Is the Mobile Payments Security Problem Solved?
One of the major stumbling blocks to widespread adoption of mobile payments is concern that inadequate security safeguards leave consumers vulnerable to theft of personal and financial information.
Researchers at the University of Alabama at Birmingham (UAB) announced they have created a verification mechanism that uses ambient sound to close a security weakness in Near Field Communication (NFC)—a form of radio-frequency identification (RFID)—and so help prevent fraud carried out through mobile devices.
Mobile payment security concerns arise around relay attacks, also known as “ghost and reader” or “mafia fraud” attacks.
For example, while a consumer is paying a bill at a restaurant, a hacker may intercept the consumer’s account information and relay it to an accomplice who is making a purchase at another location, such as a jewelry store. The consumer’s account could be charged for both purchases, and by the time the fraud is detected, it may be difficult or impossible to apprehend the criminals.
The verification system developed by UAB researchers is designed to prevent these attacks by using a brief snippet of audio from the surrounding environment during the transaction to confirm that the user’s phone is physically close to the reader.
“If the audio signal between the phone and the receiver does not match, then the transaction is rejected,” says Nitesh Saxena, an assistant professor in the UAB Department of Computer and Information Sciences and a member of UAB’s Center for Information Assurance and Joint Forensics Research.
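The following Python script is an added illustration of the proximity check described above; it is not code from the UAB researchers or from their paper. It assumes that the phone and the reader each capture a short ambient-audio snippet at the moment of the tap, that the two snippets are compared with a Pearson correlation evaluated over a small window of time lags (to absorb propagation delay and clock skew between the two microphones), and that the transaction is accepted only when the best correlation exceeds a threshold. The recordings are synthesised with seeded noise so the script runs offline: a relayed transaction shows up as a reader snippet from a different acoustic environment, which fails to correlate with what the phone heard.

```python
import math
import random


def make_ambient(seed, n=400):
    """Constructed stand-in for the ambient sound of one physical location.

    A seeded noise sequence: the same seed represents the same room, so two
    microphones in that room hear correlated signals, while a different seed
    represents a different room (e.g. the remote store in a relay attack).
    """
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def record(environment, seed, noise=0.3, lag=0):
    """Simulate one microphone's recording of `environment`.

    The recording is shifted by `lag` samples (propagation delay / clock
    skew between devices) and perturbed with independent sensor noise.
    """
    rng = random.Random(seed)
    out = []
    for i in range(len(environment)):
        j = i - lag
        sample = environment[j] if 0 <= j < len(environment) else 0.0
        out.append(sample + rng.gauss(0.0, noise))
    return out


def pearson(a, b):
    """Normalised correlation of two equal-length sample sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    da = math.sqrt(sum((x - ma) ** 2 for x in a))
    db = math.sqrt(sum((y - mb) ** 2 for y in b))
    if da == 0.0 or db == 0.0:
        return 0.0
    return num / (da * db)


def best_correlation(a, b, max_lag=10):
    """Highest correlation over all alignments within +/- max_lag samples."""
    n = min(len(a), len(b))
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            x, y = a[: n - lag], b[lag:n]
        else:
            x, y = a[-lag:n], b[: n + lag]
        best = max(best, pearson(x, y))
    return best


def proximity_check(phone_audio, reader_audio, threshold=0.5, max_lag=10):
    """Return (accepted, score): accept only if the two snippets match.

    The threshold and lag window are assumed values for this demo, not
    parameters from the paper.
    """
    score = best_correlation(phone_audio, reader_audio, max_lag)
    return score >= threshold, score


def run_demo():
    """Legitimate tap versus relayed tap, using constructed recordings."""
    restaurant = make_ambient(seed=1)      # where the consumer's phone is
    jewelry_store = make_ambient(seed=7)   # where the accomplice taps

    phone = record(restaurant, seed=2, lag=3)
    local_reader = record(restaurant, seed=3)       # honest reader, same room
    remote_reader = record(jewelry_store, seed=4)   # reader at the relay target

    ok_local, score_local = proximity_check(phone, local_reader)
    ok_remote, score_remote = proximity_check(phone, remote_reader)
    return {
        "local_accepted": ok_local,
        "local_score": score_local,
        "remote_accepted": ok_remote,
        "remote_score": score_remote,
    }


if __name__ == "__main__":
    result = run_demo()
    print("same room  : accepted=%s score=%.2f"
          % (result["local_accepted"], result["local_score"]))
    print("relayed tap: accepted=%s score=%.2f"
          % (result["remote_accepted"], result["remote_score"]))
```

With these constructed inputs the co-located pair correlates strongly (roughly 0.9, since both recordings carry the same underlying signal plus independent noise) and is accepted, while the relayed pair correlates near zero and is rejected. A deployment would have to tune the threshold and lag window against real microphones, and would still need the usual cryptographic binding of the transaction to the reader, since ambient-audio matching only answers the question of physical proximity.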
According to a UAB report, mobile device experts estimate that payments using Near Field Communication-equipped cellphones will account for $240 billion in spending worldwide in 2012 and more than $670 billion by 2015. Industry research analyst firm Juniper Research predicts that global mobile payments could reach $1.3 trillion by 2017.
The UAB results are highlighted in a paper—Secure Proximity Detection for Near Field Communication Devices based on Ambient Sensor Data—presented at the European Symposium on Research in Computer Security.