Is Google’s m-wallet a disaster waiting to happen or a bulldozer that cannot be stopped?
Commenting on an article in Computerworld, Phil Lieberman, President and CEO of Lieberman Software, agrees that Android’s upcoming m-wallet (mobile phone wallet) is ‘a disaster waiting to happen’. The original article by Ira Winkler comments:
A smartphone’s operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment.
Mobile payment systems: A disaster waiting to happen
Phil adds to this:
Ira’s comments are bang on the money. Whilst it’s great to hear that m-wallet solutions will be Visa PayWave or MasterCard PayPass-compatible – meaning that the wireless data transmissions are encrypted – the problem comes if the smartphone itself is less than secure.
But are the doom-mongers correct? Well, yes they are – but any use of any computer for any purpose is a disaster waiting to happen. Since m-wallets will happen (they’re cool and useful, the two primary drivers for any commodity), the real question is whether the m-wallet is significantly less secure than any other method of payment. And I’m not at all sure this is true. Like everything else in security, it is user-behaviour that makes something more or less secure.
Phil comments that
…with large numbers of Apple iPhone users jailbreaking their handsets to escape network locks, it looks like most flavours of smartphones will be susceptible to security faux pas for some time to come.
That’s what I mean about user behaviour. Using a jailbroken iPhone as an m-wallet is like walking through a crowded mall with an open bag and a visible purse/wallet: it is the user rather than the wallet that is at fault. So what are the alternatives to the m-wallet, especially since cheques are being phased out by the banks (and we can expect them to do the same with cash over the next couple of decades)?
For now we have cash in a purse. Well, that’s less secure than a smartphone. Most people realise that they have lost their phone within minutes, and can switch it off remotely in an instant. The cash in the m-wallet cannot be used.
Bank cards? Well, they’re hardly secure, are they? They can be stolen/lost and cloned. Cambridge University has demonstrated a device able to trick the system into accepting any PIN number on any valid card. And contactless cards really are a disaster waiting to happen.
Mobile banking on a laptop? Just as easily lost or stolen; and just as easily hacked. Zeus/SpyEye anyone?
Personally I can see our entire lives migrating to smartphones. Our front door key, car key, kicking the house into action before we get home, e-government and proof of identity. Trying to stop this happening will be like standing in front of a bulldozer. The requirement is not to prevent it, but for the security industry to improve security, and for users to improve behaviour.
Which will leave me with a problem: I don’t have a smartphone; and won’t have one until they invent one that won’t fry my brains – or worse if it’s in my pocket.