news image

Why the PayPal logo is not enough to secure your mobile payments app?

18 Mar 2016

Veselin Borisov, Security Engineer at Imperia Mobile and Radoslav Gaydarski, COO at Imperia Mobile commented on the things we need to know about mobile security and financial transactions at Security Expo 2016 held on March 17th in Sofia.

Welcome to the digital age, where pickpockets are more likely to steal you smartphone than your wallet (and if you are that unlucky, they will take both). Electronic payments opened the door to comfort while closing the one to the endless queues at cash desks. Technology went one step further and now mobile transactions are inseparable part of the everyday reality. A growing number of businesses rely on platforms such as PayPal as they become a synonym of reliability. In purely marketing terms, using third party providers of financial services can boost the trustworthiness of you app. However, we should ask ourselves are there other issues to worry about when we go mobile with our money.



How do mobile payments work?


When you pay via mobile devices, your lord and savior is the Security Element (SE).  Think of it as an embedded chip, or removable hardware such as microSD or a sim card that practically encrypts your data and makes it very hard to steal. The SE has three main components – the Java Card Runtime Environment (JCRE), Proximity Payment System Environment (PPSE) and Payments Application. JCRE is a technology designed to provide security of smart card transactions. One of its main features is the isolation of the user’s data. Basically, JCRE acts like a firewall and restricts the communication between the different sources in a transaction.  In other words, online stores do not have access to customers’ bank details. The Proximity Payment System is based on a register of authorized applets, which is editable only from the SE administrators. The last component – the payments application contains the most valuable data – the user’s details. The payment application is practically responsible for the actual payment and for this reason it uses dynamic card verification codes. Such DCVV are generated virtually and are used for the so-called contactless payments. To sum up, the SE provides three layers of security, which makes it quite tricky to break.



The Risks


There are several soft spots when it comes to mobile payments that go beyond a PayPal account. SE is a multi-level security technology. Yet, claiming that SE is unbreakable is like saying that Titanic is unsinkable. To date, users cannot expect full protection. There is always a risk. The tricky part is that if somebody wants to obtain a user’s data, he or she should do so via targeting separate devices individually. In other words, it is technologically possible, but practically infeasible.


One of the riskiest scenarios is using a device that has been jailbroken. Jailbreaking an iPhone is a stairway to heaven for many users as the access to media and apps is unlimited. Yet, pimping up a smartphone, usually comes at a very high cost, and by cost we mean opportunity cost. Jailbreaking practically removes manufacturers’ restrictions and, apart from the benefits, it makes a mobile device an easy target for cybercriminals. Additionally, rooted devices face the risk of both hardware and software attacks, where sensitive pieces of information may become available to third parties via malicious apps or physical devices.


As technology surprises us on a daily basis, security measures become more sophisticated. The Security Element, mentioned above, is quite advanced measure for protecting sensitive data. However, we should not exclude the scenario where a mobile device gets lost or stolen. In such situations, the worst that can happen is open access to your PayPal account. Security goes in the trash as the additional key you need to provide is usually sent by SMS.     



Summing it up


So are mobile payments a functionality or unnecessary risk? Truth is that mobile transactions are not that different from their web counterparts from a technological perspective. If we compare the amount of times we have shopped online and the amount of times we got hacked, we might get a sigh of relief. On top of that, biometric marks and the digitization of credit cards are becoming a reality, which adds another level to the reliability of mobile transactions.