Mobile payment systems: A disaster waiting to happen

The apps may be well thought out, but until security improves in the underlying security of the devices they run on, look out

When I saw the Computerworld article about Square touting how it is going to replace cash registers with iPads, I was dismayed that there was no discussion of security. And Square's app isn't the only payment app that makes me anxious. While I admit that I would find applications such as Square Register and Google Wallet useful, turning mobile devices into credit cards or credit processing systems is foolish at this time.

OK, some of these payment applications are pretty cool. Square Register could be really convenient for small-business people, making accepting credit card payments practical for businesses that make few transactions. For some small companies, that could be a competitive edge. Likewise, applications like Google Wallet that let you pay for things by having your smartphone communicate with a terminal consolidate another function onto a device that people always have with them.

But cool only takes you so far.

First, let's take a look at Google Wallet, which to me represents the greatest chance for disaster. Google touts three primary security features: a PIN to use when making a purchase, a special chip for storing your credit card on your phone and PayPass technology to ensure that the credit card number is encrypted when being transmitted to the payment devices.

All of that probably sounds great to the layperson. But it is great only if the phone itself is fundamentally secure, and that this is far from the truth. We have already seen malicious Droid applications, and it is widely acknowledged that Google doesn't adequately vet Droid applications from a security perspective. A smartphone's operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment. And before the PayPass technology can encrypt and transmit the data, the data must make its way through the operating system.

In security terms, this is like putting an airbag on a motorcycle. If the motorcycle crashes, it is possible that the airbag might help, but there are so many other things that could go wrong.

It's true that PCs and other payment systems have been subjected to the sorts of attacks that I am concerned about in regards to cell phones. And, yes, there have also been attacks against point-of-sale systems. Nonetheless, there is a complete void when it comes to security tools and awareness for cell phones. All you need is a malicious Angry Birds, and it will make the Heartland data breach seem like a footnote.

The Square applications carry pretty much the same shortcomings as Google Wallet. Square's Card Case app certainly is no better -- and it doesn't have a secure storage chip or PayPass encryption ability. On top of that, it offers the location-based ability to run up a tab. Card Case also relies heavily on the native operating system, which is a major security concern. It doesn't take a genius to predict that as iPhones and iPads become a preferred platform for financial transactions, they will become a preferred platform for cybercriminals, and the malware targeting these platforms will increase exponentially. As Willy Sutton told us long ago, criminals follow the money.

To a certain extent, I am less concerned about the Register application. But has anyone pointed out that companies that use an iPad as a register must not use it for anything else? Any device that is used for Internet browsing or accessing other data and applications is at significantly greater risk for exposure to malware. With that said, though, there is still the concern raised by the fact that very few iPads and Android tablets use even minimal security.

And any sort of financial transaction requires much more than minimal security. When you get down to it, Google Wallet and Square rely on insecure platforms for their foundations. Until there are significant improvements in the underlying security of smartphones and tablets, it would be foolish to use these technologies. And that underlying security is out of the hands of Square, though it is something that Google and the other platform developers must address.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.

Read more about security in Computerworld's Security Topic Center.

Tags mobileGoogletelecommunicationMobile and WirelessMalware and Vulnerabilities

Show Comments