Mobile payment systems: A disaster waiting to happen

The apps may be well thought out, but until security improves in the underlying security of the devices they run on, look out

When I saw the Computerworld article about Square touting how it is going to replace cash registers with iPads, I was dismayed that there was no discussion of security. And Square's app isn't the only payment app that makes me anxious. While I admit that I would find applications such as Square Register and Google Wallet useful, turning mobile devices into credit cards or credit processing systems is foolish at this time.

OK, some of these payment applications are pretty cool. Square Register could be really convenient for small-business people, making accepting credit card payments practical for businesses that make few transactions. For some small companies, that could be a competitive edge. Likewise, applications like Google Wallet that let you pay for things by having your smartphone communicate with a terminal consolidate another function onto a device that people always have with them.

But cool only takes you so far.

First, let's take a look at Google Wallet, which to me represents the greatest chance for disaster. Google touts three primary security features: a PIN to use when making a purchase, a special chip for storing your credit card on your phone and PayPass technology to ensure that the credit card number is encrypted when being transmitted to the payment devices.

All of that probably sounds great to the layperson. But it is great only if the phone itself is fundamentally secure, and that this is far from the truth. We have already seen malicious Droid applications, and it is widely acknowledged that Google doesn't adequately vet Droid applications from a security perspective. A smartphone's operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment. And before the PayPass technology can encrypt and transmit the data, the data must make its way through the operating system.

In security terms, this is like putting an airbag on a motorcycle. If the motorcycle crashes, it is possible that the airbag might help, but there are so many other things that could go wrong.

It's true that PCs and other payment systems have been subjected to the sorts of attacks that I am concerned about in regards to cell phones. And, yes, there have also been attacks against point-of-sale systems. Nonetheless, there is a complete void when it comes to security tools and awareness for cell phones. All you need is a malicious Angry Birds, and it will make the Heartland data breach seem like a footnote.

The Square applications carry pretty much the same shortcomings as Google Wallet. Square's Card Case app certainly is no better -- and it doesn't have a secure storage chip or PayPass encryption ability. On top of that, it offers the location-based ability to run up a tab. Card Case also relies heavily on the native operating system, which is a major security concern. It doesn't take a genius to predict that as iPhones and iPads become a preferred platform for financial transactions, they will become a preferred platform for cybercriminals, and the malware targeting these platforms will increase exponentially. As Willy Sutton told us long ago, criminals follow the money.

To a certain extent, I am less concerned about the Register application. But has anyone pointed out that companies that use an iPad as a register must not use it for anything else? Any device that is used for Internet browsing or accessing other data and applications is at significantly greater risk for exposure to malware. With that said, though, there is still the concern raised by the fact that very few iPads and Android tablets use even minimal security.

And any sort of financial transaction requires much more than minimal security. When you get down to it, Google Wallet and Square rely on insecure platforms for their foundations. Until there are significant improvements in the underlying security of smartphones and tablets, it would be foolish to use these technologies. And that underlying security is out of the hands of Square, though it is something that Google and the other platform developers must address.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitymobileGoogletelecommunicationMobile and WirelessMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ira Winkler

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?