New payment technologies have the potential to make shopping online and in store more secure, but banks, tech companies and shops must first move to upgrade their systems efficiently and correctly, say cyber safety experts.
The payments industry is working to make it faster and more convenient to move money around. Yet, if implemented wrongly, this can make life easier for hackers too, the security experts say.
“Many of these evolutionary or revolutionary changes have been driven by convenience and ease of use, and often accepting a certain amount of risk,” says Amit Mital, chief technology officer of security firm Symantec.
Making the purchase of goods more secure is a priority for retailers, banks and payment companies. In the US, where payment card technology is less sophisticated than in Europe, retailers have recently been hit by massive data breaches, in which hackers have been able to steal tens of millions of customers’ card and personal data.
The highest-profile technology to hit the market is Apple Pay, which works with the iPhone 6s. It lets shoppers store their credit card information on their iPhone and pay for goods by tapping the phone on an in-store receiver. Because of a technology called “tokenisation” experts say it is more secure than current card systems.
With tokenisation, the merchant never receives the shopper’s actual card number; it receives a substitute token that stands in for it, so data stolen from a merchant’s internal systems is far less useful to hackers. And because each Apple Pay purchase must be authorised with the phone owner’s fingerprint, a thief who steals the handset cannot readily use it to pay.
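To make the tokenisation point concrete, here is a small Python model, added for this page and not code from the article or from Apple, Ingenico, Verifone or any other company named in it. It models the general mechanism rather than Apple Pay’s specific scheme: a vault, held by the payment provider, issues a random stand-in for each card number; the merchant stores only the token and the last four digits. The token keeps the card number’s length and last four digits so existing systems can handle it, but it carries a hypothetical prefix (assumed here to be one no issuer uses) and is deliberately built to fail the Luhn check, so a dump of the merchant’s records contains nothing that can pass as a card number anywhere. The card numbers used are the well-known Visa and Mastercard test numbers.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

DIGITS = "0123456789"


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that does not yet include one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit and every second one leftwards is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the string is a plausible card number (13+ digits, Luhn-consistent)."""
    return number.isdigit() and len(number) >= 13 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Illustrative payment-provider vault: the only place the PAN <-> token mapping exists."""

    def __init__(self, token_prefix: str = "999999") -> None:
        # Assumption for this example: a prefix that no card issuer uses, so a token can
        # never be confused with a real card number by a downstream system.
        self._prefix = token_prefix
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:       # same card -> same token, so the merchant can match repeat customers
            return self._pan_to_token[pan]
        last4 = pan[-4:]
        middle_len = len(pan) - len(self._prefix) - 4
        if middle_len < 1:
            raise ValueError("card number too short to tokenise with this prefix")
        while True:
            # Random middle: the token is not derived from the PAN, so it cannot be reversed
            # without the vault's mapping table.
            middle = "".join(secrets.choice(DIGITS) for _ in range(middle_len))
            token = self._prefix + middle + last4
            # Reject the rare token that happens to be Luhn-valid or already issued.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> Optional[str]:
        """Only the vault can turn a token back into a card number; unknown tokens map to nothing."""
        return self._token_to_pan.get(token)


@dataclass
class MerchantRecord:
    """What the merchant keeps after a sale: an order reference, the token and last four digits."""
    order_id: str
    token: str
    last4: str


def merchant_checkout(vault: TokenVault, order_id: str, pan: str) -> MerchantRecord:
    """The card number is exchanged for a token at checkout and never written to merchant storage."""
    token = vault.tokenise(pan)
    return MerchantRecord(order_id=order_id, token=token, last4=token[-4:])


def breach_exposes_card_numbers(records: List[MerchantRecord]) -> bool:
    """Would a copy of the merchant's records hand an attacker anything that passes as a card number?"""
    return any(luhn_valid(r.token) for r in records)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample sales using the standard Visa and Mastercard test numbers.
    records = [
        merchant_checkout(vault, "order-1001", "4111111111111111"),
        merchant_checkout(vault, "order-1002", "5555555555554444"),
    ]
    for r in records:
        print(r)
    print("breach exposes card numbers:", breach_exposes_card_numbers(records))
```

The design choice worth noting is the deliberate Luhn failure: some real token schemes do the opposite and issue Luhn-valid tokens so legacy validation passes, which makes it harder to tell a token from a card number in a stolen database.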
“We do not see any concern on our side in terms of security,” says Thierry Denis, president in North America for Ingenico, a manufacturer of credit card readers.
But there is a catch. In the first few months after Apple Pay’s launch last year, thieves were able to load stolen credit card details on to iPhones and go shopping. They did not compromise the technology itself; they got through the banks’ processes for checking, during Apple Pay set-up, that the customer adding a card to his or her phone is the card’s real owner.
That fraud started showing up within a month of Apple Pay’s launch last year, with the level of fraud seen through the set-up process far higher than that typically seen with credit cards, according to Cherian Abraham, a payments analyst who wrote one of the first blog posts to call attention to the issue. Given Apple’s sophisticated technology, the fraud was a “surprise to all”, he wrote.
Mr Mital of Symantec said the recent incidents of fraud on Apple Pay were “more of a failure in process than in technology”.
Joe Majka, chief security officer of Verifone, a manufacturer of point of sale terminals where shoppers swipe their cards, says that better encryption on such devices could be a security “game changer”, if widely adopted.
Like tokenisation, encryption means that hackers cannot make as much use of data they might steal if they are able to get into a retailer’s network.
Retailers have been slow to adopt such encrypted systems for various reasons. Regulations in the US are changing later this year, and retailers will soon be responsible for the cost of fraud if they do not accept chip-and-pin cards, which make transactions more secure than a magnetic-stripe swipe.
But small retailers do not often see fraudulent purchases and so may be reluctant to spend on upgrading, without realising that their older systems mean they could be giving hackers a way to steal their customers’ data, says Mr Majka.
For larger retailers, making the shift takes work.
“When you talk to merchants and [payment] processors,” says Mr Majka, “there are so many changes in their systems, in their coding, that have to be made to accommodate an encrypted transaction.”
Other innovations featuring purely digital mobile payments via apps also face risks.
Cash-transfer app Venmo, which is owned by PayPal, recently faced media reports highlighting how hackers could access the app to transfer money to themselves.
Venmo has since added better email notifications and is adding multi-factor authentication to make logging in more secure. But the fact that this was already standard on services such as Gmail underlines how companies do not always use the most secure solutions available on the market.
Similarly, while US banks have been rolling out the more secure chip-and-pin cards for many months in anticipation of the regulatory changes this year, they are not yet available to all consumers.
Mr Majka of Verifone replaced his card recently and wanted a chip card. His bank, however, said he would have to wait. “It’s a little disappointing,” he says.