Payments on the Move: Mobile payments are the weakest link
Consumers are turning on to payment by mobiles but levels of fraud are higher, posing a threat to retailers and banks.
After years of jostling between telcos and banks in the US and Europe, m-payments look likely to make a breakthrough in 2011.
Orange and Barclaycard in the UK and a consortium including Barclays, Discover Financial Services and AT&T in the US are working on bringing point-of-sale mobile payments to consumers this year.
The focus has now shifted from arguments about how banks and telcos might share revenues to making m-payments work and, crucially, mitigating security risks.
Security is an important issue for mobile payments because they have not benefited from the years of fine tuning applied to card payments and internet banking.
Fraud is on the decline in countries across the world following the introduction of global standard EMV smart card technology. Point-of-sale fraud has declined substantially because cards are virtually impossible to clone and PIN codes have replaced signature verification.
Instead, it is shifting into the fast-growing world of e-commerce, where mobile payments are starting to play a bigger role. Mobile payment-accepting retailers in the US are experiencing higher levels of fraud than their online and bricks-and-mortar counterparts, according to research conducted by Javelin Strategy and Research in October. Mobile payment-accepting merchants experienced fraud levels of 1.13% of total revenue, compared to 0.83% for online-only merchants and 0.86% for online and bricks-and-mortar merchants. As the volume of mobile payments grows, this discrepancy will become more of a pressing problem.
Reducing this fraud is important for all stakeholders: consumers, banks, retailers and telcos, according to Harko Robroch, managing director of Riscure, a Netherlands-based technical security specialist.
“It matters to all parties,” he says. “As a merchant, you constantly decide whether to accept payments and you should understand the risks involved because fraudulent transactions cost money. For banks, they want to operate the best payments systems possible. If you have one service that is not sensitive to fraud and another that is, then you can see which one merchants and consumers will prefer.”
The level of fraud risk on mobile payment transactions depends on the type of mobile payment transaction. M-payments can be made via text, remotely through a mobile browser, or through proximity payments, where a phone is passed close to a reader to make a transaction at the point of sale.
Most of the current emphasis in m-payments has been on these proximity transactions, which are achieved using Near-Field Communication (NFC) technology, and are considered the most secure. There have been over 100 trials of the technology worldwide in all of the world’s major economies.
Robroch says mobile NFC payments face many of the same security concerns as contactless cards, which have been introduced widely in Turkey and more recently into Europe. These include eavesdropping, where observers try to obtain confidential information about transactions at a distance, and denial of service, where third parties may try to disrupt a transaction in some way.
The most important mobile phone-specific security issues include provisioning, which refers to the secure download of payment applications onto the phone's SIM or secure chip, and the protection of that data once it is there.
These issues are mitigated by the appointment of Trusted Service Managers (TSMs), usually technology providers with specialist knowledge of both banking and mobile security. TSMs can help service providers distribute and manage contactless services for their customers using the networks of mobile operators.
Payment applications are preferably downloaded onto the SIM or a separate NFC chip installed in the handset because data stored on these elements is much harder to attack or corrupt than data stored in software within the mobile device.
“Banks would prefer for the payment application to be based on the mobile phone itself, rather than the SIM card,” says Robroch.
“The problem from a security perspective is mobile phones are a very open platform and hard to secure. This has been a big discussion between the banks and telcos: which functionality can they place in the phone’s open environment and which can they put on a smart card or SIM card?”
For remote mobile payments, which allow the purchase of goods or services online through mobile web browsers or applications, this is a particular concern.
One solution is to outsource completely the storage of the payment information on the mobile phone, as UK-based mobile banking business Mobank has done. Run by former First Direct and Egg banker Steve Townend, Mobank provides a front-end system which customers of any bank can use.
Once a user provides their card details to Mobank and downloads its application onto their phone, payments are authorised through a four-digit PIN and the user’s unique telephone number. Its banking and payments platform links back to the consumer’s account when payments are executed. Transactions appear as ordinary internet purchases on the bank statement.
Mobank holds the customer payment details fully encrypted at an independent third party, NTT DoCoMo, an established player in Japan’s m-payments market.
“The first company that can persuade consumers that banking on your mobile is secure is going to have a tremendous advantage,” says Townend.
“Everything else about it is so much quicker and more convenient than internet or branch-based banking.”
After years of stalemate in negotiations between telcos and banks, it looks like 2011 will be the year mobile payments finally enter the mainstream. The race is now on for providers to convince consumers and merchants that their platforms are secure.