www.bancherul.ro
Online banking news publication



Security of mobile payments and digital wallets - ENISA report

Author: Bancherul.ro
2017-01-09 16:12

The European Union Agency for Network and Information Security (ENISA) has published a report on the security of mobile payments and digital wallets (see the attached document).


The primary objective of the paper is to produce guidelines that steer mobile payment developers and mobile payment providers towards recommended security controls which, if implemented, would help ensure that consumers, retailers and financial institutions are all safeguarded from cyber threats.


A secondary objective is to define minimum measures that should be followed by mobile payment providers in the EU, and to provide security recommendations for organisations wishing to provide mobile payment services within the EU.


The use of a mobile device to pay for goods and services represents a paradigm shift towards digital-only payments. It has been driven by consumers who wish to make purchases at retail stores or to transfer funds using a mobile “digital wallet”.


For most consumers the ability to pay by mobile offers greater convenience than carrying a traditional wallet with multiple credit and debit cards.


However, using a mobile wallet is not without risks. According to a 2015 survey among mobile payment users in the US “20 % affirmed their main security concern with regards to mobile payment is the possibility of someone intercepting their payment information or other data, while about 13 % feared their phones being hacked.”


Furthermore, in another survey of more than 900 security experts, only 23% believed that mobile payments are currently robust enough to keep personal information safe; nearly half of respondents (47%) felt that mobile payment applications offer no security, and 30% were unsure.


Therefore, despite the push towards mobile payments, security concerns remain paramount, and one could argue that consumer discomfort with the current state of play has inhibited mass adoption.


The explosive proliferation of viruses and malware affecting mobile devices alongside the very real danger of lost or stolen devices has instilled a sense of uneasiness in the consumer mind about the implications of losing a large part of their digital lives.


Add to this the second dimension of money, and the risk of unauthorised payments should a mobile device be lost, stolen or infected with malware, and mobile devices suddenly become guardians of our financial freedom; the consequences of losing a mobile, or of it being hacked or otherwise abused, escalate sharply.


In this document we have identified the following key threats:

- Mobile user threats: installation of rogue and malware applications, phishing and social engineering
- Mobile device threats: unauthorised access, lost or stolen device
- Mobile payment application and wallet threats: reverse engineering, tampering with the payment application and the use of rootkits
- Merchant threats: Point of Sale (POS) malware, man-in-the-middle (MiTM) and replay attacks
- Payment service provider and acquirer threats: payment system compromise and data connectivity compromise
- Payment network provider threats: token service compromise and denial of service
- Issuer threats: payment authorisation process compromise, token data compromise
- Mobile payment application provider threats: compromise of sensitive data, compromise of the user profile managed in the cloud, token compromise and denial of service attacks
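The merchant-side threats above (MiTM and replay) and the token-related threats are easier to reason about with a concrete model. The Python below is an added illustrative example, not code from the ENISA report or from this article, and it is a deliberately simplified, hypothetical scheme rather than any real payment network's protocol: a token service provisions a payment token and a per-token key to the wallet, the wallet computes an HMAC-SHA256 cryptogram over the transaction fields plus a strictly increasing counter, and the verifier rejects both a replayed message (counter already used) and a message whose amount was altered in transit (cryptogram no longer matches). The message format, field names and the counter rule are assumptions made for this example.

```python
"""Replay- and tamper-resistant payment authorisation: added illustrative example.

A hypothetical, simplified model (not ENISA's and not any payment scheme's real
protocol): the token service provisions a payment token and a per-token key to
the wallet; the wallet computes an HMAC-SHA256 cryptogram over (token, counter,
amount, merchant) for each transaction; the verifier checks the cryptogram and
accepts each counter value only once, so a captured authorisation cannot be
replayed and a message altered in transit fails verification.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def encode(token: str, counter: int, amount_cents: int, merchant_id: str) -> bytes:
    """Length-prefix every field so that no two distinct inputs share an encoding."""
    parts = [token.encode(), str(counter).encode(), str(amount_cents).encode(), merchant_id.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


@dataclass
class Wallet:
    token: str
    key: bytes
    counter: int = 0  # application transaction counter, strictly increasing per token

    def authorise(self, amount_cents: int, merchant_id: str) -> dict:
        self.counter += 1
        msg = encode(self.token, self.counter, amount_cents, merchant_id)
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self.counter, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "mac": mac}


class TokenService:
    """Verifier side: holds per-token keys and the highest counter accepted so far."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def provision(self) -> Wallet:
        token = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[token] = key
        self.last_counter[token] = 0
        return Wallet(token, key)

    def verify(self, auth: dict) -> tuple:
        key = self.keys.get(auth["token"])
        if key is None:
            return False, "unknown token"
        msg = encode(auth["token"], auth["counter"], auth["amount_cents"], auth["merchant_id"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["mac"]):
            return False, "bad cryptogram"  # forged or altered in transit
        if auth["counter"] <= self.last_counter[auth["token"]]:
            return False, "replay"  # this counter value was already accepted
        self.last_counter[auth["token"]] = auth["counter"]
        return True, "approved"


def demo():
    """Run the cases the threat list mentions; returns their verification results."""
    service = TokenService()
    wallet = service.provision()

    auth = wallet.authorise(1999, "merchant-42")
    genuine = service.verify(auth)
    replayed = service.verify(auth)  # the same captured message submitted a second time

    tampered = dict(wallet.authorise(500, "merchant-42"))
    tampered["amount_cents"] = 50000  # man-in-the-middle raises the amount in transit
    altered = service.verify(tampered)

    later = service.verify(wallet.authorise(500, "merchant-42"))  # wallet continues normally
    return genuine, replayed, altered, later


if __name__ == "__main__":
    for label, result in zip(("genuine", "replayed", "tampered", "later"), demo()):
        print(f"{label:9s} -> {result}")
```

The order of checks matters: the cryptogram is verified before the counter is consumed, so a forged message cannot burn a legitimate counter value, and the counter is only advanced on a fully verified message. Real tokenisation schemes differ in key hierarchy and message layout, but the two properties shown here, a per-transaction cryptogram over all authorised fields and single-use freshness, are what defeat the replay and MiTM attacks listed above.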


Given that mobile payments are still a very nascent industry, without clear standards and with a heavy reliance on industry self-regulation, it is vitally important that guidelines are produced to steer mobile payment developers and providers towards recommended security controls which, if implemented, would help ensure that consumers, retailers and the financial institutions that underpin the ecosystem by processing and clearing transactions are all safeguarded from cyber threats.


This is precisely the paper's primary objective. As a secondary objective, it defines minimum measures that should be followed by mobile payment providers in the EU and provides security recommendations for organisations wishing to offer mobile payment services within the EU.


The study also identifies a number of recommendations to mitigate the threats identified:

- Customers should follow a number of minimum security measures that are required to use their application securely
- Mobile OS providers should ensure that their OS is regularly updated to fix any identified security issue that may jeopardise the integrity, confidentiality or availability of the system or its data
- Mobile payment application developers should make the security measures applied to the application visible to clients when offering it to them
- Mobile payment providers should have a reliable and accurate fraud monitoring system that detects transactions outside the customer's baseline
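The last recommendation, a fraud monitoring system that detects transactions outside the customer's baseline, is the one with a directly testable shape. The Python below is an added illustrative example, not from the ENISA report or this article: it builds a per-customer baseline from a constructed transaction history and screens new transactions on four signals (amount far above the customer's usual spend, a country never seen before, an hour outside the customer's usual window, and a burst of transactions in a short period). The transaction tuple format, the sample data and every threshold are assumptions made for this example; a production system would tune them per portfolio and combine them with scheme-level signals.

```python
"""Baseline fraud monitoring: added illustrative example, not the ENISA report's design.

The transaction tuple format, the sample data and every threshold below are
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample history: (customer_id, ISO timestamp, amount_eur, country, merchant)
HISTORY = [
    ("c1", "2016-12-01T09:10", 12.50, "RO", "coffee"),
    ("c1", "2016-12-03T12:40", 45.00, "RO", "grocery"),
    ("c1", "2016-12-05T18:05", 8.20, "RO", "transport"),
    ("c1", "2016-12-08T20:30", 30.00, "RO", "restaurant"),
    ("c1", "2016-12-12T08:15", 22.75, "RO", "fuel"),
    ("c1", "2016-12-15T13:00", 15.00, "RO", "pharmacy"),
    ("c1", "2016-12-20T19:45", 60.00, "RO", "clothing"),
    ("c1", "2016-12-28T11:20", 9.99, "RO", "coffee"),
]

# Constructed new transactions to be screened, in arrival order
NEW_TXS = [
    ("c1", "2017-01-09T12:30", 18.00, "RO", "lunch"),         # ordinary
    ("c1", "2017-01-10T03:15", 850.00, "NG", "electronics"),  # large, abroad, at night
    ("c1", "2017-01-11T14:00", 9.99, "RO", "vending"),
    ("c1", "2017-01-11T14:02", 9.99, "RO", "vending"),
    ("c1", "2017-01-11T14:04", 9.99, "RO", "vending"),
    ("c1", "2017-01-11T14:06", 9.99, "RO", "vending"),        # fourth within 10 minutes
    ("c2", "2017-01-11T15:00", 5.00, "RO", "coffee"),         # customer with no history
]

VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX_PRIOR = 3  # flag when this many earlier transactions fall inside the window


def build_baselines(history):
    """Per-customer statistics derived from past transactions."""
    by_customer = defaultdict(list)
    for row in history:
        by_customer[row[0]].append(row)
    baselines = {}
    for cust, rows in by_customer.items():
        amounts = [r[2] for r in rows]
        hours = [datetime.fromisoformat(r[1]).hour for r in rows]
        baselines[cust] = {
            "mean": mean(amounts),
            "stdev": pstdev(amounts),
            "max": max(amounts),
            "countries": {r[3] for r in rows},
            "hour_min": min(hours),
            "hour_max": max(hours),
        }
    return baselines


def score(tx, baseline, recent_times):
    """Return the reasons a transaction falls outside the baseline (empty list = normal)."""
    _, ts, amount, country, _ = tx
    t = datetime.fromisoformat(ts)
    reasons = []
    # Amount well above usual spend: beyond mean + 3 sigma and above any past amount
    if amount > baseline["mean"] + 3 * baseline["stdev"] and amount > baseline["max"]:
        reasons.append("amount_outlier")
    if country not in baseline["countries"]:
        reasons.append("new_country")
    # One hour of slack either side of the hours seen in the history
    if not (baseline["hour_min"] - 1 <= t.hour <= baseline["hour_max"] + 1):
        reasons.append("unusual_hour")
    prior = [r for r in recent_times if timedelta(0) <= t - r <= VELOCITY_WINDOW]
    if len(prior) >= VELOCITY_MAX_PRIOR:
        reasons.append("velocity")
    return reasons


def monitor(history, new_txs):
    """Screen new transactions in arrival order; returns [(tx, reasons), ...]."""
    baselines = build_baselines(history)
    recent_times = defaultdict(list)
    results = []
    for tx in new_txs:
        baseline = baselines.get(tx[0])
        if baseline is None:
            # No history to compare against: a candidate for step-up authentication, not auto-approval
            results.append((tx, ["no_baseline"]))
            continue
        reasons = score(tx, baseline, recent_times[tx[0]])
        recent_times[tx[0]].append(datetime.fromisoformat(tx[1]))
        results.append((tx, reasons))
    return results


if __name__ == "__main__":
    for tx, reasons in monitor(HISTORY, NEW_TXS):
        print(tx[0], tx[1], f"{tx[2]:.2f} {tx[3]}", "OK" if not reasons else ", ".join(reasons))
```

Run as a script, the ordinary lunch purchase passes, the night-time 850 EUR purchase abroad trips three signals at once, only the fourth vending-machine purchase in ten minutes trips the velocity rule, and the customer with no history is routed to a separate path rather than silently approved. Requiring both the sigma and the historical-maximum condition for the amount rule keeps a customer with a few large past purchases from being flagged on every mid-sized one.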