Today, we look at the last part of the mobile wallet infrastructure: the Payment Network Provider. This is where all of the mobile wallet payment transactions are finally processed and settled. In other words, this is the leg where your payment to the Merchant comes back as “approved”, and from there, you are allowed to take your products and goods home with you.
It is also at this point that the highest levels of security are implemented, such as the use of tokens. Here we go:
From the standpoint of the Payment Network Provider
This subcomponent of the Mobile Wallet Infrastructure attempts to settle the transaction between the Acquirer and the credit card Issuer. In this regard, tokens are often created as a proxy for the actual credit card number. A token is essentially a fictitious number which is used to hide or “mask” the actual credit card number.
It should be noted that the tokenization service is actually outsourced to a “Token Service Provider”. The Cyber attacker will primarily target this area by trying to capture the token lookup tables in order to determine how the tokens were actually mapped.
These lookup tables contain information on how the tokens were individually created and how the validity of each token was determined (in other words, checking its integrity and determining whether the token has been altered in any way).
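A minimal sketch of the lookup table described above, as an added example that is not from the original post or from any Token Service Provider: a random token stands in for the card number, and an HMAC tag on each row lets the vault detect a mapping that has been altered. The class name `TokenVault`, its methods, and the card numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Illustrative token lookup table: token -> card number plus integrity tag."""

    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key  # assumption: stored apart from the table itself
        self._table = {}         # token -> {"pan": ..., "tag": ...}

    def _tag(self, token: str, pan: str) -> str:
        # The tag binds the token to the card number it stands for.
        msg = f"{token}|{pan}".encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        # Random digits: the token has no mathematical relation to the card number,
        # so it can only be reversed through the lookup table.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._table:
                break
        self._table[token] = {"pan": pan, "tag": self._tag(token, pan)}
        return token

    def detokenize(self, token: str) -> str:
        row = self._table.get(token)
        if row is None:
            raise KeyError("unknown token")
        # Validity check: recompute the tag and compare in constant time.
        if not hmac.compare_digest(row["tag"], self._tag(token, row["pan"])):
            raise ValueError("integrity check failed: mapping was altered")
        return row["pan"]


def demo():
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenize(pan)
    round_trip_ok = vault.detokenize(token) == pan
    # Simulate a row altered directly in the table without knowledge of the key.
    vault._table[token]["pan"] = "4000000000000002"  # constructed value
    try:
        vault.detokenize(token)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return token, round_trip_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Because the tag is keyed, a captured copy of the table alone does not allow a row to be rewritten so that it still validates, which is why the key is assumed to live outside the table.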
Another threat to this subcomponent is known as the “Denial of Payment Services” attack. This is similar to a Denial of Service attack, but instead of an ordinary server being flooded with malformed data packets, it is the Token Service Provider that is bombarded with them, in an effort to halt the token creation process.
In summary, this series of blogs has examined some of the subcomponents of a Mobile Wallet Infrastructure, as well as the kinds of Security threats and risks which are posed to it.
It is important to keep in mind that although the primary interface is the Mobile Wallet, there are a lot of other pieces which are required to make the entire process function smoothly.
In a way, the Mobile Wallet Infrastructure is much more complex than a normal credit card transaction, as there are more Security mechanisms put into place to safeguard the financial information and data which are transmitted through the whole system.
But despite these efforts, the Cyber attacker will more than likely always find a weakness or a vulnerability in it, and exploit it to the maximum extent possible.
For example, Google Wallet and Apple Pay are the most widely used Mobile Wallet platforms, and despite the enormous efforts which have gone into making the transactions secure, researchers and even Penetration Testers have still found vulnerabilities and weaknesses in them.
This will be the focal point of the next series of blogs.