How to Secure the iPhone Wallet
Let's start with the most obvious item on your checklist: Remote wipe. Most big smartphones, whether you're talking about the iPhone 4 or any device with Android Version 2.2 or higher, have the ability to let users remotely wipe all data from lost or stolen devices. This is obviously very important for any device that can make mobile payments since you'll need to quickly get any critical financial information off your device if it falls into someone else's hands. If you haven't familiarized yourself with this feature on your iPhone, you'll certainly want to do so before making any payments with it.
But you shouldn't feel secure only having remote wipe since it's entirely possible that it could take you hours to realize you've lost your smartphone -- after all, remember what happened with the poor iPhone coder who lost a prototype of the iPhone 4 in a bar. So in addition to remote wipe, you're also going to make sure you have a password system on your device that both requires complexity and has time-out features in place that will lock the phone for a certain amount of time if you enter the wrong password multiple times. And of course, you'll need to be ready to cancel any credit cards whose information you've stored on your phone. In other words, using your smartphone as a payment platform could be a real hassle if you aren't careful.
"The stakes are up now," says Frank Kenney, the vice president of global strategies at business software vendor Ipswitch. "Not only do you need to be more proactive, you need to be willing to do things like remote wipe your phone and you need to go back in and start to cancel cards through your phone."
Kenney also thinks that banks or credit card companies will have to develop applications that give mobile users more ready access to their account information so they can learn quickly whether an erroneous payment has been charged to their account.
"When you're waving your cell phone in a half dozen different ways you're going to want to check a lot more often and scrutinize those things," he says. "We're going to need technology that can deal with those massive amounts of information."
Jeff Nigriny, the CEO of identity management and security firm CertiPath, says he'll be interested to see how banks handle the question of liability with smartphone payment applications. In particular, he notes that since consumers typically face zero liability when they lose their credit cards, banks will have to make sure they have similarly favorable terms of service to lure users away from their plastic and toward their iPhones.
"You'll want to be clear on what terms and conditions you have with your credit card issuer," he says. "If they aren't pushing any liability on you, what do you have to lose? But the second somebody changes the liability equation, then it's time to back out."
From a security hardware standpoint, Nigriny says it would make the most sense for device manufacturers and software designers to separate the iPhone's payment function from other apps using a Trusted Platform Module (TPM) that can be used to securely store information using cryptographic keys. Nigriny says if effectively deployed, a TPM would effectively firewall the payment function off from the rest of the phone on both the hardware and operating system levels.
"Using a trusted computing platform type of chip makes the most sense since you know that your other apps won't bleed over into the trusted payment method," he says. "The entire defense community uses TPM because it's the best thing going right now... I have no idea if TPM will come with all smartphones but it would be insanely stupid not to do that."
Read more about anti-malware in Network World's Anti-malware section.