2012 was the year of the mobile wallet, with a number of different groupings – such as Project Oscar between Vodafone, O2 and Everything Everywhere – staking their claim as industry leaders.
But if 2012 focused our attention on wallets, 2013 is going to be the year of mobile payments more generally. Consumers are increasingly coming to terms with the concept of paying for things on their phone, whether that’s through apps for shopping or banking, by accessing various accounts through the web browser of a phone, or having downloaded virtual versions of things such as store credit cards.
Because of this, and because of consumers’ desire for convenience and the near ubiquity of the mobile phone, I am confident that we’re going to see a transition towards mobile payments next year that’s even faster than analysts are predicting. Traditional transaction methods remain woefully inadequate in meeting the needs and wants of consumers, and mobile opens up a whole new world of opportunity to address this.
However, at the moment the mobile payments industry is still all about a race for market share. In 2012 we didn’t see a single technical standard emerge, so groups continue to form and fight to position themselves as the de facto standard. This situation is likely to continue until a body such as the Electronic Transaction Association emerges as a unifying power. The question for me is whether, in the midst of this competition, we’re going to see some of the fundamentals, such as security, failing to be addressed in a coherent way, with customers losing out in the process.
Of course there are risks with mobile payments that need addressing. Only this month, the weakness of certain payment authentication methods was highlighted, when the Eurograbber Trojan defrauded customers across Europe out of more than €36m.
This Trojan, which capitalises on the weakness of SMS-based transaction verification, shows that hackers can, in quite a straightforward way, infiltrate the mobile channel. If mobile is going to take off in as big a way as many hope, that weakness also needs to be addressed.
Whilst the idea of utilising the customer’s mobile phone for security is absolutely valid, the delivery mechanism needs to be carefully reviewed.
For instance, interactive voice verification techniques are far less susceptible to mobile Trojans – and provide a far smarter means of authentication – than SMS / one-time password generation. However, even voice can be compromised by certain specific types of attack (such as SIM swap) and that’s why it’s so important to take a multi-layer approach that includes a number of invisible detection techniques to combat such attacks. Solutions do exist to securely enable the increasingly ubiquitous mobile phone to remain an effective authentication tool.
This is so important because the world has already changed. Mobile payment technology is going to become even more mainstream in 2013 and we can’t rely on old systems to support a new approach. As more and more people use the mobile channel for payments and banking, the opportunity for fraudsters will grow too, and it’s likely that the volume of hacking and the number of attacks on this channel will increase. So a new approach is required, as is a new security model that’s multi-layered and multi-factor, where the complexity is hidden but the flexibility is high.
That means a model with a built-in assumption that any traditional security method can be compromised; a model that allows complete discrimination at an individual transaction level, and at the right price-point relative to the value of the transaction and the perceived risk of that transaction; and a model that provides "low or no" customer friction. This isn’t fiction, it’s the reality that many forward-thinking organisations are already contemplating or implementing, and in 2013 it’s set to go mainstream.
Pat Carroll, CEO of ValidSoft