Consumers want mobile payments. So do the mobile carriers, device manufacturers and point-of-sale (POS) vendors. Amex, Visa, MasterCard and all of the other payment providers also have something to gain. Payment is the next frontier of mobile technologyand is becoming a hot area for innovation helping to make carrying a wallet obsolete.
But, recent high-profile security breaches aren’t helping us drive toward that reality. Even outside of the mobile arena, Firesheepdemocratized data theft for anyone inclined, and the recent challenges by PayPal via iTunes illustrate that no brand is safe or sacred.
Remember back in 1998 when people were scared about buying things online? We eventually figured out how to do it, and moreover, do it right.
We are now at the same crossroads with mobile. Mobile is a completely different animal however, and one that comes with a full host of new threats. We cannot simply apply our dated, web-based security best practices to the mobile domain. In fact, I’d argue that mobile security is critical to the maturation of the web itself, in 2011 and beyond.
Whether you’re a consumer, developer or investor delving into mobile payments technologies for personal or professional use, here’s why you should care and the top factors to consider when evaluating technologies in the coming year.
Security Is Not Sexy, but It Affects Your Financial Health
We, an industry of entrepreneurs, investors and builders of great software, too often turn a blind eye to the reality of security vulnerabilities. There are exponentially more of them as the pace of technology innovation quickens.
Security means directly addressing risks and the reality is we really don’t like people raining on our parade. To date, security and peace-of-mind has been represented as a checkbox, not a core competence or the make-or-break software issue that it should be.
Even the most well-respected brands have challenges in this regard –- as illustrated by PayPal and Bank of America’s mobile payment efforts.
In fact, the more and more we do on our mobile phones, the more enticing it becomes to take advantage of holes in mobile security. There is a huge opportunity to secure the mobile lifestyle and enable trustworthy payment applications.
Security is something we’ve focused on at my company, and it’s the reason we’re able to work so closely and effectively with point-of-sale systems and vendors in the hospitality industry. The security of our app is not just a feature; it’s the heart and soul.
Continuing to ignore the gravity of mobile security threats as the web matures substantially increases the likelihood that your credit card information will be stolen while your bar tab is open, while it’s being transmitted over the wireless networks, or while it’s stored in massive databases.
Even if a mobile payments provider or bank has the best fraud and theft protection, the odds are high that you will still need to request a new card from your bank and ensure that it doesn’t process any of the foreign charges before you can resume your life. In the worst case scenario, you have to navigate a slew of identity theft issues and dedicate unknown hours of precious time re-securing your personal data, identity and financial security — instead of living your life.
Payment Methods and What “Encryption” Really Means
There are many different options available to companies, services and apps when initiating a mobile transaction. These include:
- Web-based transactions (through the browser)
- SMS (via text messages)
- NFC (near-field communications, usually a sticker put on the phone and newly popularized because Apple and Google are rumored to be putting NFC inside of their next-generation phones)
- Tokenization (like paying for a ticket at a theme park, i.e. converting first into an alternate currency)
- And many more options.
These technologies will all succeed in completing a transaction, but they all rely on some type of encryption to enforce security along the way.
For all intents and purposes, encryption is a process by which information is transformed so that it is unreadable to anyone except those possessing the key or the decryption process. A wide variety of encryption processes or schemes have been developed and employed to safeguard our payment data.
To set your fears at bay, companies offer assurances of the “best” encryption technology, the best-guarded servers, or the standard certifications by McAfee and Symantec.
The truth is that today’s dominant approaches to mobile security date back to 1995 or earlier and seek to conduct mobile transactions in the same way as traditional transactions — by treating the phone like it is just another computer, adding in some extra encryption for good measure.
But, mobile has very different vulnerabilities, and although encryption is an important piece of the puzzle, it isn’t the whole solution.
Ask About Intermediaries
What you should look for is establishing a direct connection between your phone and the venue’s point-of-sale (POS) system (e.g. a cash register or payment console). Companies that do this mitigate threats from middlemen, and the fewer intermediaries, the better.
Also, you should care about whether your information is processed locally at a venue or pushed to a larger, third-party server farm somewhere else. The bottom line is that fewer steps and company touches is better. You might not always know explicitly whether this is the case, but you should get in the habit of asking.
Better Understand Where Your Data Lives
Above and beyond everything else, common sense dictates: If there’s enough money in the bank, someone will try to steal it. 7-Eleven only carries $20 cash at night for a reason.
Your payment data should solely be stored on your phone and not in someone else’s database with tens of thousands of other credit card numbers. It’s hard to steal from someone if there’s no money in the safe. This is the only thing that truly deters hackers from going after a big score.
Keeping your payment data solely in your phone is equivalent to keeping your credit card in your wallet.
For consumers, you can usually find out where data is being stored by perusing a website carefully or reading well-researched articles and reviews. Journalists are doing a better and better job of ferreting out where your data lives, and how it is being passed around.
For app developers and payments services, keeping the data out of their servers absolutely involves more work and clever engineering. It’s hard to avoid any third parties (whether for processing or hardware), because those third parties can make things a lot easier on a startup. It’s worth it to start down this path if you haven’t already, since consumers will increasingly demand it.
Be Confident the Data’s Encrypted
The very best approaches to mobile security never send your payment information in any way that an enabled hacker in proximity could intercept your data.
It should be a priority to have industry-standard encryption. Customer smartphones talk directly to the POS. Ideally vendors and companies won’t even need this extra data in the first place.
Your Cheat Sheet
In sum, the stakes are high when the smartphone replaces the wallet. We have to rethink where the data lives and who has access to it, convenience notwithstanding. We’re all responsible for asking the hard questions to be informed consumers when we support a carrier, manufacturer, vendor network and technology.
Here’s your cheat sheet for owning your mobile transaction financial health. I urge you to ensure that your credit card information is:
- Only sent to the venue’s POS system, rather than passing through third party services.
- Only stored on your phone, where it’s safest, and not in the cloud.
- Always encrypted when it is sent to the POS system, where the transaction is taking place.