Information technology is central to our everyday lives. Through our mobile phones it’s even enabling cash to be replaced when buying everything from a cappuccino to a cinema ticket. However, there is one fly in the ointment preventing us from moving to a cashless society based on our mobiles, and that is the question of security. As the recent high-profile hacking of Sony Pictures shows, information technology systems are not invulnerable to security attacks. Yet if we are to use our mobiles as wallets, there will need to be complete confidence in the system’s security.
There are a number of secure systems in place and in development to ensure only transactions carried out by the authorized account holder are allowed. But before discussing these, what is the logic behind mobile payments and why the excitement?
By the end of 2014 there will be 2.3 billion mobile broadband subscriptions, according to the International Telecommunications Union. This is potentially a vast number of people, which is growing rapidly, who could access the technology for making mobile payments.
The global growth of mobile payments is impressive. Mobile payments are expected to grow by 60.8% annually from 2011 to 2015, totalling more than 47 billion transactions, according to World Payments Report.
In Kenya, the take up of mobile payments technology has been staggering. Since 2007 when Kenya’s M-Pesa mobile banking was launched more than 17 million Kenyans have joined the network or over 50% of the population, making transactions of around £733 million per month.
However, take up of mobile payments has been less swift in developied countries compared to the emerging markets, despite high smartphone penetration. In the UK, one in four users would be reluctant to use their smartphone as a credit card mainly due to security concerns. Across the Atlantic, according to an Ernst & Young report, 57% of US smartphone owners had no intention of using mobile money transfers compared with 24% in India.
Mobile payments take place through a Near Field Communication (NFC) chip buried within the mobile phone. This chip is similar to that found in a credit card or debit card used for wave and pay transactions at an NFC terminal at a retailer or on public transportation networks. Communication between the phone’s NFC chip and terminal can only take place up to a distance of 7cm. However, a recent survey by YouGov found that 56% of UK respondents did not believe that NFC payments were safe. These fears are not based on fact, as levels of fraud are very low, with only £14,000 of card fraud in 2012 arising through contactless payments, according to the UK Cards Association. And these frauds were attributed to bogus courier payments.
People are becoming more familiar and confident about mobile payments. Take for example Barclay’s Pingit mobile smartphone app, which since its launch in 2012 has attracted 2.5 million users, making transactions of £1 million a day.
The success of such systems depends on a compromise between ease of use and security tight enough to make loss an extremely low risk. Too many passwords and codes and people will give up using mobile payments.
Operators of mobile payments systems use a number of techniques to ensure security. Banks will hold all the users ID and account details. These details are not passed on to the billing company or merchant and when a transaction takes place, a token – and not the actual transaction details, is sent from your phone to the bank, then the shop sends a token to the bank and the bank pays. This security procedure is called tokenization.
Biometric technology is the next security step, and it’s now being integrated into mobile devices. Apple has introduced fingerprint recognition technology into its Apple i Phone 5s and i Phone 6, as a part of its Apple Pay mobile payments system.
The critical credit/debit card details such as card number, expiration date and CVV security code are stored in the phone’s iOS Passbook. This information is tokenized and encrypted and stored in a dedicated chip.
Voice recognition is another biometric used for authentication with Barclays using voice recognition for its Wealth services customers, according to the FT.
However, biometric technology is not infallible for ensuring ID – for example, it is possible, but not easy, to lift a fingerprint from a coffee cup. Mobile payments security will use a combination of methods such as fingerprint and a five digit PIN. It also is able to go further, using dynamic data analysis it could implement additional security measures, such as questions to check ID, if the mobile location didn’t typically fit into your established patterns. This is similar to when your bank flags up a security concern when you go abroad on an unplanned trip and take money out from a cash machine.
It is impossible to make a convenient payments system totally secure. But given the arsenal of security measures available and the intense development effort being made to keep ahead of the fraudsters, transaction risks will be very low and not unlike what is currently accepted with card payments.
So, given almost everyone has a mobile and the overwhelming convenience of mobile payments, it will be only a short time before we all have mobile wallets.