s Secure Element, Google uses Host Card Emulation (HCE), in which your card numbers are actually stored on Google’s servers. To use the smartphone-based Google Wallet, you open the app, select the appropriate card, tap your phone on the store’s NFC reader, and then payment information is exchanged with Google’s servers. Then, a one-time-use MasterCard number is sent to the merchant over the network to close the sale. In this way, your credit card number is never seen by the store’s cashier and never stored within the POS system. Unlike Apple Pay, though, Google stores your actual credit card information, which some feel makes its systems still vulnerable for a breach.
Once the sale is complete, the app sends notifications to your phone screen. Google Wallet provides fraud protection and states that it “covers 100% of verified unauthorized Google Wallet transactions in the US.” You can lock the app itself with a PIN for added security, and at wallet.google.com, you can view all of your transactions online. Google Wallet also claims that you can disable Google Wallet from your Google account via the web if your Android phone is lost or stolen. It sounds just about as secure as Apple Pay—if you trust Google to protect your data on its servers.
According to recent news stories, Google has sealed a deal with Softcard, which is the mobile payment system used by AT&T, T-Mobile and Verizon Wireless. With this agreement, the three carriers will sell Android phones that will come with Google Wallet embedded in the smartphones—much like Apple Pay comes with new iPhones. In this way, users won’t have to download an app to use the service and they can access it via these major networks.
Next page: A Third Option
CurrentC is yet another type of mobile payment system that was created by Merchant Customer Exchange (MCX) and uses QR codes to transfer data and payment. The system was dreamed up even before Apple Pay by a group of big retail store chains to help them to get around the charges from credit card companies that are doled out whenever a customer pays with a credit card.
The app is available in both Google Play and Apple iTunes app stores. Companies that support CurrentC, the merchant members, are required to use the system exclusively—no Apple Pay or Google Wallet. Reviewers of the app already point out that it requires too much information up front and it has already been hacked at least once—not exactly the types of reviews you want to pop up first thing on the download pages.
TechCrunch has deemed the system to be “clunky.” Its description of how it works goes like this:
Rather than NFC, CurrentC uses QR codes displayed on a cashier’s screen and scanned by the consumer’s phone or vice versa to initiate and verify the transaction. The system is also designed to automatically apply discounts, use loyalty programs, and charge purchases to a variety of payment methods without passing sensitive financial data to the merchant.
The system can be used on any smartphone, including those running iOS and Android. With this system, credit card information is stored in a “secure cloud-hosted network,” according to the MCX blog. Retail stores are then not required to store credit card or bank data, and the data also does not reside on the mobile device. After the QR code is scanned, a token number is sent to the bank, which then translates the data and charges the user. The merchant is notified of the approval and the transaction is complete.
CurrentC will allow users to decide which data can be shared with merchants, but as TechCrunch reports, “it may share info with your device maker, app store, or developer tool makers.” The system will also compile your health care information, which sounds a bit odd and may be off putting to many users. It claims the information will be from any transactions with health care providers, but this still seems like a bit of a privacy issue.
CurrentC claims on its website that it will “soon be all over town.” And though it doesn’t list the retail establishments where it will be available, the MCX site lists Sears, Sam’s Club, Publix, Michael’s, 7-Eleven, Circle K, Kmart, Kohl’s, Olive Garden, Walmart, Old Navy and Target among the “network of America’s favorite merchants.”
But What Do Security Experts Say?
We all know that companies can tout a lot of things about their products that users may or may not completely understand. So what do the real security experts have to say? Several experts gave ITBusinessEdge their opinions about the available mobile payment technologies, how they work and how well they protect user data.
Puneet Mehta, co-founder and CEO of MobileROI, believes that NFC technology is the most secure option at this time. In an email interview, Mehta explained why he feels Apple Pay has raised the bar on secure mobile payments:
“NFC is the most secure option at this point. Apple Pay uses NFC and iOS devices have made the transaction even more secure by handling it with dedicated secure hardware on the device. Apple has set the new standard for privacy in the mobile payment field. It has created an environment in which no transaction data can be traced back to an individual, a one-time use code is used in lieu of a debit or credit card number, and touch ID or complex passcodes can be set up to ensure data security.”
SnoopWall CEO Gary Miliefsky agrees that NFC appears to be the best hope for mobile payments, but he thinks that NFC technology may require a little more help to provide continued secure transactions. Miliefsky explained it this way:
“NFC holds the best chance at successfully providing secure transactions but not alone. Eavesdropping on Bluetooth and even ‘bluetooth skimming’ has been around for years now … it’s a more powerful wireless protocol that can be eavesdropped further away. However, even with NFC, the key is to deploy strong encryption and multifactor authentication. NFC is really a simple protocol to move data over very short distances. NFC alone like QR or Bluetooth is risky … Adding security wrappers to the use of NFC including encryption is the key. “
But that doesn’t completely discount QR-based technology. Andrew Sudbury, co-founder of Abine, which provides tools to protect online privacy, thinks the whole question of mobile payment security is complicated and complex. He pointed out in an email that mobile payment solutions based on NFC and Bluetooth would both broadcast communications between the smartphones and the POS system. On the other hand, “QR code payments run the signal from the mobile device to the payments provider and back into the merchant.” Sudbury feels that may actually be more secure, “in theory.”
Sudbury also said, however, that at the moment, Apple Pay is quite secure for two reasons:
“First, [with Apple Pay] it’s probably more likely to really be you making the payment. Apple has strong authentication that the device is able to generate the payment, there is hardware built into the phone that makes it hard to spoof. So you need your phone, and you’re likely to notice that if it’s missing and/or also have a code to access your device. If somebody has hacked your Google account then they can most likely access your Google Wallet (unless you have 2nd factor authentication etc.). Second, Apple uses a tokenization system conjunction with participating card issuers. So stores never get your full credit card number. This is also true for Google Wallet, but they are emulating this by paying merchants directly when you make purchases with your Google Wallet – it’s not as integrated with the credit card system.”
Who to Trust?
It seems that of the options available now, Apple Pay may have the lead in providing security to its users. Though, Google Wallet also uses NFC technology, and if you trust Google to protect your credit card data, the technology seems fairly safe.
For those Apple iPhone users who are curious about Apple Pay, it does require the use of Touch ID and the NFC antenna that is available only in the new iPhone 6. Those users with older phones are out of luck and must upgrade to use the service.
CurrentC isn’t currently available for use, so it may be awhile before consumers actually get to the chance to try it out. But if the MCX site’s information holds true, it may be the only mobile option available at some of your “favorite retailers.” The company still has some work to do to get its system on track and convince users to give it a try. Right now, it seems to be getting a lot more bad press concerning the push for its networked merchants to stay exclusive and block other mobile payment options, which will be difficult to overcome once users develop a negative association with the brand in their minds.
In an upcoming article, we’ll look at the challenges to mass adoption of mobile payment solutions and discuss the ease of usage with a few brave souls who’ve already tried out some of the mobile payment options.
Kim Mays has been editing and writing about IT since 1999. She currently tackles the topics of small to midsize business technology and introducing new tools for IT. Follow Kim on Google+ at google.com/+KimberlyMays6 or Twitter @blumoonky.