Saturday, September 1, 2012

Mobile payment systems approaching boiling point

In my recent Computerworld column, I talked about the state of mobile payment systems today, as well as some near-term developments that are coming down the road. There's so much at stake for everyone--merchants, customers, and the payment card industry--that an "oops" could cost us all dearly.

Merchants and the payment card industry have a lot at stake in monetary terms, but we consumers also have much at stake. A blunder at this point could cost us precious time.

I believe all of us stakeholders appreciate the vision of mobile payments and how they could simplify our lives. Wouldn't it be wonderful to finally be able to ditch our wallets and have all of our important credentials on our digital devices? OK, that could be some time off still, but just consider it for a moment... What single thing in your wallet couldn't be represented digitally? Someday. I, for one, would welcome it.

And of course, that utopian vision of a better tomorrow places an enormous burden on our ability to secure things. The transaction systems must be secure. Our mobile platforms must be secure. At the very least, we simply must do better than we've ever done in the past. And there's much that can go wrong.

In the US, the payment card industry is plagued by an arcane design based on magnetic strip readers in the point of sale ("POS" -- and they were named this without an apparent hint of irony) terminals. The biggest problem with the existing system is that the merchant gets full access to the customer's account information, leaving it wide open to fraud. I've personally been burned by that multiple times, forcing me to change my card numbers with dozens of merchants each time. POS indeed.

Elsewhere in the world, the prevalent system is called "EMV" (after the three primary backers of the system: Europay, Mastercard, and Visa) or "chip and pin". The big advantage with EMV is that the merchant does not have access to the customer's account information. But even that system isn't without its perils, as demonstrated by some graduate researchers at Cambridge University a couple of years ago.

No, if we're ever going to succeed at deploying a digital wallet system that we can truly have faith in, we're going to need to do better than both of these.

And that brings us to mobile platforms. Both Android and iOS contain various pitfalls that the digital wallets are going to have to carefully avoid. System caches that store keystrokes, screenshots, etc., are just the beginning.

We hope that the folks in the back rooms implementing the various aspects of digital wallets right now are paying close attention to the mistakes of the past so that we can avoid them in the future. If they're going to make mistakes, let's at least ensure they're new mistakes and not the ones we've seen in the past.

That's a tall order, of course. Gunnar Peterson (@OneRaindrop) and I (@KRvW) will be discussing many of the pitfalls to avoid and how to avoid them in our upcoming Mobile App Security Triathlon, taking place on 5-7 November 2012 at the Fairmont Hotel in San Jose, California. We hope to see many mobile wallet developers there!

Cheers,

Ken van Wyk

1 comment:

  1. You have pointed out some great points I believe all of us stakeholders appreciate the vision of mobile payments and how they could simplify our lives. Wouldn't it be wonderful to finally be able to ditch our wallets and have all.
    Thanks
    iPod touches

    ReplyDelete