Mobile Shopping Still Awaits Security
Way back in January 2011, I talked about a dawn of mobile payment systems that seemed about to break. A year and a half later, it appears to have been a false dawn, but light is starting to spread on the horizon.
One system that I mentioned back then did come to pass. The Starbucks system that lets you pay via iPhone is up and running and seems to work adequately, though as far as I can tell, it hasn't been a roaring success.
My observations are hardly scientific (and back in December, Starbucks claimed that 26 million transactions had been conducted using its mobile-payment app, making it the largest such program in the U.S.), but I rarely see other Starbucks customers using their iPhones to pay at Starbucks. It could be that people just don't want to go to the hassle of setting up an account -- you have to register a Starbucks account and tether it to your credit card. Whatever the reason, I hardly ever see anyone but me using the system at my local shop. (See also "New Point-of-Sale Strategy Boosts Service and Security").
Regardless of whether people are clamoring to pay for their morning brew with their iPhones, the mobile-payment market is getting more crowded. One player, Square, is offering a mobile payment app that lets customers pay for goods at Square-using merchants with a minimum of fuss. This could be a success, since small merchants that have steered away from accepting credit cards are attracted to another Square offering, a miniature credit card reader and app that works on many varieties of smartphone.
An attractive aspect of Square's mobile-payment app is that the merchant never sees the customer's credit card number, unlike with the Starbucks system. Actually, it's about to be just like the Starbucks system, since Starbucks has announced that it will be rolling out Square shortly to its stores. (It isn't clear whether that will replace Starbucks' existing payment system or augment it.) If I'm correct about why Starbucks' system hasn't been widely adopted, the Starbucks deal is sure to boost Square's position as a mobile-payment purveyor.
And just recently, a group of major retailers including Wal-mart, Best Buy, Lowe's and CVS announced a system called Merchant Customer Exchange (MCX). While the details of that system aren't yet clear, it should further increase the visibility of mobile-payment options. Of course, PayPal and Google Wallet are also part of the mobile-payment space. And if that doesn't sound like enough, here comes Apple, whose iOS 6 will feature Passbook, an app that could help bring multiple systems together for use with many merchants and can also handle things like sporting-event tickets, concert tickets and airline boarding passes.
So, clearly, vendors are lining up for mobile payments. The question is whether consumers will do the same.
What's the Holdup?
Security could well be a deciding factor. I firmly believe that the security of these systems absolutely cannot be an afterthought. A massive security failure of any of these could cause equally massive losses for all. Consumer confidence is fickle, hard-earned and easily lost.
As an enthusiastic consumer of technology that makes my life easier, I look for some basic attributes and features in a payment system. These include the following:
Don't show the merchant the account number. This is one area where the "chip and pin" payment systems used pretty much everywhere in the world except the U.S. excels. I've personally been burned by the theft of credit card account numbers more than once, and I'm all too familiar with the inconvenience of having to update my credit card information with all the merchants I frequent. That model was antiquated 20 years ago and hasn't improved with time.
Make it hard to eavesdrop. As much as I like the convenience of using the Starbucks app to buy my morning cappuccino, I don't like that the barcode system it uses can be observed and replayed by a determined attacker. OK, that's not a likely scenario, but it can happen, and it makes me keep my barcode covered for as long as possible. Like credit card numbers that are easy to steal and use, reused and observable barcodes aren't a good idea.
Strongly authenticate the merchant to the customer and the customer to the merchant. Failing to do strong authentication between the chip and the terminal is the problem I wrote about in the chip and pin system, as discovered by Cambridge University researchers a couple of years ago.
Failures of these basic principles could well enable attackers to break our new mobile-payment gizmos, and we'd all lose if that came to pass. The lure of payment systems that are secure to the consumer as well as the merchant is enormous. I'd love to get rid of that relic of the 19th century, the wallet. But if consumers feel that they are much more secure carrying money in their wallets, mobile payments will never get off the ground in a big way.
And I for one want them to. We were promised the Jetsons, and too often it feels like we're getting the Flintstones.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Virgnia.
Read more about mobile payments in Computerworld's Mobile Payments Topic Center.