Guest Analysis: The Mobile Misconception
Brandon Barney, CISSP
July 22, 2013 – Touted as the future of payments, mobile point of sale (mPOS) has the potential to forever change the interaction between business and consumer. mPOS enhances the customer experience, minimizes processing costs, and amplifies convenience.
It’s easy to see how mPOS convenience assists micro-merchants like small pizza delivery chains and local farmers markets, but it has also begun to gain traction with well-known retailers. In 2012, J.C. Penney, Costco, Sephora, and REI announced initiatives to use tablets and smartphones to enable mobile checkout. Some even plan to eliminate all stationary point of sale systems in the next few years. According to a March 2013 statement by J.C. Penney CEO Ron Johnson, 25% of all J.C. Penney in-store purchases are made using an mPOS system.
Although mPOS adoption is gaining momentum, mobile security continues to lag behind. Many in the payments industry are enthusiastic and ready to implement mPOS without considering the baggage of security issues inherent to mobile. As a security specialist, I’m very concerned about the lack of mobile security know-how among payments industry professionals.
There is a strong security misconception about mobile devices. Because smartphones and tablets are highly technological and advertised as ‘safe’, many misinterpret that as automatically ‘secure’, requiring no action on the part of consumers or merchants. Although there are robust technologies that can make mobile devices secure for payments, many don’t realize that action is required to enable such capabilities. Mobile devices are created for convenience, the prime antagonist of security in the absence of an informed consumer or merchant. A mobile device far outstrips a typical POS terminal in technological capability, but without additional user- or merchant-enabled protections its payment-processing security might not be up to par.
Due to a variety of hard-to-regulate factors, mobile devices have the potential to be riddled with multiple vulnerabilities. A few such factors:
- Android app markets are highly unregulated. Through such markets, malicious criminals can easily install new apps or repackage old apps with malware to steal data processed through a mobile device.
- Merchants that manually type customer payment data on their mobile keypad bypass the encryption they would otherwise get from an encrypt-at-swipe hardware reader.
- Mobile users don’t regularly install updates to their operating system or apps, which usually contain patches for known security holes.
- The majority of smaller to mid-sized organizations lack the employee and organizational security policies that regulate a mobile processing environment.
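The four factors above can be expressed as machine-checkable conditions that an acquirer or merchant could enforce before accepting a transaction. The following is an added example (not code from the original post or from SecurityMetrics): a small policy evaluator over constructed device and transaction records. The installer-source labels, the approved-build hash table, the 90-day patch window and the entry-mode names are all assumptions made for the example.

```python
"""Added example: map the mPOS risk factors (untrusted app markets,
manual card entry, stale OS patches, missing device policy) to a
per-transaction policy check. All data and thresholds are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy thresholds and allow-lists (assumptions for this example).
MAX_PATCH_AGE_DAYS = 90
TRUSTED_INSTALLERS = {"google_play", "apple_app_store"}  # hypothetical source labels
# Hypothetical allow-list of approved mPOS app builds, keyed by version string.
APPROVED_APP_HASHES = {"mpos-app-1.4.2": "3f9a0c7e-constructed-hash-c1"}


@dataclass(frozen=True)
class Device:
    installer_source: str   # where the mPOS app was installed from
    app_version: str
    app_hash: str           # hash of the installed app package
    os_patch_date: date     # date of the last OS security update applied
    mdm_enrolled: bool      # covered by the merchant's mobile device policy


@dataclass(frozen=True)
class Transaction:
    entry_mode: str   # "swipe_encrypted" (hardware reader) or "manual" (keyed on screen)
    amount_cents: int


def evaluate(device: Device, txn: Transaction, today: date) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for this device/transaction; empty means clean."""
    findings: list[tuple[str, str]] = []

    # Factor 1: app obtained outside a curated market, or a build whose hash
    # does not match the approved one (possible repackaging with malware).
    if device.installer_source not in TRUSTED_INSTALLERS:
        findings.append(("block", "app installed from an untrusted market"))
    if APPROVED_APP_HASHES.get(device.app_version) != device.app_hash:
        findings.append(("block", "installed app does not match the approved build"))

    # Factor 3: OS security patches not applied within the policy window.
    if (today - device.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        findings.append(("warn", f"OS patches older than {MAX_PATCH_AGE_DAYS} days"))

    # Factor 4: device not covered by an organizational mobile policy.
    if not device.mdm_enrolled:
        findings.append(("warn", "device not enrolled in a mobile device policy"))

    # Factor 2: card data keyed manually bypasses encrypt-at-swipe protection.
    if txn.entry_mode == "manual":
        findings.append(("warn", "card data keyed manually; encrypt-at-swipe bypassed"))

    return findings


def decision(findings: list[tuple[str, str]]) -> str:
    """Collapse findings into an action: decline, accept with review, or accept."""
    if any(severity == "block" for severity, _ in findings):
        return "decline"
    if findings:
        return "accept_with_review"
    return "accept"


if __name__ == "__main__":
    today = date(2013, 7, 22)  # constructed reference date
    managed = Device("google_play", "mpos-app-1.4.2",
                     APPROVED_APP_HASHES["mpos-app-1.4.2"], date(2013, 7, 1), True)
    sideloaded = Device("sideload", "mpos-app-1.4.2", "0000deadbeef", date(2013, 3, 1), False)
    swipe = Transaction("swipe_encrypted", 1999)
    keyed = Transaction("manual", 1999)
    for dev, txn in ((managed, swipe), (sideloaded, keyed)):
        found = evaluate(dev, txn, today)
        print(decision(found), found)
```

The severity split matters in practice: a repackaged or sideloaded app is a device-integrity failure and blocks outright, while a stale patch level or a manually keyed card is a risk signal that the acquirer can route to review rather than refuse on the spot.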
Just as a merchant and ISO/acquirer are liable for payment data breaches via traditional processing methods, mobile POS breaches may also pose a serious business threat. Since the same PCI regulation rules apply to mobile transactions, it is in an acquirer’s best interest to regulate the security of their merchants’ mobile devices. This can be achieved through mobile scanning app programs, such as SecurityMetrics MobileScan, to ensure merchant devices are tested and vulnerabilities remediated.
The craze of mPOS will only increase with time, and likely exponentially. The best way for industry leaders to start regulating mobile security is through education. Advocate the regulation and importance of mobile security in your individual job in order to protect customer transactions, merchant business, and the payments industry.
Brandon Barney is the Security Support Manager at SecurityMetrics. The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.