HCE, APIs and Mobile Payment Apps – A New Opportunity for Fraudsters

Share Button

Over the past six months, there have been a number of changes in the way the big payment and mobile technology players have approached security for payment apps.

It had been widely anticipated that the launch of Apple Pay in October 2014 would have a big impact, in part due to the technical aspects of the service. Expectations that the launch would disrupt the current market where mostly founded on Apple’s ability to use their size, ecosystem and brand to influence the market.

Of course many guesses were extreme with wild suggestions that Apple would take over the mobile payment ecosystem causing a shift in the payments landscape. This wasn’t the case.

In looking back, there were challenges after the initial launch, including issues during registration, which led to supporting banks having to rethink their verification processes. See our previous blog post on this here.

However, six months post the launch of Apple Pay there have been major changes in payments and mobile technology landscape that promise to be the first of many.

–          Retailers in the US have seen NFC payments double.

Rival mobile payment systems with strong backing from retailers have lost exclusivity with customers. For example, MCX member Best Buy has recently announced that it will support Apple Pay later this year.

–          Apple Pay’s Global Expansion Has Forced Market Acceleration of Competitive Offerings

Suggestions of Apple Pay launching into new countries has accelerated efforts by competitors in those regions including those supported by banks such as Zapp in the UK.

Most recently Google, Samsung and Microsoft have made moves to up their competitive offerings by acquiring companies and launching new products. Samsung has plans to use NFC and technology from its recent acquisition of Looppay which will allow its solution to interact with magnetic stripe-only readers, ensuring an easier roll out in the US and other countries which haven’t yet rolled out EMV and contactless readers.

At this time, not much is known about Microsoft Pay though it does appear that it will use Host Cloud Emulation (HCE) rather than Secure Element.

Google has also looked to HCE technology in its move towards launching Android Pay, leveraging its recent purchase of technology and intellectual property from the makers of the now defunct Softcard app (previously named ISIS).

Host Cloud Emulation is great for both Microsoft and Google as it gets around issues related to control of the Secure Element which usually lies with the mobile network operators (not so for Apple who has its own SIM and secure element). Google previously experienced issues with gaining access to the Secure Element as the MNOs (Mobile Network Operators) made life difficult for payments apps other than their own (of which Softcard was one), however there appears to be more cooperation now with some of the same companies now helping Google by agreeing to pre-install Google Wallet on all Android phones.

So what is the result of the disruption?

First, it has become clear that mobile payments can work. While mobile payment services have been launched before, Apple Pay seems to have been the first to make an impression in the mainstream. Expectations now are that the uptake of such services is likely to grow exponentially as Google, Microsoft, Samsung and others join Apple with ‘Mobile’ Pay services.

Secondly, such services have proven to make our lives easier, removing barriers and allowing us to make purchases in new ways. In particular, Google has shown it is fully on board as it indicated it is planning to provide a mobile payments layer for use by any app or API allowing developers to make use of payments without being distracted from their company’s core business model and requirements.

This is great in principle but one thing that should be remembered is that giving trust and capabilities to mobile apps needs to be treated carefully.

Mobile Fraud Gets Creative

New, advanced security measures are being offered in such systems, but we should all remember that fraudsters are experts at finding simple ways of circumventing advanced systems.

We have already seen fraudsters using fake social media accounts to send customers to phishing websites which steal usernames and passwords and then infect devices with SMS intercepting software. This demonstrates that even the most advanced systems can be defeated through tricks and fakery.

Rather than trying to defeat mobile app security, fraudsters are creating fake versions of mobile apps and then using social engineering techniques to trick consumers into using their version of popular apps. Currently this trend is used mainly to target banking apps, but as mobile payment APIs become more prevalent and are used by more and more apps, then fraudsters will widen their net, targeting any app making use of such APIs or being used to enter secure details which will ultimately allow the app to be used.

By downloading a fake app instead of the real one, the fraudster can then perform a wide range of actions, from simply stealing information entered into the app, to asking for additional information, to modifying the information that is used by the app.

Additionally, multi-channel multi-layered attacks are also prevalent, not only targeting the mobile payment, but the entire process around it, including registration processes using email or device verification, account management online, and use of offline transactions where the available balance is not known.

To combat this, banks, retailers, and now any app using mobile pay APIs need to also take a multi-layered approach to combating fraud.

Monitoring for fake mobile application hosting, social media and phishing attacks, fake and malicious app installs, credit and debit card sales on black markets, and discrepancies in transactions performed, must all be present in any anti-fraud strategy in the modern ‘Mobile’ Pay world.

Leave a Reply

Your email address will not be published. Required fields are marked *