Mobile payments are being touted as the easiest, most convenient way to swap funds, make purchases and pay bills electronically from almost anywhere. With a mobile device, a user can pay for purchases or bills with the click of a button or by waving the device near a point-of-sale system. This process makes payment and purchases easier for the buyer, but it introduces major risks for the financial institutions that offer the service.
This is not the first time mobile banking has been offered. A few years ago, mobile payments were starting to emerge as the next evolutionary phase in the switch to electronic currency and digital identities. The mobile payment industry was plagued by limitations in technology and the high cost of adoption to both consumers and service providers. Wireless application protocol (WAP) 1.0 suffered major setbacks due to a security gap between the mobile device and the service provider, formally called the "gap in WAP."
Today, many of the technology limitations and security concerns of the past have been reduced, and the mobile payment industry is emerging once again to take advantage of the changes. One important change is the adoption of WAP 2.0, which allows for end-to-end encryption between the mobile device and the service provider.
Risks remain, however, and before financial firms adopt a mobile payment program, they should consider the following key areas of adoption risk:
Third party providers: Mobile payment service providers offer a mechanism for consumers to move value from their existing accounts with banks or other regulated financial institutions. These service providers are financial intermediaries and are classified as money service businesses (MSBs). MSBs have to comply with the laws of the state in which they are incorporated. However, not all states have laws that regulate the activity of an MSB, so careful review needs to be applied during the selection process. If your financial company decides to use an MSB for mobile payment transactions, make sure to review and gain confidence in the MSB's information security practices.
Regulatory and legal liability: The United States currently has few safeguards against abuse of mobile payments. There has been little progress in formulating and disseminating guidance, and traditional money laundering countermeasures are not adequate to address the looming threat posed by abuse of mobile payments to today's e-banking and cashless system. Little funding has been available to date to research and develop laws, which affects enforcement of the few regulations that are in place. Financial institutions must call upon their legal and compliance teams to develop the "rules of the road" for using mobile payment systems. The rules should include a thorough audit of the MSB's active security practices, its Payment Card Industry Data Security Standard (PCI DSS) compliance findings, and a strong contract covering incident response and liability. In addition, if a financial institution participates in a political action group, it should make sure to educate and inform its representatives of the need to develop laws and safeguards for their customers.
Fraud/loss prevention: Financial institutions must be able to monitor and track suspicious activities. The ability to do so requires that transactions be transparent to the financial institution so intelligence can be gathered. This sometimes requires assistance from government intelligence agencies and law enforcement. Unfortunately, these groups have little expertise in mobile payment technologies. Many countries do not have legal codes or regulations regarding the transfer of money via mobile phones. Mobile phone networks have security features that prevent law enforcement and intelligence services from detecting suspected illegal transactions. Technology is rapidly outpacing the government's ability to track the transfer of money, and it can quickly overwhelm a financial institution's ability to remain compliant with the USA Patriot Act and the Bank Secrecy Act.
Given the dynamic nature and magnitude of security threats in the wireless environment, it is vital that financial institutions conduct periodic independent security vulnerability assessments of their mobile payment systems, focusing on the detection and response systems that identify suspicious transactions or payment behaviors. In addition, the financial institution must mandate that its third party payment service also conduct assessments and make them available for review. These assessments should be repeated each time there is a significant change in the environment. Mobile payment fraud procedures should be designed to facilitate swift investigative action to resolve any threats or abuse that are detected. This will help law enforcement and government intelligence agencies to assist your organization if the need arises.
Overall, the mobile payment industry has made significant improvements in the viability and security of electronic payments, but there are still major risks to financial institutions adopting the service today. As education and safeguards improve and the technology becomes commonplace throughout the market, new risks and threats will certainly emerge to challenge today's improvements. Mobile payments can be faster and more convenient and face fewer obstacles, but the same is true for thieves. Financial institutions must weigh the risks and determine if now is the right time to strike.
About the author:
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for GE Financial Assurance, Chief Information Security Officer (CISO) for Genworth Financial and served in information technology leadership roles within Hunton & Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at email@example.com.