The popularization of mobile payments through services like Apple Pay, Android Pay and Samsung Pay brings with it some of the biggest security challenges faced in a generation. Yearly shipments of NFC-enabled mobile phones are growing rapidly, from 756 million in 2015 to an estimated 2.2 billion handsets by 2020, according to the research firm IHS Technology.
Smartphones are far more exposed to hackers and fraudsters than the offline plastic cards they replace. Unlike the chip in a smartcard, the software on a smartphone is open to inspection and vulnerable to attack, especially once the phone is rooted.
Android, as the most popular smartphone operating system, is also the biggest target for attackers worldwide. According to the Verizon Data Breach Investigations Report for 2015, 96% of all mobile malware targets the Android platform, and over 5 billion downloaded Android apps are vulnerable to remote attacks.
Compounding the problem is the sheer number of entities embedded in the mobile payment ecosystem. This volume directly adds to the complexity of its overall security architecture and correspondingly, to its growing number of potential points of vulnerability. OEMs, MNOs, chip makers, security service providers and OS and software developers all have unique needs and vested interests that may at times be in conflict, undermining the end-to-end security of the system.
Each of these actors has proliferated acronyms and terms such as SE, TEE, tokenization, LUK, white-box cryptography and many more that add to the confusion, especially when each one is marketed as the "ultimate" security solution. In truth, there is no single solution that can secure such a complex system.
The bottom line is that threats come from everywhere and security is only as strong as its weakest link. So what is the best way to provide end-to-end security for mobile payments?
Securing Mobile Payments with a Defense in Depth
Defense in Depth: A layered approach to securing mobile payments
In a "defense in depth" approach, no single security measure is assumed to be bulletproof. Multiple security measures overlap to increase the security of the whole system. Each layer must present a distinct obstacle to the attacker, to prevent or at least slow the progress of the attack. Another important function of these measures is to detect and report an attack so that the operator can respond appropriately. Working in concert, the layers buy the defender time to respond and stop the attacker before sensitive data has been compromised.
In the mobile payments world, three major areas must be addressed:
1. Minimize the value of the reward for the attacker
The first line of defense in the fight against mobile payments fraud is to minimize the reward an attacker would gain from a successful attack. If the return on an attack is low, a potential attacker has reason to pause and re-evaluate the target. Tokenization (replacing the real card number, the PAN, with a surrogate that is only useful through the token service) and limited-use keys (per-device keys that expire after a small number of transactions or a short time) are the two main tactics used within mobile payments to reduce the value of the data held on the phone and thereby discourage attacks.
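To make the "low reward" argument concrete, here is an added example (not code from the white paper or any real wallet) that models a token service provider and a wallet. The token format, the derivation of limited-use keys from an issuer master key, the cryptogram layout and the limits (three uses, one day) are all assumptions chosen for illustration; real schemes (EMV tokenization, HCE limited-use keys) differ in detail but follow the same pattern.

```python
import hashlib
import hmac
import secrets

# Added example, not from the white paper. Limits and message formats are assumptions.
MAX_USES = 3          # assumption: each limited-use key (LUK) is good for three payments
LUK_TTL = 24 * 3600   # assumption: ...and for one day


def _mac(key, *fields):
    """HMAC-SHA256 over pipe-joined fields; used both for key derivation and cryptograms."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()


class TokenServiceProvider:
    """Issuer side: holds the real PAN, issues tokens and LUKs, verifies cryptograms."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the issuer
        self._pan_by_token = {}                  # token -> PAN
        self._luk_state = {}                     # token -> {luk_id, issued_at, uses}
        self._seen = set()                       # (token, luk_id, atc) replay cache

    def tokenize(self, pan):
        # Assumed token format: 16 digits starting with 9, unrelated to the PAN.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        self._pan_by_token[token] = pan
        return token

    def _derive_luk(self, token, luk_id):
        # Derived rather than stored: the issuer can recompute it, the phone cannot.
        return _mac(self._master, "luk", token, str(luk_id))

    def provision_luk(self, token, now):
        state = self._luk_state.get(token)
        luk_id = state["luk_id"] + 1 if state else 1
        # Provisioning a new LUK supersedes the old one, even if it still had uses left.
        self._luk_state[token] = {"luk_id": luk_id, "issued_at": now, "uses": 0}
        return luk_id, self._derive_luk(token, luk_id)

    def verify(self, token, luk_id, atc, amount, merchant, cryptogram, now):
        """Return (accepted, reason). Every rejection reason is one layer of the defense."""
        state = self._luk_state.get(token)
        if state is None or state["luk_id"] != luk_id:
            return False, "unknown or superseded LUK"
        if now - state["issued_at"] > LUK_TTL:
            return False, "LUK expired"
        if state["uses"] >= MAX_USES:
            return False, "LUK exhausted"
        if (token, luk_id, atc) in self._seen:
            return False, "replay"
        expected = _mac(self._derive_luk(token, luk_id),
                        token, str(luk_id), str(atc), str(amount), merchant)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        state["uses"] += 1
        self._seen.add((token, luk_id, atc))
        # Only now does the issuer look up the real PAN and authorize the amount.
        return True, "ok"


class Wallet:
    """Device side: holds only a token and the current LUK, never the PAN."""

    def __init__(self, token, luk_id, luk):
        self.token, self.luk_id, self.luk = token, luk_id, luk
        self.atc = 0  # application transaction counter, incremented per payment

    def pay(self, amount, merchant):
        self.atc += 1
        cryptogram = _mac(self.luk, self.token, str(self.luk_id),
                          str(self.atc), str(amount), merchant)
        return self.token, self.luk_id, self.atc, amount, merchant, cryptogram


def demo():
    """Walk through what a thief gains from a cloned wallet. Returns the issuer's verdicts."""
    tsp = TokenServiceProvider()
    token = tsp.tokenize("4111111111111111")      # constructed sample PAN (test number)
    t0 = 1_700_000_000                            # constructed clock
    luk_id, luk = tsp.provision_luk(token, t0)
    wallet = Wallet(token, luk_id, luk)
    verdicts = []

    tx = wallet.pay(1999, "coffee-shop")
    verdicts.append(tsp.verify(*tx, now=t0 + 60)[1])      # legitimate: ok
    verdicts.append(tsp.verify(*tx, now=t0 + 120)[1])     # same message again: replay

    stolen = Wallet(token, luk_id, luk)                   # attacker cloned device storage
    stolen.atc = wallet.atc
    verdicts.append(tsp.verify(*stolen.pay(50000, "fence"), now=t0 + 600)[1])   # ok
    verdicts.append(tsp.verify(*stolen.pay(50000, "fence"), now=t0 + 660)[1])   # ok
    verdicts.append(tsp.verify(*stolen.pay(50000, "fence"), now=t0 + 720)[1])   # exhausted

    luk_id2, luk2 = tsp.provision_luk(token, t0 + 3600)   # real wallet refreshes its key
    verdicts.append(tsp.verify(*stolen.pay(50000, "fence"), now=t0 + 3700)[1])  # superseded
    fresh = Wallet(token, luk_id2, luk2)
    verdicts.append(tsp.verify(*fresh.pay(500, "kiosk"), now=t0 + 3600 + LUK_TTL + 1)[1])
    return token, verdicts
```

The point the walk-through makes: everything the attacker copied from the phone is a token plus a key that is capped by count and by time, can be revoked by a single reprovisioning, and never reveals the PAN. With the real card number and a non-expiring key on the device, the same compromise would have been worth far more.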
2. Create an on-device software-based “secure element” to protect data
Where the phone has a hardware secure element, use it to store card data, keys and the cryptographic functions that operate on them. In its absence, protect sensitive data held in ordinary phone memory with additional measures, which may include code obfuscation, runtime integrity checks, white-box cryptography and attack-aware security that reacts (for example by wiping keys) when tampering is detected.
3. Use the smartphone as a security monitor
Always-connected devices can act as a security monitor, capable of continuously sampling information about the user, the device and the surroundings, such as geolocation or pairing with the merchant's POS terminal. The phone is the source of unique data about the user and the device, so security measures at this layer can include device profiling and fingerprinting, risk assessment and user authentication.
Overlapping security measures implemented in parallel remove the traditional single "weakest link": if one measure is breached, the others remain in place to block the attack, limit its impact, and report the breach to the host.
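As an added illustration of the phone-as-monitor idea (this is example code, not from the white paper), the following risk check scores one tap against the device's history using three of the signals named above: impossible travel between the previous and current geolocation, drift in the enrolled device fingerprint, distance between the phone and the merchant terminal's registered location, plus a rooted-device flag. The signal names, weights, thresholds and the sample events are all constructed assumptions; the decision (allow, step-up authentication, deny) is what a wallet back end would act on.

```python
import math

# Added example, not from the white paper. Weights, thresholds and event layout are assumptions.
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: faster than this between taps is "impossible travel"
MAX_POS_DISTANCE_KM = 2.0         # assumption: phone should be near the terminal it tapped
WEIGHTS = {"impossible_travel": 50, "rooted": 40, "pos_mismatch": 30, "fingerprint_drift": 15}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess(current, previous, enrolled_fingerprint):
    """Score one transaction event. Returns (decision, score, reasons).

    current/previous: {"ts": epoch seconds, "lat": .., "lon": .., "fingerprint": {..},
                       "rooted": bool, "terminal": {"lat": .., "lon": ..}}
    enrolled_fingerprint: attributes recorded when the card was provisioned.
    """
    score, reasons = 0, []

    # Impossible travel: distance from the previous tap divided by the elapsed time.
    if previous is not None:
        dist = haversine_km(previous["lat"], previous["lon"], current["lat"], current["lon"])
        hours = max(current["ts"] - previous["ts"], 1) / 3600.0
        if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += WEIGHTS["impossible_travel"]
            reasons.append("impossible_travel")

    # Fingerprint drift: each enrolled attribute that no longer matches adds a little risk.
    changed = [k for k, v in enrolled_fingerprint.items() if current["fingerprint"].get(k) != v]
    if changed:
        score += WEIGHTS["fingerprint_drift"] * len(changed)
        reasons.append("fingerprint_drift:" + ",".join(sorted(changed)))

    # POS pairing: the phone's own location should agree with the terminal's registered one.
    term = current["terminal"]
    if haversine_km(current["lat"], current["lon"], term["lat"], term["lon"]) > MAX_POS_DISTANCE_KM:
        score += WEIGHTS["pos_mismatch"]
        reasons.append("pos_mismatch")

    # Device integrity as reported by the app's runtime checks.
    if current.get("rooted"):
        score += WEIGHTS["rooted"]
        reasons.append("rooted")

    decision = "allow" if score < 30 else "step_up" if score < 70 else "deny"
    return decision, score, reasons


# Constructed sample data: a Chicago cardholder and three candidate taps.
ENROLLED = {"model": "Pixel 3", "os": "9", "app_sig": "sha256:deadbeef"}
PREVIOUS = {"ts": 1_700_000_000, "lat": 41.8500, "lon": -87.6500,
            "fingerprint": dict(ENROLLED), "rooted": False,
            "terminal": {"lat": 41.8500, "lon": -87.6500}}
BENIGN = {"ts": 1_700_007_200, "lat": 41.8781, "lon": -87.6298,      # 2 h later, same city
          "fingerprint": dict(ENROLLED), "rooted": False,
          "terminal": {"lat": 41.8800, "lon": -87.6300}}             # terminal ~200 m away
SUSPICIOUS = {"ts": 1_700_007_200, "lat": 41.8781, "lon": -87.6298,
              "fingerprint": {**ENROLLED, "os": "10"},                # OS updated since enrolment
              "rooted": False,
              "terminal": {"lat": 41.9100, "lon": -87.6298}}         # terminal ~3.5 km away
HOSTILE = {"ts": 1_700_003_600, "lat": 1.3521, "lon": 103.8198,      # Singapore, 1 h later
           "fingerprint": dict(ENROLLED), "rooted": True,
           "terminal": {"lat": 1.3530, "lon": 103.8200}}


def run_samples():
    """Decisions for the three constructed taps, in order: benign, suspicious, hostile."""
    return [assess(e, PREVIOUS, ENROLLED)[0] for e in (BENIGN, SUSPICIOUS, HOSTILE)]
```

Note that the rooted-device flag and the fingerprint come from the app itself, which an attacker who controls the phone can lie about; that is precisely why this layer is combined with server-side signals (geolocation history, terminal location) that the phone cannot forge on its own, and why a "deny" here feeds the host's reporting rather than being the only control.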
This layered approach recognizes that the security of a widely distributed system should never rely on a single “silver bullet”. And because of the dynamic and evolving nature of the threats, no approach will ever be perfect. However, this “Defense in Depth” philosophy is the best course of action for mobile payments security because it not only prevents known security threats, it also provides an organization with the time and resources to detect and respond to new attacks.
Learn more by reading our white paper: Securing Mobile Payment with a Defense in Depth