However, these opportunities carry certain risks, and it is important that all parties involved in mobile commerce – be it the consumer/payer, the merchant/payee, or the financial institutions – take appropriate steps to manage this risk. Though the amount of risk differs for remote mobile payments vs. “proximity mobile payments,” the presence and reality of risk remains the same.
The root of the risk
In proximity mobile payments (used for in-store mobile commerce), a mobile device carrying a chip or a magnetic stripe is used for payments in a physical store (with no PIN entry or signature). Unfortunately, there is currently a lack of technology standards in the industry, and a great variety in the ways the different manufacturers of payment chips and mobile devices allow communication between the buyer’s device and the seller’s reader. At best, this lack of standardization and integration slows down the adoption and growth of proximity mobile payment usage among the general public, hindering mobile commerce; at worst, it leaves the entire value chain bereft of the strongest possible defensive measures, leaving the industry more vulnerable to criminal attacks.
Remote mobile payment (in-home mobile commerce), on the other hand, is a slightly different story. As transmission of payment information depends completely on software-based security, it is vulnerable to every single threat that can attack a personal computer, tablet, or mobile phone – and we all know how numerous and malicious those threats can be.
As bad as the picture may look for desktop or laptop users, it can be even more worrisome for smartphone users, as the software available for protecting smartphones from malware is still less mature than the software currently available for protecting desktop computers and laptops. In addition, since devices are most vulnerable to malware when they are turned on, the limited time we keep our computers on likewise limits their exposure. Smartphones, on the other hand, are often kept on 24/7.
So yes, there is reason for concern. Fortunately, the payment and software industries have begun addressing these concerns. Another piece of good news is that we are not starting from scratch.
Although mobile payment is a new technology, the risks associated with it are very similar to those of the older practices of contactless transactions and e-commerce transactions. Therefore, the tools we have used to control fraud in these older channels can be used to control fraud in mobile commerce as well.
Financial institutions play an instrumental role in keeping mobile transactions secure. To protect their clients from fraud, financial institutions need to
- review their back office processes, to ensure that these support emerging mobile channels;
- adjust their fraud prevention alerts, tracking of spending trends, and other security methods, to react more effectively to potential mobile-based-fraud activity; and
- ensure that their software applications meet all the necessary certifications and requirements of the payment brands.
On their part, payment brands can prevent mobile commerce fraud by
- constantly reviewing and revising payment security standards so that they remain applicable and relevant to the mobile channel;
- regularly tracking and updating the certification of devices and third-party applications; and
- continually building partnerships between mobile network operators and financial institutions as they introduce secure payment solutions.
Mobile network operators are typically the customer’s first contact point when it comes to mobile commerce. To help prevent fraud, mobile network operators should
- ensure that all mobile phones used to make proximity payments meet the certification requirements of the payment brands;
- include mobile security software automatically in their phones, so that the protection they provide is available in the phone right out of the box; and
- educate their customers about general mobile security.
Because the consumer holds the greatest risk for personal loss when it comes to mobile commerce, the consumer must also take responsibility for his or her own safety. Consumers can minimize their risk of becoming fraud victims by
- making sure they set a strong password for accessing payment applications on their phone;
- never sharing confidential information such as PINs, credit card numbers, or even account numbers;
- downloading applications only when they are certain the source can be trusted;
- being wary of responding to text messages from unknown numbers, even if the senders claim to represent a trusted institution;
- physically safeguarding their phone as carefully as they do their wallets; and
- reporting immediately to the concerned institution if their phone ever gets lost or stolen.
Last but not least among the players in fraud prevention is the vendor, who is in fact on the very front line of fraud defense. To meet this responsibility properly, vendors should
- ensure that they meet all PCI DSS and PCI PA-DSS requirements. This includes the installation of POS systems that are EMV compliant;
- limit their distribution channels to trusted sources only; and
- provide end-to-end encryption of payment data themselves, rather than relying on CDMA, GSM, and other mobile network protocols to protect it.
Indeed, mobile commerce is still in its development stage, and much can still be done to manage risk and improve security in the mobile payments industry. However, considerable progress is being made towards increasing awareness about various risky scenarios and managing those risks, allowing mobile commerce to continue to advance quickly.