The success of mobile wallets influences the need for security

The rise of mobile wallets, accentuated by the pandemic, is attracting more and more interest from cybercriminals. But how do you secure them effectively?

The use of mobile payments is booming! According to industry data, more than two billion people worldwide use mobile wallets, and several million new users convert to this mode of transaction each year. In 2021, 25.7% of point-of-sale (POS) payments and 44.5% of payments on e-commerce sites were made using mobile wallets, which are increasingly replacing cash and contactless payments.

The pandemic and physical distancing measures have accelerated the rise of mobile payment applications around the world. This development has fueled the interest of cybercriminals and therefore necessitated the use of robust, state-of-the-art application security.

What is a mobile e-wallet?

Mobile wallets allow consumers to use their smartphone, smartwatch and other smart accessories to make dematerialized or contactless payments via NFC, MST and QR codes. Often, mobile wallets also offer related features such as membership and loyalty cards, gift cards, P2P (peer-to-peer) payments and in-app payments.

Since the launch of Apple Pay and Google Pay between 2014 and 2015, many banks and fintechs have launched mobile wallets. While Apple hasn’t allowed third-party developers to use NFC on its iPhones, Google has. This has led to widespread development of mobile wallet solutions for Android by dozens of technology vendors and banks.

The different types of mobile wallets

In practice, there are two types of mobile wallets:

  1. OEM wallets (Original Equipment Manufacturer): These mobile wallets are developed by the smartphone supplier and secured by a proprietary hardware security solution (Trusted Execution Environment, Secure Element, etc.) on the device itself.
  2. Third-party wallets: Third-party apps, like PayPal, don’t have access to the device’s proprietary hardware security. Third-party mobile wallet developers either work with technology vendors, who typically offer mobile payment SDKs (e.g. HCE), or integrate mobile payment SDKs directly into the app.

Are mobile wallets secure?

In order to reduce the risk of fraud, HCE (Host Card Emulation) mobile wallets use tokenization. This system, used to secure credit cards, consists of transforming sensitive data into encrypted tokens. The card data is replaced by a series of randomly generated numbers whose use may be limited (by the number of times the token is used or by the amount of the payment). While HCE and tokenization are designed to reduce the risk of fraud, payment data processed by mobile wallets can still be exploited by malware and criminal organizations. Although tokens cannot be converted back into a credit card number, cybercriminals can, in fact, steal them and make fraudulent payments at the expense of the legitimate owners of mobile wallets.
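An added illustration of the limited-use tokens described above (not code from the original article or from any payment scheme): a hypothetical issuer-side TokenVault hands out random tokens with a use count and an amount cap, and the demo shows that those caps bound what a copied token can spend, even though the token itself reveals nothing about the card number. All names, limits and the card number are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str               # real card number, known only to the vault
    uses_left: int         # how many payments the token may still authorize
    amount_cap_cents: int  # largest single payment the token may authorize


class TokenVault:
    """Hypothetical issuer-side vault mapping random tokens to card numbers."""

    def __init__(self):
        self._records = {}

    def issue(self, pan, max_uses=1, amount_cap_cents=5000):
        # The token is random digits, not derived from the PAN, so it cannot
        # be turned back into the card number without access to the vault.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._records[token] = TokenRecord(pan, max_uses, amount_cap_cents)
        return token

    def authorize(self, token, amount_cents):
        rec = self._records.get(token)
        if rec is None:
            return "DECLINED: unknown token"
        if rec.uses_left <= 0:
            return "DECLINED: token exhausted"
        if amount_cents > rec.amount_cap_cents:
            return "DECLINED: amount over token limit"
        rec.uses_left -= 1
        return "APPROVED"


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    token = vault.issue(pan, max_uses=1, amount_cap_cents=5000)
    results = [
        vault.authorize(token, 9000),  # copied token, amount above the cap
        vault.authorize(token, 2000),  # copied token, within the limits
        vault.authorize(token, 2000),  # owner's later payment, token now spent
    ]
    return pan, token, results


if __name__ == "__main__":
    print(demo())
```

The vault cannot tell who presents the token, which is why the token has to be protected on the device in addition to being limited by the issuer.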

The future of mobile payment security

Like cash, checks, and credit cards, mobile wallets are prone to fraud and abuse. Their adoption, which is expected to increase at a high rate between 2022 and 2029(1), makes them an increasingly attractive target for cybercriminals. The increase in mobile zero-day vulnerabilities (up 466% in 2021) and mobile malware (more than 2 million new strains in 2021) reflects this situation.

In order to secure mobile wallets, OEMs can rely on hardware security, as mentioned above. But for third-party mobile wallet developers, this option is not viable due to the heterogeneity of OEM technologies. Additionally, OEM platform technologies, such as trusted execution environments (TEEs) built into smartphones, are under attack with a steady stream of zero-day exploits and vulnerabilities.

Smartphones remain untrusted devices, so developers of mobile wallet solutions must protect the application, maintain their security posture, and anticipate the ever-changing capabilities and techniques of cybercriminals.

How to secure mobile wallets?

Before being publicly launched, mobile payment solutions must be certified by the card brands or EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa. Since security is a constant game of cat and mouse, developers of mobile payment solutions are strongly advised to work with mobile cybersecurity specialists. With that support, they will be able to create secure and compliant mobile applications, including protecting their cryptographic keys, tokens, source code and data, and quickly obtain their security certification.
