History tells us that safety and security are afterthoughts. From the Gold Rush at the end of the 19th century to the technology Gold Rush at the end of the 20th, the rush for riches was so great that the idea of security was thrown to the wind. Revenue assurance only came to the Mobile table once the rush for customers had subsided and the focus moved from top line revenue to bottom line margin.
It is happening again. As the rush for market share of the payments market heats up, companies large and small are inventing new ways of transferring funds – paying people – easily. This aim for easy to use, attractive products creates a potential nightmare for consumers; easy is seldom secure. The whole concept of mobile wallets, while attractive, means that when someone steals your phone, they steal your wallet too – worse, you can’t phone for help! It is not just NFC that is at ‘fault’ here, although it is an obvious example. If you have your credit card or bank details stored in a mobile phone you have a monetary instrument and that is attractive to Bad Guys.
The potential of NFC is enormous. It will enrich and enable the whole shopping/living experience of millions of people and will create opportunities for operators and third parties that we can only imagine. It is the difference between shopping in a warehouse and walking the aisles of Macy’s or Harrods.
For a moment, though, let us step to the Dark Side. As you walk into the store, your phone lets the store system to pick up your details as you walk inside its co-ordinate boundaries. Google have quietly patented a face recognition technology that enhances this ability. No records exist, until a transaction takes place, but when you walk through the door into the store, you have opened the door into your phone. This means that your phone, and therefore your wallet, can be cloned. A Disgruntled Shop Assistant could potentially steal your details or there may be a Bad Guy in the store with you, and it is possible for him to clone your phone while simply standing close to you.
Another threat is the excellent concept of the QR code or NFC tag. Again, they are easy to produce – three clicks and the means to produce are in front of you. Point your phone at a QR code or NFC tag and it is possible, easy in fact, for someone to take control of what happens next. They could have designed the code so that you are re-directed to a site that is fizzing with malware, that can empty your phone of all its information, sends this to a clearing house and on to other Bad Guys. The very ‘connectedness’ of the ubiquitous mobile device could potentially be harnessed to launch Distributed Denial of Service attacks of unprecedented scale. Unlike having your ‘wallet’ stolen it is likely that you will not even know that it has happened. And this gives the Bad Guys a real head start. You will not know when it happened, who did it, and, frankly by the time the authorities are involved the ‘who, when and where’ will be entirely academic
As with the new acknowledgement that people need educating about online security, it is time that we take a very serious look at the security of new technologies that are making payments easier. There need to be standards and accountability, as there are in the credit card industry. If your credit card is stolen the liability lies with the credit card company – as long as you report its loss in a timely manner. Not so, yet, with the phone company – or if so, accountability is patchy at best. If your phone is stolen and you receive a huge phone bill as a result of someone else’s online shopping spree, the phone company has no liability and it is their discretion alone that will let you off or not.
There are some ideas emerging. Many of them revolve around a second stage authentication and one of the most promising is that when you use your phone to pay, a photo of you will appear on the terminal in the store. This works fine as long as a) there is a photo of you on your phone and b) your kids have not borrowed your phone!
As with any Gold Rush that can create riches and a better life for consumers, security is likely to remain an afterthought. But in this connected world, where one person can steal the identities of 100 million others, this is no longer acceptable. There are too many people, too much money at risk. We need to have security built in.