Security concerns were found to be a major hindrance to take-up of mobile services, with just five per cent considering mobile handsets offer a “very secure modality”.[From Finextra: UK consumers shunning m-payments]
I doubt that 0.5 percent of U.K. consumers know what a “very secure modality” is — I know I don’t: my dictionary says that “modality” means “a particular mode in which something exists or is experienced or expressed” — so we probably shouldn’t read too much into the absolute figures. But, nevertheless, there is concern about security in the mobile world (not just for payments) and we need to address the issue if we want to see a growth in m-transactions. Pointing out to people that mobile phone transactions are more secure than, say, credit card transactions on the web, isn’t the right way forward. The people interviewed are not carrying out a detailed risk analysis and coming to an informed view of countermeasures; they are reacting to their perceptions. By this reasoning, perhaps we should be developing some “security theatre” to make mobile deliver the right feedback, the right image, the right modality. I don’t think a little picture of a padlock is going to do it. I rather like the old proximity payment demo we had on the original Nokia 3220s: the lights flash green when it’s ready for a transaction, the light flashes as it’s making a transaction and the lights go green or red depending on the outcome.
It is not, incidentally, merely uninformed members of the public who think that security is a serious issue in mobile. A leading security expert says the same:
“Contactless” payments made via mobile phones pose the greatest future threat to the security of consumers’ financial details, a leading security expert says. Around 52 million consumers will adopt new mobile technologies to pay for everyday goods and services by 2011, according to a recent study by analysts at Juniper Research… But Greg Day, an analyst at security specialist McAfee, believes the technology will yield immense opportunity for data fraudsters. “It makes me quite nervous. It’s to this type of contactless small payments arena that smart data criminals will turn: if they just take a fiver from everyone, rather than larger sums from fewer people, they’ll still make a fortune.” [From Mobile phone payments pose huge fraud risk | Personal Finance | Reuters]
I’m not sure this is quite the embryonic crime wave that Greg anticipates. If a nefarious commuter were to bring a carefully concealed but entirely bogus POS terminal into close proximity to my rear end on the train (where I am typing this) they might, indeed, be able to snaffle ten pounds from my Barclaycard OnePulse card. But the only place the credit could go to is a merchant acquiring account. And when I see the mountebank merchant on my statement at the end of the month and complain to Barclaycard, they will give me my money back so I don’t care anyway. And if the commuting conman were to execute the very same blag on a hundred unsuspecting travellers, then the acquirer would undoubtedly notice something odd when the chargebacks come rolling in and point the Police in the right direction. It’s just not a great business to be in, from the criminal’s point of view.
I can understand people being concerned and, as I’ve said, we need to address these concerns. But that doesn’t, conversely, mean that all of the concerns are valid or have equal weight. Personally, I find some of them most odd and suspect they stem from the fact that mobile payments are simply new. For example:
There are no physical records of mobile payment transfers. While electronic tracking is technically possible, the sender or receiver or both may have already transferred money and destroyed the phones. If a prepaid phone is used, the mobile phone company cannot even fully identify who the person is who used the cell phone. Even with regular cell phone subscribers, the use of false identification to obtain subscriber status is relatively easy. [From National ACH: Mobile Payments Hinder Law Enforcement]
There are no physical records of mobile phone transfers? Where are the physical records of ACH transfers? If I use (say) M-PESA to transfer money to my cocaine dealer once a week then not only do M-PESA have a record of all of the transfers (albeit in electronic form), the phone company knows where we both were at the time. How is this bad? The argument that people might use false ID to obtain a mobile subscription or use a prepaid phone is no different from the argument that criminals obtain bank accounts in false names. Which I’m sure they do. And in any case what would the point be? Suppose the CIA notice that my prepaid phone is sending money to Osama bin Laden a couple of times a week: then the fact that they don’t know who I am, but they do know my phone number — and therefore the phone numbers of everyone else I’ve been talking to or sending money to, and pretty much where I am — sounds useful to me. Much more useful than knowing that I showed up at a Western Union office with a bogus ID and walked out with the untraceable cash.
Anyway, it’s the security of the system as a whole that’s important, not the security of one component. One rather obvious factor that I think should be taken into account when assessing the overall security of the system is that whereas I have no idea where my American Express card is (I took it out of my wallet to buy a British Airways ticket and must have left it somewhere around my desk) I know exactly where my mobile phone is. As has long been known, phones are more important than cards.
A poll of 2,367 people indicates that more than one-third would choose to bring their mobile phone with them rather than their wallet, laptop, or other items if they had to choose.[From Report: Mobile Phones More Important Than Wallets – Mobile Blog – InformationWeek]
So if someone steals my phone and PIN, in order to send money to their cocaine dealer but pretend it was me, I’ll notice it’s gone and use Nick’s phone (he’s sitting next to me) to call and cancel it. If someone steals my wallet, maybe I’ll notice tomorrow.
Let’s not get hysterical.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public