Electronic money has gained tremendous popularity among consumers and corporations because of its convenience, speed, and ease of use.


With the increasing penetration of smartphones around the world, we have also witnessed the rise of mobile financial solutions such as mobile payment systems and digital wallets.

People are quickly migrating from cards to digital wallets for making payments in all kinds of places.

However, a few skeptics feel that digital wallets are not a safe mode of payment, for users or for service providers.

Wallets like Google Pay, Venmo, and Samsung Pay, on the other hand, serve as good examples of safe and secure digital wallets used around the world.

But we can't totally ignore the security threats that digital wallets may pose. If you're looking to develop a digital wallet solution, this blog is for you.

In this blog, we will discuss the various security threats that a digital wallet may face and their possible solutions.

Potential user threats to a mobile wallet application

Phishing attacks

Probably the most common type of attack is phishing, typically carried out through phishing emails.

The prime objective of these attacks is to trick the user into disclosing information.

Social engineering

In social engineering, attackers gather the user's data that is available in the public domain.

They either use it for fraudulent payments or sell it on underground market forums. Sometimes attackers also use the stolen information to impersonate the victim.

Installing malware applications unintentionally

Attackers trick users into installing malware with the help of malicious attachments that redirect them to malicious URLs, fake access points, insecure Wi-Fi hotspots, and spoofed networks.

That's how they gain access to the user's mobile wallet payment information.

Possible security measures

  • Refrain from using public Wi-Fi hotspots for digital wallet payments.
  • Educate people about security threats and raise awareness.
  • Learn to distinguish between fake and real websites and access points.


Mobile device concerns

Illegal access to a lost or stolen device

If your mobile phone is lost or stolen, attackers can easily gain unauthorized access to all the data stored on the device.

They can also steal your fingerprint data, which can then be used in the authentication step of a fraudulent transaction.

Mobile device as a target

Mobile devices are more prone to attack because they are an easier target than the mobile app itself.

Once the device is under their control, attackers can use it for illegal activities such as installing spyware, using sensitive data, making fraudulent transactions, and more.

Implementation issues

IT is a competitive field in which new functionality is released continuously.

Because of this, there is a risk of running potentially immature code that is highly susceptible to security threats when implementing a mobile payment solution.

Possible security measures

  • Keep your operating system software updated.
  • Keep the default security controls on your device enabled.
  • Use a strong PIN and keep the PIN lock enabled.
  • Keep biometric data secured.
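"Use a strong PIN" is only enforceable if the wallet app rejects weak ones at enrolment. The Go function below is an added example written for this post, not code from the original article or from any wallet vendor; the policy it implements (at least six digits, no single repeated digit, no ascending or descending run, no short repeating block) is an assumption chosen for illustration, and a real product would tune it and add a list of the most commonly chosen PINs.

```go
package main

import "fmt"

// WeakPINReason returns "" when the PIN passes the policy, otherwise a short
// reason it was rejected. The policy is an assumption for this example.
func WeakPINReason(pin string) string {
	if len(pin) < 6 {
		return "too short: use at least 6 digits"
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return "digits only"
		}
	}
	// Walk the digit differences once to detect 111111, 123456 and 654321.
	allSame, asc, desc := true, true, true
	for i := 1; i < len(pin); i++ {
		d := int(pin[i]) - int(pin[i-1])
		if d != 0 {
			allSame = false
		}
		if d != 1 {
			asc = false
		}
		if d != -1 {
			desc = false
		}
	}
	if allSame {
		return "all digits identical"
	}
	if asc || desc {
		return "sequential digits"
	}
	// Repeating pattern: the whole PIN is a short block repeated (e.g. 123123).
	for block := 1; block <= len(pin)/2; block++ {
		if len(pin)%block != 0 {
			continue
		}
		repeating := true
		for i := block; i < len(pin); i++ {
			if pin[i] != pin[i-block] {
				repeating = false
				break
			}
		}
		if repeating {
			return "repeating pattern"
		}
	}
	return ""
}

func main() {
	// Constructed sample PINs; the last one passes the policy.
	for _, pin := range []string{"1234", "111111", "123456", "123123", "749201"} {
		if reason := WeakPINReason(pin); reason != "" {
			fmt.Printf("%s rejected: %s\n", pin, reason)
		} else {
			fmt.Printf("%s accepted\n", pin)
		}
	}
}
```

The check runs entirely on the device at enrolment time, so it does not need the PIN to leave the secure input path; the server never sees the candidate values.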

Mobile wallet application concerns

Reverse engineering

Reverse engineering helps attackers extract data such as encryption keys and hardcoded passwords.

Only attackers with a high level of understanding of the digital wallet solution can accomplish this.

Tampering with the application and using rootkits

Attackers can plant a backdoor to gain access to login details. After obtaining the details, the backdoor sends them to a server controlled by the attackers.

This enables the attackers to upload or download any sort of data from the mobile payment application.

Possible security measures

  • Adopt secure coding practices along with automated and manual secure code review using appropriate tools.
  • Adopt source code integrity protections and anti-debugging measures.
  • Use white-box cryptography.
  • Provision the application via trusted application stores.
  • Eradicate rogue applications from all unauthorized application stores.
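One concrete form of the "integrity protection" item is a build-time manifest of resource digests that the app re-checks at startup, so that a repackaged build with an edited configuration or an injected library is detected before any payment code runs. The Go program below is an added example written for this post, not code from the original article or from any wallet vendor; the bundle contents, file names and manifest format are constructed for illustration. A real deployment must also protect the manifest itself (for example by signing it and pinning the verification key), otherwise an attacker who edits a resource can simply regenerate the manifest.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a bundled resource path to its expected SHA-256 digest (hex).
// Generated at build time; assumed to be signed separately (not shown here).
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest computes the expected digests from the build-time bundle.
func BuildManifest(bundle map[string][]byte) Manifest {
	m := make(Manifest, len(bundle))
	for path, content := range bundle {
		m[path] = digest(content)
	}
	return m
}

// VerifyBundle compares the files present at runtime against the manifest and
// returns a sorted list of findings: modified, missing and unexpected files.
// An empty list means the bundle is intact; anything else should abort startup.
func VerifyBundle(m Manifest, runtime map[string][]byte) []string {
	var findings []string
	for path, want := range m {
		got, ok := runtime[path]
		if !ok {
			findings = append(findings, "missing: "+path)
			continue
		}
		if digest(got) != want {
			findings = append(findings, "modified: "+path)
		}
	}
	for path := range runtime {
		if _, ok := m[path]; !ok {
			findings = append(findings, "unexpected: "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed build-time bundle.
	build := map[string][]byte{
		"assets/config.json": []byte(`{"api":"https://pay.example.test"}`),
		"lib/payment.so":     []byte("\x7fELF...payment-library-bytes"),
	}
	m := BuildManifest(build)

	// Constructed runtime view of a repackaged app: the API endpoint was
	// repointed and an extra hooking library was added.
	tampered := map[string][]byte{
		"assets/config.json": []byte(`{"api":"https://rogue.example.test"}`),
		"lib/payment.so":     build["lib/payment.so"],
		"lib/hook.so":        []byte("injected"),
	}
	for _, f := range VerifyBundle(m, tampered) {
		fmt.Println(f)
	}
}
```

Reporting all three classes of finding (modified, missing, unexpected) matters: an attacker who only adds a file would slip past a check that walks the manifest alone.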

Merchant threats

Uploading malware onto the POS

Once malware is uploaded and installed on the point-of-sale (POS) contactless terminal, the attacker can configure it to steal transaction and payment data via the card readers.

Through POS malware, attackers can gain insecure remote desktop access to the POS servers.

Moreover, the malware also undermines the cryptography, increasing the possibility of fraudulent payments.

Man-in-the-middle (MITM) attacks against POS and POS servers

Attackers can also take advantage of weaknesses such as the absence of firewalls, which allows them to fully compromise the network.

Relay attacks on NFC-enabled POS

The best-known attack against the NFC POS interface is the relay attack.

Relay software installed on a mobile device can relay commands and responses between a card emulator, installed as a proxy on the mobile POS, and a secure element.

Possible security measures

  • Keep the POS software updated.
  • Change the default password on the POS system.
  • Use SSL/TLS for the connection between the point of interaction (POI) and the POS.
  • Configure and deploy firewalls.
  • Restrict access to the POS and POI to authorized users only.

Payment service provider threats

Compromise of software running on contactless terminals

Payment service providers (PSPs) provide various POS services for mobile payments, such as NFC-powered POS terminals and aggregated payment services for merchants.

The latter process data from various channels, including online payments, contactless payments, and face-to-face payments.

Compromising payment gateways

PSP payment gateways are an attractive target for attackers who are constantly looking to compromise payment data as it is conveyed from merchants to the acquiring banks.

Compromise of software on POS servers

Attackers might target the payment gateway in order to break the security of POS terminals.

These terminals are provided to the merchants by the PSPs, who also host the network for them.

Compromise of data connectivity

Attackers might try to take advantage of insecure connections where the merchant hosts the POS connection to the PSP.

The same threat applies to the connection from the PSP to the acquirer.

Possible security measures

  • Fix software vulnerabilities in the POI.
  • Secure it with a secure-by-default design.
  • Carry out vulnerability testing.
  • Patch software, hardware, and POI terminals.
  • Enforce secure point-to-point connections between the PSP and acquirers, and between the PSP and the merchant POS.

Acquirer threats

Compromise of payment processing systems

Attackers might obtain a massive amount of cardholder data while the cryptogram and token are being requested from the issuer payment network.

Malware installation for advanced persistent threats (APTs)

Installing backdoors accompanied by remote access tools (RATs), through malware infection of servers hosted on the acquirer's network, allows attackers to compromise the acquirer bank's payment processing servers.

Rootkit installation

Rootkits are a major threat, as attackers can use them to directly monitor and manipulate API calls.

Compromise of data connectivity

Attackers can take advantage of insecure point-to-point connections between the acquirer and the issuer via a network service provider.

Repudiating the authorization of a mobile payment

Attackers can repudiate a payment authorization from an issuer by exploiting design flaws in the implementation of the acquirer's payment processing services.

Possible security measures

  • Impose and deploy advanced security measures along with second-factor authentication for user access.
  • Enforce least privilege for user access.
  • Deploy fraud prevention, malware detection, and data leakage prevention.
  • Use SSL/TLS with mutual authentication to secure internal point-to-point connections.
  • Make digital signatures compulsory for verifying the issuer's payment authorization.
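The last measure is the direct answer to the repudiation threat above: if the issuer signs every authorization and the acquirer verifies the signature before acting, an altered or forged decision is rejected and a genuine one cannot later be disowned. The Go program below is an added example written for this post, not code from the original article or from any payment network; it uses ECDSA over P-256 from the standard library. The authorization fields, the transaction identifiers and the in-memory replay list are assumptions for illustration; a real scheme follows the network's message format, keeps the issuer's private key in an HSM, and distributes the public key through a certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authorization is the issuer's decision on one transaction. The field set is
// an assumption for this example.
type Authorization struct {
	TransactionID string `json:"txn_id"`
	MerchantID    string `json:"merchant_id"`
	AmountCents   int64  `json:"amount_cents"`
	Currency      string `json:"currency"`
	Approved      bool   `json:"approved"`
}

// canonical gives a stable byte encoding: encoding/json writes struct fields in
// declaration order, so issuer and acquirer hash identical bytes.
func canonical(a Authorization) ([]byte, error) {
	return json.Marshal(a)
}

// SignAuthorization runs at the issuer: hash the canonical message and sign the
// digest with the issuer's private key (ASN.1 DER encoded ECDSA signature).
func SignAuthorization(priv *ecdsa.PrivateKey, a Authorization) ([]byte, error) {
	msg, err := canonical(a)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyAuthorization runs at the acquirer before it acts on the decision. A
// failing signature means the message was altered in transit or was never
// produced by the issuer, so the acquirer must reject it.
func VerifyAuthorization(pub *ecdsa.PublicKey, a Authorization, sig []byte) error {
	msg, err := canonical(a)
	if err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("issuer signature invalid: authorization rejected")
	}
	return nil
}

// SeenTransactions guards against replay: a correctly signed message the
// acquirer has already processed is still rejected the second time.
type SeenTransactions map[string]bool

func (s SeenTransactions) Accept(pub *ecdsa.PublicKey, a Authorization, sig []byte) error {
	if err := VerifyAuthorization(pub, a, sig); err != nil {
		return err
	}
	if s[a.TransactionID] {
		return errors.New("replayed authorization: " + a.TransactionID)
	}
	s[a.TransactionID] = true
	return nil
}

func main() {
	// Constructed issuer key pair for the demonstration.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := Authorization{"txn-0001", "merchant-42", 1999, "USD", true}
	sig, err := SignAuthorization(priv, auth)
	if err != nil {
		panic(err)
	}

	seen := SeenTransactions{}
	fmt.Println("original:", seen.Accept(&priv.PublicKey, auth, sig)) // <nil>
	fmt.Println("replayed:", seen.Accept(&priv.PublicKey, auth, sig)) // replay error

	tampered := auth
	tampered.AmountCents = 19 // amount changed in transit; signature no longer matches
	fmt.Println("tampered:", VerifyAuthorization(&priv.PublicKey, tampered, sig))
}
```

Signing the canonical encoding rather than the parsed fields is the detail that makes this work across two independently written systems: any difference in field order or number formatting would produce a different digest and a spurious rejection.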

Conclusion

In this blog we looked at the various types of threats that a mobile financial system might face, and discussed ways to counter them.

Digital wallet solutions are still at a nascent stage, and with time you'll see them become faster, more secure, and more convenient.

But you don't need to wait until then: study the threats and solutions above to come up with a robust mobile payment system.

And if you're looking for a ready-made digital wallet solution, we have you covered there as well. Simply contact us to learn more about our next-gen digital wallet solution.
