Payment services provider pago is rushing to defend the security of its offering after online claims it can be easily compromised. Pago is a payment solution using cellphone-to-cellphone transactions.
Tony Hughes, from online forum Geekzone, claims it took him just fifteen minutes to work out how to access other people’s pago accounts, since the authentication for the service relies on mobile phones’ unique identity features and nothing else.
In order to get into others’ pago accounts, an attacker would “clone” the identity of phones from both mobile phone operators in New Zealand. GSM phones are harder to clone than CDMA ones, according to an industry source Computerworld spoke to, as cloning requires the contents of the SIM card to be copied. CDMA operators use an electronic serial number in most cases, which can be changed remotely if customers request it over the telephone.
Without additional authentication, a person who has cloned a mobile phone could then access funds in someone else’s pago account.
However, pago general manager Marcus Robins says pago provides a full audit trail and that customers can view statements of transactions going back some 13 months.
“We know at all times where money comes from and goes to,” Robins says. He adds that pago has been subjected to stringent security testing externally and internally, but would not reveal who the external security testers are.
Pago is currently investigating Hughes’ suggested attack vector. A bank account is required to use pago, Robins says. He points out that the service inherits the customer identification that is required by law to operate financial facilities. This means anonymous use of pago isn’t possible.
Robins encourages people to take the same care with pago as they would with real-world cash. He says pago strongly encourages people to use security features such as PINs and keypad locks on phones, to make it harder for thieves. In case of theft, however, pago’s terms and conditions state there will be no refund to customers.
Robins likens pago to real-world money, calling it “digital cash”, and is at pains to explain that the service is not a bank. “That’s why we don’t pay interest on credit balances for instance,” he says.
The sole shareholder of pago is ASB Bank, but the provider operates on its own with separate management and board, Robins says.
Customers can put any amount of money into multiple wallets, because pago doesn’t want to limit it, Robins says. The maximum amount that can be withdrawn from the wallet each day is $200, but this can be set lower as well. It’s the low transaction value combined with a desire to make the service easy to use that led pago not to implement two-factor authentication, says Robins.
Pago customers can be as young as 14. Asked why the joining age was set so low, Robins says pago thought long and hard about it. He says that at 14 children can open bank accounts in their own name and take on other responsibilities like being home alone and baby-sitting others.
Due to its non-bank status, pago is not subject to the New Zealand Banking Association’s code of practice, so deposits are not insured against loss.
Asked if ASB would back pago should it fail, Robins says he assumes it would be in the bank’s interest to do so. However, the question remains as to whether funds loaded into pago would be treated as unsecured credit should the company be placed in receivership.
David Tripe, director of Massey University’s Centre for Banking Studies, agrees with Robins that the small transaction value has to be balanced against the cost of implementing additional security.
New Zealand’s largest online auction site, Trade Me, recently endorsed pago as a method of payment. Founder Sam Morgan says “If pago is easily compromised, Trade Me would review its decision to endorse it based on the information available.”