[Dave Birch] No, I’m not sure what it means either, but we have a project helping a customer in the field of security, so I’ve been looking at the issue of perception and reality. In particular, I’ve been looking at the way that consumers see mobile (in the context of activities that require security, such as banking). I came across this:

Security concerns were found to be a major hindrance to take-up of mobile services, with just five per cent considering mobile handsets offer a “very secure modality”.

[From Finextra: UK consumers shunning m-payments]

I doubt that 0.5 percent of U.K. consumers know what a “very secure modality” is — I know I don’t: my dictionary says that “modality” means “a particular mode in which something exists or is experienced or expressed” — so we probably shouldn’t read too much into the absolute figures. But, nevertheless, there is concern about security in the mobile world (not just for payments) and we need to address the issue if we want to see a growth in m-transactions. Pointing out to people that mobile phone transactions are more secure than, say, credit card transactions on the web, isn’t the right way forward. The people interviewed are not carrying out a detailed risk analysis and coming to an informed view of countermeasures, they are reacting to their perceptions. By this reasoning, perhaps we should be developing some “security theatre” to make mobile deliver the right feedback, the right image, the right modality. I don’t think a little picture of a padlock is going to do it. I rather like the old proxmity payment demo we had on the original Nokia 3220s: the lights flash green when it’s ready for a transaction, the light flashes as it’s making a transaction and the lights go green or red depending on the outcome.

It is not, incidentally, merely uninformed members of the public who think that security is a serious issue in mobile. A leading security expert says the same:

“Contactless” payments made via mobile phones pose the greatest future threat to the security of consumers’ financial details, a leading security expert says. Around 52 million consumers will adopt new mobile technologies to pay for everyday goods and services by 2011, according to a recent study by analysts at Juniper Research… But Greg Day, an analyst at security specialist McAfee, believes the technology will yield immense opportunity for data fraudsters. “It makes me quite nervous. It’s to this type of contactless small payments arena that smart data criminals will turn: if they just take a fiver from everyone, rather than larger sums from fewer people, they’ll still make a fortune.

[From Mobile phone payments pose huge fraud risk | Personal Finance | Reuters]

I’m not sure this is quite the embryonic crime wave that Greg anticipates. If a nefarious commuter were to bring a carefully concealed but entirely bogus POS terminal in to close proximity to my rear end on the train (where I am typing this) they might, indeed, be able to snaffle ten pounds from my Barclaycard OnePulse card. But the only place the credit could go to is a merchant acquiring account. And when I see the mountebank merchant on my statement at the end of the month and complain to Barclaycard, they will give me my money back so I don’t care anyway. And if the commuting conman were to execute the very same blag on a hundred unsuspecting travellers, then the acquirer would undoubtedly notice something odd when the chargebacks come rolling in and point the Police in the right direction. It’s just not a great business to be in, from the criminal’s point of view.

I can understand people being concerned and, as I’ve said, we need to address these concerns. But that doesn’t, conversely, means that all of the concerns are valid or have equal weight. Personally, I find some of them most odd and suspect they stem from the fact that mobile payments are simply new. For example:

There are no physical records of mobile payment transfers. While electronic tracking it is technically possible, the sender or receiver or both may have already transferred money and destroyed the phones. If prepaid phone is used the mobile phone company can not even fully identify who the person is who used the cell phone. Even with regular cell phone subscribers, the use of false identification to obtain subscriber status is relatively easy.

[From National ACH: Mobile Payments Hinder Law Enforcement]

There are no physical records of mobile phone transfers? Where are the physical records of ACH transfers? If I use (say) M-PESA to transfer money to my cocaine dealer once a week then not only do M-PESA have a record of all of the transfers (albeit in electronic form), the phone company knows where we both were at the time. How is this bad? The argument that people might use false ID to obtain a mobile subscription or use a prepaid phone is no different from the argument that criminals obtain bank accounts in false names. Which I’m sure they do. And in any case what would the point be? Suppose the CIA notice that my prepaid phone is sending money to Osama bin Laden a couple of times a week: then the fact that they don’t know who I am, but they do know my phone number — and therefore the phone numbers of everyone else I’ve been talking to or sending money to, and pretty much where I am — sounds useful to me. Much more useful than knowing that I showed up a Western Union office with a bogus ID and walked out with the untraceable cash.

Anyway, it’s the security of the system as a whole that’s important, not the security of one components. One rather obvious factor that I think should be taken into account when assessing the overall security of the system is that whereas I have no idea where my American Express card is (I took it out of my wallet to buy a British Airways ticket and must have left it somewhere around my desk) I know exactly where my mobile phone is. As has long been known, phones are more important than cards.

A poll of 2,367 people indicates that more than one-third would choose to bring their mobile phone with them rather than their wallet, laptop, or other items if they had to choose.

[From Report: Mobile Phones More Important Than Wallets – Mobile Blog – InformationWeek]

So if someone steals my phone and PIN, in order to send money to their cocaine dealer but pretend it was me, I’ll notice it’s gone and use Nick’s phone (he’s sitting next to me) to call and cancel it. If someone steals my wallet, maybe I’ll notice tomorrow.

Let’s not get hysterical.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

3 comments

  1. Hi Dave,
    great paper here !
    Made me laugh a lot !
    I would kindly advise you to run very far away from the cybersphere, now that NSAs supercomputers have connected you with cocaine dealers and Osama BL.
    You’ve even mentionned those guys as close friends. You’re done, man, ready for Guantanamo ?
    (gasp, my answer now connects me to you…)
    Quick question : what would be your opinion about all those clever guys getting so hysterical ? Hmmm… another walled garden perhards ?!
    Best regards
    Looking forward to seeing soon.

  2. You are too kind Bruno, thank you for the comment.
    I’m not sure about the walled garden, because the tension between the goals of financial inclusion and KYC/AML is not yet being explored, but when it is I think that people will see that financial inclusion is the best result for society.
    The worries about mobile are because it is new.

  3. mobilephone free gift deal

    Did you know you can get a valuable free gift with your next contract moble phone… such as Wii, HDTV,top spec Laptops, Playstation, Tom Tom and much more? And its all from a name you can trust… Tesco! YOu’d be nuts to go direct to network with this…

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: