Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unresolved Issues Swirl Around Securing Mobile Payments

Posted by samzenpus on from the at-your-own-risk dept.

CowboyRobot writes "While many mobile payments startups are using both traditional and nontraditional authentication methods, regulatory uncertainty still exists around liability for fraud attacks on customers using mobile payments. Although there haven't been any public attacks from fraudsters on alternative mobile payments providers such as Square, LevelUp or Dwolla, anecdotal stories are already circulating among security experts and regulators of such attacks. One thing that still has to be worked out in this area is regulatory oversight. 'The regulators are not yet clear who owns the regulatory oversight for these environments. These technologies tend to fall through the cracks even in terms of card-present or card-not-present.'"

5 of 44 comments (clear)

  1. Phones by girlintraining · · Score: 3, Informative

    Phones aren't secure because most people don't put a password on them, and any app you run for mobile payments on top of that can be hacked, since once you have physical access to the phone, you're pretty well doomed.

    Just stick with the damn cards. If you lose it, your bank will send you a free replacement, and it's instantly disabled. The same cannot be said for access to your accounts with your phone, for which you will not receive a free replacement, and you may have to close your account since unlike a card, your login, password, social security number, date of birth, access to e-mail account, oh... and probably the phone number the bank would call you back at to verify your identity... are now all in the hands of the criminal.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Phones by mlts · · Score: 2

      The ironic thing is that this can be easily addressed.

      All modern ARM chips have the ability to run multiple "worlds", one secure, one insecure. It would be nice to have the ability to have a secure world just for credit card payments, having it use two forms of authentication on that app (face, fingerprint, and/or PIN.) Then, the other world would have the usual phone apps. This way, even if a thief gets the phone and it is unlocked, the critical banking stuff is protected at a low level, and too many guesses at the PIN will result in the partition with the Square or PayPal app getting erased.

      On a more general level, it would allow a device to have one partition for work stuff, one for home.

    2. Re:Phones by stephanruby · · Score: 4, Informative

      Just stick with the damn cards. If you lose it, your bank will send you a free replacement, and it's instantly disabled.

      So this won't affect Square at all. Square is for accepting payments, by sliding a card through it.

      The same goes for LevelUP, LevelUP is the equivalent of keeping a photocopy of your credit card (both front and back) in your wallet. You lose your wallet, you've obviously lost your card.

      The only example where things get dicy is this Dwolla payment solution. Dwolla is for account to account transactions (without going through Visa or Mastercard). It's a lot cheaper because of this, but then, you don't have any of the traditional protections for fraud (unless they're spelled out separately specifically in their terms of use, which honestly, I haven't even bothered to read).

    3. Re:Phones by Shoten · · Score: 2

      The ironic thing is that this can be easily addressed.

      All modern ARM chips have the ability to run multiple "worlds", one secure, one insecure. It would be nice to have the ability to have a secure world just for credit card payments, having it use two forms of authentication on that app (face, fingerprint, and/or PIN.) Then, the other world would have the usual phone apps. This way, even if a thief gets the phone and it is unlocked, the critical banking stuff is protected at a low level, and too many guesses at the PIN will result in the partition with the Square or PayPal app getting erased.

      On a more general level, it would allow a device to have one partition for work stuff, one for home.

      This isn't actually so easy, it turns out. You're describing what's called MLS, or Multi-Level Security. The NSA has tried this on servers, on workstations, and most recently on phones. It's incredibly hard and the underlying system ends up either having security flaws or major usability issues, and either situation costs a fortune. They've ended up giving up on doing it for mobile devices; what they ended up with weighed over a pound and cost thousands of dollars per device. There are some features it has that wouldn't apply here...but the MLS challenge still has yet to be solved in a way that satisfies, on any platform. This "partition" you talk about has to be done in the OS, not the chip.

      Separating things in the chip isn't even half the battle. What, do you run two instances of the OS? Have two separate storage areas? IOS has sandboxing of applications built in, but half the point of solutions like Square is that they can run on multiple types of devices...what if it's Android? It's not just a matter of telling the chip, "oh, this is that OTHER reality..." and walking away proud. If there's not a sandbox around access...in storage, transmission (remember, devices like Square use the audio jack) or in temporary processing in memory, then you don't have separation.

      --

      For your security, this post has been encrypted with ROT-13, twice.
  2. security through insurance by mcelrath · · Score: 2

    So payment security comes down to insurance and legal liability? Fuck that. Truly secure transactions are well within or means, and have been for decades. I want neither to lose my money, nor to funnel billions to criminals through insurance premiums.

    Try again, you jokers.

    hint: chip and pin, two factor authentication, and private keys for cardholders are good starting points.

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.