Pingit P2P mobile cash payment app security

Pingit allows users in the UK to send payments from one mobile to another in the UK – it’s a kind of P2P application. The Pingit app is of course free to download to any smartphone such as a BlackBerry, Android or iPhone. Note to my readers – Some in the media claim this payment method is revolutionary – PayPal have also had this type of payment service for some time – it uses email addresses or mobile numbers to send and receive money.

How does the Pingit app work?

The Pingit app works by setting up a direct link between a customer’s mobile phone number and their bank current account details. Once you have downloaded the app and set up the five-digit app passcode, you can then make a payment to a recipient’s mobile number (the recipient will need to download the app to receive the payment). Authentication is required to send a payment, so Pingit will require your Barclays debit card and the PINSentry tool. Sorry non-Barclays customers.

Note: To use Pingit, payments must range between £1 and £300 and the maximum anyone can receive in any one day is £5,000. This for me is where some of the issues currently reside (see below).

Some early issues

I’ve used Pingit and mistyped an amount and sent it to a friend hoping I could recall the amount before it was sent to the recipient. Unfortunately I couldn’t recall the transaction. It’s also easy to send £5, £10, £20 and £50 denominations, so you will want to double check before you send. Also I’m not entirely sure how this works with my overdraft – does it alert me if I go into overdraft? One of my friends asked me whether this service can provide an SMS OTP for payment confirmation – well, not so. SMS OOB (OTP) two-factor authentication for consumer systems will not work with the Pingit system as the OTP would need to be sent to another device – how many people have more than one mobile device? On the plus side, the banks do monitor account behaviour, as this is an integral part of their anti-fraud early warning system.

Some suggest mobile reverse lookup services might also pose a privacy risk. I don’t actually believe these services are a privacy issue, as finding the full name and address of a mobile phone contract user is relatively easy to check (and your mobile phone data is often rented to marketing agencies – I hear you sigh :(). More important is whether someone who knows your bank account details and has your full identity is able to use the app without your knowledge. What are the safeguards here, given this is a service all about convenience and speed? What about keystroke and navigation emulation on virtual keyboards? ‘Noising’ the text input field on a touchscreen mobile isn’t overly challenging either – this type of attack vector remains currently unresolved, as does a possible ‘smudge’ attack.

As for future security options – I’d like to have the ability to place a threshold on what can be paid per day/month and the number of transactions I can send in one day/month. This adds an additional layer of application security and peace of mind if someone did decide to empty my current account in one day. My advice right now is: if you bank online, you might want to set up online banking transaction email alerts on certain high amounts. Not all banks offer this service, however I suggest you contact your bank to find out.
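To make the suggested control concrete, here is an added example (my own sketch, not Pingit or Barclays code) of a payment policy check that enforces the limits quoted above (£1–£300 per payment, £5,000 received per day) together with hypothetical user-set daily/monthly amount and transaction-count thresholds for the sender; the ledger, the `SendLimits` class and all names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Per-payment and per-day limits quoted in the post (amounts in pence).
MIN_PAYMENT = 100            # £1
MAX_PAYMENT = 30_000         # £300
DAILY_RECEIVE_CAP = 500_000  # £5,000 received per recipient per day


class SendLimits:
    """Hypothetical per-user send thresholds (the control the post asks for).
    A value of 0 means no threshold of that kind is set."""
    def __init__(self, day_amount=0, day_count=0, month_amount=0, month_count=0):
        self.day_amount, self.day_count = day_amount, day_count
        self.month_amount, self.month_count = month_amount, month_count


class PaymentLedger:
    """Constructed in-memory ledger: user -> list of (date, pence) entries."""
    def __init__(self):
        self.sent = defaultdict(list)
        self.received = defaultdict(list)

    @staticmethod
    def _totals(entries, on, whole_month=False):
        # Sum and count the entries on the given day (or in its calendar month).
        rows = [p for d, p in entries
                if d == on or (whole_month and (d.year, d.month) == (on.year, on.month))]
        return sum(rows), len(rows)

    def check(self, sender, recipient, pence, on, limits):
        """Return the reasons the payment would be refused; an empty list means allowed."""
        reasons = []
        if not MIN_PAYMENT <= pence <= MAX_PAYMENT:
            reasons.append("amount outside the £1-£300 per-payment range")
        got_today, _ = self._totals(self.received[recipient], on)
        if got_today + pence > DAILY_RECEIVE_CAP:
            reasons.append("recipient would exceed the £5,000 daily receive cap")
        day_amt, day_n = self._totals(self.sent[sender], on)
        mon_amt, mon_n = self._totals(self.sent[sender], on, whole_month=True)
        if limits.day_amount and day_amt + pence > limits.day_amount:
            reasons.append("sender daily amount threshold")
        if limits.day_count and day_n + 1 > limits.day_count:
            reasons.append("sender daily transaction-count threshold")
        if limits.month_amount and mon_amt + pence > limits.month_amount:
            reasons.append("sender monthly amount threshold")
        if limits.month_count and mon_n + 1 > limits.month_count:
            reasons.append("sender monthly transaction-count threshold")
        return reasons

    def record(self, sender, recipient, pence, on):
        """Commit an allowed payment so later checks see it."""
        self.sent[sender].append((on, pence))
        self.received[recipient].append((on, pence))
```

Checks are evaluated before `record` is called, so a refused payment never counts against either party's totals.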

Safe surfing folks!
