New payment technologies have
the potential to make shopping online and
in store more secure, but banks, tech companies and shops
must first move to upgrade their systems efficiently and correctly, say cyber safety experts.
The payments industry is
working to make it faster and more convenient to move money around. Yet, if
implemented wrongly, this can make life easier for hackers too, the security
experts say.
“Many of these evolutionary or
revolutionary changes have been driven by convenience and ease of use, and
often accepting a certain amount of risk,” says Amit Mital, chief technology
officer of security firm Symantec.
Making the purchase of goods
more secure is a priority for retailers, banks and payment companies. In the
US, where payment card technology is less
sophisticated than in Europe, retailers have recently been hit by massive data
breaches, in which hackers have been able to steal tens of millions of
customers’ card and personal data.
The highest-profile technology
to hit the market is Apple Pay, which works with the iPhone 6s. It lets
shoppers store their credit card information on their iPhone and pay for goods
by tapping the phone on an in-store receiver. Because of a technology called
“tokenisation”, experts say it is more secure than current card systems.
With tokenisation,
merchants receive data that obscures the shopper’s actual credit card number,
reducing the chance that hackers can steal usable data from merchants’ internal
systems. Because iPhones use fingerprint recognition to verify shoppers’
identity, it is also nearly impossible for a thief to steal an iPhone and make
a purchase.
“We do not see any concern on
our side in terms of security,” says Thierry Denis, president in North America
for Ingenico, a manufacturer of credit card readers.
But there is a catch. In the
first few months after Apple Pay’s launch last year, thieves have been able to
take stolen credit cards, load them on to iPhones, and go shopping. They have
not compromised the technology, but have got through the banks’ processes for
checking — during the Apple Pay set-up — that the customer adding the card to
his or her phone is the card’s real owner.
That fraud started showing up
within a month of Apple Pay’s launch last year, with the level of fraud seen
through the set-up far higher than that typically seen in credit cards,
according to Cherian Abraham, a payments analyst who wrote one of the first
blog posts to call attention to the issue. Given Apple’s sophisticated
technology, the fraud was a “surprise to all”, he wrote.
Mr Mital of Symantec said the
recent incidents of fraud on Apple Pay were “more of a failure in process than
in technology”.
Joe Majka, chief security
officer of Verifone, a manufacturer of point of sale terminals where shoppers
swipe their cards, says that better encryption on such devices could be a
security “game changer”, if widely adopted.
Like tokenisation, encryption
means that hackers cannot make as much use of data they might steal if they are
able to get into a retailer’s network.
Retailers have been slow to
adopt such encrypted systems for various reasons. Regulations in the US are
changing later this year and retailers will soon be responsible for the cost of
fraud if they do not accept chip-and-pin cards, which make transactions more
secure than when users just swipe their card.
But small retailers do not
often see fraudulent purchases and so may be reluctant to spend on upgrading,
without realising that their older systems mean they could be giving hackers a
way to steal their customers’ data, says Mr Majka.
For larger retailers, making
the shift takes work.
“When you talk to merchants
and [payment] processors,” says Mr Majka, “there are so many changes in their
systems, in their coding, that have to be made to accommodate an encrypted
transaction.”
Other innovations featuring
purely digital mobile payments via apps also face risks.
Cash-transfer app Venmo, which
is owned by PayPal, recently faced media reports highlighting how hackers could
access the app to transfer money to themselves.
Venmo has since added better
email notifications and is adding multi-factor authentication to make logging
in more secure. But the fact that this was already standard on services such as
Gmail underlines how companies do not always use the most secure solutions
available on the market.
Similarly, while US banks have
been rolling out the more secure chip-and-pin cards for many months in
anticipation of the regulatory changes this year, they are not yet available to
all consumers.
Mr Majka of Verifone replaced
his card recently and wanted a chip card. His bank, however, said he would have
to wait. “It’s a little disappointing,” he says.