The use of mobile payments is on the rise! According to industry data, mobile wallets are used by more than two billion people globally, with many millions more adopting mobile payments every year. In 2021 a total of 25.7% of Point of Sale (POS) payments were performed using mobile wallets and 44.5% of eCommerce transactions were performed using mobile wallets, increasingly replacing cash and contact-based payments.
The pandemic only accelerated the adoption of mobile wallets. But this increased adoption has also attracted the attention of attackers and criminal organizations, and it heightens the need for robust, state-of-the-art application security.
What are mobile wallets?
Mobile wallets enable consumers to use their smartphone, smartwatch, and other smart wearables (e.g. rings, bracelets) to make contactless payments over NFC¹, MST², and QR codes. Often mobile wallets also offer related functionality such as membership and loyalty cards, gift cards, peer-to-peer payments, and in-app payments.
Since the introduction of Apple Pay and Google Pay in 2014, many banks and fintech companies worldwide have introduced mobile wallets. While Apple has not enabled third-party developers to use NFC on its iPhones, Google has. This has led to the development of many mobile wallet solutions for Android by dozens of technology providers and banks.
In practice, there are two types of mobile wallets:
- OEM (Original Equipment Manufacturer) wallets: These mobile wallets are produced by the smartphone vendor and secured by the proprietary hardware security technology (e.g. Trusted Execution Environment or Secure Element) on the device itself.
- Third-party wallets: Third-party apps, like PayPal, do not have access to the proprietary hardware security technology on the device. Third-party mobile wallet developers include both technology providers, which typically supply payment Software Development Kits (SDKs) such as an HCE³ SDK, and the parties that integrate those payment SDKs into the final mobile payment application.
Are mobile wallets secure?
In order to reduce the risk of fraud, HCE mobile wallets use tokenization. Tokenization is a process in which sensitive information, such as the credit card's PAN⁴, is replaced with a token. A token is a randomized sequence of numbers whose use can be restricted, for example to a set number of transactions or to a maximum payment amount.
While HCE and tokenization are designed to reduce the risk of fraud, mobile wallets still process payment data which can be abused by malware and criminal organizations to perform payment fraud. Though payment tokens can’t be reverse-engineered back to your credit card number, theft of these payment tokens enables criminals to perform fraudulent payments at the expense of legitimate mobile wallet holders.
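As an added illustration (not code from this post or from any real wallet or payment network), the constructed Python token service below shows the two properties described above: the token is drawn at random rather than derived from the PAN, and every authorization is checked against the token's use-count and amount limits, so a copied token is worthless once it has been consumed or falls outside its limits. Class and function names are the example's own.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

# Constructed example: a minimal token vault that replaces a PAN with a random
# numeric token and enforces per-token usage limits at authorization time.
# Amounts are in minor units (e.g. cents). Not the code of any real system.

@dataclass
class TokenRecord:
    pan: str          # the real card number, held only inside the vault
    max_uses: int     # how many payments the token may be used for
    max_amount: int   # largest single payment the token may be used for
    uses: int = 0

class TokenVault:
    TOKEN_DIGITS = 16

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def issue(self, pan: str, max_uses: int, max_amount: int) -> str:
        """Return a fresh token for `pan`. The token comes from a CSPRNG and
        carries no information about the PAN, so it cannot be reversed offline."""
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(self.TOKEN_DIGITS))
            if token not in self._records and token != pan:
                break
        self._records[token] = TokenRecord(pan, max_uses, max_amount)
        return token

    def authorize(self, token: str, amount: int) -> tuple[bool, str]:
        """Check a payment against the token's limits; consume one use if approved."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.uses >= rec.max_uses:
            return False, "use limit reached"
        if amount > rec.max_amount:
            return False, "amount exceeds limit"
        rec.uses += 1
        # Only here, inside the vault, is the token mapped back to the PAN for clearing.
        return True, f"approved for PAN ending {rec.pan[-4:]}"

def demo() -> list[tuple[bool, str]]:
    vault = TokenVault()
    # Single-use token, capped at 50.00, for a constructed sample PAN.
    token = vault.issue("4111111111111111", max_uses=1, max_amount=5000)
    return [
        vault.authorize(token, 6000),        # too large: declined
        vault.authorize(token, 4000),        # within limits: approved, consumes the only use
        vault.authorize(token, 100),         # a stolen or replayed token is now worthless
        vault.authorize("not-a-token", 100), # token never issued
    ]
```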
The future of mobile payment security
As with cash, checks, and cards, mobile wallets are subject to fraud and abuse. With the increased adoption of mobile wallets and the continued growth in the use of smartphones for everyday tasks and for payments in particular, mobile wallets are becoming an increasingly attractive target for attackers. This trend is also clearly visible in the increase of exploited zero-day mobile vulnerabilities, up 466% in 2021, and in the vast and growing amount of mobile malware, with over 2 million new strains in 2021.
In order to secure mobile wallets, Original Equipment Manufacturers (OEMs) have the option of using the hardware security capabilities mentioned above. For third-party mobile wallet developers, however, this isn't a viable option because of fragmentation in OEM technology and the limitations OEMs place on using the platform security capabilities. In addition, experience has shown that OEM platform technologies, like the Trusted Execution Environments (TEEs) embedded in smartphones, are themselves subject to attack, with a continuous flow of reported zero-day vulnerabilities and exploits.
As smartphones continue to be untrusted devices, mobile wallet solution developers need to protect the mobile wallet application and keep their security posture up-to-date and ahead of the continuously evolving attacker capabilities and attacker tooling.
How Zimperium enables mobile wallet security
Before launching for public use, mobile payment solutions must be certified by the card brands (Visa/MasterCard) or EMVCo. Zimperium's Mobile Application Protection Suite (MAPS) helps mobile payment solution developers build secure and compliant mobile applications and get their apps security certified and ready to publish quickly.
MAPS takes a holistic view of mobile application security by helping your developers find and fix compliance, privacy, and security issues before the app is released, protecting your cryptographic keys and tokens so they can't be extracted or stolen, keeping your source code and data safe from hackers, and protecting your apps from advanced attacks once they're on the market. Delays in deployment are a critical stumbling block, and with Zimperium on your side, you can be confident that you'll get it right the first time.
While security is a continuous cat and mouse game, Zimperium MAPS provides proven and ongoing protection for your mobile applications, even against the newest attacks and attacker tools.
Zimperium, Inc. is a global leader in mobile device and app security. The Zimperium Mobile Application Protection Suite (MAPS) helps enterprises build safe and secure mobile apps resistant to attacks. It is the only unified platform that combines comprehensive in-app protection with centralized threat visibility. The platform provides app shielding, key protection, app scanning, and runtime protection capabilities. Contact us today to learn how to secure mobile wallets.
¹ Near Field Communication (NFC) is a technology that allows two devices in close proximity to communicate over the air.
² Magnetic Secure Transmission (MST) is a technology in which a magnetic field is generated to mimic the magnetic stripe on a credit card.
³ Host Card Emulation (HCE) is a technology used in the payment industry to virtualize credit card information in software. Prior to HCE, payment transactions were mainly performed using Secure Elements (e.g. the physical chip on a debit or credit card).
⁴ The Primary Account Number (PAN) is the unique sequence of digits (typically 14 to 19 digits long) printed on a credit card.