Invisible payments inside mobile apps problem

Posted Monday, June 19, 2017 by RICHARD HARRIS, Executive Editor

Have you ever wondered how Uber automatically charges you for your ride without making you pull out your credit card or sign a receipt? "Invisible payments" like these are a growing trend, and aside from ride sharing, the technology is now being implemented by companies such as Amazon and major restaurant chains.

For brands, invisible payments enhance the consumer experience, as they remove any friction in the buying process. You pick what you want and you are done. Everything will be billed to you.

However, invisible payments are susceptible to hacker attacks because hackers can insert malware in the app and intercept user information, including credit card numbers and credentials. Proper invisible payment security differs from general mobile app security. In this article, Rusty Carter, security expert and current Vice President of Product Management at Arxan, will examine invisible payments and offer suggestions for how best to ensure protection when using them.


ADM: What are invisible payments and how do they work?


Carter: Simply put, invisible payments are seamless transaction platforms built into apps that consumers use to go about their day. The goal of invisible payments is for businesses to de-emphasize the transaction process and make purchasing goods and services as simple as possible - ideally with one scan or swipe of a finger.

ADM: How are companies implementing invisible payments today?


Carter: If you have used Uber or Lyft, you've already implemented invisible payments into your day-to-day life. While this process is still in its infancy, trials are happening everywhere. From the Amazon Go grocery store prototype to Dash, Reserve, and Tab for restaurant chains, a wide range of companies are moving to an invisible payment method to enhance customer experience and bring businesses into the 21st century. Even companies like ToneTab are implementing invisible payments to streamline the process of paying a bridge toll. What's more, some offerings are now including a gamification element to the payment experience, offering discounts to those who use their service or acting as a paperless "scratch card" loyalty program. In today's on-demand economy, users require an environment with little friction, so companies are quick to adopt such methods for payment, despite potential security concerns.

ADM: How can hackers exploit apps with invisible payment features?


Carter: Invisible payments are especially susceptible to hacker attacks because hackers can insert malware into the app and intercept user information, including payment information and credentials. As invisible payments become more second nature to consumers, this is especially hazardous. If their information is stolen, the flow of day-to-day life will be disrupted, and once notified of fraud, users will have the timely task of manually updating each of their invisible payment apps with their new payment information.

ADM: How are attacks on invisible payments different than other mobile app attacks?


Carter: Invisible payment attacks can have many of the typical mobile attack characteristics, and may focus on exfiltration of user data, keys and API information in order to create replay-type attack opportunities. What is unique about potential invisible payment attacks is the amount of choice the attacker has to generate financial gain from the attack, including but not limited to re-distribution of a fully-functional app impersonating the real version and connected to the real system that steals credit card numbers or other personal information.

ADM: What should companies do to better protect themselves?


Carter: Companies need to secure their apps at the binary code level, as well as protect the communication between the app and sensors/servers. Leaving this code vulnerable opens up the entire app to potential for compromise and reverse engineering, and as a result, leaves customers that trust the organization with their payment and financial information in unknown peril from theft or unauthorized charges.

Rusty Carter, Vice President of Product Management at Arxan

ADM: What should users do to ensure that their apps are effectively protected?


Carter: Users should be highly vigilant about the apps they download. Under no circumstances should an individual download an app if they are unclear about its security level. Make sure to read the fine print and know how the app provider plans to protect against hackers. Once downloaded, users should check their accounts regularly to make sure that they do not receive any unauthorized charges. Users should not compromise their operating system (root or jailbreak), and should follow good practices like turning on encryption of their device and, of course, having a screen lock! Hackers make a living by flying under the radar and stealing small amounts of money at a time.

ADM: How will invisible payments change in the next five years?


Carter: Although not quite mainstream yet, as IoT expands and wearable connected devices become the norm, the era of invisible payments is coming. It will be critical that everyone from organizations to users be proactive about security. With the adoption rate increasing so quickly, it makes it even more difficult for businesses and consumers to catch on and learn proper security protocol, likely leading to some major security incidents and growing pains. However, over the next five years organizations and users will learn how to properly secure and monitor their invisible payments and will grow to increasingly trust it as a primary component of their purchasing routine.
