Payment providers need to ensure that steps are being taken to combat a broadening attack surface. This is the warning from Promon, a provider of protection for applications against existing and new malware threats.
With the recent announcement that PayPal will team up with Android Pay to bring its services to the mobile payments world, and a survey highlighting mobile payment capabilities as the most in-demand technology for retailers, the industry is clearly in the midst of a boom. However, Promon claim that this continued proliferation can only be maintained if security considerations make up a key part of mobile payment implementation.
According to the survey, 65% of the IT managers and C-level executives polled cited mobile payments as being the most sought-after technology at their organisation. In the face of this sustained growth, it is crucial that businesses are mindful of the wider attack surface that this creates for cyber criminals, as well as the fact that user habits are still not up to scratch when it comes to responsible mobile device usage.
Tom Lysemose Hansen, founder and CTO at Promon, said: “There is no doubt that mobile payments are set to play an increasingly pivotal role in the way people make purchases in future months and years. Despite their inevitable benefits in terms of convenience and user friendliness, there remain security concerns that must be addressed before hackers capitalise on this rapidly growing adoption.”
To illustrate this point, separate research has pointed out that 34% of mobile users do not lock their devices, and of those who do, 62% use an easily decipherable code, such as 1234. This points to lingering security issues that are caused by individual user behaviour. As the number of devices embracing mobile payment methods increases, cyber criminals have a much broader attack surface on which to conduct their activities.
Hansen added: “With so many users neglecting to enforce strict security measures on their own devices, hackers have a potential entry point through which they can infiltrate a device, and ultimately access personal payment data stored within an app.”
To reduce the severity of this problem and to safeguard their reputations, Hansen believes that mobile payment providers, banks and associated businesses need to take a two-fold approach to security: encouraging responsible user behaviour as a core tenet of their implementation and advertising campaigns, and taking the initiative in securing their own apps.
Hansen said: “It is impossible for mobile payment providers and banks to monitor how every one of their customers is behaving. However, encouraging positive security practices can go a long way towards changing attitudes, and is a clear demonstration of an organisation’s commitment to comprehensive cyber security.
“Alongside this, mobile payment providers need to implement technology that protects individual apps from intrusion, regardless of any malware that may be residing on a user’s device. Run-time application self-protection (RASP) can work well here, by guarding apps both while they are running and idle. Such technology is simple to implement, and also aids mobile app development by ensuring security controls do not hinder the development process.”
He concluded: “With mobile payments continuing to surge in popularity, payment providers and their partners cannot afford to take any chances with security.”