As the government struggles to debate and decide how to handle the fiscal cliff, I continue to think of how to save the industry from the mythical mobile payments cliff. If you read the industry magazines they have been predicting mobile malware for years, and as this idea begins to snowball so to does the fear associated with anything that mobile touches. The reality is that mobile systems are arguably *more* secure than their desktop computer counterparts. Let’s examine how…
The key thing to remember is that desktop personal computers and mobile devices have two entirely different security models and attack vectors. Desktop personal computers enable the user full control of the system but they also enable each application to access the other application’s data and the ability for some applications to change other applications. They also enable applications from any source onto the computer. It enables extreme functionality at the cost of security.
Mobile devices on the other hand offer the following features by default that prevent many of the risks facing desktop personal computers:
- Application Provenance – This wonderful word means that applications must be signed by their creator. Apple (iOS) only permits applications onto the device that are signed by an Apple-issued digital certificate. In addition, the Apple App Store performs application verification to remove applications that try to perform malicious activity. Imagine if we had something like that filtering applications people wanted to load on their personal computer. Imagine the custom malware and rogue applications we could prevent from infecting and spreading on your home or work computer.
- Application Isolation (Sandboxing) – This wonderful feature means that one application cannot access or negatively impact another application or its data. This is an amazing feature that means even if a rogue application did get through the application store(s) onto your device it would not be able to cause much damage because it could not alter or change any other applications or access the data from those applications. Currently, if malware infects your home personal computer it has access to all your personal and financial data stored on that computer. If a bad-actor application were to get onto your phone it would, at worst be able to access your personal contacts or photos. It will not be able to access other applications that access your financial records or email.
- Host-based Firewall – Unlike most desktop personal computers and enterprise workstations that may only firewall at a corporate, department or group level each mobile device has a personal firewall installed and does not allow externally-initiated connections in. This means that each device is firewalled from the other device and that a compromise of one will not lead to a compromise of many, as is often the case in desktop and server systems. Imagine if each computer in your entire company was segmented from every other because they each had their own personal firewall. Now imagine that each computer was a stand alone device and not even on the same network as the others, meaning even-if-everything-else-went-wrong a compromise of one system would not lead to a compromise of more than that one system.
- Encryption – That’s right, by default mobile systems support the encrypting file system meaning data and applications on the mobile device are encrypted by default. You can’t say that about most desktop workstations.
Mobile commerce can be as simple as leveraging the mobile device as a communications channel or as elegant as an ecosystem of products and features that enable trusted transactions in many different forms. The difficulty is that many people, and even some data security professionals, are unaware of the risks and countermeasures involved in mobile phone security much less the security benefits of a mobile payments ecosystem.
The reason for going into incredible detail above about the mobile security architecture is because these days many people see mobile payments much like they did e-commerce. People were terrified that we were putting payments on the Internet, with all those hackers, and accepting payments without the customer ever presenting their payment card in person. Yikes! A similar feeling manifests itself for all things mobile.
But the world didn’t come to an end with e-commerce. In fact, many people see e-commerce data loss as considerably less than that of its card-present relative. One can argue that e-commerce transactions are actually safer than card-present transactions.
We should begin to view mobile payments for what they are: a different paradigm with different data and different risks. Imagine what having GPS can do to identifying fraud patterns. Things like geofencing can enable transactions only when the buyer is physically present at the seller. Or imagine if you didn’t even need the card to be present, much like the mobile analog to Amazon’s one-click checkout. You don’t even enter your card number because it’s already stored on the back-end systems.
That simple idea is where we begin to see the real benefit of mobile commerce. It ends up becoming more about the ecosystem of connected components that creates a more trusted transaction. It’s one thing to use a secure reader on your mobile device or use a secure application on the mobile device but when you start to layer these features you begin to see how the traditional layered security model can manifest in the mobile payment ecosystem.
So have no fear of a mythical mobile payments cliff. Mobile devices have security features that far eclipse those of their non-mobile counterparts. We should recognize that new technology will bring with it new data and by leveraging that technology and data can reduce the overall risk in a system. Instead of fearing a mobile cliff we should be embracing mobile payments as a way to increase acceptance and catalyze commerce in a time when we need it the most.