By: Mark Raleigh, Director, Core CARD Software, Inc.
Mobile wallet is becoming a hot item in the payments space.Many payments industry experts see a promising market for the technology.Here’s a quick look at some of the high level questions around security of using a mobile wallet.
1. How does it work?
Typically, a mobile wallet is just another form factor, replacing or supplementing the need to hold plastic. Your phone can be used to complete a transaction at the point of sale through NFC (near field communication). The phone would use an application to provide the details necessary to complete the transaction and validate the user’s identity. The mobile wallet may be linked to an existing debit or credit account through a bank or card issuer or it may be a pre-paid account. Existing technology is used to forward the transaction information through the proper channels for authorization and settlement.
2. Is it safer than using a regular debit or credit card?
A typical mag-stripe card has built in safe guards to protect the holder from fraud when the card is used. A chip card typically has more safeguards than a mag-stripe card. A mobile wallet used in a transaction provides the possibility of some new security benefits and possible new security concerns. A mobile wallet may be able to more securely store personal information needed in the transaction – by storing information encrypted on the SIM card like a chip card does. Also, the mobile wallet application can be password protected. Thus there are two layers of security built into mobile wallet: at chip level and at application level. Another argument that proponents make in favor of mobile wallet is that it takes about 12 hours for a person to notice his/her lost or stolen credit card but it takes only about an hour to realize that you have lost your phone. Mobile wallet looks secure on paper but so did magstripe cards in the beginning. Mobile Wallet is not without its security challenges. Since the card information can be accessed by wireless RFID readers, sniffing card information during the transaction is a possibility. The current marketplace for mobile wallet applications could possibly favor speed to market over security at first. When (not if) security flaws are revealed and exploited, there will no doubt be a need to put an emphasis on security no matter who controls the application on the mobile wallet. The new form-factor can go either way on the potential for fraud. While the security of using a phone to store personal information may be healthier than a mag-stripe, it may depend on the phone and the application itself.
3. What if my phone is stolen?
Ok, so you’ve got an application on your phone that can help you transact with merchants using NCF. Your application is setup, you’ve entered some important information (including your card number) needed to help the application interact with the point of sale terminal. Depending on the security you have setup on your phone and application, a thief or hacker could gain access to this information. You lose your phone. What should you do? If a person has access to the lost phone it is possible they can use your mobile wallet feature under some circumstances. It would be wise to report your phone stolen and/or un-enroll your accounts from mobile wallet with your issuer or phone provider. Your mobile network carrier can also disable the wallet over the air if the authorized user notifies promptly. This can help prevent fraudulent use.
4. When will we know more?
With the big players completing launches of their wallet services very soon, some already in use, it is only a matter of time before security of the technology is going to be exploited. Those applications that are not secure may quickly lose market share to those that are. So, wait and watch a year or two until a few risk takers and early adopters vet the options out.