This research series presents an in-depth examination of mobile payment systems, a rapidly evolving form of financial technology. We will provide an overview of how they are used in China–where they are taking off faster than anywhere else in the world–and what implications their security and data protection practices may have for millions of users, by presenting a case study on Alipay.
Mobile Payment Systems
Mobile payment systems (MPS) are transforming global consumption, with smartphone users increasingly relying on these applications for their daily transactions. Some of the most popular applications include Google Wallet, Apple Pay, and Alipay. They are used not only to transfer money between individuals but also to pay salaries and bills, and make cross-currency remittances. Non-bank entities, including Tencent and Alibaba, have relied on their existing broad consumer bases in areas such as e-commerce to expand into the mobile payments arena.
Mobile payment systems generally require users to sign up for an account using their phone numbers and bank account information. Aside from making and receiving payments, some MPS now store medical records for hospital bill payment. Through data collected from peer-to-peer transactions, companies can offer value-added services such as risk mitigation and consumer analytics. Collected payment data (e.g., how often a person receives money or how much that person regularly spends) can be analyzed and used for direct marketing purposes or sold to third parties. As more countries move to a cashless society model with businesses and even banks rejecting cash, MPS will be extremely important in the future. While these platforms make a host of interactions more convenient and efficient for users, they also carry risks involving the transfer, collection, and storage of one’s personal data. A substantial amount of personal data on one platform also raises the risks that these MPS will become an increasing target for law enforcement agencies looking to gain personal information for commercial, intelligence, national security, law enforcement, and anti-money laundering or terrorist financing purposes. China presents a complex and instructive case study of the ways in which highly concentrated mobile payment providers wield major control over troves of sensitive user data.
Mobile Payment Systems in China
Perhaps the most striking example of swift, widespread adoption of mobile payments has occurred in China, where in 2015 Alipay (a subsidiary of Ant Financial, which was spun off by Alibaba) had approximately 450 million users and 68% market share, while Tencent’s Tenpay is growing quickly and has captured 20% of the domestic MPS market. Purchasing domestic and international travel tickets, booking doctor’s appointments, and hailing a taxi can now all be done from within an individual mobile payment app. The prevalence of MPS in China has enabled hospitals, public transportation systems, and even embassies to rely on them to serve users. These apps are expanding their payment and location-tracking services in Europe, Southeast Asia and other jurisdictions to cater to both Chinese tourists abroad as well as local users.
The speed with which MPS platforms have taken off in China has left the government racing to fill regulatory gaps, prompting questions about what kinds of top-down rules are being proposed to guarantee security and privacy in China’s MPS, and what consequences they may have for users and MPS-partnered companies in China and abroad. The question of actual enforcement of privacy laws, regulations, and policies also looms large in a state that is still struggling to devise an effective system for protecting data privacy. In light of recent Chinese government interest to harness the power of big data for pervasive societal surveillance and management, what types of information do MPS companies actually collect from their users and how do they use this information? What internal policies have they implemented to ensure that users’ data privacy rights are respected? How secure is this information? How is this information being shared with third parties, law enforcement agencies and government organizations (e.g., to detect money laundering and terrorist financing)?
Case Study: Alipay
Alipay is the most widely-used MPS app in China and the most ambitious in its overseas expansion. The app automatically rolls out new technical features often, and is participating in the pilot program to create a nationwide social credit system that uses data derived from the app to generate individuals’ credit scores.
The Alibaba Group is an e-commerce platform based in China, through which businesses and consumers can sell to and purchase from one another. Alipay was launched in 2004 as a payment service for The Alibaba Group, and describes itself as a provider of ‘payment processing and escrow services’ that can be used to process payments on Alibaba’s platforms. Most of the transactions on Alibaba’s platform use Alipay.
Although Alipay was originally a subsidiary of Alibaba, which is incorporated in the Cayman Islands, it was spun off in 2011 into a separate entity under Ant Financial Services in order to comply with Chinese licensing rules that made it prohibitive for foreign-invested companies to operate non-bank payment companies in China. Alipay is now a domestic PRC-owned entity. Ant Financial Services entered into an agreement with Alibaba that governs the relationship between the parties, whereby Alipay provides payment services to Alibaba on preferential terms.
In 2016, Alipay stated that it was expanding into Europe to allow Chinese tourists overseas to pay for goods and services abroad. Sabrina Peng, president of Alipay International, stated that “The vision is targeting two billion people within next five to ten years, not only in China but other countries too.” In line with this aim, Alipay has launched an international version, available for users living outside of China. Alipay retains a separate Chinese domestic version for users in China.As the Citizen Lab has demonstrated in the report “One App, Two Systems: How WeChat uses one censorship policy in China and another internationally,” the separation of domestic versus international versions of a single Chinese app, with each possessing differing functionality that does not always draw attention to itself, is not a new phenomenon. The findings from that report raise the question of whether or not the Chinese version of Alipay is tracking Chinese users who travel abroad without notifying them that such monitoring is taking place.
Retail Data Trail
Some of the services Alipay has come to offer in China that make it so unique involve coordination with well-known foreign retailers and hotels, as well as with municipal Chinese governments. Chinese tourists in the United Kingdom, France, Germany, Thailand, Japan, and Taiwan can now find point of sale (POS) retailers in these countries that accept Alipay. The app geolocates the user and makes additional recommendations for nearby sightseeing. Upon leaving several European countries, Chinese tourists can now apply at customs for tax rebates on their Alipay-enabled purchases, with refunds being applied directly to their Alipay accounts.
The data trail left by users’ transactions at home and abroad can paint a finely detailed portrait of how they spend their money and time. The extent to which Alipay shares such data with the Chinese government is troublingly unclear in light of the wealth of citizens’ data the company has acquired. Moreover, as Alipay and similar platforms become increasingly essential to users, the threat of government suspension of these accounts may arise. For example, the state could request that Alipay suspend accounts of activists and other individuals, effectively chilling free speech. Greater information from the MPS providers, such as through a transparency report, would be needed to inform users of the level of access and cooperation with state and law enforcement agencies. This kind of disclosure is highly unlikely to occur, especially as Alipay and similar social credit-dispensing services come to cooperate more closely with the Chinese government. As the “One App, Two Systems” WeChat report has shown, the “extraterritorial” control that the state can wield through these apps over Chinese citizens abroad has become far too valuable to the Chinese government to be relinquished.
New and Increasingly Personalized Services
Non-traditional services that Alipay has begun to offer include hospital bill payment, student loan disbursement and management, and a new form of health insurance for “good samaritans.” Alipay has collaborated with China Development Bank (the state’s policy bank) to offer interest-free loans to college students, with Alipay again managing the application and repayment processes. At hospitals that have paired with Alipay, the app’s “pay after treatment” function allows those who lack health insurance to pay their medical bills. There are plans to partner with health insurance providers to enable those who do have insurance to simply pay the remaining balance of their medical visits. Alipay has also partnered with hospitals to make health services more efficient and “[p]atients can link their Alipay account to the hospital’s service, allowing them to register online, pick up medical reports and of course pay using their Alipay wallet.”
These examples raise concerns about the kinds of personal data Alipay collects and how such data could be used. For example, the collected health records could be accessed by affiliated Alibaba insurance companies, affecting the user’s ability to obtain health insurance. Moreover, the in-app student loan and health services are normalizing the sharing of highly personal data, with significant digital security ramifications.
Risk Environment Applicable to Alipay
How is the data secured?
Given the unprecedented scope of the data collection in the new features Alipay has begun to offer and related potential security concerns, it is critical to reflect upon past incidents in which the company’s security measures have lapsed. It is worth noting that in 2011 when Alipay was still being used on PCs, the company had partnered with UC Browser, whose security flaws the Citizen Lab has investigated and publicized. On December 28, 2011, it was reported that 15 to 25 million Alipay accounts had been hacked. The company’s public statement was that only account IDs, rather than passwords and financial information, were stolen.
In January 2014, the company apologized for an incident in which a former Alipay employee downloaded 20 GB of user data including Alipay usernames, contact information, and purchases, which he and accomplices then sold to competitors. Also in 2014, the industry journal China Information Security [中国信息安全] carried an article explaining in detail the process through which a hacking group made a successful spoofing attempt that inserted malware into what looked like a genuine Alipay security update. This spoofing enabled them to “invade websites and engage in two types of mobile phone phishing to obtain users’ real names, ID numbers, Alipay account passwords, other information, and finally their money.”
In 2015 Caixin reported that an Alipay user had posted on Sina Weibo that his account had, unbeknownst to him, been used to authorize payments to five different e-commerce websites. At around the same time, in comments on this post, other users claimed to have found the same issue with their accounts, and stated that they needed to contact Alipay to remove these erroneous charges. It was unclear whether or not this occurred as a result of a hack, with an Alipay spokesperson simply referring to it as a “design flaw.” The same Caixin article noted that Alipay has had friction with the central bank and other Chinese regulators before, given the company’s penchant for adopting new technological features ahead of the pace at which the state can verify their security. In early 2016 there were posts on the Chinese version of Quora, named Zhihu, alleging that the Alipay app has secretly taken photographs of users as well as downloaded and executed unauthorized files. In some cases screenshots of these processes are provided. Finally, on January 10, 2017 Alipay confirmed on their official Sina Weibo account that they had addressed a major security issue in which users could reset their passwords by identifying their recent purchases and people they knew, a feature that enabled friends to access without authorization one another’s accounts. The company’s wholly inadequate solution was to only enable these forms of user verification for password reset from an individual user’s personal phone. The history of Alipay’s data breaches and the company’s cavalier attitude toward user security are troubling given the scope and amount of personal user data the app collects to conduct financial and other transactions.
QR Codes and NFC
Many of the clashes Alipay and other mobile payment services in China have had with regulators involved new technical features that the government has not deemed to be fully secure. For example, Alipay began to use quick response (QR) codes for users to make payments in taxis and at POS merchants in 2012. In March 2014, the People’s Bank of China (PBoC), China’s central bank, ordered Tencent and Alibaba to suspend the use of QR codes and virtual credit cards for payment due to concerns over their security vulnerabilities and the state’s inability to regulate them. Risks cited included the ease with which virtual credit cards can be duplicated, prior cases of identity and financial theft made through the use of QR code payments, and the ability to link barcodes with phishing websites. At the time the government also expressed the fear that the use of virtual credit cards could undermine the shift toward nationwide real-name registration. It was also during this period that state-owned banks imposed caps on the amounts of money that third-party payment tools could allow users to transfer. A Xinhua article about the suspension noted that there had been past incidents in which users’ personal information and funds were stolen during transactions involving QR codes. Feng Xinya of the PBoC stated that the bank “asked the relevant online payment service providers to submit documents analyzing the security of their virtual credit card and QR code payment services… we will undertake a security risk assessment,” and that the QR codes that merchants used could easily be altered and instead used to link to phishing websites. The government additionally placed restrictions on how much money users could spend within mobile payment apps to curtail risk. State regulators ultimately offered no clear explanation for why payment apps were ultimately allowed to resume use of this technology.
The temporary suspension of QR codes encouraged payment apps to pursue installation of the infrastructure to use near-field communications (NFC) instead, which involves equipping smartphones and vendors with the technology and an understanding of how the system uses magnetic induction for devices within close physical range of one another to communicate. At present it appears that the major Chinese mobile payment applications use both QR codes and NFC.
Studies on security and privacy issues of QR codes and readers provide a sense of some of the concerns the Chinese government may have initially had. One study of popular QR code reader apps on Android and iOS phones found that “many QR code scanners relay user data back to developers regarding the content scanned, the time the item was scanned, and even the global positioning system (GPS) coordinates of the smartphone at the time, as well as numerous other data elements which may be of interest to the particular application developer.” Were research on the security of Alipay’s QR code scanning functions to be conducted in the future, researchers could begin by questioning if the app’s readers are capable of identifying QR codes that had been tampered with in order to lead users to malicious websites that sometimes ask for credit card information. Does Alipay have a black- or whitelist system in place to prevent repeat attempts at phishing? Although Alipay presumably collects the same data by other means to provide location-based and additional services, it is still important to question the security of the in-app QR code readers that conduct millions of transactions per day.
It is likely that regulatory battles between mobile payment apps and the government will continue to crop up, especially regarding new capabilities such as biometric payment authentication. In 2015 Alipay’s own Chief Security Architect Xu Tian stated that “through use of fingerprint and facial recognition, among other forms of biometric authentication, we will heighten the user’s operating experience and sense of security, largely raising the threshold for account theft and the cost of attacks, and effectively lowering the user’s risk factor.” Back in 2014, Alipay collaborated with Huawei to provide payment services in which users’ fingerprints could verify payments on the latter’s Ascend Mate 7 phone, a partnership that may raise eyebrows given concerns about Huawei’s possible connections to China’s military and its dealings with sanctioned states. Months later, the fingerprint authentication system was extended to iPhones as well. The following year, Alibaba’s Jack Ma demonstrated the use of a potential new Alipay feature known as “Smile to Pay,” in which a user can take a selfie that uses facial recognition to authenticate a payment. According to Caixin, in March 2015 “the People’s Bank of China has already started working on Alibaba’s request, in the wake of a central bank meeting with online technology experts in January. The central bank has also started crafting a regulatory framework that would open the door to experimental programs that test the security and usefulness of biometrics for Internet users who want to open bank accounts online.” In May 2015, the central bank declared that the security of the transmission of biometric data had to be evaluated, and a technical standard for its use determined, before it could be used in traditional banks. How this reflects upon mobile payment apps and other non-traditional banking services is as yet unclear.
Investing in Security
It is important to also consider Alipay’s previous and ongoing efforts to keep users secure. According to Xinhua, “In 2013, Alipay blocked about 150,000 phishing websites, and assisted the police against 16 network gangs with more than 10 million yuan involved, resulting in 35 arrests.” In April 2014 Alipay set up a 40 million RMB fund that the company said would be used to cooperate with the government, banks, other e-commerce companies, and security software providers to protect users’ security and data. The vice president of Alibaba’s Microfinance Service Group has said that this fund will be focused on “anti-money laundering, anti-malware, and user information protection.” Alipay also started a 10 million yuan fund with Shanghai 863 Information Security Industry Park Co. Ltd in 2014, to work toward improvement of information security. The results of these investments have yet to be publicized, as is the case with Alipay’s 2014 announcement that it would launch a program to “share its risk control capacity with all organizations involved in the Internet security industry… to help them improve their capability and speed up their research and development process.” It remains unclear how such a program would operate in practice, or what measurable contributions Alipay has made to improving user data protection through any of these recent investments.
Alipay exemplifies how MPS are providing services that have the potential to collect highly sensitive personal data. The speed with which MPS platforms have taken off in China has left unanswered many questions of how users’ data privacy and security are protected. The success of Alipay in China may inspire the adoption of similar applications elsewhere in the world, and therefore merits closer attention from the security community and policymakers alike. As fintech in China transforms models of application ecosystems into becoming more centralized, single-stop hubs for all of one’s needs, it is critical to question what the companies who are the custodians of hundreds of millions of citizens’ data are doing to ensure it is being acquired and used lawfully. Previous data breaches and lapses in Alipay’s security suggest a strong need for improved security practices. Our next article focuses on an expanding national program to analyze these hordes of user data for assigning “social credit scores,” an issue that further complicates questions of security, legality, and the imposition of morality on Chinese technology users.