In the wake of the Target data breach in late 2013, which exposed the credit and debit card accounts of 70 million holiday shoppers, both investors and merchants have started searching for alternatives to upgrade outdated payments technology.
Are mobile point of sale (mPOS) systems part of the solution, or do they carry security risks of their own?
mPOS generally safer than traditional POS systems
A lot of focus has been placed on the need to roll out Chip & PIN credit cards in the US, but the security problem can also be attacked from another angle: the operating system.
The reason the Target data breach was possible is pretty straightforward: POS systems are actually PCs with a peripheral, such as a card terminal. Those computers run Microsoft Windows, and it has been speculated that this is the route the hackers used. Before the Target data breach, Visa received reports and confirmed the existence of malware called “Dexter”, which is able to steal sensitive data. Dexter affected only Microsoft Windows systems.
To fight this malware, Visa recommended merchants use anti-virus software, review its list of malicious domains and IP addresses, and block them in their firewall rule sets. In other words, the whole protection process is difficult, multi-tiered and requires information to be passed to many stakeholders in the retail chain, so the potential for problems or weak points in the system is high.
mPOS systems provide security updates in the cloud
Mobile payment service companies providing mPOS systems have acknowledged this issue and built their own systems on the mobile platforms iOS and Android. Since mPOS systems are based on the cloud, security updates reach all (mobile) devices simultaneously, as long as users download the latest version of the app.
To read the card data, most mPOS systems require a card reader connected either through the audio jack of the phone, as is the case with Square in the US, or via Bluetooth. However, since the hardware attached to the smartphone or tablet has the same function as the payment terminal attached to the traditional Windows-based POS system, the transaction data is protected at both the software and mobile platform levels.
iOS ahead in security
But which platform is the most secure? Well, the mobile OS market is a two-horse race between the iOS and Android operating systems (OS), with the latter currently enjoying a huge majority (70 per cent) of global market share.
Market share does not always guarantee security, and in fact all mobile OS security reports rank Android as the platform most targeted by malware. To put that into numbers, F-Secure’s mobile threat report is a good resource: it states that Android accounted for 99 per cent of all new malware threats that emerged in Q1 2014.
The same F-Secure report mentioned only one emerging malware type for iOS, which propelled Apple’s mobile OS to the top of the most secure mobile platforms alongside BlackBerry. As Apple’s security report reveals, iOS was created with security at its core.
But if you are an Android user, it does not mean that your smartphone or tablet cannot be used securely to receive payments.
Security measures for Android
This leads to the question: if you are a merchant using an mPOS system, how can you protect your Android device?
- The first part of the answer is pretty straightforward: since the OS is the target of malware, it is a good idea to install an anti-virus program on your device to scan all apps you download. There are several good free anti-virus programs to choose from.
- Even with an anti-virus program, do your best to only download legitimate apps without viruses. Android allows you to download apps outside Google Play, but it is not always a good idea. Even on Google Play there have been examples of apps with malware, so make sure you only download well-known and tested apps.
- Lock your phone: it may sound surprising, but manual installation of malware is still the most common route. By always locking your phone, you can prevent others from meddling with it.
iPhone users: keep your device up to date
There is one exception though: when a user jailbreaks the device. By doing so, the user strips away the protection against viruses that Apple built into the device through code signing: jailbreaking disables most of the code signing checks, opening the door to malware and viruses. If you buy a used phone, make sure it has not been jailbroken, and if you decide to jailbreak your own phone, you had better know what you are doing.
So protect your iDevice; always make sure you are running the latest version of iOS.