Mobile security: the coming battle of hardware versus software

According to security experts, there are several paths forward for mobile payments, each with its own security implications

apple watch pay
Credit: Shinya Suzuki

I'm starting to see signs for Apple Pay and Google Wallet everywhere I go. Google just announced its Android Pay platform and deals with AT&T, Verizon and T-Mobile to pre-install it on Android phones. Samsung is gearing up for its own payment system, Samsung Pay, Walmart is planning its retailer-focused CurrentC system, and PayPal, about to spin off from eBay, has been buying up payment technology vendors and can't be counted out yet.

For consumers, the decision will likely boil down to whether they own an iPhone or an Android phone, and which apps are easier to use and accepted by most merchants.

Merchants are upgrading this year anyway, as part of a mandated transition to chip-and-pin or "smartcards" and might as well bite the bullet and go all the way to mobile payments while they're at it. Fortunately, they won't have to decide between supporting Apple's platform or Google's -- adding support for one automatically means that they'll be able to accept the other.

But what about the back-end technology at work? How do they stack up in terms of security?

According to security experts, there are several paths forward, each with its own security implications.

Hardware versus software

The main distinguishing characteristic between Apple Pay and most other mobile payment platforms is that Apple Pay uses hardware-based security, a "secure element" inside the phone, protected against tampering.

On the iPhone, this is combined with a fingerprint scanner for additional security.

According to Adam Kujawa, head of malware intelligence at Malwarebytes, no unencrypted personal information is transmitted.

The only security problems reported so far are with initial onboarding, where scammers were able to talk call center operators into adding stolen credit cards to their iPhones.

In addition, thieves might, theoretically, be able to fool the fingerprint scanners and make unauthorized purchases, said Kujawa.

But the biggest downsides of ApplePay aren't so much technical, he said, as practical. The phones are expensive, and there's no way to make a payment, for example, if the iPhone's battery is dead.

The chief alternative to the secure element is HCE, or host card emulation. It's the software alternative to hardware-based security, and uses a cloud-based tokenization process.

"From a security standpoint, HCE provides the best protection because the encryption and communication of your financial information is in the hands of a bank and there is no connection between payment info and the device itself, in case it gets stolen," said Kujawa.

However, it could be that malicious apps will be designed to hijack the HCE process and steal money from users.

The ideal combination, said Kujawa, would be a secure element on the device, combined with HCE, combined with biometric authentication.

Mobile versus web

With all the discussion about ApplePay and what Google and Samsumg might or might not do, what actually happens on the ground is that most mobile payments have nothing to do with any of these technologies.

Instead, they are simply web-based payments made via browsers on mobile devices, or dedicated apps. For example, Amazon has a shopping app for smartphones and tablets, and PayPal has a mobile app that lets you send money to friends.

According to San Francisco-based payments company Adyen, these kinds of mobile payments account for 27 percent of all online payments in the first quarter of this year, a growth of 39 percent compared to the same period last year.

A small subset of these mobile payments are for local purchases -- you can pay for your Starbucks coffee for example, or your Uber ride, by using their respective apps. These are in-person mobile payments, and totaled $3.74 billion in the U.S., according to Forrester Research. But Forrester expects them to grow faster than other kinds of mobile payments, to reach $34.2 billion by 2019.

Security-wise, the big downside to that approach is that of any web-based payment system, said Andrew Blaich, lead security analyst at Bluebox Security. If there was a data breach, hackers could potentially steal all the saved financial information about users.

"And if someone steals your username or password they can impersonate you and make payments under your name," he said.

In addition, the mobile apps themselves could be compromised, said Andrew McLennan , vice president at Metaforic, a mobile security company. This has already happened with both the Starbucks and Uber apps.

Hackers can download the apps, root their devices, switch off wireless connectivity if necessary and then spend all the time they need to take apart and analyze the apps.

"Once they have done this they can weaponize what they learn for later, mass attacks -- from simple theft to more insidious harvesting of personal data for future use, far removed from the original app," said McLennan.

It's not either-or

Because of the way that NFC technology works, if a terminal accepts one payment system, such as ApplePay, then it will automatically accept others, such as Google Wallet. And web-based payments, such as those of Starbucks and Uber, don't depend on specialized payment terminals at all.

That means that neither customers nor retailers will have to choose.

"I think everything will co-exist," said Jerry Irvine, CIO at Prescient Solutions. "It's not whether NFC or HCE are better than one another, but do they fulfill the requirements of secure payments as defined by PCI and banking institutions -- and both of them do."

"And you're not going to get away from companies taking payment over the Internet," he said. "If you look at Startbucks, their application over the years has not been the easiest, has not been the best, but it's the biggest thing out there right now. If people want to use something, they will use it."

This story, "Mobile security: the coming battle of hardware versus software" was originally published by CSO.

Related:
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon