From Paper To Plastic To Bits

Paying with your phone or other electronic wallets increases transaction security.

Josh Thurston, Security Strategist - Americas, Office of the CTO, Intel Security

June 8, 2016


In 2005, the police arrested a man who attempted to steal my identity and discovered a stack of credit card receipts in his car. All of the stolen receipts were carbon copies that captured the credit card info. By mere coincidence, I had just teamed up with four friends and launched a startup. Our company offered a solution to process secure transactions from mobile phones, not something that was common in 2005, the pre-smartphone era.

I frequently think about the security of merchant processing. The medium through which we exchange currency has expanded and changed in many ways. Millions of dollars are exchanged by mobile devices daily, and new technologies have come about, such as electronic wallets and new credit cards that are encrypted and use digital ink.

There are a lot of e-wallet options available for your phone and as standalone electronic cards. They are offered by banks, merchants, and of course major smartphone companies. These offer convenience, faster payment processing, and fewer cards to physically carry. But are they safe, and are they more secure? I say yes.

New Mediums Abound

New mediums for credit and debit transactions are quickly hitting the market:

  • Wallet apps use NFC (near-field communication) to communicate details to the point-of-sale (POS) terminal. E-wallets require a PIN or fingerprint touch to authorize a payment.

  • Recently the industry has seen an inventive plastic card that brings secure encrypted currency exchange. While the technology does not work at every merchant terminal, the success rates will get better as the technology matures. Two companies to check out are Coin and Plastc.

  • Physical cards can be tapped on the terminal. Physical cards that have this feature can be read from about 20 cm and will automatically accept payments for $50 to $100, depending on your bank. That means that unshielded cards can be tricked into debiting your account by someone walking by with a wireless POS terminal. Be sure to carry your tappable credit cards in a shielded envelope or wallet.

When using a physical payment card, the merchant gets your credit card number and other details, which they store and use to track your purchasing behavior. If their POS system is breached, which has happened many times, thieves can steal your number along with hundreds or thousands of others. When you use your e-wallet, the merchant just sees an identification token. This token is unique to the card and device, so they can still track anonymized purchasing behavior, but it becomes more difficult to connect to an individual. Since each transaction also requires a unique and calculated cryptogram, nothing stolen from the merchant’s POS system can be used to make other fraudulent transactions.

When not using your card, it is at risk of being lost or stolen. Until you report it, a physical card can potentially be used to make purchases. The number is clearly visible on the card, as is the verification code. On your e-wallet, the card information is not stored at all. The wallet receives a separate, device-specific token sent by your bank. This information is transmitted encrypted, cannot be decrypted by the phone, and the actual credit card number is not retained so your number cannot be retrieved even if a thief manages to guess your passcode. In addition, the “Find My Phone” features available can help track down your lost e-wallet or wipe all information from memory if it has been stolen, further protecting your payment info.
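The token-and-cryptogram flow described in the two paragraphs above, as an added example that is not from the original article: a simplified Python model in which HMAC-SHA256 over the transaction fields stands in for the real payment cryptogram. The `Wallet` and `Issuer` classes, the field names and the card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _cryptogram(key, txn):
    # Assumption: HMAC-SHA256 over the fields stands in for the real cryptogram.
    msg = "|".join(str(txn[f]) for f in ("token", "counter", "amount", "nonce"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Wallet:  # models the phone: holds a token and key, never the card number
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount, nonce):
        self._counter += 1  # every payment uses a fresh counter value
        txn = {"token": self.token, "counter": self._counter,
               "amount": amount, "nonce": nonce}
        return {**txn, "cryptogram": _cryptogram(self._key, txn)}

class Issuer:  # models the bank: maps tokens to cards and checks cryptograms
    def __init__(self):
        self._vault = {}

    def provision(self, card_number):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = {"pan": card_number, "key": key, "last": 0}
        return Wallet(token, key)  # the card number stays with the issuer

    def authorize(self, txn):
        rec = self._vault.get(txn["token"])
        if rec is None:
            return "declined: unknown token"
        expected = _cryptogram(rec["key"], txn)
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: bad cryptogram"
        if txn["counter"] <= rec["last"]:
            return "declined: replayed cryptogram"
        rec["last"] = txn["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    wallet = issuer.provision("4111111111111111")  # constructed test number
    seen = wallet.pay(1250, secrets.token_hex(4))  # what the merchant's POS holds
    first = issuer.authorize(seen)
    replay = issuer.authorize(dict(seen))  # same record submitted a second time
    forged = {**seen, "amount": 99900, "counter": 2}  # fields edited, old cryptogram
    return seen, first, replay, issuer.authorize(forged)
```

The record returned as `seen` is everything the merchant stores in this model: a token and a one-time cryptogram, with no card number in it.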

Eventually, lower fraud rates could lead to lower credit card fees and interest rates. It will probably take years for the majority of payment transactions to move to e-wallets and accept electronic cards, so it is not time to disable the security on your POS system just yet. And hackers will continue looking for ways to break or trick the system. But encouraging faster adoption of e-wallets and electronic cards looks to benefit everyone involved. 

About the Author

Josh Thurston

Security Strategist - Americas, Office of the CTO, Intel Security

Josh Thurston is a security strategist in the Intel Security Office of the CTO.  In this role, Thurston drives business growth and defines the Intel Security go-to-market strategy for the Americas, creating and communicating innovative solutions for today's complex information security and privacy challenges.

Prior to joining Intel Security, Thurston was co-founder of a merchant services company known for developing a secure mobile credit-card processing solution over digital wireless devices.

With over a decade at Intel Security, Thurston is an industry veteran with extensive experience in customer environments of multiple sizes and verticals. Thurston has worked side by side with engineering teams in product innovations, design specification, scalability testing, and product integrations. 

Thurston has educated security practitioners around the globe on security design and best practices and is a known speaker and participant in industry events. Thurston has a Bachelor's of Science in Business/e-Business.
