If I owned a retail business or any business that has direct financial transactions, I’d be very interested in mobile payments — anything to make it easier for people to come to my business and spend their money, right?
Mobile payments are headline news right now because of a joint venture between some major companies like Target and 7-Eleven to develop the Merchant Customer Exchange, which will allow customers to pay via smartphones.
The idea isn’t unique, of course. Google has offered its Google Wallet for a while now, and companies like Square offer credit card readers for phones.
But to me, the question of mobile payment offerings returns to one primary question: Are mobile wallets secure?
The answer is probably not. Mobile payments, like the new Merchant Customer Exchange, rely on near-field communication (NFC), which allows two devices to connect when close together. However, at this year’s Black Hat conference, researchers showed just how easy it can be to exploit NFC and take over the device. According to The New York Times, Charlie Miller, a security researcher at Accuvant and serial smartphone hacker, showed just how easy it is to abuse NFC:
In front of a packed audience, he successfully hacked three smartphones using N.F.C.: a Samsung Nexus S, a Galaxy Nexus and a Nokia N9. In each case, he was able to access photos, send texts, browse the Internet and even make phone calls from the phones, without laying a finger on them.
He also demonstrated how it is possible to use NFC to install malware on a phone.
Financial data is what crooks want most, and as the NYT aptly pointed out, while NFC is supposed to make our lives easier, it also makes things easier for bad guys. Credit cards have had their own shaky security history, and I can’t help but wonder if mobile payments will be the catalyst for another major credit card breach.
And then there is the general lack of security for mobile devices. I thought this statement in an ABC News article said it best:
"Security is only as strong as the weakest link," said credit and cyber-security expert Adam Levin of Credit.com. "Humans are the weakest link. You may be able to take advantage of great deal but that requires storing information in your cell phone."
As I pointed out earlier this week, BYOD security is tenuous at best, so we know that many smartphone users already are not taking enough steps to protect their device. Now add the risks of NFC and mobile payments and your company data being accessed by the phone, and you have what could be a security nightmare.
Yes, it is a bit of a doomsday scenario from me. I do think that mobile payments are going to be the future of financial transactions, but right now, security is too uncertain and there are a lot of risks involved. It is an area where if you are going to proceed, do so with caution.