[Dave Birch] The mobile wallet is much in the news at the moment and, since I’ve been to three different meetings about mobile wallets in the last three days, much in my mind as well. I don’t think it’s an exaggeration to say that the mobile wallet is inevitable, and I also think it’s fair to say that the mobile wallet appears to meet the needs of stakeholders (including consumers and retailers) in a way that “simple” mobile payments do not. One particular area where this is true is security, even if some of the stakeholders don’t realise it. 

Security tops the list of consumer concerns about mobile payments. Half of all American consumers say potential security and fraud significantly influence their likelihood to use smartphone technology to make purchases in the future.

[From Study: Consumers Unlikely to Abandon Wallets in Favor of Paying With Smartphones — NEW YORK, Feb. 29, 2012 /PRNewswire/ —]

So when you talk about moving to a mobile wallet, some people will say “sounds great, but what if I lose my phone or it is stolen?” without really thinking through the security risk analysis. If they did, they would see that things in a mobile wallet are far more secure than things in a leather wallet.

Your credit card is a data string, not a physical piece of plastic: why not enclose that data—and the privileges and responsibilities it unlocks—in a remotely accessible mobile container with an extensive system of checks and balances that has a much healthier respect for that data?

[From How A Stolen Wallet Made Me A Mobile-Payments Enthusiast | paidContent]

There are three main factors here. First of all, you are much more likely to notice if your phone is missing than if your wallet is missing anyway. Secondly, since the wallet is smart, it can be rendered useless to criminals (it can require a PIN, or passphrase, or it can be set to only work in certain locations or whatever). And finally, it can be built online, so when you walk out of the shop with your new phone, your wallet will automagically reappear, which doesn’t happen with your leather wallet. As Cindy Merritt from the Atlanta Fed says succinctly:

the mobile phone will be a much more secure payment device than the plastic cards we use today

[From Portals and Rails]

I agree. As we have long maintained, mobile payments are more secure than card payments. I further claim that the security of your virtual credit card inside your mobile phone is not only greater, but much greater than the security of your actual credit card in your back pocket. This is why I predict that the interchange rate for “phone present” transactions will, in the long term, be lower than the interchange rate for card present transactions.

In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles.

[From Digital Money: The fraud trajectory]

So nothing to worry about? Not quite. Security is still a problem. Just because there is a potentially secure platform available to implement a service doesn’t mean that the service will be implemented in a secure way, if you see what I mean, and it would be jolly useful if, once a secure way to implement something is found, the security went across services. (So, for example, that a common identification and authentication scheme might be implemented and used across a variety of banking, telecommunications, retail and other services.)

Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value

[From Portals and Rails]

This is why if you are, say, Visa and O2, then there is a long and complex path to a wallet and handset and SIM and secure element combination that can deliver security appropriate to mass-market, population-scale payments. Other apps might be able to cut corners and accept higher levels of risk, but these guys can’t. This necessarily implies that developing a mass-market mobile wallet such as the recently-announced O2 Wallet means paying proper attention to security and bringing world-leading expertise to bear on the process, products and services.

“We recognise that security is absolutely key in order for our customers to trust and want to use the service, so O2 Wallet has been trialed internally for months and has undergone extensive ‘stress-testing’ with the help of security experts Consult Hyperion,” said James Le Brocq, Managing Director at O2 Money.

[From Media – Consult Hyperion]

There are so many interesting issues to talk about here, at the cusp of telecommunications, technology and finance that it’s a great area to be working in. (I’ll be posting about using the O2 Wallet next week.) One of the issues that comes up all the time is trust. Will customers trust a mobile operator to deliver financial services? Can trust built up in one sector be transferred to another? What is the balance between trust and convenience? These are very real, and very hotly debated, issues in our space at the moment.

What about the Google (GOOG) wallet? Would people trust that? Yes, again.

[From Why Banks Will Continue To Lose Online Payment Market Share To Tech – Seeking Alpha]

Well, as they say, that was then and this is now. The much publicised security problem with the Google Wallet proves this point. It didn’t represent any real threat, no consumers lost money (and nor were they realistically likely to) but the story was all over the media, because they love that kind of story, and the nuances were lost. All that people remember is that there was a security problem with the Google Wallet.

As Google Inc. learned in the past week, the security problems with digital wallets are thorny and complex… Any misstep, however temporary, could erode the delicate trust banks and technology companies are trying to build around mobile payments.

[From Google Wallet’s Security Issues Could Strike Other Mobile Wallets – American Banker Article]

We use a risk analysis methodology — known as Structured Risk Analysis (SRA) — that we have specifically developed over the years to handle secure electronic transactions and to take account of the reality of an environment that involves not only technical and commercial risk but reputational risk as well. We’ve used it on projects for customers ranging from central bank settlement systems to manned space missions, so we think we know what we’re talking about. And we used it for M-PESA, as mentioned in the book “Money, Real Quick”.

Consult Hyperion were at that time engaged by the Central Bank to carry out the very detailed operational risk audit which the Permanent Secretary in the Ministry of Finance, Joseph Kinuya, said had found the service “safe and reliable”.

[From Book corner – “Money, Real Quick – The Story of M-PESA”]

A sound risk analysis means that a system can be “balanced” so that expenditure on countermeasures can be directed appropriately, and it means that transactional systems can be engineered so that costs and benefits are clear and subject to informed management decisions. If you want to know how to do this, just give us a call.


These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

1 comment

  1. Though updates are not automatic and the user must initiate the update, they could come with malware by a rogue contractor at the carrier that packaged up the update, for instance.

    These are managed devices and as such, the user is dependent on the security elsewhere.

    When you put the ability to transfer and spend money on a mobile, you make it that much more interesting for an attacker.
