What C-stores Need to Know Before Going Mobile
It's probably a given that every convenience store in the United States accepts credit cards, but probably just a few, if any, have used a mobile payment system. There are good reasons for that.
While no form of payment is totally secure -- cash can easily get stolen, checks can be forged and people can commit fraudulent charges with credit cards -- using a mobile device to make payments is such a new and emerging trend that the risks are not so apparent. Although measures are being taken to address mobile security flaws, hackers have already had success at intercepting the mobile payment process and diverting the funds to make fraudulent charges.
As mobile payment systems become increasingly popular with consumers, they will become more of a target for cyber thieves. Near Field Communication (NFC) is a subset of radio frequency identification (RFID) that limits the range of communication to within four inches. NFC payments -- used by both Google Wallet and Isis -- are set to triple, and mobile contactless payment transactions are expected to reach nearly $74 billion worldwide by 2015, according to mobile research firm Juniper.
Although most smartphones in the market today don't have NFC capability, 50 percent of them will by 2015, according to Gartner, a leading technology information research firm. In the meantime, there are other mobile payment systems available, which consumers are already adopting.
But how safe are these mobile payment options? Unfortunately, they can all be used fraudulently. According to news reports, Square, the mobile payment system that allows consumers to make credit card charges on their phones, has been hacked twice, and a security firm recently exposed a Google Wallet vulnerability that allowed hackers to bypass inserting a personal identification number. Mobile credit transactions made over wireless transmissions can be intercepted by anyone who is digitally eavesdropping on the line.
Ideally, NFC should be secure, as it is unlikely that an outsider with a tool called a "reader" could gather someone else's credit card information, due to the "four inches or less" communication range. However, it may be possible to create readers with more power and longer ranges, specifically to intercept NFC data from a farther distance. That data could then be used by cyber criminals to perform transactions without ever having the credit card number in hand.
Aside from NFC, there are other aspects of mobile phones that also handle two-way communication and are vulnerable to attackers who could intercept information. Mobile phone payments won't be secure until the mobile phone has more security controls such as antivirus software, file integrity monitoring -- which verifies that program and operating system files have not been compromised -- and controls to prevent consumers from "jailbreaking" their phones. Many mobile phone owners "jailbreak" or modify a phone's operating system to allow installation of unauthorized third-party applications. For example, a smartphone that uses a specific operating system may limit users to downloading only applications that are authorized by the phone maker. If a user jailbreaks the phone in order to download unauthorized software, that could destroy safety controls and the warranty.
Some of the mobile payment plans hold merchants accountable for fraudulent charges, and there are many ways those charges could happen. A thief could steal someone's mobile phone, which could contain credit card information for numerous cards. The thief could then use that information to make charges online or in person. Although paying with a mobile phone often requires a user to enter a password, passwords do not guarantee security. A thief could use computer tools that scan thousands of random numbers to discover the rightful owner's passwords within minutes.
Already, retailers are merging mobile applications and loyalty programs, and convenience stores are also developing mobile applications for customers. Any applications your company develops or provides should be checked by a third-party Internet security provider to check for vulnerabilities in the application.
One well-known retailer created an application that allowed the customer to put the store's cash card on a smartphone. The application created a bar code with the cash card's number. It was later determined that if a thief standing in the retailer's checkout line were to see the bar code and take a picture of it with a cell phone, he could then flash that bar code to use the funds in the account associated with it.
To explain a little more, once someone uses a cell phone to take a picture of someone else's bar code, that bar code is on two phones. It's on the phone of the rightful owner who paid cash for it, and it's on the phone of the thief who snapped a picture of the bar code. That thief could then use all the funds in the account associated with that bar code.
Because mobile payments are so new, it's too early to tell what all the risks are. But there are steps you can take today that will help mitigate risks posed to your customers and your business. The Payment Card Industry (PCI) Security Standards Council has not yet developed standards for payments made with mobile phones and tablets, but recommends that merchants assess their risk with the help of their Qualified Security Assessor (QSA).
Here are some additional tips:
• If you accept mobile phone payments, check the customer's identification. Some of the mobile payment plans display the device owner's photograph on the phone each time a charge is made. If the mobile payment does not display the owner's photograph, check the person's driver's license.
• When building a mobile payment system, work with a reputable, professional company with lots of experience. Then, before you begin using the system, make sure a third-party security provider tests it for vulnerabilities and flaws.
• Before you accept a mobile payment or use a mobile payment system, know how your processor is going to handle fraud. You should know who is liable, how fraud will be investigated and what, if any, penalties there are for merchants that have unknowingly signed off on fraudulent transactions.
• Review the mobile payments acceptance guidance for merchants and vendors.
Product Strategist Dale Gonzalez and Senior Security Engineer Eric Browning are information security experts at Dell SecureWorks. The company offers mobile consulting and mobile application security assessments, and works with organizations of all sizes to help them protect their information technology assets, comply with regulations and reduce security costs.
Editor's Note: The opinions expressed in this column are the author's, and do not necessarily reflect the views of Convenience Store News.