June 2, 2011
In his blog post, Dave Talach slams industry scare tactics around new mobile wallets. There is hype, and it is understandable that NFC security naysayers unsettle Dave's stomach.
But, unfortunately, we need to get ready for a turbulent ride.
Whether the phone is more secure than your cowhide wallet is not the point.
Consumers are irrational folk and will adopt a given technology based on criteria that are not purely technological and surely not logical.
In an Arc Worldwide study asking shoppers what matters most in the store, trust outgunned service, value, return policy and price.
Any security breach of the shopper and their shopping experience is a breach of trust.
Mobile trust is sacrosanct.
The phone is a particularly intimate device because it stores private addresses, secret texts, family photos and perhaps the health-care and Social Insurance Numbers (SIN) that go with them.
The phone is an extension of my identity: a data orthotic.
The consumer perception is that all the personal content and context on the phone is indivisibly tied to any function or security element on the phone.
One New York Times article on mobile payment fraud, and the mobile shopper will be waiting in the wings.
Google touts the new-age wallet as secure, but the industry knows that payment security is a relative and moving target.
For decades, cryptologists have tried to outmaneuver fraudsters. There will always be vulnerabilities, and mobile payment folk need to know that they have to balance the risk.
Fraudsters have continually been able to thwart security measures.
In the face of this, banks have shown that they have a strong stomach for payment risk on new platforms.
Ralph Poore, chief cryptologist at Cryptographic Assurance Services, maps what he refers to as the “evolution of risk”: Branch = ATM = PC = Laptop = Phone.
Risk was relatively low when cash was handed over the counter at the local bank branch.
As banks expanded their reach electronically, they needed to develop processes to deal with vulnerabilities in the network.
ATMs needed to accommodate teller-not-present transactions.
Catalog phone orders needed to accommodate card-not-present transactions.
As remote payment access moved online and now into the wireless space, with third-party operating systems and third-party applications, so have risk and vulnerabilities increased.
Risk has not only increased for the shopper, but for the entire payment value chain.
We have a recent anecdote from early 2011.
There was a story in Mobile Commerce Daily’s Feb. 9 edition on “How to compromise the Starbucks Rewards Card app in 90 seconds.”
The Starbucks mobile stored-value program mirrored the functionality of the Starbucks plastic stored-value card.
Instead of swiping the card, the attendant scans the account number off the phone, displayed as a 2D code.
The forger simply photographs the Starbucks 2D code on an unattended phone and can then debit the owner's prepaid account at any Starbucks café: the code is a static bearer credential, and a photo of it is a complete copy.
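To make the failure concrete, here is an added example (not Starbucks' or any vendor's code) of a simplified stored-value model: in the static scheme the 2D code carries the account number, so the issuer cannot distinguish the owner's phone from a photograph of it and the replay debits the account. It goes beyond the article by also showing a hardened variant in which the code is a short-lived, single-use token (an HMAC over account, expiry and nonce) checked for integrity, freshness and prior redemption before any debit; the class names, token format and the assumption that a per-account key is shared with the app at enrollment are all mine, and the account number is constructed sample data.

```python
"""Static 2D code replay versus a short-lived single-use code (added example)."""
import hashlib
import hmac
import secrets


class Issuer:
    """Server side: balances, per-account keys, and nonces already spent."""

    def __init__(self):
        self.balances = {}
        self.keys = {}
        self.redeemed = set()  # (account, nonce) pairs that have been redeemed

    def enroll(self, account, balance):
        # Assumption: a per-account secret is shared with the app at enrollment.
        self.balances[account] = balance
        self.keys[account] = secrets.token_bytes(32)
        return self.keys[account]

    def debit_static(self, scanned, amount):
        """Static scheme: the scanned value is the account number itself.
        A photographed code is indistinguishable from the owner's phone."""
        if self.balances.get(scanned, 0) < amount:
            return False
        self.balances[scanned] -= amount
        return True

    def debit_token(self, scanned, amount, now):
        """Rotating scheme: scanned value is account:expiry:nonce:hmac.
        Verify the tag, freshness and single use before touching the balance."""
        try:
            account, expiry, nonce, tag = scanned.split(":")
            expiry = int(expiry)
        except ValueError:
            return False
        key = self.keys.get(account)
        if key is None:
            return False
        msg = f"{account}:{expiry}:{nonce}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or altered code
        if now > expiry:
            return False  # photographed earlier, presented too late
        if (account, nonce) in self.redeemed:
            return False  # owner already spent this code
        if self.balances[account] < amount:
            return False
        self.redeemed.add((account, nonce))
        self.balances[account] -= amount
        return True


class WalletApp:
    """Phone side: produces whatever the 2D code is supposed to carry."""

    def __init__(self, account, key):
        self.account = account
        self.key = key

    def static_code(self):
        return self.account

    def rotating_code(self, now, ttl=60):
        expiry = now + ttl
        nonce = secrets.token_hex(8)
        msg = f"{self.account}:{expiry}:{nonce}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return f"{self.account}:{expiry}:{nonce}:{tag}"


ACCOUNT = "6010000000000001"  # constructed sample account number


def static_scheme_replay():
    """Owner pays, attacker replays a photo of the same code: both succeed."""
    issuer = Issuer()
    app = WalletApp(ACCOUNT, issuer.enroll(ACCOUNT, balance=20))
    photographed = app.static_code()  # attacker's photo of the unattended phone
    owner_ok = issuer.debit_static(app.static_code(), 5)
    attacker_ok = issuer.debit_static(photographed, 5)
    return owner_ok, attacker_ok, issuer.balances[ACCOUNT]


def rotating_scheme_replay():
    """Same attack against time-limited, single-use codes."""
    issuer = Issuer()
    app = WalletApp(ACCOUNT, issuer.enroll(ACCOUNT, balance=20))
    t0 = 1_700_000_000  # simulated clock
    code = app.rotating_code(now=t0)
    owner_ok = issuer.debit_token(code, 5, now=t0 + 5)
    replay_ok = issuer.debit_token(code, 5, now=t0 + 10)  # same nonce, already spent
    held = app.rotating_code(now=t0)  # photographed but not presented until later
    stale_ok = issuer.debit_token(held, 5, now=t0 + 600)  # past expiry
    tampered = code.rsplit(":", 1)[0] + ":" + "0" * 64  # bad tag
    tampered_ok = issuer.debit_token(tampered, 5, now=t0 + 5)
    return owner_ok, replay_ok, stale_ok, tampered_ok, issuer.balances[ACCOUNT]


if __name__ == "__main__":
    print("static  :", static_scheme_replay())
    print("rotating:", rotating_scheme_replay())
```

The rotating scheme does not stop a thief who pays while the code is still fresh and unredeemed, and it needs the phone to hold a secret and a roughly correct clock; what it removes is the property that a photograph taken today remains a working credential next week.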
What is interesting about this scenario is not the fraud.
Plastic Starbucks stored-value cards are stolen, lost or misused every day. What is of note is that the mobile misdemeanor gets more press.
Virtual payment is under more scrutiny, possibly, because we have such great expectations for this new medium. What will help the industry advance mobile payments?
We know that new payment channels are not immune to mobile fraudsters.
Jimmy Shah, mobile security researcher at McAfee Labs, points out in a blog post that Android apps can be reverse-engineered, and that a fraudster could possibly gain access to the "secure element" chip and, ultimately, build a malicious app that impersonates the official Wallet app to trick the "secure element" chip into giving up the shopper's credentials.
As an industry, we need to focus on shopper confidence and do everything we can to mitigate a headline fraudster story in the near future.
The security industry that was somewhat reactive in the early days of ISO standards development needs to proactively address mobile security and push for global adoption.
The industry is thankfully not waiting for Washington to intervene again.
ISO Mobile efforts began in 2009. The initial vote failed, but recent revisions to scope led to New Work Item (NWI) approval.
The U.S. delegation is now working with France, Britain, Brazil, Finland, Kenya, Germany, Denmark and Russia to roll out ISO standards over the next year.
Hopefully, iron-clad standards will allow the industry to meet the new shopper with confidence and not hubris.