View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Mobile Payments, are they secure?

With Apple Pay's UK arrival, many have raised questions over the security behind mobile payments.

By Cbr Rolling Blog

Mobile payments are expected to grow exponentially in the coming years. Recent research has revealed that more than 31 million (92%) of UK mobile users will make payments with their mobile device in 2015. With the launch of contactless payments across the UK and trailblazers like TFL accepting contactless payments for travel across the entire TFL network, everyone is becoming more and more familiar with the technology.

With Apple Pay launching in the UK this week, the idea of not having to dig into our wallets or purses for a card is becoming a reality. With phones usually in hand as we queue (heaven forbid we might strike up a conversation with another customer) all we have to do is touch our phone to the reader and we can walk away, without even looking up from Candy Crush! However, there are a number of security issues to overcome before mobile payments hit the mainstream.

Unlike mobile phones, there is inherent security built into your contactless card. Encryption, secure communication between your card and the terminal, as well as additional protections all ensure your data is not compromised. One of the main features is the Secure Cryptographic Element (SE) which is built into the chip on your card. This is used to make sure your details are safe during the transaction.

Apple v Android

With this in mind, Apple has included a Secure Element in their Apple Pay solution in the iPhone 6, iPhone 6+ and the Apple Watch. As Apple claims, on the Secure Element your token and its accompanying cryptogram are "isolated from iOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites."

However, what happens in the fragmented world of Android and Windows where the phones are made by a multitude of companies? These phones typically do not include a SE, as each manufacturer would use their own hardware and it would be very difficult to include the required software libraries in the OS for all these different models.

Initially, the idea of using SIM cards to verify payments was put forward. In principle, this was a good solution; Everyone has a SIM card, it can be used to store cryptographic keys, and can be called upon by the mobile payment app when it is needed at the time of payment. Most importantly it can be isolated from the OS, and any potential malware that could infect the device. Unfortunately the MNOs (Mobile Network Operators) own the SIM card and control the allocation of these and what software can be installed on them. In a time when their revenues are in decline, with huge consolidation in their market, they wanted a piece of the mobile payments pie. As a result, the SIM approach never really took off, such as Barclays Quick Tap which was closed last year.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Solution? Google IT

Enter Google, the owner of the most widely deployed operating system for mobile devices on the planet, Android. They have devised a potential solution. They have developed a software based system of emulating a SE (Secure Element) on a device which has none. This is called HCE, (Host Card Emulation) and makes a mobile phone act like a smart card. This allows, for example, a mobile phone to be used in a payment transaction at point-of-sale instead of a contactless smart card.

Based on this, you’d think Android’s solution would be a game changer, making mobile payments available to everyone, not just owners of Apple Phones! However, if you dig a little deeper, all may not be as it seems. Android is widely reported as the most infected mobile OS in use at the moment – a recent report by Symantec says that 1 in 5 Android apps contain Malware. This HCE solution is based in software and is accessible from the main OS through a series of API calls. If we have learned anything from recent cyber security breaches, it has to be that anything running software is vulnerable.

Bank on innovation

So what can be done? Currently the liability of a fraudulent payment remains with the card issuer, which in most cases is your bank. As a result, banks are looking at ways for users to use their online banking app to pay directly from their account, bypassing the need for an intermediary service.

For this to be effective, user behaviour must be taken in to account as much as the technology, for the reasons detailed above. Out of band device identification would also need considering as well as additional information points to flag any suspect transactions – all without hindering the customer experience. For example, the mobile payments application should be able to monitor the status of the device, checking for malware or other suspicious behaviour that may be manipulating the HCE process to steal data. The app could then send this information, outside the payment process via the device’s internet connection, to the issuer. Here the validity of the transaction could be determined using historic usage patterns, device fingerprinting and so on.

Regardless of the chosen approach or solution, it is this level of innovation and attention to security which providers need to show to ensure our transition to advanced mobile payments is a smooth and secure one.


By Gary Newe, Technical Director, F5 Networks

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.