Perceived, real risks of Mobile Payments (Mobile Commerce)

Original Publication

This article was first published in the October 2008 edition of CSO Pakistan, a sister publication of CIOPakistan.

Preamble

The world is never going to be perfect, either on- or offline; so let’s not set impossibly high standards for online – Esther Dyson

Society, in general, has always been cautious of new technology. Imagine how unfortunate it would have been if, in the 90s, electronic commerce over the public internet had been resisted by governments and businesses until a fool-proof security policy had been specified, designed and implemented.

We are, in a sense, re-living that era for mobile commerce and mobile payments. This article looks into the various payment instruments we currently use and their ‘risks’. We then look for the same risks in mobile-based payment systems, and any additional risks that this new instrument may pose. We also dedicate a few lines to highlighting the efficiencies of electronic payments.

Instruments of Payments

Let us look at the various payment instruments available to us. These combine to about Rs. 155 Trillion worth of payments in the fiscal year 2007-2008.

Category | Includes
Cash, cash equivalent | ATM, Cash, Cash Cheque
Plastic | Debit & credit card
Paper | Money Order, Cheque
EFT, Banks mostly | RTOB (Inter-Bank)

Areas of Risk

We next define the various risk types, and how they apply to various financial instruments.

Identity Theft:

Identity theft is also known as pre-issue theft: the fraud takes place without the financial instrument ever reaching its rightful owner. In the US over 9 million people have been affected by ID Theft.

This usually takes place in societies where ‘application processing’ for new instruments (credit card, bank accounts) is highly automated. Once in possession of another person’s personal data (NIC, mother’s name, date of birth) one can ‘act’ as that person in the electronic world. Once the instrument is issued, the victim may not be aware of it for months or even years, and may even face criminal charges for crimes conducted using their identity (a license, for example).

However, this type of fraud is almost non-existent in Pakistan. There are too many checks and balances, mostly due to inefficiencies of our data systems and application processing, for this type of fraud to occur on a mass scale. There is only 1 publicly known instance where an e-banking account was created without the knowledge of the account holder.

Skimming:

A small electronic device (skimmer) is attached to an ATM machine or POS device. When a card is swiped, the skimmer reads the magnetic strip. For an ATM, it is used in conjunction with a pinhole camera to record the PIN as it is entered. Once scammers have the card data, they can create a cloned card and run up charges on your account. This fraud has recently affected all the major banks in Dubai – HSBC, SCB, Mashreq, Lloyds, Citibank, etc.

Snatching:

This is the most important risk area for any society with a large volume of street crime. The financial instrument is taken away from the victim with their knowledge. In the case of cash, the consumer is liable for 100% of the loss.

In the case of a cash cheque or credit card, if the instrument is misused (purchases are made, the cheque is cashed) then the holder is 100% liable. In the case of an ATM card, if the PIN is secure then the person is completely protected from misuse. Otherwise they can lose up to their daily maximum for ATM transactions.

In both cases, victims can call their financial institution and cancel the instrument prior to its presentment.

Theft, Loss or Misuse:

The various instruments are generally affected in the same way as with ‘snatching’. But the account holder may not realize the loss for a few hours or even a few days, which increases the chance of a credit card being misused, a cash cheque being encashed, and an ATM card being used over multiple days.

Our banks have little or zero investment in pattern-detecting algorithms to notify the customer of unusual usage patterns. SMS alerts offered by a few institutions can help to minimize ATM and credit card misuse.

Reduced risks for mobile payments

Due to the perceived and real risks of mobile payments, companies have ensured equal or better security measures for mobile payments than what is generally available for plastic cards or internet banking.

Mobile transactions are almost always protected by two-factor or higher-level authentication (strong authentication). This is a step better than any internet banking implementation in Pakistan. Even the most basic mobile payment employs two-factor authentication. It is also required by the SBP.

 

  1. ID Theft – the probability is the same as for any other electronic instrument and hence non-existent for a Pakistani audience. In addition, there is no possibility of skimming in the case of mobile payments.

  2. Snatching – the risk is lower than for any other electronic instrument. Due to multi-factor authentication, M-Payments are more secure than credit cards. They are also more secure than an ATM card, even if the PIN is compromised. Why? Because when someone withdraws cash using an illegally obtained ATM card, that cash is not traceable. But for M-Payments, the recipient of the illegal funds can be forensically tracked & prosecuted.

  3. Theft/Loss – if authentication information is compromised, it is possible for mobile payments to be initiated when the mobile device is not with the owner. The risk is lower than for credit cards (due to multi-factor authentication), and the same as for ATM cards. One could argue it is lower than for ATM cards because we have all been known to leave our wallet in a suit, but never our mobile. The payments can also be forensically tracked to the recipient and potentially recovered.

 

Additional risks for mobile payments:

The probability of misuse increases anytime an additional instrument of payment is available. In this case one now has to worry about their wallet & their phone. But how often do you find yourself without the wallet or purse? And mobile? Most of us never go anywhere without it because we are always expecting a call or an SMS, and it keeps us busy during a boring meeting!

 

Secondly, mobile transactions are carried over Telco networks, where the technologies to encrypt the channel end-to-end are not as standard as in the ‘wired’ world. Man-in-the-middle attacks, spoofing, WAP gateways and SIM cloning are technology challenges that confront mobile payments in a unique way.

 

Finally, viruses and Trojans that have confronted the PC world for so long will soon find their way onto mobiles as these devices become powerful, connected and multipurpose, and serve as payment instruments.

Conclusion:

Compared to credit card

Mobile payments are always safer than credit cards due to multi-factor authentication and the ability to forensically track electronic payments.

Compared to Internet banking

Mobile payments are always safer than Internet Banking due to the use of multi-factor authentication, including active possession of the phone.

Compared to ATM cards

Mobile payments are as safe as or safer than ATM cards due to the use of multi-factor authentication and the ability to forensically track payments, which is not possible with cash withdrawn from ATM machines.

Steps to improve payment security

  1. Multi-Factor authentication should be employed whenever feasible
  2. Allow individual users to select lower per-day and per-transaction limits
  3. Migrate to Chip based Smart cards (and POS) as magnetic strips are prone to cloning
  4. Secure back-end systems to ensure data integrity, prevent intrusions
  5. Secure application processing to protect against identity theft – stop using paper (many application processing applications, such as Experian, don’t have a ‘print’ option)
  6. Investment in fraud detection systems to pro-actively protect the consumer
  7. Encourage presentment of an ID card for verification at POS purchase
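
As an added illustration of steps 2 and 6 above (not code from the original article or from any bank's system), the example below declines payments that exceed holder-selected per-transaction and per-day limits, and raises an SMS-style alert when an amount is far outside the holder's own history. The Account, is_unusual and screen names, the median-plus-5-MAD threshold and the rupee amounts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Account:
    per_txn_limit: int                              # chosen by the holder (step 2)
    per_day_limit: int                              # chosen by the holder (step 2)
    history: list = field(default_factory=list)     # amounts accepted as normal
    spent: dict = field(default_factory=dict)       # day -> total approved that day

def is_unusual(history, amount, k=5.0, min_history=5):
    """True when amount is far above the holder's own pattern (median + k*MAD)."""
    if len(history) < min_history:
        return False                                # too little data to judge
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1
    return amount > med + k * mad

def screen(acct, day, amount):
    """Return (decision, reason); 'alert' means approved plus an SMS to the holder."""
    if amount > acct.per_txn_limit:
        return "decline", "per-transaction limit"
    if acct.spent.get(day, 0) + amount > acct.per_day_limit:
        return "decline", "per-day limit"
    acct.spent[day] = acct.spent.get(day, 0) + amount
    if is_unusual(acct.history, amount):
        # Keep unconfirmed outliers out of the baseline so one fraudulent
        # payment cannot make the next one look normal.
        return "alert", "unusual amount, SMS sent"
    acct.history.append(amount)
    return "approve", "ok"

def run_sample():
    # Constructed data: (day, amount in rupees) for one account.
    acct = Account(per_txn_limit=20000, per_day_limit=30000)
    txns = [("d1", 500), ("d1", 700), ("d2", 450), ("d2", 900), ("d3", 600),
            ("d4", 15000), ("d4", 25000), ("d4", 14000), ("d4", 5000)]
    return [screen(acct, day, amount) for day, amount in txns]

if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Lower limits chosen by the holder cap the loss from a snatched or stolen instrument, while the alert shortens the hours or days before the holder notices misuse.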


Advantages of electronic payments over cash

From the consumer's point of view, cash, once damaged or lost, is not recoverable and the loss is 100%. It is easy to run out of it and be left stranded. It is not easy to make a cash payment unless you are literally at a hand's distance from the recipient – hence no remote payments. When it is in your home or wallet, it has a negative rate of return (the inflation).

 

From society’s point of view - it costs a few cents to print every bundle of notes. Cash is untraceable, so it gives rise to an underground and black economy. Cash is used in almost all illegal activities, from bribery to ransom payments. And in some rare cases, since currency is cotton based, it can carry diseases.

 

I wonder - If society could redesign payment systems, would we ever invent cash?

 

About the Author:

Farzal is passionate about delivery channels – from Branchless Banking and 24x7 Direct Insurance to Mobile Multimedia and Social Networking. He has worked at 4 start-ups in addition to Merrill Lynch and BearingPoint. He is a Director at amaana, teaches E-Commerce at IBA, consults professionally and lives at farzal@ciopakistan.com