Mobile payments: A history of [in]security


Using mobile devices to complete payment transactions in stores is on the brink of mass adoption in North America. What's not clear yet is what technology will be the most popular and how these methods of payment will be secured. So far, security seems to be an afterthought in some early attempts at a mass-market approach to mobile payments - including one particular app that happens to have 12 million users and a glaring loophole.

Transcript of Mobile payments: A history of [in]security

1. Mobile Payments: A brief history of [in]security

2. Mobile payments at the till
- QR codes / bar codes
- Bluetooth beacons
- NFC contactless

3. Mobile payments landscape in Canada
- Mobile payments are growing faster than card-based contactless payments
- 22% of smartphone owners made a payment with a mobile phone (most via online banking)
- 4 in 10 of those mobile payers make more than one payment per month on their phone
- Barriers to in-store payments: only 1 in 6 phones have NFC today (but 1 in 2 by 2018)
- Fragmented wallets: you need a specific bank on a specific carrier
Data from Technology Strategies International Inc., Canadian Payments Forecast 2013

4. Canada at a tipping point
- Consumer adoption
- Technology enablement
- Merchant support
- Added value

5. Bar code / QR code payments
- Starbucks introduced a payments feature to its app in Canada in November 2011
- Simply add a gift card or buy a new one, then display the bar code to the barista to complete a transaction
Benefits
- Works on any smartphone: you just need a display, not NFC
- Relies on the existing gift card infrastructure; customers already familiar with gift cards get it
- Ties in to the loyalty program that awards gold stars
Popular option
- Starbucks has 12 million mobile users in the U.S. and Canada (July)
- 15% of all U.S. sales are made via the app

6. Double double down on mobile payments
- Tim Hortons updated the TimmyMe app to include mobile payments in December 2013
- Similar to Starbucks, bar codes are an option; also NFC payments on BlackBerry devices
- Trial period focused on several stores in the St. Catharines area
- Security question: what's in a bar code?

7. Donut hole or loophole?
- The TimmyMe app asks for the 16-digit number displayed on the back of the card and the secret code behind the scratch-off part
- But only the 16-digit number is encoded in the bar code
- The bar code is a PDF417 code that can be generated by Internet tools and mobile apps
- A bar code bandit could read the 16-digit number, generate their own bar code, and wait for someone to load money onto the account
Our vulnerability testing process:
- I buy a card in Toronto
- I tell the 16-digit number to Jude in Vineland
- Jude generates a PDF417 bar code with a free app
- Jude buys a cruller and coffee at Timmy's and displays the bar code
- Transaction approved; my card is debited $2.59

8. TimmyMe: secured
- Low-risk security vulnerability: you lose the $20 you are willing to store on a card
- Low motivation for thieves to steal coffee and donuts; no access to credit card data
- Principle: building trust in the mobile device as a payments gateway
- Tim Hortons did fix the problem when it publicly opened up payments across Canada, by adding encryption to the bar code
- It did not receive any reports of lost money due to the flaw
The other guys? "We are currently in a very small pilot market which helps control the exposure, unlike some of our competitors who are widely using this same technology throughout North America."

9. Hands-free payments
- A Bluetooth low-energy beacon communicates with an app on your phone
- The customer signs in on the phone to authenticate, and can stay signed in
- The cashier sees the customer's information on the POS terminal and checks them out
- Payments are processed via the customer's PayPal account

10. Security issues with BLE transactions
- Long-distance transmissions between the mobile device and the beacon could be intercepted. Could hackers use the UUID for gain?
- Denial-of-service attacks: overload POS terminals or the mobile device with BLE signals and disrupt payments
- Considered a card-not-present transaction

11. PayPal = incumbent

12. Conan on Apple Pay
"Because the company I want to trust with my wallet is the same one that leaked my nude photos on iCloud."

13. Apple's patent for tokenization, 2009

14. Apple's developer guide to Apple Pay, 2014

15. How could it be hacked?

16. Not impossible, but...
- The thief has to steal your device with the token stored on it
- Log into your account and access Passbook
- Successfully mould your fingerprint onto weird gel stuff
- Use the fake fingerprint at a checkout without drawing suspicion
- Avoid having the device disconnected from payments via the Find My iPhone app

17. Where's Touch ID in this picture?

18. Thank you
Have a coffee on me: 6086 9932 5718 3454
** Requires generating your own PDF417 bar code. Be sure not to type spaces when inputting the number.
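The bar code loophole from slides 7 and 8 and the tokenization approach from slides 13 and 14, as an added example (this is not code from the presentation, from Tim Hortons or from Apple): a toy issuer that accepts a bar code carrying only the 16-digit card number, beside one that accepts only a one-time, device-bound token payload. The issuer's vault, the device identifiers and keys, the payload format and the 60-second lifetime are assumptions of the example; the card number is the one printed on the last slide.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: the card number is the one printed on the last slide;
# device identifiers, keys and the payload format are assumptions of this example.
CARD_NUMBER = "6086993257183454"
PAYLOAD_TTL_SECONDS = 60


class BareBarcodeIssuer:
    """Slides 7-8: the PDF417 symbol carries only the card number, so anyone
    who has seen that number can render an identical bar code and spend."""

    def __init__(self):
        self.balances = {}

    def load(self, card_number, cents):
        self.balances[card_number] = self.balances.get(card_number, 0) + cents

    @staticmethod
    def encode(card_number):
        return card_number  # this string is all the free PDF417 app needs

    def charge(self, payload, cents):
        card = payload  # decoding is trivial: the payload *is* the account
        if self.balances.get(card, 0) < cents:
            return False
        self.balances[card] -= cents
        return True


class TokenIssuer:
    """Slides 13-14 in miniature: the card number never enters the bar code.
    Provisioning gives a device a token and a key; each payment is a one-time
    payload that the issuer verifies against its vault."""

    def __init__(self):
        self.balances = {}
        self.vault = {}           # token -> {"pan", "device_id", "key", "active"}
        self.seen_nonces = set()  # only needs nonces younger than the TTL

    def load(self, card_number, cents):
        self.balances[card_number] = self.balances.get(card_number, 0) + cents

    def provision(self, card_number, device_id):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self.vault[token] = {"pan": card_number, "device_id": device_id,
                             "key": key, "active": True}
        return token, key  # handed to the phone at enrolment (assumed secure)

    def revoke(self, token):
        # The "disconnect the device" step: no need to reissue the card itself.
        self.vault[token]["active"] = False

    @staticmethod
    def device_payload(token, device_id, key, now):
        expires = now + PAYLOAD_TTL_SECONDS
        nonce = secrets.token_hex(8)
        msg = f"{token}|{device_id}|{expires}|{nonce}"
        mac = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
        return f"{msg}|{mac}"

    def charge(self, payload, cents, now):
        try:
            token, device_id, expires, nonce, mac = payload.split("|")
        except ValueError:
            return False
        entry = self.vault.get(token)
        if entry is None or not entry["active"] or entry["device_id"] != device_id:
            return False
        if int(expires) < now or nonce in self.seen_nonces:
            return False
        msg = payload.rsplit("|", 1)[0]
        expected = hmac.new(entry["key"], msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        pan = entry["pan"]
        if self.balances.get(pan, 0) < cents:
            return False
        self.seen_nonces.add(nonce)
        self.balances[pan] -= cents
        return True


def demo():
    """Runs the Toronto/Vineland scenario against both issuers."""
    bare = BareBarcodeIssuer()
    bare.load(CARD_NUMBER, 2000)                          # $20 loaded in Toronto
    jude_barcode = BareBarcodeIssuer.encode(CARD_NUMBER)  # Jude only needs the number
    bare_stolen = bare.charge(jude_barcode, 259)          # cruller and coffee, $2.59

    tok = TokenIssuer()
    tok.load(CARD_NUMBER, 2000)
    token, key = tok.provision(CARD_NUMBER, "phone-A")
    now = 1_700_000_000
    payload = TokenIssuer.device_payload(token, "phone-A", key, now)
    first = tok.charge(payload, 259, now + 5)        # the genuine phone pays
    replay = tok.charge(payload, 259, now + 10)      # same bar code shown again
    forged = tok.charge(                             # knows the token, not the key
        TokenIssuer.device_payload(token, "phone-A", b"guess", now), 259, now)
    tok.revoke(token)
    after_revoke = tok.charge(
        TokenIssuer.device_payload(token, "phone-A", key, now), 259, now)
    return {
        "bare_stolen": bare_stolen, "bare_balance": bare.balances[CARD_NUMBER],
        "token_first": first, "token_replay": replay, "token_forged": forged,
        "token_after_revoke": after_revoke, "token_balance": tok.balances[CARD_NUMBER],
        "pan_in_payload": CARD_NUMBER in payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast is the point of slide 8's fix: in the bare scheme the only secret is a number printed on the card, so a photo of a receipt or a card on a counter is a working bar code for as long as the account has a balance. In the tokenized scheme the card number stays in the vault, a copied bar code is worthless after one use or one minute, a forger without the device key cannot mint a new one, and revoking the token cuts off a lost phone without touching the card. Merely encrypting the card number into the bar code, with nothing that changes per payment, would still leave the symbol replayable; the freshness element (expiry plus nonce) is what closes the loophole.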