Is waving your smartphone over a store-counter gadget really a secure way to buy something?
Right now, such mobile payments—via Apple Pay and similar systems—are extremely safe and secure, thanks to layers of protections including PINs, fingerprint identification, cryptography, and the logging of transaction data.
Mobile payment systems use near-field communication, or NFC, to transfer payment information from the phone to a store terminal within a few centimeters. Whereas information stored on magnetic-stripe credit cards can be read by anyone with access to the card, mobile payment systems generally store the data in encrypted form on a special NFC chip and require the user to enter a PIN or even a fingerprint.
While newer credit cards also include a chip and require users to enter a PIN, mobile phones could still hold an advantage because they can log location and other data that could be used later to help prove whether a transaction was fraudulent or not.
To avoid major damage if retailers’ databases are hacked, Apple Pay and some others also give stores “tokens,” or encrypted strings of data about the purchase, without passing along the actual credit card numbers.
For now, attackers have easier targets than mobile payments, including magnetic-swipe systems and department store servers housing millions of card numbers. However, as credit cards become harder to hack and more payments are made on smartphone, mobile payments will increasingly attract thieves.
One route in might be malicious software that steals your phone’s payment credentials by getting beyond barriers imposed by Android and Apple’s IOS. An essential defense: partitioning off payment functions with software or, better yet, more secure chips. Chipmakers are already broadening their products to emphasize “walling-off” functions, with one example being ARM’s TrustZone.