The launch of Microsoft Wallet for Windows 10 users this week marks the latest entry from a major OEM into an increasingly booming mobile payments market. The new offering is so far only available to Windows Insiders who have signed up for experimental updates, but it shows a clear commitment to take on Apple, Android and Samsung.
Digital payments have proven so popular with consumers that MasterCard predicted this week that cash would be effectively extinct within 20 years, so it’s little surprise the tech giants are so keen to stake their claims.
As a cloud-based solution, Microsoft Wallet will be more flexible and easier to update, but it is also exposed to greater risk if its cryptographic keys or binary code are not sufficiently protected. Consumer financial data is highly prized by cybercriminals as a tool for theft and fraud, and our research has found that most payment apps contain potentially serious security flaws.
Our 2016 State of Application Security Report took a look at the most popular banking and payment apps for Android and iOS around the world and assessed their security controls. An alarming 92 per cent of the apps we tested had at least two of the OWASP Mobile Top 10 Risks – an industry guide used for identifying critical mobile security risks.
A lack of binary protection was the most prevalent security issue, found in 98 per cent of the apps we tested; it means the binary could be retrieved by attackers and analysed to infiltrate the app or to produce a tampered copy. Insufficient transport layer protection was also an issue in 91 per cent of the apps, exposing financial data to the risk of interception during transmission – obviously a key risk for payment apps communicating with other systems.
Microsoft’s decision to include reward and membership cards is a potentially interesting feature for users, but it also exposes a wider scope of personal information, enabling hackers to build a more complete picture of people for use in fraud.
It is fundamentally important that wallets and other mobile payment apps are adequately prepared for the cybercriminals who will already be looking for vulnerabilities in the app and in the way it communicates with the cloud server and other systems. They need to adopt advanced security measures as standard if they are to be trusted not only by consumers, but also by the banks and retailers they operate with.
One of the most essential measures is to equip the app with self-protection security controls. This effectively creates a self-aware app that is able to identify threats and take immediate action in real time. Alongside this, code obfuscation can hinder reverse-engineering attempts by transforming code into unintelligible gibberish.
Finally, among the elements being targeted by hackers are the cryptographic keys, which enable encrypted data to be deciphered and are used for everything from binding devices to accounts to proving user identity. White-box cryptography is an extremely effective security method to counter this threat, and cryptographic key data in the Host Card Emulation solutions used by payment apps has been shown to remain safeguarded even after 160 hours of independent intrusion testing.
While we are aware of a handful of organisations that are taking best-practice approaches to mitigate risks to their apps, the reality is that the majority of payment apps remain exposed and vulnerable. However, given the acceleration and sophistication of the risks targeting payment applications, organisations will likely soon view binary and other application security controls as a standard app development practice.