How smartphones can reshape the way we pay

Your phone could be the key to a truly secure way to spend your money

Target; Neiman Marcus; Michaels. Lately, it seems that a week doesn't go by without some major retailer being forced to inform customers that its payment systems have been compromised, potentially affecting millions of cardholders and their finances. Of course, that's on top of the myriad scams that happen every day on a smaller scale and end up costing both consumers and businesses billions of dollars every year.

As plastic has increasingly replaced cash over the years, the financial industry has worked hard to tighten its grip over payment networks in an effort to curtail fraud--obviously, with mixed results. But that's due largely to the fact that the weakest links in the long chain of providers that make charging your credit card possible are outside of the industry's control. In the end, the best solution to this problem may already reside in your pocket: Your phone could be the key to a truly secure way to spend your money.

Would you like my wallet?

Despite the fact that it often gets a bad rap, the amount of technology that surrounds the plastic we carry in our wallet is something to behold. You could be ordering a latte in Shanghai and, with little more than a phone call, the coffee shop would be able to contact your American bank in real time to find out if your credit card is legit and if you have enough credit to cover your purchase.

Still, unlike cash, card transactions are inherently insecure: Handing over your Visa to store clerks is essentially equivalent to giving them your wallet, trusting that they will only take the money you owe them and return it to you. Of course, most merchants are honest, but the fact that every bit of information needed to take your money is encoded in the magnetic track of your cards means that all it takes is a small, hard-to-detect change to the hardware they use--either at the point of sale or in transit from the manufacturer--to turn them into hapless enablers of fraud on behalf of unscrupulous criminals.

Card networks have tried to combat this problem by implementing increasingly sophisticated solutions. For example, Visa, MasterCard, and their brethren have put numerous regulations (part of their PCI initiative) into place aimed at making retailers handle their customer data in a more secure manner, and even introduced chip-and-PIN technology (called EMV in the industry), which essentially places a tiny computer right on each card; its job is to mediate each transaction interactively, thus providing merchants with only the information they need to charge you once.

Fish and chips (and PINs)

Still, PCI and EMV have many practical limitations that often defeat their very sophistication. For one thing, they depend on retailer compliance and specialized hardware that is expensive to acquire and deploy; while widely used in Europe and Canada, for example, chip-and-PIN isn't due to be broadly rolled out in the U.S. until 2015 at the earliest. Even then, the infrastructure change will be at a significant cost to merchants, who are unlikely to welcome the investment in the current economic climate. And, until chips become mandatory everywhere, cards will continue to support old magnetic-track technology, which still leaves customers and merchants open to massive fraud.

Most importantly, cards must rely on the merchant to communicate with issuer networks; this makes them little more than passive participants in the process--and, if a flaw is found in the chip-and-PIN technology, it makes the merchants ideal targets through which criminals can continue to collect millions of cards that can be resold on the black market.

Enter smartphones: Unlike a credit or debit card, they are autonomously powered and can independently connect to card issuers over the Internet. Combined with their increasing ubiquity, these capabilities have the potential to change the way we pay for everything from groceries to online purchases in just a few short years.

Can you charge me now?

Because a smartphone does not need to depend on the merchant for communication and power, it can turn the payment process on its head: Instead of asking merchants to connect to card issuers on your behalf, the merchants themselves could ask your phone to connect directly to Visa and MasterCard, and authorize the transfer of money from your account to theirs.

Because the merchant never gets to see any information about your card, the opportunity for them to inadvertently become conduits for fraud is greatly diminished--as is their effective liability and your possible exposure to theft: It's relatively easy and cost-effective for a criminal organization to "bug" each store of a retail chain with modified hardware and collect card data in bulk, but they'd have to compromise each user's device individually in order to achieve the same effect if we relied on our phones to process our transactions.

The process could work like this: The cashier scans your products, and your total appears on the cash register's screen alongside a barcode that you can scan with your phone's camera. A dedicated app asks you to confirm the purchase with your PIN, then contacts your card issuer over the Internet and authorizes the transaction. The authorization is relayed to your merchant's cash register, and the entire process is completed in essentially the same amount of time taken by a traditional swipe transaction.

Best of all, a solution like this can be implemented largely via software, as long as a merchant's cash registers have a screen that can display barcodes--as most do. This means lower adoption costs, and a better chance to quickly react to potential flaws by fixing them with an update to their system that can be installed remotely.

Relying primarily on software also means that the inevitable flaws can be addressed in a more timely manner, since they do not require the replacement of physical devices: New versions of apps for both the end user and the retailer can be deployed in a matter of days using existing infrastructure like the App Store, instead of relying on costly swaps or mailing out of new cards.

A safe in your pocket

This model could easily be extended--virtually unchanged--to online transactions, reducing the requirement for customers to leave their credit card numbers in the hands of merchants who often have a hard time keeping them secure, despite their best intentions, and greatly increasing the safety of Web shopping for everyone involved with minimal investment.

In this case, instead of asking for your card information, your favorite website could, once again, show you a barcode that you could scan with your phone; you could then authorize your purchase just like at your local store. If you happen to be shopping on a mobile device, of course, this process would be even simpler--a link on the check-out page could just launch your dedicated "electronic wallet" software and allow you to complete the purchase more quickly.
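The in-store flow described earlier and its online variant above, as an added example (Python; not code from the article or from any real payment network): the register or checkout page builds the barcode payload, the phone signs it only after PIN confirmation, the issuer checks the device key, available credit and replay, and the register accepts only a receipt scoped to its own request. The device keys, merchant secrets and HMAC-based message formats are assumptions made for the example.

```python
import hashlib, hmac, json, secrets

# Constructed key material (an assumed model, not from the article): at enrollment the
# issuer shares a key with the phone app, and separately a secret with each merchant.
DEVICE_KEYS = {"phone-123": b"constructed-device-key"}
MERCHANT_SECRETS = {"coffee-shop-42": b"constructed-merchant-secret"}

def mac(key, obj):
    """HMAC over a canonical JSON encoding, so both sides authenticate the same bytes."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def merchant_request(merchant_id, amount_cents):
    """Register or checkout page: the barcode payload. It carries no card data at all."""
    return {"merchant": merchant_id, "amount": amount_cents, "nonce": secrets.token_hex(8)}

def phone_authorize(device_id, request, pin_confirmed):
    """Phone app: only after PIN confirmation, bind the request to this device for the issuer."""
    if not pin_confirmed:
        return None
    msg = {"device": device_id, "request": request}
    return {"msg": msg, "mac": mac(DEVICE_KEYS[device_id], msg)}

class Issuer:
    def __init__(self, balances):
        self.balances = dict(balances)  # available credit per device, in cents
        self.seen_nonces = set()         # a merchant nonce may be settled only once

    def authorize(self, signed):
        req, device = signed["msg"]["request"], signed["msg"]["device"]
        if device not in DEVICE_KEYS or not hmac.compare_digest(mac(DEVICE_KEYS[device], signed["msg"]), signed["mac"]):
            return {"ok": False, "reason": "bad device signature"}
        if req["nonce"] in self.seen_nonces:
            return {"ok": False, "reason": "replay"}
        if self.balances.get(device, 0) < req["amount"]:
            return {"ok": False, "reason": "insufficient credit"}
        self.seen_nonces.add(req["nonce"])
        self.balances[device] -= req["amount"]
        receipt = {k: req[k] for k in ("merchant", "amount", "nonce")}  # no device or card data
        return {"ok": True, "receipt": receipt, "proof": mac(MERCHANT_SECRETS[req["merchant"]], receipt)}

def merchant_verify(request, approval):
    """Register: accept only an issuer receipt that matches its own outstanding request."""
    if not approval["ok"] or approval["receipt"] != request:
        return False
    return hmac.compare_digest(mac(MERCHANT_SECRETS[request["merchant"]], request), approval["proof"])

def checkout(issuer, device_id, merchant_id, amount_cents, pin_confirmed=True):
    req = merchant_request(merchant_id, amount_cents)  # one full round: register -> phone -> issuer -> register
    signed = phone_authorize(device_id, req, pin_confirmed)
    return signed is not None and merchant_verify(req, issuer.authorize(signed))
```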

Why involve mobile devices at all when you could be running the software directly on your computer? Because they are inherently more secure. Apple's institutional paranoia in particular, with its sandboxing and App Store restrictions, is going to make iPhones and iPads prime candidates for this kind of service, since--as long as they are not jailbroken--iOS devices make it easy to run software that is resistant to data theft.

Mobile devices are also becoming the primary conduit through which new technology makes its way into the lives of most people. Few computer owners would bother installing a fingerprint sensor on their Macs and PCs, and yet tens of millions of people already use one every day just because the iPhone 5s comes with one. Against all odds, users of smartphones and tablets--devices built with less technical folks in mind--are becoming the early adopters of our time.

All this points to mobile devices in general (and iOS hardware in particular) as the perfect choice to upend the payment industry. All the pieces are in place, and the only thing missing is a player that has both the capabilities and the clout to push a solution on the industry--a role that would fit Apple to a tee, but that could also open the door for smaller players to bring innovative solutions to the forefront.

Stories by Marco Tabini