Things that People Won’t Tell You about Mobile Payment

Mobile payments is the next “big thing”. So, how can we keep it from being so for hackers as well? As our metal currency culture moves from chip cards to mobile phones, where data and software are more vulnerable to hackers, how do we keep trust without hurting utility?

I read a post on LinkedIn which is named as Verizon’s Data Breach Report for 2015. It seems to tell the crowds that mobile devices are a growing target for hackers, with over 5 billion mobile apps that are vulnerable to remote manipulation. Most of this malware is just annoying rather than malicious, but as mobile payments become more and more widespread, something must be changed.

The powers most contactless transactions, such as ApplePay and Android Pay, presents a huge opportunity for hackers who are looking for a pot of gold target. According to market research firm IHS, the adoption of this technology — NFC, which is expected to increase from 440 million handsets in 2014 to 2.2 billion in just 5 years. And, as traditional personal computers decline in importance, this presents a new battlefield for hackers trying to monetize their efforts.

Unfortunately, mobile payments security is a lot more complex than simply adding a chip or an extra piece of software. But the many entities part of the ecosystem advertise various technologies as “the only solution” needed for securing mobile payments.

Apparently, the hackers didn’t get that memo. While I agree that the environment is relatively well understood and the tools for additional security are available, there are certainly some very real security issues that still need attention.

So what is the solution?
Secure elements?
Tokenization? Or perhaps end-to-end encryption is the cornerstone of security.

The answer is “Yes,” “Yes,” and also “Yes” .

Even the best available security measures have inherent weaknesses. And it is just a matter of time before a hacker figures out that should be an exploitable vulnerability within the existing security infrastructure. So, the most effective countermeasure in this environment is to deploy multiple defense measures between the attacker and its target. This security strategy is often called “Defense-underneath.”

Securing mobile payments is Defense-underneath

The “Defense-underneath” approach assumes that no single security measure is impenetrable on its own, and that is to say, the strategy utilizes various overlapping security measures to improve the security of the entire system. Each of these measures presents a unique obstacle slowing or ultimately preventing a hacker’s progress. These measures are complimented by other security features that defend an attack and report it to the administrator in order to analyze while respond instantly.

In the mobile payments security world, the overlapping security measures can be grouped in 3 different areas:

1. Minimize the reward for the HACKER:

The first line of defense is to as good as you can to cut down the reward a hacker would gain from an attack. If the ROI of an attack is low, a possible hacker may stop and re-judge his target. That’s why I think NFC has its advantage inside its gene. Tokenization, as it uses, and the use of limited use keys (LUKs) are two main tools used within mobile payments to help minimize the value of sensitive data.

2. Create an software-based “secure element”:

Roughly 25% of all breaches were attributed to memory scraping at merchant’s POS systems. Card data, tokens, keys and cryptographic functions must be protected so that they cannot be easily harvested or reused if stolen.

3. Use the Smart Phone as a security monitor:

The growing presence of mobile devices in the payments ecosystem indicates both challenges and opportunities in the world of security. Always-on devices can serve as a security monitor, being able to be continuously sampling information on the user, local connections, device, and etc.. Data such as geographical location, merchant POS paring, customer validation and devices integrity can be used both on device and at the host to validate every aspect of the transaction and the environment.

Leveraging overlapping security measures that are implemented in the same dimension with one another that largely reduces a traditional “weakest link” vulnerability. If one security measure is broken, others remain in place to block the attack, minimize its impact and report the breach to the host.

This layered approach recognizes that the security of a widely distributed system should never rely on a single “silver bullet”. And because of the dynamic and evolving nature of the threats, no approach will ever be perfect. However, this “Defense-underneath” philosophy is the best course of action for mobile payments security. because it not only prevents known security threats, it also provides an organization with the time and resources to detect and respond to new attacks.


That’s all I learnt these days and I share with your guys. If you know more about it, feel free to talk with me here.

If you liked this article, it would mean a lot to me if you shared it on LinkedIn or Twitter. Want more like this? Follow me on Medium , Twitter: and LinkedIn.

You may repost this article on your blog, website, etc. as long as you include the following (including the links): “This article originally appeared HERE. Follow OttowJR for more articles like this.”