Are mobile payments safe?

04 April 2023

By AusPayNet

A recent article in the Daily Mail warned Australians of "the dangers of saving their credit card details on their mobile phones so they have digital tap-and-go convenience." This blog considers these purported dangers – by reviewing specific payment-related statements in the article – and demystifies them, concluding in fact that mobile payments are safe.

Statement 1 - Your virtual phone wallet acts as a digital copy of your card, meaning if hackers can access your phone - they can potentially swipe your card details, too.

The article disagrees with itself on this (critical) point. It later states that "while a credit card is stored on the Wallet app, the actual card numbers aren't stored on the device or on Apple servers, meaning security risks are low."

To understand how this process works in more detail, it is worth recalling that card payments security has traditionally relied on two forms of customer authentication: "something you have" (the card) and "something you know" (which will be discussed shortly). On a physical card, there are three data elements:

• the Primary Account Number (PAN) – the 14- to 19-digit (but most commonly 16-digit) "long" number on the front (most commonly) or back of the card;
• the expiry date of the card;
• the Card Verification Value (CVV) – the three- or four- digit number found on the back (most commonly) or front of the card.

The first of these is used in all card transactions, both at point-of sale (POS) and in e-commerce (i.e. online). The latter are only used online. At POS, the "something you know" is your Personal Identification Number (PIN) for payments over a threshold; online, the "something you know" is the CVV.

Anyone stealing your card can therefore use those details online and can use the card itself under the PIN threshold (they could also potentially steal or guess your PIN). Similarly, anyone stealing the data elements used online, where they are stored in a readable form, can use those details again online, as unfortunately happens in large-scale data breaches.

Cards stored in digital wallets operate differently, and those differences make them more secure, not less. Digital wallets do not store the real PAN; instead, they store a token which represents the PAN. The token itself is a surrogate, non-sensitive value, unique to that device and stored in its secure element, which has no use if stolen. The token becomes the "something you have", and the "something you know" is replaced by "something you are" (a fingerprint or facial biometric). The article acknowledges this: "… Apple Pay purchases have to be authenticated with Touch ID or Face ID, so no information can be sent without the user authenticating it, as part of its design."

Together, the use of tokenisation and biometrics adds to the security of card payments. Indeed, tokenisation is also best practice in the storage of card details online, to mitigate the data breach risk mentioned earlier.

Statement 2 – 'I'm sure hackers do it everyday [sic] - find out either how they can copy it or steal that digital card and they could potentially use it.'

As noted above, digital wallets do not store the real PAN; instead, they store a token which represents the PAN. That token cannot be used use if copied or stolen.

Additionally, the relevant payments card industry protocols require a unique cryptogram per payment. This cryptogram is checked by the card issuer’s systems, making replay attacks (where card data is listened to in-flight and then reused in a separate payment) impossible.

Statement 3 – 'When you've got a tap-and-go with a card, the card has no internet connection: you tap it and all the information is done essentially offline, then the transaction is sent through the internet'.

Australia often leads the way in digital payments. One example is the fact that, contrary to the above, Australia uses online PIN, meaning that merchants’ POS terminals communicate directly with card issuer systems online. As a result, where a PIN is used, the card issuer is able to authenticate the consumer in real-time (hence you will see "approved" on the POS terminal a short time after you tap).

In the context of the article, the statement above could be inferred to mean that offline is safer. In fact, the authentication provided by online PIN provides a level of security over offline markets (e.g. the United States) where no or very basic authentication is used (e.g. no PIN, or signature).

As explained above, digital wallets go one step further, in using biometric authentication: "something you are" rather than just "something you know".

Statement 4 – Consumers have to tap their card in the right spot to make a payment, which … demonstrated how a criminal with a skimming device would need to stand particularly close to a customer to get their credit card details from the chip.

A common myth is that a criminal could stand close to someone and, using a skimming device, extract enough card data to make a counterfeit card or an online purchase. However, in fact, such mobile skimming devices cannot collect enough data from the card to clone a contactless card or complete an online purchase.

In the context of the article, the statement above could be inferred to mean that the risk of data capture is higher with digital wallets (perhaps due to some misconception around Near Field Communication, or NFC). In fact, a mobile phone’s NFC controller ensures that payments are only conducted with POS terminals which are in close proximity. And as noted above, card data is in any case tokenised.

Statement 5 – Apart from the risk of being mugged, cash may be the safest option.

Cash remains a valid payment method in Australia, albeit one that is – as the article notes – currently in decline, even though bank notes in circulation are at record levels.

Australians will form their own judgment on the risk of being mugged.

However, as the payment volumes cited in the article suggest, many Australians now prefer the security (and convenience) of digital payments, including those made through digital wallets.