Mobile Payments 
A brief history of [in]security
Mobile payments at the till 
QR codes/bar codes 
Bluetooth beacons 
NFC contactless
Mobile payments landscape in Canada
• Mobile payments growing faster than card-based contactless payments
• 22% of smartphone owners made a payment with a mobile phone (most via online banking)
• 4/10 of those mobile payers do more than one payment per month on their phone
• Barriers to in-store payments: only 1 in 6 phones have NFC today (but 1 in 2 by 2018)
• Fragmented wallets: need a specific bank on a specific carrier
Data from Technology Strategies International Inc. – Canadian Payments Forecast 2013
Canada at a tipping point
Consumer adoption
Technology enablement
Merchant support
Added value
Bar code / QR code payments
• Starbucks introduced a payments feature to its app in Canada in November 2011
• Simply add a gift card or buy a new one, then display the bar code to the barista to complete a transaction
Benefits
• Can work on any smartphone. You just need a display, not NFC.
• Relies on existing gift card infrastructure.
• Customers already familiar with using gift cards “get it.”
• Ties into the loyalty program that awards gold stars.
Popular option
• Starbucks has 12 million mobile users in the U.S. and Canada (July)
• 15% of all U.S. sales made via the app
Double double down on mobile payments
• Tim Hortons updated the TimmyMe app to include mobile payments in December 2013
• Similar to Starbucks, bar codes are an option. Also, NFC payments on BlackBerry devices.
• Trial period focused on several stores in the St. Catharines area
Security question: What’s in a bar code?...
Donut hole or loop hole?
• TimmyMe app asks for the 16-digit number displayed on the back and the secret code behind the scratch-off part
• But only the 16-digit number is encoded in the bar code
• The bar code is a PDF 417 code that can be generated by Internet tools and mobile apps
• A bar code bandit could read the 16-digit number, generate their own bar code, and wait for someone to load money onto the account
Our vulnerability testing process:
I buy a card in Toronto
I tell the 16-digit number to Jude in Vineland
Jude generates a PDF 417 bar code with a free app
Jude buys a cruller and coffee at Timmy’s, displays the bar code
Transaction approved. My card is debited $2.59
TimmyMe: secured
• Low-risk security vulnerability: you lose the $20 you are willing to store on a card
• Low motivation for thieves to steal coffee and donuts; no access to credit card data
• The principle at stake: building trust in the mobile device as a payments gateway
• Tim Hortons did fix the problem when it publicly opened up payments across Canada by adding encryption to the bar code
• It did not receive any reports of lost money due to the flaw
The other guys?
• “We are currently in a very small pilot market which helps control the exposure, unlike some of our competitors who are widely using this same technology throughout North America.”
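To make the “what’s in a bar code?” question concrete from the defender’s side, here is an added example (not Tim Hortons’ code, and not the encryption-based fix the slide mentions): a bar code whose payload is only the static 16-digit number is a replayable credential, while a payload bound to a per-card secret, a timestamp and a nonce can be verified at the till and rejected when forged, stale or replayed. The sample card id, the secret derived from the scratch-off code, the 60-second validity window and the `Till` verifier are all assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets

TOKEN_TTL = 60  # seconds a displayed bar code stays valid (assumed policy)

# Constructed sample values, not a real card: a 16-digit card id and the per-card
# secret the app would derive at enrollment from the scratch-off code it verified.
CARD_ID = "1234567890123456"
CARD_SECRET = hashlib.sha256(b"scratch-off-code-demo").digest()


def signed_payload(card_id, secret, now, nonce=None):
    """Bar code payload the app would display: id|timestamp|nonce|tag.
    The tag is an HMAC under the per-card secret, which never leaves the app,
    so knowing the printed 16-digit number alone is not enough to reproduce it."""
    nonce = nonce or secrets.token_hex(4)
    msg = f"{card_id}|{int(now)}|{nonce}"
    tag = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{msg}|{tag}"


class Till:
    """Server-side verifier: checks the tag, freshness and single use."""

    def __init__(self, secrets_by_card):
        self.secrets = secrets_by_card
        self.seen = set()  # (card_id, ts, nonce) tuples already redeemed

    def accept(self, payload, now):
        parts = payload.split("|")
        if len(parts) != 4:  # a bare card number is not a valid token
            return False
        card_id, ts, nonce, tag = parts
        secret = self.secrets.get(card_id)
        if secret is None:
            return False
        msg = f"{card_id}|{ts}|{nonce}".encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered token
        if not ts.isdigit() or abs(int(now) - int(ts)) > TOKEN_TTL:
            return False  # stale token
        if (card_id, ts, nonce) in self.seen:
            return False  # replayed token
        self.seen.add((card_id, ts, nonce))
        return True
```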
‘Hands free’ payments
• A Bluetooth low-energy beacon communicates with an app on your phone
• Customer signs in on phone to authenticate, can stay signed in
• Cashier sees customer information on POS terminal and checks them out
• Payments processed via PayPal account
Security issues with BLE transactions
• Long-distance transmissions between mobile device and beacon could be intercepted. Could hackers use the UUID for gain?
• Denial of service attacks – overload POS terminals or mobile device with BLE signals and disrupt payments
• Considered a card-not-present transaction
PayPal = incumbent
Mobile payments: A history of [in]security
Conan on Apple Pay
“Because the company I want to trust with my wallet is the same one that leaked my nude photos on iCloud.”
Apple’s patent for tokenization – 2009
Apple’s developer guide to Apple Pay – 2014
How could it be hacked?
Not impossible but…
• Thief has to steal your device with the token stored on it
• Log into your account and access Passbook
• Successfully mould your fingerprint onto weird gel stuff
• Use the fake fingerprint at a checkout without drawing suspicion
• Avoid having the device disconnected from payments via the “Lost my iPhone” app
Where’s Touch ID in this picture?
Thank you 
Have a coffee on me. 
6086 9932 5718 3454* 
*Requires generating your own PDF 417 bar code. Be sure not to type spaces when inputting the number.
Editor's Notes

  • #2: Opener: conduct an in-room survey of people who have used mobile payments by show of hands: Who has used a contactless payment via NFC chip with an app offered by a bank? Who has used PayPal to check-in-to-pay with their phone? Who has used a bar code display payment at a Tim Hortons? Who has used a bar code display payment at a Starbucks? Who has used another app I haven’t mentioned here yet? I’m fascinated by mobile payments. On my phone I have Starbucks, Tim Hortons, SmoothPay, and PayPal.
  • #4: Almost all growth in mobile payments is e-commerce sales and online bill paying through banking apps. It’s expected that by 2017 there will be 3 million regular mobile payment users in Canada. By 2018 half of smartphone users will be able to make contactless payments with their smartphone. Examples of mobile wallets in Canada today include: Rogers Suretap, which also requires a prepaid MasterCard account. Rogers also partnered with CIBC for its mobile payment app. CIBC later also added Telus to the carriers that support its mobile wallet. TD Bank offers its tap-to-pay app on the Bell, Rogers and Telus networks, but requires a TD Bank Visa card. RBC offers its mobile payments app on the Bell network. The carrier must verify the identity of the mobile wallet owner because account information is embedded on the device’s SIM card, so the carrier must be involved to provision the card.
  • #5: Canadians must have phones that can make payments (often NFC enabled). Merchants must accept payments with the right POS systems. Digital wallets must offer value you wouldn’t get from your normal wallet. Once that friction is removed, consumer adoption is more likely. Think of security as the glue that holds it all together. If merchants or consumers feel mobile payments aren’t secure, they will never adopt them.
  • #6: Show of hands again for users of the Starbucks app? Who pays with it? Starbucks is regularly pointed to as the best example of executing mobile payments in the market.
  • #7: The trial period started in Southern Ontario with displaying bar codes, although the app was updated for everyone who had it installed, and if you asked at other Tim Hortons locations you could sometimes use it. The security question at hand: if the method of payment is to display a bar code at the cash, how is that bar code generated?
  • #8: Darryl Burke, a security consultant based in Newmarket, Ont., who runs Burke Consulting, tipped us off to this loophole. Like Starbucks, the TimmyMe app had the same apparent security measure of requiring an extra code behind scratch-off material to add a gift card to the app. But that information isn’t required to generate a working bar code in another app that generates PDF 417 bar codes.
  • #9: At the time of the breach, Tim Hortons issued this interesting statement to us at ITBusiness.ca. Tim Hortons wasn’t the only one to struggle with this gift card conundrum. But we’ll come back to that later.
  • #12: PayPal processed $180 billion in transactions in 2013. $27 billion were mobile transactions, mostly ecommerce related. Just this week PayPal announced it’d be splitting away from parent company eBay next year. The reason is to focus on the mobile payments market.
  • #13: PayPal sought to defend its position in the mobile payments market by poking fun at Apple for the iCloud hacking incident.
  • #14: They weren’t the only ones to make the connection between offering a digital wallet and the recent security breach. Speculation was that Apple might use its own BLE technology, iBeacon, to enable mobile payments. This technology was included in iPhone models starting with the iPhone 5. But by using the NFC and secure element (SE) method, Apple can have “card present” transactions and a lower rate. So whereas PayPal relies on cloud technology to store payments information, Apple’s system does not.
  • #15: The thing is, your financial data isn’t being stored in the cloud with Apple Pay. No credit card data is stored on Apple servers or sent to third parties. Tokenization is used to store a cryptographic sequence that authenticates payment card information with the payment processor.
  • #16: The token is stored on a secure element separate from the rest of the phone’s system. Touch ID is required on the iPhone 6 to complete a payment – biometric authentication.