Innovative Security Solutions

Protecting Digital Frontiers

Security Bytes - November Payment Tokens

The past month has brought a flurry of new handheld releases from various vendors, including Apple, Google, and many other smartphone makers. Many of these devices offer feature-rich software and promise to keep us more secure with every new generation of software and hardware. In light of the latest news of credit card breaches at many online and in-store vendors, it is timely that smartphone vendors are making a valiant effort to produce software and hardware that can be trusted to become a true digital wallet.

 

For many years consumers have been waiting for a device with which one can purchase items with a single click, or a wave of the device near a reader, without the need to present any other identity to the vendor at the time of purchase. Just think about the possibilities this introduces, from dining out to no longer worrying about handing your credit card to someone and having them walk away with it, momentarily out of your sight. All of the new phone vendors propose answers to this security quandary that include biometric recognition (a fingerprint scanner) or PIN code entry on the device to confirm intent to access credit card information.

 

The next question that comes to mind is:

How does the information stored on the device stay secure?

This is the heart of the matter, and vendors have come up with some good solutions. The two main players in this market have been Google, with Google Wallet, and the newer Apple Pay.

 

Without getting into the technical details of the cryptography in each vendor's package, the positive takeaway from both offerings is a reasonably secure system by which one can issue payments conveniently and without direct disclosure of any credit card. In simple terms, both Google and Apple provide end users with a payment token that requires a PIN code (Google) or biometric authentication (Apple Pay) to be entered in addition to the NFC (Near Field Communication) token sent from the phone to the payment reader. This methodology eliminates the need to swipe the card or hand it over to a store clerk, where any information can be compromised. It appears that many card issuers are also following suit by issuing chip-and-PIN cards that will eventually make the current magnetic stripe technology obsolete.

 

The best thing about having the payment tokens on your mobile device is that the device ID (token) generated by the software remains encrypted on your device, and without the additional input of a PIN or biometric the token alone is totally useless. This two-factor approach makes these methods much more secure and desirable than current payment methods. I am sure that these software payment technologies will mature over time and become the new standard for a more secure future. I am also sure that there will be those out there who will try to circumvent the new technology and compromise it. We all just need to stay vigilant and pay attention to any new threats as they emerge!

 

- Paul Mavrovic, CISSP