Security Risks Analysis of Mobile Payments
With the development of the mobile internet and the rise of online shopping, a variety of mobile payment methods (such as magnetic stripe e-cards and near-field payment) are being introduced, and each claims to be secure. But we consumers are the ones who ultimately pay, so it is necessary to understand how these payment methods work.
1. Digital certificate technology
A security certificate is stored on the mobile client, and an SSL connection is built when accessing the payment server, which ensures the client is not connecting to a phishing site; through the session key negotiation mechanism, the data transmitted over the Internet is ciphertext. This technology mainly handles man-in-the-middle attacks on the network, but it cannot deal with a Trojan stationed on the phone that monitors payments and steals the user’s credentials and keys.
2. Username and password
Username and password is the most traditional identification method. A password must be both complex and easy enough to remember, which places a great burden on user memory and password storage, so users usually adopt a birthday or telephone number and reuse the same password for multiple applications. With current computing power, such a password is easy to crack by brute force; in addition, password input on the phone terminal is easily stolen by a Trojan. Because complex passwords are hard to remember, each application offers a password recovery mechanism. However, that mechanism becomes the focus of attackers: retrieving the user’s password under a fake identity makes it easy to take control of the user’s account.
3. Captcha
A captcha is a randomly generated code entered during a transaction to prevent automated, repeated attacks. Sometimes the verification code is involved in the transaction itself; sometimes it only adds trouble for users. Captcha was originally designed to force a human to participate, preventing a Trojan from operating in the background. With the development of image recognition technology, current verification codes are very vulnerable!
4. OTP
OTP (One Time Password) is a one-time password technology: each transaction uses a different password. The earliest OTP was a scratch card with many preset passwords printed on it; the user enters one according to the coordinates the UI prompts for. Then the Digipass came out: each transaction password is generated by the Digipass device and synchronized with the server. Some OTP schemes ask the user to enter a challenge number that is generated from the transaction data, so the transaction data participates in generating the password. OTP technology mainly prevents the risk of passwords being stolen, but it cannot guard against a Trojan tampering with the transaction data on the trading terminal.
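To make the difference between a plain synchronized OTP and a challenge-type OTP concrete, here is an added example (not from the original article or from any vendor’s product): a counter-based code with a server-side resynchronization window, and a variant that mixes a challenge derived from the transaction data into the code. The shared secret, the transaction values and the Trojan’s tampering step are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample secret shared by the user's token and the payment server.
SECRET = b"constructed-shared-secret"
DIGITS = 6
SYNC_WINDOW = 3  # counter values the server looks ahead to resynchronise

def challenge(amount: int, payee: str) -> bytes:
    """Challenge number derived from the transaction data shown to the user."""
    return hashlib.sha256(f"{amount}|{payee}".encode()).digest()[:4]

def otp(counter: int, chal: bytes = b"") -> str:
    """HOTP-style code (RFC 4226 truncation). With a non-empty challenge the
    code is bound to the transaction data, as in the challenge-type OTP."""
    digest = hmac.new(SECRET, struct.pack(">Q", counter) + chal, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def server_verify(state: dict, code: str, amount: int, payee: str, bound: bool) -> bool:
    """Server-side check. The look-ahead window keeps token and server in sync
    when a code is skipped; each counter value is accepted once, so a stolen
    code cannot be replayed. With binding, the challenge is recomputed from the
    data the server actually received, so tampered data gives a different code."""
    chal = challenge(amount, payee) if bound else b""
    for c in range(state["counter"], state["counter"] + SYNC_WINDOW):
        if hmac.compare_digest(otp(c, chal), code):
            state["counter"] = c + 1
            return True
    return False

def demo(bound: bool) -> bool:
    """The user approves 100 to 'bookshop'; a Trojan on the terminal changes
    the amount to 9000 after the code was produced. True if the server accepts."""
    state = {"counter": 5}
    shown_amount, shown_payee = 100, "bookshop"
    chal = challenge(shown_amount, shown_payee) if bound else b""
    code = otp(5, chal)  # produced by the token for the data the user saw
    return server_verify(state, code, 9000, shown_payee, bound)

if __name__ == "__main__":
    print("plain OTP accepts the tampered amount:", demo(bound=False))  # True
    print("transaction-bound OTP accepts it:", demo(bound=True))  # False
```

The bound variant only catches tampering that happens after the challenge is generated; a Trojan that alters the data before the challenge is displayed still wins, which is why the challenge has to be checked on a device the Trojan does not control.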
5. Cellphone binding and SMS verification
Binding the user’s mobile phone to the account is a security measure that almost all current payment methods use. It can achieve the following functions:
A: SMS notifications of transaction details enable users to discover unauthorized transactions as soon as possible; this is after-the-fact protection;
B: Transaction verification SMS lets the user’s phone participate in the transaction to prevent Trojan attacks;
C: Password recovery SMS sends verification information to the cellphone to verify the user’s identity;
D: Transaction link SMS sends the transaction address directly to the cellphone to prevent the user from entering a phishing site.
From a security perspective, phone binding is a second-channel technique: it assumes attackers cannot attack both channels simultaneously, and relies on that assumption to ensure transaction safety. The cellphone, as the precondition of the second channel, rests on the service provider trusting the holder’s identity. But the question is: do you really trust the identity of the phone holder?