Tuesday, October 30, 2007

Insecure mobile payments

A visiting professor of HKU, when preparing a talk on e-commerce, came across my earlier article on the Octopus card. The subject was relevant to his talk so he asked me for the source of the information. I duly referred him to the two newspaper articles I read in January this year. Professor Roger Clarke delivered his talk at HKU on 25 October. The subject of the talk was the security of mobile payments. I append below the main points of his presentation.

Before the age of information technology, monetary transactions depended on cash, cheques, and instructions and arrangements on direct credits and debits. These have been in use for a long time and we could fully appreciate their advantages and disadvantages. They are reasonably secure but are sometimes slow and cumbersome. Then the credit card was introduced. It provides only low-grade security even when used at point-of-sale. The insecurity is much more problematic in MOTO (mail-order and telephone-order) transactions, also known as 'card not present' transactions. But the convenience of credit cards is greatly appreciated by consumers, and merchants are forced to bear the risk arising from fraud.

When information technology had matured by the end of the last century, financial institutions introduced new computer-assisted services to customers, such as automatic teller machines using account cards. Such services employ a stronger form of authentication, usually a PIN in addition to the physical hard-coded card, both of which need to be protected by the customer and by the bank's internal system.

After the Internet was born, the first wave of Internet commerce started in the late 1990s. From the very beginning, the Internet payment mechanism has been a great challenge. Many approaches have been tried, but most payments continue to depend on credit cards, a scheme considered not sufficiently secure even in 'meatspace' with fixed-connection mainframe systems. Credit-card transactions over the Internet adopt the same low-security approach as MOTO transactions, although the transmission of credit-card details has increasingly been protected using channel encryption (Secure Sockets Layer). On the other hand, Internet banking has matured into a relatively secure set of services. Financial transactions over the Internet have emerged with secure banking infrastructure that could provide most of the protections. A range of other electronic payment schemes were proposed in the late 1990s, including electronic cash, micro-payment, electronic payment instructions and stored-value cards. None survived. There are many successors and they vary from highly insecure to moderately secure.

As we enter the mobile payment era, using a wide array of wireless networks, we inherit the characteristics of the payment schemes that are already in place. Most significantly, credit card payments which are insecure become even more so when conducted using handheld consumer devices. In many cases, debit payments prove to be much more susceptible to fraud because of the context in which data is captured, and the reduced capacity of handheld devices to implement the protections that are expected in Internet banking applications.

The current wave of e-commerce is mobile/handheld/wireless. People expect everything to be done quickly, simply and intuitively. It appears that many modern consumers have a cavalier attitude to risk even when making payments, and particularly when making frequent payments of relatively small sums of money.

The chip inside Hong Kong's Octopus Card, which has been in use for a decade, is now inside many Japanese mobile phones. RFID tags for paying road tolls are well-established. Visa has announced trials of its payWave and MicroTag technologies, embedded in key-rings. Other approaches, such as those from Paybox, PayPal and RingGo, let people use their mobile phones to communicate payment instructions. Common to all of these schemes are security weaknesses that represent risks to the consumer. The most apparent threat is unauthorized transactions, variously through errors, rogue devices, rogue transactions, and capture of authenticators by malware that has been infiltrated into the consumer device. There is an enormous range of vulnerabilities, and consumers cannot be expected to take responsibility for infrastructure that they neither understand nor control. The key elements of a secure approach to mobile payment are not sufficiently satisfied by the new payment mechanisms that are currently being proposed, developed, deployed and in some cases even used.

We need to know more before we can judge whether mobile payment mechanisms are secure enough to attract consumers to use them in the first place and to keep them comfortable with using them once they have started. There is also a dire need for the providers of technology and services to take responsibility for the insecurity inherent in their schemes, and not try to impose liabilities on consumers. Mobile payments can be faster, more convenient and less of an obstacle - not only for consumers but for thieves too.