The mobile payment space is a constantly evolving landscape. Innovation and the increased adoption of smartphones have led retailers, banks and device manufacturers to offer a wide variety of mobile payment solutions. Apple Pay, for example, enables consumers to make contactless payments in physical stores with their iOS devices.
In Singapore, leading fast food chain McDonald's allows users to register their Visa cards in its app and pay with a single tap. Local telco Singtel launched a mobile wallet app called Dash, which lets users make bank transfers and pay for services with one swipe.
While integrating credit cards with mobile payment platforms is attractive to consumers, it also widens the door for fraud and malicious attacks.
In May 2015, several Starbucks app users reported that their accounts had been broken into and their funds misused. The app's ease of use was convenient, but it came at a price: without a second authentication factor (for example, a one-time password, or OTP), the accounts were at significant risk of takeover.
It is clear that security is just as paramount as innovation, but what are the prevalent issues that plague mobile payment apps?
Security cannot be left at app-level protection
“Critical transaction information such as banking keys and user keys are traversing through the mobile app on a real time basis, and mobile app developers are not security trained. Usually, they will just follow the best practices of programming security of the native operating system,” says Benjamin Mah, Co-founder and CEO of the Singapore-based mobile security solutions startup V-Key, in an interview with e27.
Mah likens the protection offered by most mobile applications to the low-security magnetic stripes typically found on gift cards and hotel room keys. Citing how simple it is to disable certain security settings in order to install third-party applications on Android, Mah emphasises that mobile operating systems are simply not built for financial-grade security.
“Hackers will always be finding ways to exploit the vulnerabilities and compromise it on the application layer to access information on these mobile apps for financial gain,” he adds.
No mobile operating system is secure
Sure, an OS such as Android may be more vulnerable because of its open, customisable framework, but a closed system such as Apple's iOS should have a foolproof security setup, right?
While Apple's iOS emerged as the most secure operating system in a spyware test, largely because it is a closed system, it still has vulnerabilities, including what amounts to a back door: a diagnostic path that allows its encryption to be bypassed in order to access user data.
Apple claims that such a function is necessary for Apple's IT department and enterprise customers to troubleshoot technical issues, but it is a stark reminder that no device OS is completely secure.
“Nobody can guarantee the security of the physical mobile device because the device operating system is designed for interoperability and not security,” says Mah.
So is there a way out of this conundrum? Mah believes the answer lies in the design of time-tested hardware solutions such as physical security chips. What is needed is to port that design from hardware into software.
The solution – virtualise a tried-and-tested security system
“The trust foundation of V-Key’s technology is built upon a decades-old security feature that we are all using today (in our credit cards) – the smart chip,” he says.
The smart chip in a credit card is a tamper-resistant security system: a secure cryptoprocessor, code obfuscation, and other anti-tampering and anti-debugging mechanisms that protect keys and in-memory data. Together these provide isolation that is independent of, and out of band from, the host device.
According to Mah, porting this framework into software lets V-Key create an independent, isolated, tamper-resistant security environment within the app. In software, that isolation is not a physical boundary: a software secure element raises the cost of extracting keys from a compromised device rather than making it impossible, which is why Mah later speaks of reducing residual risk rather than eliminating it.
But isn’t all software still inextricably interlinked? If the device OS is compromised, would not the security of the apps suffer too?
“With the device OS being insecure, the question here is how do you build a Fort Knox [for the app]? What we need to do here is to stay ahead and be abreast of the APIs in the device OS that are exposed to the developers,” Mah says.
“But even a Fort Knox has doors. So what we do, instead of covering a big surface area like many app developers do through encryption or scanning for everything, we only scope out and secure the openings in the fort,” he adds.
Building a mobile payment system for all
In addition to constructing a robust mobile security framework, V-Key’s objective is also to enable banks and other financial institutions to “ubiquitously support all payment channels with quality end-user experience.”
Mah also believes that leading high-end smartphone players such as Apple and Samsung should not have a monopoly on the mobile payment space.
“We believe that mobile payment systems should be phone-agnostic. Whether you are using an entry level Xiaomi or Micromax smartphone, we want to be able to make mobile transactions secure and seamless for the end user. The whole idea here is that security is just an enabler just like how you consume electricity without needing to know the nuts and bolts of it,” he says.
V-Key's V-OS, the virtualised security layer described above, was recently used to build UOB's Mighty app, a secure mobile wallet for all UOB debit and credit card holders. Customers can pay from the app via NFC, tapping their phones against the merchant's payment terminal and entering a PIN, or authenticating through an SMS OTP.
Besides serving as a mobile wallet, UOB Mighty also allows users to book dining reservations.
V-OS is accredited under IDA's Accreditation@IDA programme, an initiative designed to assist the growth of Singapore-based tech companies with an innovative product. The programme helps to strengthen product robustness and provides an independent third-party evaluation of the companies' claimed core functionality and ability to deliver. During the evaluation, the team helps companies identify and fix technical bugs in the areas of functionality, performance and security.
“The Accreditation@IDA team took time to understand our product and company. The evaluation was comprehensive but not onerous. Our company profile has also significantly increased, with higher interests and inquiries from government agencies,” says Mah.
Key challenges and future of mobile payments
“Mobile security can never be 100 percent foolproof. But at V-Key, we are definitely sure we can reduce the residual risk. Another challenge is the ability to scramble and update our software,” says Mah.
The future of mobile security, he says, will rely on dynamic updates: after a certain number of transactions over a period of days, the protected code inside the mobile payment app is refreshed via a token delivered over the air.
“Our product will incorporate a multi-factor authentication moving forward, where we will take in factors such as your location, how much you are transacting and at what frequency you are doing it to assess the security risk,” Mah concludes.
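To make the risk-based step-up Mah describes concrete, here is an added illustration (not V-Key's, UOB's or the article's code) that scores a transaction on the three factors he names (amount, frequency and location) and, when the score is high, demands the second factor that the Starbucks paragraph and the UOB Mighty description mention. The OTP is an HMAC-based TOTP (RFC 6238) rather than an SMS-delivered one so that it runs offline; the thresholds, field names, sample history and the `pin_ok` flag (the PIN check is assumed to happen elsewhere) are all constructed for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed demo secret: the RFC 4226/6238 test key, chosen so the OTP
# values can be checked against the published test vectors.
DEMO_OTP_SECRET = b"12345678901234567890"


@dataclass
class Txn:
    ts: int          # Unix time of the transaction, in seconds
    amount: float    # value in SGD (hypothetical unit)
    country: str     # country the device reports the transaction from


@dataclass
class Account:
    home_country: str
    otp_secret: bytes
    history: List[Txn] = field(default_factory=list)  # previously approved transactions


def risk_score(acct: Account, txn: Txn) -> int:
    """Score a transaction on amount, frequency (velocity) and location.
    The weights and thresholds are assumptions for the example."""
    score = 0
    if txn.amount > 500:
        score += 2
    elif txn.amount > 100:
        score += 1
    recent = [t for t in acct.history if 0 <= txn.ts - t.ts < 600]
    if len(recent) >= 3:                      # three or more approved payments in 10 minutes
        score += 2
    seen = {acct.home_country} | {t.country for t in acct.history}
    if txn.country not in seen:               # first transaction ever seen from this country
        score += 2
    return score


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 time-based OTP: HOTP over the current 30-second window."""
    return hotp(secret, at // step)


def verify_otp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current window or one window either side (clock
    drift). Every candidate is compared in constant time and the loop never
    short-circuits, so timing does not reveal which window matched."""
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret, at + drift * 30), submitted)
    return ok


def authorise(acct: Account, txn: Txn, pin_ok: bool, otp: Optional[str] = None) -> str:
    """Decide one transaction: PIN is always required; a risky transaction
    additionally needs a valid OTP (step-up). Returns APPROVE, STEP_UP or DENY."""
    if not pin_ok:
        return "DENY"
    if risk_score(acct, txn) < 2:
        return "APPROVE"
    if otp is None:
        return "STEP_UP"                      # prompt the user for the second factor
    if verify_otp(acct.otp_secret, otp, txn.ts):
        return "APPROVE"
    return "DENY"


def demo_account() -> Account:
    """Constructed sample: a Singapore account with a few small local payments,
    one of them older than ten minutes."""
    return Account(
        home_country="SG",
        otp_secret=DEMO_OTP_SECRET,
        history=[Txn(100, 4.50, "SG"), Txn(600, 12.00, "SG"), Txn(700, 6.80, "SG")],
    )


if __name__ == "__main__":
    acct = demo_account()
    coffee = Txn(1000, 5.00, "SG")            # small, local: no step-up
    abroad = Txn(1000, 650.00, "MY")          # large and from a new country: step-up
    print(authorise(acct, coffee, pin_ok=True))
    print(authorise(acct, abroad, pin_ok=True))
    print(authorise(acct, abroad, pin_ok=True, otp=totp(DEMO_OTP_SECRET, 1000)))
```

The design choice worth noting is that the second factor is only demanded when the score crosses a threshold, which is what keeps the low-risk coffee purchase to a single tap while the large foreign transaction is held until the OTP checks out; in a real deployment the score would also feed the dynamic-update logic Mah mentions, but that part is not shown here.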
Disclosure: This article was produced by the e27 content marketing team, sponsored by Accreditation@IDA. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the position of Accreditation@IDA.
Image Credit: Shutterstock