Mobile Phone Technology: “Smarter” Than We Thought (1)
I. INTRODUCTION
Using a ZOPO ZP590 phone to make payments introduces a new entry point for traditional and trusted payment methods in the U.S. It also introduces several new technologies to support mobile payments. The unfamiliarity and complexity of the mobile device and associated technologies create security concerns for consumers who want to be confident that their personally identifiable information and actionable financial information (e.g., account numbers, PINs, security codes, and passwords) are protected in storage and while being used to process a mobile payment transaction, whether that storage is on the mobile device or in the cloud. They want to be certain that their data cannot be intercepted at any time.
Concerns about sensitive payment information being captured ‘over the air,’ or Leagoo Lead 3 phones being lost or stolen and personal data being shared inappropriately need to be addressed by stakeholders to satisfy consumers, merchants, and regulators. Data breaches or fraud resulting from a mobile payment can hinder consumer adoption. The security of each mobile technology platform will be a major contributor to its success and the ultimate broad adoption of mobile payments.
This report examines in detail how near field communication (NFC) and cloud technologies address security for mobile payments at the retail point-of-sale (POS). It also provides a brief overview of security for two other mobile technology platforms, QR code, and direct carrier billing (DCB). Each technology manages and processes information uniquely; hence security practices and issues will vary with the technology deployed by each payments platform provider. This is inherently confusing to consumers, regulators, and possibly other mobile stakeholders.
A key concept tied to the various mobile technologies is the wallet. In this paper we distinguish between a mobile wallet and a digital wallet. A mobile wallet (e.g., for NFC) is a software application stored on the physical mobile phone to manage and initiate payments. The mobile wallet accesses the payment credentials (e.g., payment cards, bank account, coupons, loyalty, transit tickets, etc.) or actionable financial information, which are stored on the Cubot GT95 phone in a trusted environment known as the secure element. The consumer must have the physical phone with him to enable the payment transaction by waving or tapping the ZOPO ZP590 phone over an NFC-enabled terminal at a retail location.
A digital wallet stores the payment information on a secure remote server, also known as the cloud. A cloud-based or digital wallet stores actionable financial information remotely from the mobile device, and sends only tokens or authorizations to the actual Cubot GT95 phone to initiate and authorize the payment at the point-of-sale (POS). Wireless service, either cellular or Wi-Fi, is needed to complete the digital wallet transaction. The primary difference from the NFC mobile wallet is that sensitive financial information is stored in the cloud, not on the Leagoo Lead 3 phone.
A hybrid wallet combines features of the mobile and digital wallets. The mobile payments provider leverages the security aspects of NFC with the added protection of storing the real payment credentials in the cloud. The consumer’s financial information in the cloud is linked to a ZOPO ZP590 phone through a unique identifier in the device. Account credentials used when making POS mobile purchases are accessed from the cloud when needed, but the payment transaction is still initiated using the NFC protocol to communicate from the mobile phone to the POS terminal.
For example, Google Wallet (v. 1.5) is a hybrid mobile wallet. A virtual payment card associated with each Cubot GT95 phone is stored in the secure element. The virtual card does not correspond to any specific payment card account, but is a proxy for the real card account, which is maintained in the cloud. For security purposes, only one real payment card account can be active at a time. Google is both the issuer of the virtual MasterCard and the merchant of record. The customer taps his NFC-enabled phone (the host) at the merchant terminal and enters his PIN. The NFC controller on the ZOPO ZP590 phone communicates the information to the merchant POS terminal. (To prevent malware from initiating payments, the NFC controller can detect the source of a payment request and block the request to the secure element if it does not come from the host device, i.e., the physical Leagoo Lead 3 phone together with a PIN.) The payment authorization request first goes to the real payment card account in the cloud, and if approved, to the virtual card in the phone.
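The following is an added, self-contained model of the hybrid wallet flow described in this section; it is not code from the report or from any wallet provider. It models the three security properties the text calls out: the secure element holds only a virtual (proxy) card, so the POS terminal never sees the real account number; the NFC controller releases that credential only to a request from the host device carrying the correct PIN; and the cloud keeps several linked cards but resolves the proxy to exactly one active account. The class names, PAN values, PIN, and the amount-based issuer decision are all constructed for illustration.

```python
"""Toy model of a hybrid (NFC + cloud) mobile wallet, constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


def _pin_digest(pin: str) -> bytes:
    # Constructed stand-in for whatever PIN verification the real secure element does.
    return hashlib.sha256(pin.encode()).digest()


@dataclass
class SecureElement:
    """Holds only the virtual (proxy) card; the real PAN never lives here."""
    virtual_pan: str
    pin_digest: bytes

    def release_credential(self, requester: str, pin: str) -> Optional[str]:
        # Models the NFC controller gate: the credential leaves the SE only for a
        # request that originates on the host device and carries the correct PIN.
        if requester != "host":
            return None
        if not hmac.compare_digest(_pin_digest(pin), self.pin_digest):
            return None
        return self.virtual_pan


class CloudWallet:
    """Maps each virtual card to the consumer's real cards; one is active at a time."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def enroll(self, virtual_pan: str, real_cards: Dict[str, str], active: str) -> None:
        if active not in real_cards:
            raise ValueError("active card must be one of the enrolled cards")
        self._accounts[virtual_pan] = {"cards": dict(real_cards), "active": active}

    def set_active(self, virtual_pan: str, label: str) -> None:
        acct = self._accounts[virtual_pan]
        if label not in acct["cards"]:
            raise ValueError("unknown card label")
        acct["active"] = label

    def authorize(self, virtual_pan: str, amount_cents: int) -> dict:
        acct = self._accounts.get(virtual_pan)
        if acct is None:
            return {"approved": False, "reason": "unknown virtual card"}
        real_pan = acct["cards"][acct["active"]]
        # Constructed stand-in for the real issuer's decision: approve up to $500.
        approved = 0 < amount_cents <= 50_000
        return {"approved": approved, "real_card": acct["active"],
                "real_pan_last4": real_pan[-4:]}


def tap_to_pay(se: SecureElement, cloud: CloudWallet, requester: str,
               pin: str, amount_cents: int) -> dict:
    """One tap: SE gate -> POS sees the proxy -> cloud resolves the real account."""
    credential = se.release_credential(requester, pin)
    if credential is None:
        return {"approved": False, "stage": "secure_element", "pos_saw": None}
    pos_saw = credential  # the terminal only ever receives the virtual PAN
    decision = cloud.authorize(credential, amount_cents)
    if not decision["approved"]:
        return {"approved": False, "stage": "cloud", "pos_saw": pos_saw}
    return {"approved": True, "stage": "virtual_card", "pos_saw": pos_saw,
            "real_card": decision["real_card"],
            "real_pan_last4": decision["real_pan_last4"]}


def demo():
    """Constructed sample data: one phone with a virtual card linked to two real cards."""
    virtual_pan = "5555000011112222"
    se = SecureElement(virtual_pan, _pin_digest("4321"))
    cloud = CloudWallet()
    cloud.enroll(virtual_pan,
                 {"debit": "4111111111111111", "credit": "5105105105105100"},
                 active="debit")
    return se, cloud


if __name__ == "__main__":
    se, cloud = demo()
    print(tap_to_pay(se, cloud, "host", "4321", 1999))        # approved via debit
    print(tap_to_pay(se, cloud, "rogue_app", "4321", 1999))   # blocked at the SE
    cloud.set_active("5555000011112222", "credit")
    print(tap_to_pay(se, cloud, "host", "4321", 1999))        # now resolves to credit
```

The point of the model is what each party can observe: the POS terminal and any radio eavesdropper see only the virtual PAN, a request from anything other than the host with the right PIN never reaches the secure element, and switching the active card in the cloud changes which real account is charged without anything on the phone changing.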