Tuesday, September 16, 2014

Week 4 - Security and Mobile Payments

Part of the big announcement on September 9, 2014, of the upcoming Apple iPhone 6 was the availability of the Apple Pay payments system.  Apple has waited quite a while to participate in one of the most popular mobile payments strategies available, near-field communication (NFC).  Most other smart phone manufacturers have included NFC capabilities in their devices for some time, as evidenced by the Samsung Galaxy ad campaign some years back showing users touching phones to transfer songs.  For use in payments, the NFC-equipped device is touched to a point-of-sale terminal and the user provides a secondary identification to complete the transaction.  Apple has included an additional hardware component in the iPhone 6 to lend it an extra level of security.  Other methods besides NFC can already be used to make payments, perform money transfers, or buy products using any smart phone device available.  But how safe is it?  Writing for c|net security, Charlie Osborne's article from September 15, 2014, titled "Most mobile apps will fail standard security tests, Gartner says", does not instill confidence in smart devices being able to withstand many of the security threats that are easily handled in other computing devices.  While the article is focused on discussing the ramifications for the increasingly popular bring your own device (BYOD) movement in the corporate world, many of the same concerns exist for mobile payments.  One of the main points of the article is that existing security testing methods, of which static application security testing (SAST) and dynamic application security testing (DAST) are mentioned, do not address the needs of the mobile device market.  The prediction made by Gartner is that in the next two years there will be an increase in endpoint breaches due to increased mobile device usage.  For mobile payments, and other areas as well, this implies a step or two backwards with respect to the level of security available on the device.
While Apple is famous for tightly controlling the applications that are available for its mobile devices, mobile devices using other operating systems have already experienced a number of security issues.  It will not be a surprise if there are applications from Symantec, Norton, or other vendors offering anti-virus and other security features for mobile devices.  Until that time, it appears that caution should be exercised when deciding to use mobile payments.  One final log to throw on the fire: telecommunication providers are also interested in participating in the mobile payments space.  However, these companies are not regulated in the same manner as banking institutions.  For example, a customer is limited to $50 liability for fraudulent charges to credit cards by banking regulations as long as the customer notifies their bank in a reasonable amount of time.  Currently there are not any regulations governing telecommunications companies on this or on disputed charges.  Mobile payments are going to happen, and are already popular in other parts of the world.  But will this be similar to the initial days of online payments and purchases, where security came after the fact and a large number of people were victims of fraud and identity theft?  So far events appear to be headed in this direction.

1 comment:

  1. I learned a great deal from your blog on the upcoming Apple Pay feature being introduced on new iPhone 6 models. I knew close to nothing on the topic before your post. Thanks,

    Duane K - CIS 608
