Mobile Payments Solutions Found Secure; Consumer Security Adoption Concerns

January 10, 2013
Contacts: Denae Thibault, 617-973-3559, Denae.Thibault@bos.frb.org or Meghan Reilly, 617-973-3336, Meghan.Reilly@bos.frb.org

66% of Smartphone Users Do Not Password Protect Their Phone, Remaining Vulnerable to Security Threats

BOSTON - The weakest link in the mobile payments security chain may not be in the technology or the hardware, but rather, in the consumer.

"Mobile Phone Technology: 'Smarter Than We Thought,'" a paper recently released by the Federal Reserve Bank of Boston, finds that the ultimate broad adoption of mobile payments will be largely correlated with the security of each mobile platform; consumer education and stakeholder collaboration will be equally crucial to promoting widespread adoption. Where consumers tend to apply the minimum protections, security providers need to anticipate problems and incorporate risk mitigation tools where feasible.

According to a recent report, almost 66% of smartphone owners do not password protect their phone.[1] Poor user security practices, such as saving log-on credentials, increase potential risk when credentials are authorized to access payment applications.

"While the efforts to secure mobile payments are ongoing, many consumers neglect to take basic precautions," said Marianne Crowe, VP of Payment Strategies at the Federal Reserve Bank of Boston. "Consumer education is essential to increase the adoption of mobile payments, because there are many benefits to mobile payments being done right."

The paper examines the primary security differences between a mobile wallet and a digital wallet. The mobile wallet accesses payment credentials in a trusted environment known as the "secure element" within the mobile phone: an encrypted chip with keys that can only be opened using a password, from point of production to point of sale. With the secure element in place, the consumer must physically wave the phone over the terminal at the retail location in order for the transaction to be approved. The financial information on the secure element is separate from application data, meaning that phone providers have the ability to wipe out only financial information should the phone be lost or stolen.

The digital wallet stores the payment information on "the cloud," a secure remote server. Using cellular or Wi-Fi service, cloud-based mobile solutions send tokens or authorizations to the smartphone to initiate and authorize the payment at the point of sale.

"Vendors are making great efforts to protect payment information behind the scenes," said Elisa Tavilla, Payments Strategies Industry Specialist at the Federal Reserve Bank of Boston. "For example, some new cloud wallets utilize geo-location technology to locate customers using the GPS function, which further prompts the customer's name and photo to automatically appear on the merchant terminal."

While the culprit of mobile and digital wallet security risks may be the consumer, not the technology, payments stakeholders are still on the hook for staying ahead of threats. The paper finds that collaboration amongst stakeholders is essential to identify potential vulnerabilities, share applicable data, conduct security analysis of weak points in the mobile process, and determine who is responsible for fixing such weak points. The authors advise mobile payment stakeholders to share responsibility and work cooperatively to enhance mobile payment security and protect consumer privacy.

The report was authored by Marianne Crowe and Elisa Tavilla of the Federal Reserve Bank of Boston. It is available on the Bank's website (www.bostonfed.org) at the following link: http://www.bostonfed.org/bankinfo/payment-strategies/publications/2012/mobile-phone-technology.htm

[1] "2012 Identity Fraud Identity Report: Social Media and Mobile Forming the New Fraud Frontier," Javelin Strategy & Research, February 2012.