What's The Hold Up With Mobile Payments?

By Philip Clarke
On Aug 01, 2013

While Google Wallet, Visa's Isis Mobile Wallet and bank-specific mobile payment networks continue to show signs of growth, holdbacks indicate that the industry isn't committed to the security of common platforms such as near-field communication (NFC). While NFC's security issues (perceived and real) are easier to swallow, recent announcements that call into question the security of Secure Sockets Layer (SSL) and even mobile subscriber identity module (SIM) cards are chipping away at the foundation of what needs to be a trusted platform. A large portion of the consumer population either limits or eschews online purchasing altogether due to security and privacy concerns; selling them on mobile payments as a viable alternative to cash and credit cards is going to require more than exciting marketing.

Today, 62% of companies develop native apps. The majority of these are external facing, driven by the cost of developing multiple apps optimized for the mobile platforms consumers use the most - iOS and Android. Essentially, companies are looking for ways to leverage the popularity of mobility in ways that can keep the lines of communication open with current and potential clients. Mobile payments allow customers to make quick and easy purchases, by limiting the steps between their decision and the actual purchase of a good or service. In this way, apps are an ideal medium for companies and customers to interact. However, this requires that the underlying technology that makes mobile payments work is secure.

SSL and its variants, including the widely used Transport Layer Security (TLS), have recently been shown by security experts to have some glaring security holes. Specifically, the compression techniques used to serve up today's webpages allow hackers to see the length of each compressed data stream. Essentially, this allows hackers to ferret out what is being compressed based on how long a compressed data string is, e.g. social security, credit card and other private numbers that use a fixed length. This latest exploit adds to a half-dozen issues that have been uncovered within SSL. Even as it has become in vogue for browsers to force SSL by default, these gaps are bringing to light the fundamental problems that remain in our browser-based and mobile payment systems. Compounding SSL's issues, researchers estimate that 500 million+ SIM cards can easily be duplicated (faked), which allows hackers to use intermediary attacks that fool carriers and payment services into trusting faux short message service (SMS) messages.
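The length effect described above can be measured directly. This is an added example, not code from the article: it compares the on-the-wire size of a response that echoes request input next to a fixed-length secret, with compression on and off. The page layout, function names and all values are constructed for illustration.

```python
import zlib

# Constructed sample values (not real card numbers), all 16 digits long.
SECRET = "4929384756102938"
NON_MATCHING = ["7361059284716350", "1580637290461573", "6047251839506172"]


def render(reflected: str) -> bytes:
    """Hypothetical page that echoes request input next to a stored secret."""
    return (f"<p>search: card={reflected}</p>"
            f"<p>on file: card={SECRET}</p>").encode()


def wire_length(body: bytes, compress: bool) -> int:
    """Byte count visible on the network; encryption hides content, not size."""
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_gap(compress: bool) -> int:
    """Smallest size difference between a non-matching input and the matching one."""
    match = wire_length(render(SECRET), compress)
    return min(wire_length(render(g), compress) - match for g in NON_MATCHING)


def leaks(compress: bool) -> bool:
    """True when response size depends on whether the echoed input equals the secret."""
    return length_gap(compress) > 0


if __name__ == "__main__":
    for compress in (True, False):
        label = "compressed" if compress else "uncompressed"
        print(f"{label}: gap={length_gap(compress)} bytes, leaks={leaks(compress)}")
```

With compression on, the matching input is encoded as a short back-reference to the secret, so the response shrinks; with compression off, same-length inputs always produce same-length responses.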

As the technologies that underpin mobile and online payments continue to be marred, these services – particularly mobile payments – will stay stuck in their infancy. For companies and consumers alike this is an inconvenience, and one that will cost companies sales opportunities. Long-term, these flaws could sour consumers on mobile payments even when the security of these platforms is bolstered, prolonging our wait for a realized vision of unified smartphones and payment services. In the interim, it looks like the security-conscious shopper is stuck with credit cards.
