"Phoney" Security Dooms NFC Payments as "Disaster Waiting to Happen"

In an article posted on InfoSecurity.com they report what the folks at NFC Data, Inc. have known for years...namely that several industry experts claim that mobile phones are reliant on insecure platforms and it would be "foolish" to utilize them for NFC payments. 

The story below provides the reasoning behind why NFC Data designed, developed, patented and is releasing to the market, a secure NFC enabled device (reader/writer and viewer.)  Utilizing biometrics, along with an encrypted PIN Pad (hard-wired to the CPU) the SDK slot allows for unlimited expansion which means that Sqwizz  can store "unlimited" cards and PINs for anytime use.  

Are mobile wallets secure enough to stop cybercriminals?

03 June 2011 - InfoSecurity.com

Pan-European cellular giant Telefonica O2 has this week announced plans to launch a mobile wallet system using NFC (near field communications) technology, but a number of pundits are saying that, whilst the NFC technology is secure, mobile handsets are not... read more

According to Ira Winkler, president of the Internet Security Advisors Group, NFC payments are a disaster waiting to happen. Any sort of financial transaction, he argues, requires much more than minimal security.  When you get down to it, he says, NFC-driven systems on mobile phones are reliant on insecure platforms, namely the mobile phone. "Until there are significant improvements in the underlying security of smartphones and tablets, it would be foolish to use these technologies", he says in his latest security blog.

Related articles

• Broadcom says up to 15% of all phones sold next year will have NFC (intomobile.com)
• NFC is more than just mobile money (venturebeat.com)
• SCM Microsystems releases new NFC reader module for commercial app developers (silicontrust.wordpress.com)
• CNBC Interview: Protecting Your "Digital Wallet" (mylookout.com)

Mercator Report: Authentication at the Edge: NFC, Smartphones, and a New Model for Payments Confidence

Security is an integral part of NFC Data's, Sqwizz

Boston, MA -- With NFC on the near-term horizon, the number of smartphones in the U.S. with this new security capability will number in the tens of millions within a year. This flood of highly capable devices will provide new security and fraud mitigation possibilities for payment accountholders, financial institutions, merchants, government, and other enterprises.

Growing in popularity with consumers, these devices offer the critical convenience features necessary for consumers to participate in security steps such as PIN entry to specific apps, fingerprint reading, etc.

Mercator Advisory Group's new report Authentication At the Edge: NFC, Smartphones, and a New Model for Payments Confidence examines the potential of the smartphone in security applications as it evolves to include hardware-based security via NFC, NFC's Secure Element card number storage, as well as potential biometric applications.

Findings of this report include:

• Projections for the installed base of NFC-equipped smartphones in the North American Market by Q1/2012.
• Context-specific, layered identity authentication provides a solid approach that does not break existing relationships among transaction participants.
• As e-commerce merchandising and payment methodologies move into the physical point of sale environment, these clicks-at-bricks transactions will require strong payment credential authentication.
• The availability of NFC facilities improves authentication services for m-banking, e-commerce, m-commerce, and POS payments.
• Biometrics managed at the edge of the network by the device owner offer new layers for authentication surety without imposing the challenge of biometrics management on participants.

"Authentication is the heart of payments and online security. Smartphones with hardware-based security capability, especially via NFC and fingerprint readers, will give consumers, enterprise users, and the government unprecedented control over their payment and security interactions," statedGeorge Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service. "The payments network has done an excellent job with network-based intelligence, but it is time to put intelligence into the devices accessing those networks from the very edge. Smartphones with hardware security features bring contextually appropriate authentication power to the problem of risk-based assessments.

One of seven exhibits in this report:





This report is 29 pages long, with seven exhibits and three tables.

Companies mentioned in this report include: Broadcom, Apple, Isis, AT&T, Verizon Wireless, T-Mobile, Discover, Barclaycard, Gemalto, Giesecke & Devrient, AisleBuyer, Facebook, Amazon, Google, SK Telecom, First Data, CASSIS International, TSYS, Visa, MasterCard, Discover, Microsoft, Prime Sense, Omnicom, Barbarian Group, Cheil Worldwide), and Razorfish, Publicis, ID-U Biometrics, Disney, Blue Planet Apps, Bank of America, and INSIDE Secur.

Members of Mercator Advisory Group have access to this report as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits.

Please visit us online at www.mercatoradvisorygroup.com.

For more information and media inquiries, please call Mercator Advisory Group's main line: (781) 419-1700, send E-mail to info@mercatoradvisorygroup.com.

Follow us on Twitter @ http://twitter.com/MercatorAdvisor.



About Mercator Advisory Group
Mercator Advisory Group is the leading, independent research and advisory services firm exclusively focused on the payments and banking industries. We deliver pragmatic and timely research and advice designed to help our clients uncover the most lucrative opportunities to maximize revenue growth and contain costs. Our clients range from the world's largest payment issuers, acquirers, processors, merchants and associations to leading technology providers and investors.

Related articles

• TazTag debuts NFC Android tablet at CeBIT (android-tablet.org)
• How NFC Shopping Will Save You Money While You Wave Your Phone Like A Loon (fastcompany.com)
• Visa invests in Square credit card reader (intomobile.com)

Payments News Roundup April 1-15th

ONLINE AND MOBILE PAYMENT SYSTEMS

NFC Data Introduces Encrypted NFC Reader/Writer and Viewer
The anticipated proliferation of Near Field Communication technology has prompted a fledging company to create a device that features contactless functionality consumers would use to make payments, store loyalty cards, and communicate with NFC-enabled smartphones and posters. NFC Data Inc.’s Sqwizz device is a key fob that looks similar to popular small MP3 music players. The front of the device features a light-emitting diode screen and scroll buttons to navigate a menu. The back has a secure PIN pad consumers would use as a security measure to access and use the device’s multiple areas.
Isis outlines US contactless m-payments pilot; Sprint preps rival service. AT&T, Verizon and T-Mobile say their mobile commerce joint venture will begin piloting its contactless payments technology in Salt Lake City in early 2012. Meanwhile, Sprint Nextel, which is not part of the JV, hopes to beat its rival telcos to the punch by rolling out a similar service by the end of the year.

With Payfone, AmEx Bolsters Its Mobile-Payments Initiative. Displaying its newfound mobile-payments fervor for the second time in just over a fortnight, American Express Co. on Wednesday announced it was investing in a startup called Payfone Inc. and would integrate Payfones technology with its new Serve mobile-pay platform. Founded in 2008, New York City-based Payfone uses a consumers mobile-phone number to authorize purchases. Its system potentially could make it easier for AmEx to capture more payment transactions and expand abroad, especially where conventional payment cards are scarce.

Secure Vault Payments Will Go Mobile Later This Year with Bar Codes, Exec Says. The new application will rely on so-called Quick Response (QR) bar codes to interact with users handsets. Users will then be able to pay from their checking accounts using SVP, a system that lets consumers pay billers or merchants by authorizing automated clearing house transactions. Once the user has scanned a QR code for SVP displayed on a bill or on a screen, his handset will take him to an authentication page, says Brierley-Jones. This method mimics the existing SVP flow for e-commerce transactions, in which consumers selecting SVP at checkout are directed to a page where they enter their online-banking credentials and then authorize a transaction they want to do with an online merchant.

Visa Boosts Spending Visibility and Makes Compliance Easier for Businesses. Visa IntelliLink Compliance Management converts commercial card transaction data into information that card program managers at government agencies and private sector enterprises can use to minimize and deter commercial card misuse, such as using cards for personal expenses. A complement to the Visa IntelliLink product suite, this new service gives organizations a more detailed view of commercial payment program data, complementing existing card management and issuer reporting systems for a 360 degree view of commercial payment solution activity.

BANKS AND BANKING

La Caixa introduces contactless ATMs. Instead of inserting their cards in a slot in the ATMs, customers tap their contactless plastic against a reader and enter their PIN.

CREDIT, DEBIT, GIFT & PREPAID CARDS

Bridge2 Solutions Adds Virtual Gift Card Delivery Giftango Selected to Power Solution. Giftango Corporation, a virtual eGift card company, will power virtual gift card delivery for Bridge2 Solutions. Giftango fulfills virtual gift cards through incentive and loyalty channels.

How POS Cash Back on Debit Is Crimping ATM Transaction Growth. The Fed, which asked respondents for data for 2006 to 2009, says point-of-sale debit transactions, both of the signature and PIN variety, grew at a compounded annual rate of 14.8% in the study period. PIN debit, which accounts for the overwhelming majority of cash-back transactions at the point of sale, grew 15.6% to 14.5 billion transactions in 2009. About one in 38 total debit transactions included cash back.

Prepaid Programs Reshape Healthcare. The Centers for Medicare and Medicaid Services (CMS) does allow health plans to issue payment cards to seniors for the purchase of OTC items at drug and grocery stores, but only if the retailer can identify the eligible items and limit the payment card to those items. Retailers have a significant interest in working with the health plans and in most cases have point-of-sale systems capable of identifying and netting out the eligible products, but until recently no such card solution existed.

E-Gift Cards Breathe Life Into Closed-Loop Market. In recent years, the open loop gift card market has grown swiftly while its closed loop counterpart has been stagnant. Last year, the Mercator Advisory group said the closed loop card market would grow at a compound annual rate of 26.7 percent over three years, but over the past few years that segment has seen only about 1 to 2 percent growth annually.

Wells Fargo to Pilot EMV Chip Technology for International Travelers. Wells Fargo & Company (NYSE:WFC) is piloting the Visa Smart Card, which includes the traditional magnetic stripe along with EMV chip technology, helping increase card acceptance worldwide. The pilot is the industrys first chip program by a national bank and includes 15,000 Wells Fargo consumer credit card customers who travel internationally.

SECURITY BREACH

Legal eagles present a relatively soft target with troves of valuable corporate intelligence that cyberspies crave. Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on a new weapons system or software, for example. Firms that represent clients in mergers and acquisitions, or civil litigation, are getting hit, including when their clients are involved with deals involving Chinese companies.

Better Business Bureau Warns Of First Phishing Attacks In Wake Of Epsilon Breach. If you are a customer of one of the companies that had email data stolen, the BBB is warning you to be on the lookout for phishing emails. An email sent from a fake “Chase Bank,” one of the companies whose data was compromised, warns that “your account will be deactivated or deleted if you do not update your profile immediately.” The email instructs you to update your account by clicking on the link provided. “Although the email sounds urgent since it appears to be from your bank, do not click on the link and input your bank account number or social security number.

Phishing email titled ’2011 Recruitment Plan’ hit RSA user inboxes, stole user credentials — but no word on exactly what the attackers grabbed. Turns out the targeted attack that exposed RSA’s SecurID technology started with one of the oldest tricks in the book: a phishing email with an infected attachment, according to new details revealed today by RSA and security analysts.

Related articles

• The 2011 Contactless Monkey Award Finalists - Trailblazing & Innovation (krowne.wordpress.com)

Verifone CEO on Securing Mobile Payments

See Video here: VeriFone CEO on Securing Mobile Payments

Start-Up Says Fob Is Key to Contactless Payments

American Banker  |  Wednesday, March 2, 2011

By Will Hernandez

NFC Data Inc. is reintroducing the key fob form to contactless payments with its Sqwizz mobile decoupled debit card.

Sqwizz looks similar to popular small MP3 music players. A contactless decoupled debit card would sit at the front of the device. Users would link the card to any checking account via the automated clearing house system.

Though many companies are working to build contactless into mobile phones, NFC Data argues that this development path for the technology does not eliminate the audience for other forms.

"There are a lot of compelling reasons why NFC [phones] can be complemented by a device that fits on your key chain and not cannibalized by the phone and vice versa," said Ken Mages, NFC Data's co-founder and co-chief executive.

NFC Data, of Chicago, has an agreement with a Silicon Valley-area company to distribute 100,000 Sqwizz devices in August, Mages said.

NFC Data is positioning Sqwizz as more than just a payment device. It also is intended to mimic functions an NFC-enabled smartphone might perform, but at a lower cost.

For example, Sqwizz can communicate with near-field communication tags in smart posters, exchange data with NFC-enabled smartphones, store multiple loyalty cards and redeem coupons.

The front of the device features a light-emitting diode screen and scroll buttons to navigate a menu. The back has a secure PIN pad consumers would use as a security measure to access and use the device's multiple functions.

<>

www.ePINDebit.com www.e-PINDebit.com www.iPINDebit.com www.PINDebit.mobi