The route to safer mobile payments with carrier billing

Mobile payments are fast and convenient, but fears around data security may be putting the brakes on more widespread consumer adoption. For the most part, those concerns are perhaps unfounded – if the right level of safeguards are in place, mobile payments can be made considerably safer than equivalent cash or card transactions. Dheeraj (Raj) Soni, President of Payments at DOCOMO Digital explains:


To begin with, modern smartphones have evolved to deliver sophisticated identity and access mechanisms like biometric fingerprint readers, iris scanning and facial recognition capabilities that make it harder for anybody other than the owner to use the device. Those defences can be further strengthened by secondary layers of protection in the form of pin numbers, patterns and passwords – essentially with forms of two-factor (2FA) or multi-factor authentication (MFA). Many smartphones also come with remote lock and wipe capabilities that disable access and delete stored information in the case of loss or theft.

When it comes to payments apps themselves, mobile wallets (eWallets) tend to encrypt any sensitive details like credit/debit card numbers, VCC numbers and expiry dates, while others make sure none of those details are stored on the phone itself. Some providers also use randomly generated token numbers which are not visible to the merchant when transactions are processed and are unique to each individual purchase.

…malware targeting smartphones and other mobile devices grew 50% percent year on year in the first half of 2019.

However, that doesn’t mean mobile payments are entirely immune to problems. Earlier this year retail chain 7-eleven launched an investigation into its mobile payments security after hackers stole 55 million yen from Japanese customers just a week after the firm’s payment app was launched across its 21,000 stores – a breach blamed on a lack of two-factor authentication in the app’s design.

A survey of 1200 IT security executives across Australia, Germany, India, Japan, the Netherlands, New Zealand and the UK conducted in November last year [2018] suggests concerns around mobile payment and smartphone security have not been completely allayed. The 2019 Thales Data Threat Report – Global Edition compiled by research company IDC identified common fears around hackers using mobile payments apps for account takeover and account fraud, as well as potential exposure of personally identifiable or payment card information (cybercriminals can fool users into downloading modified or disguised versions of eWallet apps that hide malware, for example).

Others doubt the strength of the authentication and merchant on-boarding protocols used by mobile payment apps, and see potential threats in jailbroken and rooted smartphones, cloned apps, malware, the use of mock locations for GPS verification data and clandestine installation of remote access software on the device. There is also evidence to suggest that some consumers may be put off using mobile payments because they are worried that criminals will use their photos to invade devices, apps and accounts which rely on facial recognition as part of the authentication mechanism.

Fortunately, there are multiple security tools and processes available to consumers, merchants, banks and payment providers which can minimise the risk of cyber criminals getting access to personal data, stealing funds or initiating fraudulent transactions when using mobile payments to buy goods and services.

Those include strong encryption, 2FA/MFA and strict password compliance, as well as using virtual private networks (VPNs) and avoiding public WiFi hotspots when inputting financial information for making transactions. The use of mobile malware clients too can reduce the chances of smartphones being infected by viruses and other malicious bits of code that could steal personal information that can be used elsewhere.

The Cyber Attack Trends: 2019 Mid-Year Report published by endpoint security firm Check Point earlier this year suggests malware targeting smartphones and other mobile devices grew 50% percent year on year in the first half of 2019. It attributes a key driver for this growth to a sharp rise in use of mobile banking and payment applications, with cybercriminals architecting and distributing malware – including the Triada, Anubis and Lotoor variants – deliberately designed to help them steal payment data, login credentials, and ultimately funds from customer bank accounts.

Elsewhere Alipay has reduced the chances of facial recognition algorithms being cracked by using 3D facial modelling and adding a second layer of password protection to stop hackers using photos, videos or software simulation to spoof access.

Mobile payment providers can also use sophisticated AI-powered threat intelligence engines to monitor mobile transactions in real time for evidence of fraud. DOCOMO Digital’s Billing Risk Manager was recently adopted by Turkcell to adjust user spending and subscriptions based on realtime monitoring of customer behaviour for example, learning bad debt thresholds to plug revenue leakage from its OTT business.

Ultimately no form of digital data is completely unhackable – determined, well-resourced cyber criminals will sometimes find a way.

Juniper Research too has pointed out the risks presented to sensitive financial data by techniques such as clickjacking or iframe masking in mobile web browsers can be mitigated by iframe blockers and intelligent fraud risk assessment tools.

Many regard direct carrier billing (DCB) orchestrated by telcos and mobile operators as one of the more secure methods of mobile payments currently available. When a purchase is made via DCB, fraud can only be committed if the perpetrator actually has access to and control of the device. Most DCB platforms use 2FA for sign-in and transaction authorisation, with a one off, per transaction pin number adding additional security. Third party payment providers often use threat intelligence and real time transaction monitoring to identify potentially fraudulent payments based on behavioural analysis and combination of data factors such as location, transaction amount etc.

Personal financial information is kept hidden from merchants and not transmitted during the transaction or stored on the device. A maximum allowed purchase value of £30 in most cases tends to limit the financial damage while telcos can enforce daily, weekly or monthly spending curbs that limit the attraction to hackers which have to work hard for comparatively little reward.

Ultimately no form of digital data is completely unhackable – determined, well-resourced cyber criminals will sometimes find a way. But in many respects, mobile payments are the most secure method of conducting financial transactions currently available to buyers of digital and physical goods and services and their security is likely to improve even further over time, especially with the innovation happening in this space.


Dheeraj (Raj) Soni, President of Payments, DOCOMO Digital