Electronic money has gained tremendous popularity among consumers and corporates alike due to its convenience, speed, and ease of use.
With the increasing penetration of smartphones around the world, we have also witnessed the rise of mobile financial solutions such as mobile payment systems and digital wallets.
People are quickly migrating from cards to digital wallets for making payments at various places.
However, there are a few skeptics who feel that a digital wallet is not a safe mode of payment, for users as well as for service providers.
Wallets like Google Pay, Venmo, and Samsung Pay serve as the best examples of safe and secure digital wallets used all around the world.
But we can’t totally ignore the security threats that they may pose. And if you’re looking to develop a digital wallet solution, then this blog is well suited for you.
In this blog, we will discuss the various security threats that a digital wallet may face and their possible solutions.
Potential user threats of mobile wallet application
Phishing attacks
Probably the most common type of attack is phishing, typically carried out through phishing emails.
The prime objective of these attacks is to trick the user into disclosing information.
Social engineering
In social engineering, attackers gather the user’s data that is available in the public domain.
They either use it for fraudulent payments or sell it on underground market forums. Sometimes the attackers also use the stolen information to impersonate the user.
Installing malware applications unintentionally
Attackers trick the user into installing malware with the help of malicious attachments that redirect them to a malicious URL, a fake access point, an insecure Wi-Fi hotspot, or a network spoofing attack.
That is how they gain access to the user’s mobile wallet payment information.
Possible security measures
- Refrain from using public Wi-Fi hotspots for digital wallet payments.
- Educate people about security threats and raise awareness.
- Learn to distinguish between fake and real websites and access points.
Mobile device concerns
Illegal access to lost or stolen device
If your mobile phone is lost or stolen, attackers can easily get unauthorized access to all the data stored on the device.
They can also steal your fingerprint data, which can be used to authenticate a fraudulent transaction.
Mobile device as a target
Mobile devices are more prone to attacks from hackers, as they are an easier target compared to the mobile app itself.
Once the device is under their control, they can use it for illegal activities such as installing spyware, misusing sensitive data, making fraudulent transactions, and many more.
Implementation issue
IT is a competitive field in which you’ll see new functionality released continuously.
Because of this, there’s a risk of shipping potentially immature code that is highly susceptible to security threats while implementing a mobile payment solution.
Possible security measures
- Keep your operating system updated.
- Keep the default security controls on your device enabled.
- Use a strong PIN and a PIN lock.
- Keep biometric data secured.
Mobile wallet application concerns
Reverse engineering
Reverse engineering helps hackers extract data such as encryption keys and hardcoded passwords.
Only attackers with a high level of understanding of digital wallet solutions can accomplish this.
Tampering with the application and using the rootkits
The attacker can use a backdoor to gain access to login details. After obtaining the details, they can send them to a server controlled by the attackers.
This enables the attackers to upload or download any sort of data from the mobile payment application.
Possible security measures
- Adopt secure coding practices along with automated tool-based review and manual secure code review.
- Adopt source code integrity protections and anti-debugging measures.
- Use white-box cryptography.
- Provision the secure application via trusted application stores.
- Eradicate rogue applications from all unauthorized application stores.
Merchant threats
Uploading malware on POS
Once malware is uploaded and installed on the point of sale (POS) contactless terminal, the attacker can reconfigure it and steal transaction and payment data via the card readers.
Through POS malware, attackers can gain insecure remote desktop access to the POS servers.
Moreover, the malware also affects the cryptography, thus increasing the possibility of a fraudulent payment.
Man-in-the-middle (MiTM) attacks against POS and POS servers
Attackers can also take advantage of weaknesses such as the absence of firewalls, which allows them to fully exploit gaps in network security.
Relay attacks on NFC enabled POS
A well-known attack against the NFC POS interface is the relay attack.
Relay software installed on the mobile device can relay commands and responses between a card emulator installed as a proxy on the mobile POS and a secure element.
Possible security measures
- Keep the POS software updated.
- Change the default password on the POS system.
- Use SSL on the connection between the POI and the POS.
- Configure and deploy firewalls.
- Restrict access to the POS and POI to authorized users only.
Payment service provider threats
Compromise of software running on contactless terminals
Payment service providers (PSPs) provide various POS services for mobile payments, such as NFC-powered POS terminals and aggregated payment services for merchants.
The latter processes data from various channels, including online payments, contactless payments, and face-to-face payments.
Compromising payment gateways
PSP payment gateways are an attractive target for attackers who are constantly looking to compromise payment data, since the gateways convey it from the merchants to the acquiring banks.
Compromise of software on POS servers
Attackers might attack the payment gateway in order to break the security of the POS terminals that PSPs provide to merchants to host on their network.
Compromise of data connectivity
Attackers might try to take advantage of insecure connections where the merchant hosts the POS connection to the PSP.
The same threat exists for the connection from the PSP to the acquirer.
Possible security measures
- Fix software vulnerabilities in the POI.
- Make the design secure by default.
- Carry out vulnerability testing.
- Patch software, hardware, and POI terminals.
- Enforce secure point-to-point connections between the PSP and the acquirers, and between the PSP and the merchant POS.
Acquirer threats
Compromise of payment processing systems
Attackers might obtain a massive amount of cardholder data while the cryptogram and token are being requested from the issuer payment network.
Malware installation for advanced persistent threats (APT)
Backdoor installation accompanied by remote access tools (RATs), delivered through malware infection of servers hosted on the acquirer’s network, allows attackers to compromise the acquirer bank’s payment processing servers.
Rootkits installation
Rootkits are a major threat, as attackers can use them to directly monitor and manipulate API calls.
Compromise of data connectivity
Attackers can take advantage of the insecure point to point connections between the acquirer and the issuer via a network service provider.
Repudiating the authority of mobile payment
Attackers can repudiate an issuer’s payment authorization by exploiting design flaws in the implementation of the acquirer’s payment processing services.
Possible security measures
- Impose and deploy advanced security standard measures along with second-factor authentication for user access.
- Enforce and ensure minimum privileges for user access.
- Deploy fraud prevention, malware detection, and data leakage prevention.
- Use SSL with mutual authentication to secure internal point-to-point connections.
- Make digital signatures compulsory for verifying the issuer’s payment authorization.
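The last measure above, requiring a digital signature on the issuer’s payment authorization so that a genuine authorization cannot later be repudiated or silently altered (the "Repudiating the authority of mobile payment" threat), as an added Go example that is not code from the original post. The Authorization field set, the Ed25519 key pair and the transaction values are hypothetical and constructed here; the acquirer refuses any authorization whose signature does not match its contents or that falls outside the acceptance window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Authorization is the issuer's decision the acquirer must be able to prove came from the issuer (hypothetical fields).
type Authorization struct {
	TxnID    string `json:"txn_id"`
	Token    string `json:"token"`  // payment token standing in for the card number
	Amount   int64  `json:"amount"` // minor currency units
	Currency string `json:"currency"`
	IssuedAt int64  `json:"issued_at"` // unix seconds
}

// canonical gives the exact bytes the signature covers; encoding/json writes fields in declaration order without whitespace.
func canonical(a Authorization) []byte {
	b, _ := json.Marshal(a) // cannot fail for this plain struct
	return b
}

// SignAuthorization runs at the issuer.
func SignAuthorization(priv ed25519.PrivateKey, a Authorization) []byte {
	return ed25519.Sign(priv, canonical(a))
}

// VerifyAuthorization runs at the acquirer before settlement and rejects unsigned, altered and stale authorizations.
func VerifyAuthorization(pub ed25519.PublicKey, a Authorization, sig []byte, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, canonical(a), sig) { // also false for a missing or malformed signature
		return errors.New("missing or invalid signature for these authorization contents")
	}
	if age := now.Sub(time.Unix(a.IssuedAt, 0)); age < 0 || age > maxAge {
		return errors.New("authorization outside acceptance window")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed issuer key pair
	auth := Authorization{"TXN-0001", "tok_4f9a", 2599, "USD", time.Now().Unix()}
	sig := SignAuthorization(priv, auth)
	fmt.Println("genuine:", VerifyAuthorization(pub, auth, sig, time.Now(), time.Minute))
	auth.Amount = 25 // amount altered after signing: verification must fail
	fmt.Println("tampered:", VerifyAuthorization(pub, auth, sig, time.Now(), time.Minute))
}
```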
Conclusion
In this blog we saw the various types of threats that a mobile financial system might face, and we also discussed ways to eliminate these threats.
Digital wallet solutions are still in their nascent stage, and with time you’ll see them becoming faster, more secure, and more convenient.
But you don’t need to wait till then: you can study all the above threats and solutions properly to come up with a robust mobile payment system.
And if you’re looking for a ready-made digital wallet solution, we have you covered there as well. Simply contact us to know more about our next-gen digital wallet solution.