Multi-Unit Franchisee Magazine Issue III, 2012 | Page 72
Security
By Gary Glover
Smart Patrol
Mobile payments fraught with security problems
T
he rapidly expanding mobile payments market is attractive to merchants because of the low entry barrier to
obtain a smartphone or tablet device. Dozens of companies, acquirers, and payment entities offer mobile
payment solutions, and hundreds of thousands of merchants use
them. Despite its convenient and futuristic qualities, the mobile
platform was not designed as a secure application environment
and seriously lags behind in payment security.
If I were a hacker, I would invest my time in devising ways to
attack mobile smartphones. Think of the sensitive data stored
or entered in your smartphone, such as bank login information,
credit card numbers, and your personal information. Because it
is connected to the Internet at all times, a smartphone is at great
risk for malware designed to grab sensitive information. There
are two principal problems I see in processing payments through
personal mobile/tablet devices.
Problem 1: The apps
The drawback with processing payments through a personal
smartphone is that application installation cannot be controlled.
App stores do their best to thoroughly review apps, but it’s almost
impossible to guarantee every app will play nicely in the sandbox.
A point-of-sale transaction using a smartphone requires a card
reader (e.g., Square) to read the data from the card’s magnetic
stripe. Hardware may clip into the audio input port or access the
phone keypad. On most mobile platforms, access to incoming
data from input devices may not be locked and could potentially
be read by another running app. That rogue app could be listening for and intercepting unencrypted credit card numbers.
Here’s a real-world example. A merchant who accepts credit
cards through their iPhone downloads a flashlight application
written by an ill-intentioned hacker. This hacker wrote the application to periodically “wake up” to listen for data via the audio
port. When the iPhone is used to accept payments, the malicious
code embedded in the flashlight app could potentially gain access to incoming payment card data from the unencrypted card
reader or from the phone keypad, and send the card numbers
back to the hacker who developed the flashlight app.
Problem 2: The phones
Mobile payments blossomed overnight before the phone industry was truly ready. Smartphones were never designed for data
security like full-fledged computers are. To truly secure the mobile payments space, smartphones must change. In the future,
payments may be processed on a separate secure chip integrated
into phone hardware, inaccessible by other applications. When
that happens, secure processing on mobile devices will be no
problem. But until that time, security for mobile payments is
extremely limited.
Best practices for mobile payments
The best scenario for merchants who wish to accept mobile pay-
68
Multi-Unit Franchisee Is s ue III, 2012
ments is to dedicate the use of a smartphone or tablet solely to
payment processing. This means the ability to install apps, access
phone settings, send or receive texts, make or receive a call, or
take photos must be disabled. When the device is on, it strictly
runs the POS application, and at the end of the day all devices
are collected and kept in a secure location. If done correctly, this
solution can be completely PCI compliant. I have personally seen
taxicab companies successfully implement this mobile payment
solution. The disadvantage of device dedication is it completely
defeats the purpose of owning a smartphone that doubles as a
communication device.
How can I safely use my personal device for
mobile payments?
The safest option for usi