Cellum Insights

The top five mobile payment security risks

Guest post by Cellum Senior Advisor Balázs Dobos

In every area of technology, rapid development inevitably produces new vulnerabilities and risks. Whether the technology involves cars, airplanes, spaceships or software, moving forward means identifying and neutralizing such vulnerabilities, if possible by having the producer and users of the technology cooperate in making it as safe and reliable as possible.

In the case of new payment technologies it is crucial to understand that discovering system vulnerabilities will not give users greater confidence, even if the flaws identified do not involve meaningful risks. Instead, anxiety and prejudice tend to trump facts and small disappointments overshadow big positive developments. As a result, companies often choose to hide their mistakes or take dangerous, calculated risks in an attempt to avoid panic – or simply to cut costs. Our goal at Cellum, however, is to eliminate all such vulnerabilities in advance, and to involve users in our drive to maximize safety in mobile payments. That is why we have decided to highlight what we believe are the top five most common risks and vulnerabilities associated with m-payments:


1. Risks connected with vulnerabilities in the GSM or CDMA standards that are used by payment service providers. For reasons of convenience, many providers are using, for example, messaging protocols as the data transmission system. But these protocols do not provide the desired level of encryption security, which makes it possible for fraudsters to intercept data streams and “sniff” them on the fly. Any sort of data can leak this way, especially payment authentication information. By contrast, Cellum’s technology uses a special double 2048-bit electronic signature and encryption for the whole data stream traveling to and from your mobile device, which makes such fraud impossible because of the time needed for decryption. Moreover, this digital signature is unique for every single registered device.

2. The second vulnerability involves spyware and malware programs, which can intercept information entered by the user on the device, such as a PIN code, a password or any other payment data. Protect yourself from this threat by using antivirus software and by only downloading applications from trusted sources. Cellum’s application incorporates knowledge- and device possession-based double form authentication, so even if the password is stolen, the device and the SIM card have to be copied to imitate a real transaction.

3. Risks associated with substitution of the POS terminal device, as in the case of near-field communication (NFC) technology. IT security expert Charlie Miller has developed several such devices based on the Android operating system. These hacked terminals can be used from a distance of 20 centimeters from your device – a distance suitable for a train, lift or any crowded place – allowing malware to be uploaded and run on your device, and facilitating fraudulent NFC transactions. This vulnerability exists because of problems with the technology itself, and has been overlooked by operators seeking to quickly enter the market. Cellum guards against this threat by using DESFire technology with 256-bit AES encryption and authentication.

4. In the absence of bilateral system authentication in mobile payment systems users face a risk from false payment data requests. Thus, it is always worthwhile to pay extra attention to the source of the payment request.

5. Last but not least, there is the simple threat of physical theft of the device. If you do not block your m-payment account speedily after losing possession of an associated device, fraudsters can attempt to use it to pay for goods or services or to transfer money from your account. This problem is especially acute for service providers that store all your security information on your device and do not demand the proper authorization for transactions. For its part, Cellum’s application requires a six-digit alphanumeric mPIN code to initiate the digital signature needed to complete any transaction.

While these are the basic risks and fears associated with the use of m-payment systems, always remember that it is a fast-moving field and that ensuring safety is always a two-way process. At Cellum we have processed over 100 million m-payment transactions over the past decade with a 0.00% fraud rate, but we know that holding on to this record requires 24/7 vigilance.