Mobile Payment Security

Today the mobile device has become one of the most widely used media for conducting online transactions, including payments. This widespread use has forced information security professionals to look carefully at recent innovations in mobile payments, given the massive breaches of payment card data and the ever-increasing number of identity theft crimes.
Some of the mechanisms behind advances in mobile payment technology include:

  • Tokenization. Secure mobile payment applications, or mobile wallets, do not transmit the card’s primary account number (PAN). Instead they send a randomly generated token to the point of sale (POS) terminal and on to the payment network, so the PAN is never exposed in transit or at the merchant. “Tokenization is the security solution that is pushing mobile payments ahead of card payments in consumer sensitive financial information protection in the continuous race to stay ahead of hackers and other threats”. Tokens can be restricted so that they work only for transactions that match specific criteria: a limited period of time, a specific retailer and a monetary ceiling. These domain restrictions are what make a stolen token of limited value to an attacker. Only the issuing bank and other authorized entities can map a token back to the original payment card data.
  • Device-specific cryptograms. A cryptogram sent with the token proves that the payment originated from the cardholder’s device, because it is computed with a key that exists only on that device. If an attacker captures mobile payment transaction data, the cryptogram cannot be replayed from another device or reused for a different transaction, so the stolen data is useless for fraud.
  • Two-factor authentication. This adds a layer of protection against mobile payment fraud by requiring two independent authentication factors. The common factor types are something the user knows (e.g., a PIN or password), something the user has (e.g., the card or the enrolled device) and something the user is (a biometric such as a fingerprint, voice print or facial recognition); a second credential of the same type does not count as a second factor.
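The tokenization bullet above describes three properties: the token is random and format-preserving, it carries domain restrictions (merchant, amount, time), and only an authorized entity can map it back to the PAN. The following is an added example, not code from the original article or from any wallet provider, that implements a toy token service provider with exactly those properties. The class and method names, the registered entity names ("wallet-app", "issuer-bank") and the well-known test PAN 4111111111111111 are assumptions for illustration; real tokens are issued by the payment networks’ token services.

```python
"""Toy token service provider (TSP): added example, not from the original article.

Shows how a payment token stands in for the PAN, how domain restrictions
(merchant, amount ceiling, expiry) limit what a stolen token can be used for,
and why only an authorised entity can map a token back to a PAN.  All names
and the sample PAN are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit that makes `partial + digit` a valid card-style number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of `partial` is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class TokenRecord:
    pan: str
    merchant_id: Optional[str]   # None: usable at any merchant
    max_amount: Optional[int]    # minor units (cents); None: no ceiling
    expires_at: float            # epoch seconds


class TokenServiceProvider:
    """Minimal token vault with domain restrictions and access control."""

    def __init__(self, token_requestors: Set[str], detokenizers: Set[str]) -> None:
        self._requestors = token_requestors     # e.g. registered wallet providers
        self._detokenizers = detokenizers       # e.g. the issuing bank
        self._vault: Dict[str, TokenRecord] = {}

    def issue_token(self, requestor: str, pan: str, *, merchant_id: Optional[str] = None,
                    max_amount: Optional[int] = None, ttl_seconds: int = 3600,
                    now: Optional[float] = None) -> str:
        """Mint a random, format-preserving token bound to the given restrictions."""
        if requestor not in self._requestors:
            raise PermissionError(f"{requestor!r} is not a registered token requestor")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        now = time.time() if now is None else now
        while True:
            # 15 random digits plus a Luhn digit: the token fits legacy 16-digit
            # fields but has no mathematical relationship to the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._vault:
                break
        self._vault[token] = TokenRecord(pan, merchant_id, max_amount, now + ttl_seconds)
        return token

    def authorize(self, token: str, merchant_id: str, amount: int,
                  now: Optional[float] = None) -> Tuple[bool, str]:
        """Payment-network check: does this token cover this transaction?"""
        now = time.time() if now is None else now
        rec = self._vault.get(token)
        if rec is None:
            return False, "unknown token"
        if now > rec.expires_at:
            return False, "token expired"
        if rec.merchant_id is not None and merchant_id != rec.merchant_id:
            return False, "token not valid at this merchant"
        if rec.max_amount is not None and amount > rec.max_amount:
            return False, "amount exceeds token ceiling"
        return True, "ok"

    def detokenize(self, entity: str, token: str) -> str:
        """Map a token back to its PAN; only authorised entities may do this."""
        if entity not in self._detokenizers:
            raise PermissionError(f"{entity!r} may not detokenize")
        return self._vault[token].pan


if __name__ == "__main__":
    tsp = TokenServiceProvider({"wallet-app"}, {"issuer-bank"})
    tok = tsp.issue_token("wallet-app", "4111111111111111", merchant_id="M-001", max_amount=5000)
    print("token:", tok, "at M-001 for 49.99:", tsp.authorize(tok, "M-001", 4999))
    print("same token at M-002:", tsp.authorize(tok, "M-002", 100))
```

The point to take from the `authorize` checks is that a token captured from a POS or a network tap is only as valuable as its domain allows: a merchant-bound, amount-capped, short-lived token cannot be spent elsewhere, and the merchant never holds anything that detokenizes.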

How Mobile Payments Work

A mobile payment is a contactless point of sale (POS) transaction between a consumer’s mobile device and a merchant’s POS device. It is also called a proximity mobile payment, which emphasizes that the consumer is physically present at the POS device: the consumer taps the mobile device on, or holds it over, the merchant’s POS terminal to make a payment. The most common use of mobile payments is at retail locations.
Mobile payment applications on the consumer’s device are often referred to as mobile wallet applications because, like a physical wallet, they can hold the details of multiple payment cards. A secure mobile wallet does not hold the card’s primary account number (PAN). It sends a randomly generated token, rather than the PAN, to the POS terminal and payment network, protecting the consumer’s sensitive financial information while in transit.
Mobile Device Security Architecture

The basic areas include:

Normal Operating System (OS) and Application Environment

An open software environment that runs device and third-party software. Of the three areas, the normal OS and application environment has the lowest level of security, the largest amount of accessible memory and the highest processing speed.
Secure Element (SE)

A tamper-resistant, secure hardware environment that can host multiple sensitive applications and their data. The SE provides the same functions as the chip on a smart payment card. It may take the form of a universal integrated circuit card (UICC, i.e., the SIM card), a microSD card or an SE embedded in the phone’s circuitry. Access to the SE, whether to host third-party applications or to store sensitive data for them, must be requested from the mobile device manufacturer for an embedded SE and from the mobile network operator (MNO) for the SIM card.

Trusted Execution Environment (TEE)

A secure area of the main processor in a mobile device that stores, processes and protects sensitive data and authorized security software, known as trusted applications. The TEE is faster than the SE and has more accessible memory. Trusted applications have controlled access to security resources and services, including cryptography, secure storage, a secure clock, a trusted user interface (TUI) and SE interfaces, via TEE application programming interfaces (APIs). These APIs also allow applications in the normal OS and application environment to exchange data with a trusted application running inside the TEE. The TEE offers a higher level of security than the normal OS and application environment but is not as secure as an SE. To bolster TEE security, the payment keys kept there can be limited-use keys (LUKs) that are changed frequently, so that a key extracted from the TEE is only good for a small number of transactions or a short period. The mobile wallet’s authentication personal identification number (PIN) can be captured and processed through the TEE and compared with the reference value held in the SE, which is more secure than processing the PIN in the normal OS and application environment.
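The device-specific cryptogram bullet earlier and the limited-use key remark above describe one mechanism from two sides: the wallet derives a short-lived key from a device master key and MACs each transaction with it, and the issuer re-derives the same key to check the cryptogram. The following is an added example, not code from the original article or from any wallet vendor, that simulates both sides. The KDF (HMAC-SHA256 over a key index), the message layout, the use limit of three payments per LUK, the application transaction counter (ATC) and all class, function and token names are assumptions for illustration; in a real wallet the master key and the LUK derivation would sit inside the SE or TEE, not in application code.

```python
"""Limited-use keys and per-transaction cryptograms: added example, not from the article.

A wallet holds a device master key (in practice inside the SE or TEE), derives
limited-use keys (LUKs) from it, and MACs each transaction with the current LUK
and a transaction counter.  The issuer host re-derives the LUK and rejects
replays, tampered amounts, cryptograms from a device without the key, and use
of an exhausted or stale LUK.  The KDF, message layout, use limit and all names
are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Tuple

LUK_MAX_USES = 3   # assumed policy: replenish the LUK after 3 payments


def derive_luk(master_key: bytes, luk_index: int) -> bytes:
    """Derive the n-th limited-use key; only the device and the issuer can do this."""
    return hmac.new(master_key, b"LUK" + luk_index.to_bytes(4, "big"), hashlib.sha256).digest()


def transaction_cryptogram(luk: bytes, token: str, merchant_id: str, amount: int, atc: int) -> str:
    """MAC over the transaction data and the application transaction counter (ATC)."""
    msg = f"{token}|{merchant_id}|{amount}|{atc}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()


class WalletDevice:
    def __init__(self, token: str, master_key: bytes) -> None:
        self.token = token
        self._master_key = master_key   # would live in the SE/TEE, never in the normal OS
        self.luk_index = 0
        self.luk_uses = 0
        self.atc = 0

    def pay(self, merchant_id: str, amount: int) -> Dict[str, Any]:
        """Build the payment message that goes to the POS terminal."""
        if self.luk_uses >= LUK_MAX_USES:
            self.luk_index += 1         # next LUK (normally an online replenishment)
            self.luk_uses = 0
        self.atc += 1
        self.luk_uses += 1
        luk = derive_luk(self._master_key, self.luk_index)
        return {"token": self.token, "merchant_id": merchant_id, "amount": amount,
                "atc": self.atc, "luk_index": self.luk_index,
                "cryptogram": transaction_cryptogram(luk, self.token, merchant_id, amount, self.atc)}


class IssuerHost:
    """Issuer/TSP side: holds master keys and per-token counters."""

    def __init__(self) -> None:
        self._master_keys: Dict[str, bytes] = {}
        self._last_atc: Dict[str, int] = {}
        self._luk_index: Dict[str, int] = {}
        self._luk_uses: Dict[Tuple[str, int], int] = {}

    def provision(self, token: str) -> bytes:
        """Generate a master key for a token; returned here to simulate secure provisioning."""
        key = secrets.token_bytes(32)
        self._master_keys[token] = key
        self._last_atc[token] = 0
        self._luk_index[token] = 0
        return key

    def verify(self, msg: Dict[str, Any]) -> Tuple[bool, str]:
        token = str(msg["token"])
        key = self._master_keys.get(token)
        if key is None:
            return False, "unknown token"
        atc, luk_index = int(msg["atc"]), int(msg["luk_index"])
        if atc <= self._last_atc[token]:
            return False, "replayed or stale counter"
        if luk_index < self._luk_index[token]:
            return False, "stale limited-use key"
        if self._luk_uses.get((token, luk_index), 0) >= LUK_MAX_USES:
            return False, "limited-use key exhausted"
        luk = derive_luk(key, luk_index)
        expected = transaction_cryptogram(luk, token, str(msg["merchant_id"]), int(msg["amount"]), atc)
        if not hmac.compare_digest(expected, str(msg["cryptogram"])):
            return False, "cryptogram invalid"
        # Only an accepted transaction advances the counters.
        self._last_atc[token] = atc
        self._luk_index[token] = luk_index
        self._luk_uses[(token, luk_index)] = self._luk_uses.get((token, luk_index), 0) + 1
        return True, "approved"


if __name__ == "__main__":
    host = IssuerHost()
    device = WalletDevice("4895123412341234", host.provision("4895123412341234"))
    first = device.pay("M-001", 1250)
    print("genuine:", host.verify(first), "replay:", host.verify(first))
```

Two design points matter for the "stolen data is useless" claim. First, the verifier only advances its counters on an accepted transaction, so a rejected forgery cannot burn a legitimate counter value. Second, the LUK use limit is enforced by the host as well as the device: a key pulled out of a TEE buys an attacker at most `LUK_MAX_USES` payments before the host refuses it, which is the whole point of changing LUKs frequently.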
Mobile Payment Ecosystem
The major stakeholders in a mobile payment ecosystem include:

  • Merchants—Retailers, transportation providers and vending machine/kiosk providers
  • Cardholders—Mobile payment users
  • Service providers—Card payment networks, payment processors and mobile wallet application providers, such as Android Pay, Apple Pay and Samsung Pay
  • Token service providers (TSPs)—Can be independent from the card payment network or payment processor, or can be integrated with a card payment network or payment processor. TSPs are authorized to provide payment tokens to registered token requestors.
  • Issuers—Payment card issuing banks
  • Acquirers—Merchant banks
  • Payment card brands and their payment networks
  • Mobile device manufacturers
  • Mobile network operators
  • POS terminal manufacturers

Security Considerations

From a security point of view, mobile payments can seem daunting at first look. Much of the technology and underlying mechanics is complex, and the payment life cycle and ecosystem can seem relatively “closed” from a traditional “blocking and tackling” security point of view. That is, a merchant accepting mobile payments often has a security organization with no direct control over the POS, and an enterprise that allows mobile payments from employer-issued devices (or a corporate card in a wallet on a bring your own device (BYOD) device) often finds those devices outside the direct purview of the security organization. The temptation may therefore be for security practitioners to conclude that the mobile payment process is out of their scope, or to approach the area with less diligence than they would apply to technology components they control more directly.
This is rarely the best approach. Instead, the security practitioner should evaluate the specific use case and, just as with any other technology adopted by the enterprise, identify the points of attack, the specific countermeasures that raise the bar for those avenues of attack, and the areas where controls can be deployed that support or complement those inherent in the mobile payment platforms in use. What this looks like depends, of course, on the use case. The following are some key areas that security practitioners may wish to evaluate in a mobile payments scenario.

Points of Sale

For security professionals who are part of a merchant enterprise, the POS is one of the most critical areas even before mobile payments enter the purchasing process: compromise of the POS has been at the root of large-scale breaches of cardholder data.
The introduction of a mobile interaction point to the POS is therefore an area that security professionals need to consider. First, an upgrade to the POS can affect existing environments and controls. Where a retail location’s POS requires an upgrade or refresh to support mobile payments, evaluate the security of the new platform, from a configuration, network architecture and overall hygiene standpoint, to ensure that it retains the same hardened, robust configuration and properly functioning security controls as before. Keep in mind that beyond the terminals themselves, the supporting infrastructure they rely on (such as network connectivity and segmentation) should also be reviewed to ensure ongoing resilience and a robust configuration.

Mobile Device Hygiene

Non-merchant enterprises that are embracing mobile payments for enterprise users face a different set of challenges. There is no POS to worry about, but enterprise users employ mobile devices for payment, and because payment is involved, the stakes for those devices are higher from a security standpoint. These might be enterprise-issued devices (i.e., mobile phones procured by the enterprise for employee use), but other situations are common: a BYOD device used for payment, a personal mobile wallet loaded with a corporate card, or any number of other configurations. Practitioners may therefore wish to implement mechanisms that keep such devices in a known, hardened and reliable configuration whenever they are used in a payment context. They might, for example, ensure that a “rooted” or “jailbroken” device cannot take part in a mobile payment transaction flow, or that only approved wallets can be installed on mobile devices. Numerous tools in the marketplace promise to help with this, for example enterprise mobility management (EMM) platforms, mobile device management (MDM) platforms and mobile application management (MAM) tools. Antivirus software may be a requirement on mobile devices to protect against malware that attempts to execute fraudulent purchases using the mobile wallet. Note that root/jailbreak checks performed by an app on the device itself can be defeated by a sufficiently compromised device, so they should be treated as one signal rather than a guarantee. These are, of course, only a starting point, and specific countermeasures should be evaluated by the practitioner in light of the specific usage, their particular security requirements and other factors unique to the enterprise.

Governance Considerations

Three primary governance areas should be considered: risk management, organizational policy and regulatory compliance. The following sections discuss each of these areas in further detail.

Holistic Risk Management

Security practitioners may wish to evaluate the risk areas of any enterprise-, usage- or technology-specific factors they have and conduct a risk assessment and risk treatment exercise the same way that they would with any other technology. Once their risk treatment plans or mitigation measures are in place based on that analysis, ongoing monitoring of the risk control measures and changes in the threat landscape ensures that the risk stays controlled over time.
Organizational Policies and Procedures

The governance structures that are in place might need to be reevaluated. Because policy is the codification of management intent, as a practical matter this means that policy might be affected. Specifically, policies and procedures relating to mobile device use, payment acceptance for merchants, etc. might need to be revisited in light of the introduction of mobile payments. Some highly regulated environments, such as the financial industry, are required to update their policies to support new processes or technologies. A practical step is to systematically evaluate existing policy in light of mobile payments: Does existing policy address mobile payments, or is new policy required? Do existing policies/procedures preclude a mobile payment scenario? If so, how can they be adjusted?
Regulatory Compliance

The regulatory compliance posture of an enterprise may be affected by the adoption of mobile payments. The impact could be positive or negative depending on the specific circumstances. For example, a merchant upgrading the POS from a legacy implementation to something newer to support mobile payments could improve its compliance standing: a newer POS might support features such as tokenization or point-to-point encryption (P2PE) of cardholder data that the legacy implementation did not. Alternatively, where mobile devices are used as the POS, regulatory compliance (and compliance reporting) might become more complicated. Practitioners may therefore wish to bring the compliance personnel in their enterprises into the mobile payment discussion early to discuss possible impacts and the enterprise’s response to them.
Suggested Controls

Mobile payments can impact the enterprise significantly, regardless of the specific discipline/role within which practitioners operate. To help practitioners prepare for mobile payment usage, the following table outlines several suggested controls that practitioners may wish to consider for their own use. Note that this is not intended to be an exhaustive list and not every control will be appropriate for every enterprise or situation. As always, practitioners should evaluate the specifics of their usage and implement controls based on their own risk profile and unique factors.

Configuration management

  • Objective: Ensure that points of sale and/or supporting devices are kept in a hardened state and a known configuration.
  • Suggested control: Establish a known-good configuration for points of sale and use technical measures to ensure that this configuration is enforced.
  • Verification: Observe the configuration management system and interview administrative personnel to confirm that technical settings maintain the known-good configuration.

Vulnerability assessment and penetration testing

  • Objective: Ensure that points of sale and/or supporting devices are appropriately patched.
  • Suggested control: Use vulnerability scanning tools to locate vulnerabilities in critical devices such as points of sale, and ensure that the issues found are remediated.
  • Verification: Review the results of vulnerability assessment and/or penetration testing activities. Ensure that testing is conducted periodically and that identified issues are addressed.

Application security process management

  • Objective: Ensure that applications that intersect the mobile payment process are robust and hardened.
  • Suggested control: Use a robust application development process and/or application security development approaches that build security in (e.g., threat modeling).
  • Verification: Interview software development staff and/or review process documentation for any software that supports mobile payments, to ensure that in-house software is developed using a robust process with security built in.

Application security testing/scanning

  • Objective: Ensure that the point of sale and other mobile payment-accepting applications are robust and hardened.
  • Suggested control: Use application security scanning software (e.g., dynamic or static analysis tools) or application-focused security testing to ensure that applications supporting the mobile payment process are secured.
  • Verification: Review a sample of application scanning results and/or testing reports. Ensure that the artifacts are current, reflect ongoing/periodic use and that identified issues are addressed.

Risk analysis: tokenization

  • Objective: Ensure that the token service provider and its token vault use a model commensurate with organizational risk tolerances.
  • Suggested control: Conduct a security review of the tokenization methodologies in use for the mobile payment models supported. Implement compensating controls as needed.
  • Verification: Interview security team members and/or review risk analysis artifacts. Ensure that the risk analysis was performed.

Security awareness training

  • Objective: Strengthen fraud prevention through effective user education and awareness.
  • Suggested control: Integrate mobile payment concerns into employee security awareness training.
  • Verification: Review security awareness training materials and ensure that they address mobile payments. For organizations that allow mobile payments from corporate-issued phones, ensure that training covers the mobile device policy; for organizations that accept mobile payments, ensure that training covers security-relevant point of sale procedures.

Mobile device configuration management

  • Objective: Ensure that the following conditions hold on any mobile device used for payment:
      • no root/jailbreak;
      • latest OS version and/or patch release;
      • on Android devices, antivirus/anti-malware software for additional risk mitigation;
      • strong two-factor authentication;
      • full device encryption turned on.
  • Suggested control: For organizations allowing mobile payments from employee-owned or corporate-issued phones, implement a mobile device management system, or an equivalent mechanism or process, to ensure that mobile device configuration is managed.
  • Verification: Interview system administrators and/or review the configuration of mobile device management tools. Ensure that procedures and/or tools enforce the appropriate configuration on all devices that will be, or could be, used for mobile payment transactions.