Hong Kong University Discovers Potential Threats in Mobile Payments

October 2, 2017 | By: Steven Anderson

We all know by now that security in mobile payments is one of the biggest concerns that anyone has about using this technology. No one relishes the thought of paying for a candy bar with a mobile device one day and opening up one’s life savings to pilferage the next. A host of advancements have emerged in the interim, and have given us a very safe experience. Yet despite the advances, there’s still room for improvement, as a Hong Kong university study recently noted.

The Hong Kong university study found several major loopholes in various mobile payment systems, loopholes that should be addressed as soon as possible. Reports suggest that the systems’ operators have already been briefed, and responses have already taken place, but it’s a cautionary tale sufficient for all concerned to keep watch on this new front. Hong Kong represents a comparatively small mobile payments market, especially compared to the Chinese market, which boasted around $5.5 trillion in transactions last year alone.

The Hong Kong study covered four major forms of data exchange: near-field communications (NFC), audio signals, magnetic secure transmission (MST), and quick response (QR) codes. It found that the token creation process could be interrupted by hackers using signal jammers, or by gaining access to a phone’s camera to record the image of a QR code.

Interestingly, Android Pay and Apple Pay were both immune to this threat as they used NFC. Only QR, MST and audio signals were vulnerable. Even the researchers noted that “absolute security” was impossible, and therefore some level of vigilance on the user’s part would always be necessary.

This is a vital point to take away from the whole proceedings: some amount of vigilance will always be necessary. That’s inescapable. It’s baked into the system. It’s no different than it is with credit cards or even with checks: we have to watch our own accounts for fraud, and we cannot expect the safeguards in place to always work forever without exception.

Granted, we can expect that advancements in security will carry on and address new problems as they emerge, but we’re still part of the security equation ourselves.