Security Implications of Target’s Proposed Mobile Payment System

Leave your front door wide opened and see what happens. More than likely you’ll suffer a home invasion. Better yet, why not just hang a sign on your door inviting in violators?

Leave your network and computer systems unsecured and you are asking to be compromised. You’re advertising your vulnerabilities, and unless you fortify and strengthen technical safeguards, you too will become a sad statistic, one your clients will be ill-inclined to trust and one that could easily affect your bottom line adversely.

Batten down the hatches and take precautions

Target, after suffering a huge and widely publicized cyber-attack, has taken the events very seriously in an effort to provide consumers with improved confidence. Who wouldn’t, after somewhere between 40 and 70 million in customer’s credit and debit card data was breached? That included card names, numbers, expiration dates and CVV codes as well. Target was the victim of what has been described as rather unsophisticated malware.

Opportunistic cyber-attacks are more common than those directed, referred to as targeted, at a particular company or entity, an approach that might include multiple generic actions and multiple targets with the prospect of at least one or more hitting pay-dirt.

Malware isn’t even one of the most popular methods currently utilized by culprits, reporting only 2.7% of recent cyber-attacks. According to Hackmageddon October 2015 Cyber Attacks Statistics, the following summarizes recently reported cyber-attacks:

• * Unknown – 34.7%
• * Targeted – 18.7%
• * Website Defacement – 12%
• * SQLi – 12%
• * Hijacked Accounts – 5.3%
• * DDoS – 4% (Distributed Denial of Service)
• * Malvertising – 4%
• * Magento Vulnerabilities – 2.7%
• * Malware – 2.7%
• * Bitcoin Malleability – 1.3%
• * PoS Malware – 1.3%
• * Electronic Devices – 1.3%

Cyber-attacks against individuals and companies is growing at an alarming rate, faster than the U.S. GDP. Security breaches, according to the Global State of Information Security Survey 2015, increased 38% from just one year ago.

The breach to Target’s payment system brought to everyone’s attention how vulnerable we all are. The convenience of the internet and ecommerce means that financial information is available electronically, including to those intent upon stealing it.

Diminishing risk requires diligence by companies and individuals. Monitoring your credit card purchases closely and carefully, more frequently than the monthly statements, is a start. Even small transactions are initiated by hackers, so it’s important to review your purchases frequently and in detail. Check your credit report periodically as well.

Target’s security software systems did their job and raised the red flag but the human element failed. Six months prior, Target installed a $1.6 million malware detection system with 24/7 monitoring. The Target security operations center (COS), based in Minneapolis, MN, was alerted on November 30. The Target COS failed to heed the warnings.

Companies need to step-up their own monitoring as well. A Verizon study found that only 31% of companies identify breaches through self-monitoring. It’s even more abysmal for retailers, in the 5% range.

Balancing security with consumer convenience

The new strategy among retailers is the mobile wallet, and Target is no exception. The obsession with the smartphone as a mobile office, particularly among millennials, along with their growing buying power, provides sufficient momentum to retailers in particular to move the products forward. According to a recent U.S. Federal Reserve survey, the under 30 demographic is by far the dominant participant currently using the mobile wallet.

Target’s strategy includes the development of a mobile payment system. Sources have indicated that they may be ready to launch a mobile wallet during 2016, and have initiated a significant system test. Customers will be able to use it to make purchases with their mobile phone. CurrentC and Apple Pay are also said to be under consideration, and in various stages of development.

Walmart has announced the launching of Walmart Pay, their own mobile wallet, using QR codes to make the purchase transaction.

Target may have opted against QR codes to process their mobile payments. The criticism is that QR codes are not sufficiently secure and certainly no more secure than most existing online payment systems. NFC is considered a better risk. Near-Field Communication is a more secure process. It works in close proximity to the 2 devices both containing the NFC chip in a 2-way, or via a one-way communication where the device reads &/or writes to the NFC chip. The communication, both active and passive, create a secure channel and when sending uses encryption. Furthermore, the element contains a digital signature which is protected against software and hardware hacks, in mobile phones or in the cloud.

Still, concerns over the growth of identity theft cannot be minimized, and ensuring you select only the most secure of devices and aps particularly when accessing bank data and personal information must reign tantamount.

All and all, maintaining security remains a process, not an end in itself. It requires ongoing diligence to stay up to date and on top of the latest.