Does anyone think this is a good idea?
Surely there are major security issues here.
Discuss
Paying for goods and services via your mobile is gradually getting easier. In London, you can pay for parking by sending a plain text SMS; in Sweden, you can pay for taxis and coffee using another text-based payment mechanism; ticket providers now send m-tickets for lower-value events. Generally, we see companies dabbling with mobile payment mechanisms.
Many of these systems use standard messaging services, and these provide several means of attack, from inbox/sent item message snooping (if you leave messages on the handset, you could consider them as open as leaving them on a piece of paper) through to more technically challenging attacks such as over-the-air snooping (your mobile ‘phone is a radio when all is said and done), cellular interception or installing covert snooping software, viruses etc. By far the easiest way to do this is via Bluetooth, and most viral attacks on mobiles use either Bluetooth or Wi-Fi to propagate themselves.
Some assume that mobile ‘phones will also support payment via near-field communication devices incorporated within handsets. There are models that support NFC, but consumers have to consider how much value to associate with a device that anyone can wave over a till. However, we do see trials with major card companies such as Mastercard and Visa starting in coffee shops in the US.
If mobile telephones become the standard device for managing personal finance, risk management services have to improve. Potentially, having everything on a device that is open to wireless data transfer could cause considerable problems. Having an effective security framework that limits who has access to information and what data devices store becomes more critical than ever.
Losing a ‘phone and having things in plain view could compromise your duty of care – and, in the case of parking, if your device contains home address, credit card (or payment) data and the time you are away, then this is an ideal invitation to someone to attack you for your handset. But, who says you need physical access? If this is done by snooping via cellular interception or Bluetooth, for example, users wouldn’t even know their data was compromised.