NFC security standards, perception must be improved

Near-field communications security standards are still not on par with the rest of the industry, and hacks and flaws are holding back consumer acceptance, industry watchers advise.
Written by Ellyne Phneah, Contributor

Near-field communications (NFC) payment security is good enough at a general level, but adherence to the IT industry's security standards and user perception that it is secure are still lacking, industry observers noted, adding that companies in the payment ecosystem should get on board.

According to Tarik Huasin, business development director of mCommerce at Sybase 365, while the current security posture of near-field communications (NFC) was already "adequate", there needed to be improvement in leveraging the existing standards for traditional payments. This includes the implementation of protocols such as the Triple Data Encryption Standard (3DES) for secure end-to-end payments, he remarked.

John Devlin, group director for security and identity at ABI Research, added that a key focus for payment and other secure services vendors should be to make sure they adhere to the strict standards and specifications built into NFC devices.

Huasin further elaborated that NFC applications could not be completely secure if devices were not. He likened it to the Internet, which was not secure on its own but relied on protocols such as Secure Sockets Layer (SSL) to ensure secure transmissions.

He explained that platform providers such as Apple and Google, with upcoming NFC services, must ensure that the platforms on which applications run are robust enough to support NFC mobile payments. However, it has been difficult to keep up with security because operating system platforms on mobile are fast-moving.

NFC not perfect yet
Huasin and Devlin were responding to news last month that researchers had managed to reset the PIN used on a Google Wallet account.

Huasin noted that the hack had been "disappointing" to the mobile payment industry, creating a negative perception around mobile wallets. However, he maintained these glitches were inevitable as the NFC industry is still in its infancy and experimenting with new technologies.

When approached by ZDNet Asia, Google reiterated a Feb. 11 blog post by Osama Bedier, vice president of Google Wallet and Payments, which encouraged users not to disable important security mechanisms such as the phone lock screen and said the company was taking actions such as toll-free assistance to help protect its users.

"Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet," Bedier wrote.

Devlin noted that security was the main area of doubt for consumers who were aware of mobile wallets but have yet to try them. According to him, the messaging by service providers has not been put across effectively.

Housewife Lye May Chok, for one, confessed that there was a "lack of education" on how mobile wallets were used and as such, she would not trust the service for payments.

Zann Tan, a student, also added that she did not understand the technology behind mobile wallets as service providers had not been able to explain it "in layman terms". "I would use it only if I knew why it was secure before the service comes out," she said.

Involve ecosystem, improve security perception and practice
Huasin advised that banks and traditional payment processors should get on board so that there would be more 'robust' testing of the system, and adoption of tried and tested payment security methods.

Only when more institutions and stakeholders "in the ecosystem" were involved would the NFC industry be more likely to spot issues and fix them, he said.

Devlin also added that to improve the poor perception of NFC security, the messaging from service providers must raise awareness of its security level--such as promoting how they made use of Europay, Mastercard and Visa (EMV) certifications and standards.

"Service providers and their partners need to pay careful attention to security as this is an issue for many potential users, and any bad perceptions created now through flaws and hacks could hold back user acceptance," he said.

For one, Southeast Asia's largest bank DBS had collaborated with Singapore telco StarHub and transport transactions company EZ-Link to develop an interoperable mobile NFC infrastructure and mobile payment service, which will be launched later this year.

StarHub also told ZDNet Asia that this upcoming NFC service will follow industry standards for secure payments and the different payment schemes of VISA and MasterCard.

Yeong Mun-Ling, the telco's vice president of business strategy, added that the company would focus on promoting how its device would be more secure--being tied to the SIM card instead of mobile devices.

Consumers must also learn to exercise "common sense" in using mobile payments, such as locking their mobile phone screens or not leaving their mobile wallets lying around, Devlin noted.

"If using payment services, people need to learn to treat their mobiles as they would their wallet, as well as applying common sense in terms of avoiding phishing emails and malware," he said. "Promoting this ahead of contactless services launching could make consumers become more aware and change their behavior accordingly."
