[Dave Birch] Lots of people were talking about “payments in the cloud” ($Cloud) at the last event I went to (the WIMA NFC conference in San Francisco). The basic idea is that your payment credentials are stored somewhere in the cloud and you access them from your PC, mobile phone, iPad or wristwatch whenever and wherever you need them. So here’s what I was just musing over in connection with a project some of our guys are working on at the moment. Are a username and password secure enough to make this a scalable solution? Well, let’s look around at the $Cloud examples that we already have.

iTunes gift cards worth $200 are now sold on a Chinese Website for merely $3. But that’s not a crazy sales promotion from Apple — it’s actually a group of Chinese hackers who broke Apple’s gift certificate algorithm and are now using a key generator to sell bargain gift cards on the Internet.

[From Hacked: $200 iTunes Gift Card for Only $2.60 | PCWorld]

After all, usernames and passwords are not a particularly strong form of authentication. But then neither is the magnetic stripe, and yet there are billions of them in use all around the world despite the fact that they can be copied at will. Generally speaking, even in the US, payment card fraud is manageable even though magnetic stripes are so trivially counterfeitable, so one might imagine that cloud payments based on username and password might have similarly manageable levels of fraud too, since there will be all sorts of fraud prevention and detection built in to the cloud.

Just added a $25 gift card I received yesterday, and this morning it was cleaned out.

[From iTunes store account hacked: Apple Support Communities]

That back end has got to be quite sophisticated and is time-consuming and expensive to build, but if you are only going to rely on a password to secure your payment system, then you are going to be attacked all the time, just as the experiences of existing cloud payment services bear out.

I got the emails this morning about a purchase on an unauthorized device. 2 games were downloaded and a crap load of in game add ons to the total of $124. They shut down my account and I had to go in and reset my password this morning. After an email and phone call they are refunding all my money as they can clearly see and know it was not one of my devices.

[From iTunes store account hacked: Apple Support Communities]

Now, of course, while the payment system is “closed” and the goods that are being purchased are virtual, then the losses can be tolerated even if the system is attacked all the time. But once the payments can start crossing boundaries, then there are real problems.

The new pact means that if a customer purchased $20 worth of Ghost Recon Credits on Facebook, Facebook would still earn its 30 percent cut of the revenue, but players would be able to access the points in the Ghost Recon game on Apple devices. The reverse is true as well.

[From Surprise! Facebook Credits and Apple’s iTunes Play Nice With Each Other. – AllThingsD]

Now having to refund third parties hurts much more than cancelling some digital purchases, so in this example it’s hard to see how either Facebook or Apple can go much further. Passwords either won’t scale at all, or will scale but in a very expensive way. We need an alternative key to the cloud. Personally, I’d rather use my phone and a PIN. This seems to me to be the right balance, an effective way of implementing two-factor authentication (2FA) in the mass market. Typing in my username and password is annoying on a phone and, since viruses and trojans will undoubtedly cause the same problems in that world as they do on PCs, not really that much of a barrier to the bad guys. The main $Cloud service that I use is PayPal and they get around the username/password problem by using the phone: when I log in to make a payment, as I did this very morn, they send an SMS to my phone. The SMS contains a six digit code. It’s not a perfect solution (there are vulnerabilities in the SMS solution) but it’s good enough to tip the risk balance away from the bad guys. Thus the PayPal $Cloud is already chip and PIN, it’s just that the chip is the SIM card and the PIN is six digits instead of four.
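
The password-plus-SMS-code flow described above, sketched from the server's side as an added example (it is not PayPal's implementation and not code from the original post). The class name, the `send_sms` callable, the five-minute lifetime and the three-guess limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a sent code
MAX_ATTEMPTS = 3         # assumed number of guesses allowed per code


class SmsSecondFactor:
    """Password first, then a six-digit code sent to the registered phone."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway: send_sms(phone, code)
        self._clock = clock
        self._pending = {}          # user -> [code_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        # Only a digest of the code is kept server-side.
        return hashlib.sha256(code.encode()).digest()

    def start_login(self, user, phone, password_ok):
        # No code goes out unless the first factor (the password) succeeded.
        if not password_ok:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, leading zeros kept
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user] = [self._digest(code), expires_at, MAX_ATTEMPTS]
        self._send_sms(phone, code)
        return True

    def finish_login(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                 # nothing issued: password alone fails
        code_digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]      # expired or guessed out: start again
            return False
        entry[2] = attempts_left - 1
        # Constant-time comparison of stored and submitted code digests.
        if hmac.compare_digest(code_digest, self._digest(submitted)):
            del self._pending[user]      # single use: a replayed code fails
            return True
        return False
```

With a six-digit code and three guesses, an attacker who holds only the password has a 3 in 1,000,000 chance per login attempt, which is the shift in the risk balance the paragraph describes.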

Thinking along these lines, the natural synthesis is to have the mobile operator provide some kind of (preferably PKI-based) digital identity infrastructure for the $Cloud guys to use — since it would be cheaper and better for them to have access to a SIM-based digital ID than to build their own — and build value-added payment services on top of.

That is why solving digital identification is almost the same as building a fraud-proof digital payment system.

[From Mobile Banking: Digital identification and mobile payments]

Is this the long-term solution then, the SIM and PIN? No. I think I’ll stay with my longer-term predictions about the phone/payment nexus. Surely voice will be both the interface and the biometric of choice: your private key will be protected inside a secure element, it will authenticate your voice pattern and pass both the voice and the identification (as a standard digital certificate) off to a server for execution. Imagine using a future version of Siri that could authenticate via voice identification as well as execute instructions by understanding what you are saying. Apple probably has.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
