The Green Sheet Online Edition
October 26, 2015 • Issue 15:10:02
Probing mobile app security flaws
How secure are mobile-payment apps, and who makes sure the companies behind them are doing all they can to keep merchant and consumer data safe? The Clearing House, an advocacy group owned by the world's largest commercial banks, is raising those questions and others in a new report titled Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (www.theclearinghouse.org/publications/2015/ensuring-consistent-consumer-protection-for-data-security-white-paper).
The report argues that while these providers are subject to some data-security requirements, they don't face the more extensive regulatory oversight banks do when it comes to cybersecurity. That makes it easier for security flaws to go undetected until a breach actually happens.
I recently interviewed Gary Miliefsky, Chief Executive Officer of SnoopWall, a company that specializes in cybersecurity (www.snoopwall.com), and I believe his insights would be of interest to your readers. "These alternative-payment methods certainly are providing something that consumers want, which is a convenient way to make payments," Miliefsky said. "But I don't think most of those consumers would be too thrilled to know that these companies might not be subject to the same demanding data-security requirements their banks deal with." Waiting to act after a breach happens is too late, because at that point, customers are at risk of becoming victims of fraud or identity theft. "Unfortunately, a lot of companies don't realize just how vulnerable their apps are and what the potential is for leaking their customers' personal information," Miliefsky noted.
In its report, the Clearing House made several recommendations and observations, including these related to legislation that would establish additional data-security requirements for alternative-payment providers:
- Data Security Act of 2015: This proposed law would establish flexible and common-sense standards for firms of all sizes to follow to secure consumers' sensitive financial information and prevent breaches. The law would also give the Federal Trade Commission express enforcement authority in this area, while making clear that the standards are not applicable to financial institutions already subject to similar requirements from banking regulators.
- More resources: To exercise any new authority successfully, the FTC would need more resources to properly staff investigations and enforcement actions.
- Better security: Additional legislation might make it clear that alternative-payment providers are subject to the same type of scrutiny with respect to data security as banks. That could be done by directly giving the FTC or the Consumer Financial Protection Bureau examination authority, or by directly requiring the CFPB to enact rules defining larger participants in the alternative-payment industry.
If they aren't already, and regardless of any proposed legislation, the alternative-payment providers should look into better ways to protect their mobile apps from hackers intent on doing harm, Miliefsky said. "These alternative-payment apps are a great convenience," he said. "But if they aren't secure, the result could be a huge inconvenience for their users."
Brittany Thomas, News and Experts
Thank you for bringing this to our attention. If they haven't already done so, our readers will want to alert their merchant customers to potential data security issues associated with the mobile apps they may use.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.