I had an interesting discussion with Bob Howard (BBC Money Box) this morning concerning the current situation with the GetCash service by NatWest. At the end, I felt that it would be important to draw a clear line between "mobile payments are not safe" and "badly implemented mobile payments are not safe".
Mobile-related fraud is now getting close media attention, and not without reason. NatWest have been offering cardless cash withdrawals for years. If any fraud did occur with that service, it was of little interest to the media.
Enter mobile payments, and things shifted into a different universe. Every mobile phone with the GetCash app is a lucrative fraud target: find a hole in the app (for example, via malware) and get an instant reward in cash.
What did NatWest do wrong, in my opinion?
Every banking card issued by NatWest conforms to the EMV ("chip and PIN") standards. Those standards (not without some issues, though) were collectively thought through, developed, tested and implemented by a consortium, not by a single company. The underlying architecture is sound, a "secure element" is involved, the EMV protocols represent good practice, etc. In a nutshell, EMV works, and it works well.
Why do banks, when it comes to a mobile-based version of that same card, reinvent the wheel? Why do banks think their IT departments are filled with "mobile payments" Da Vincis who can outsmart EMV? Why do banks, well familiar with the advantages of the "chip", deploy mobile solutions using the equivalent of a magnetic stripe?
Is it greed? As in "why pay mobile operators or another party for access to a secure element if we can simply keep our fingers crossed". Or arrogance? As in "we know better" (than Google, for example). Or ignorance? As in "we are using world-class fraud management tools that cannot be beaten even by well-funded and extremely well-organised fraudsters". What do the banks gain by going it all alone?
Incidents like the GetCash fraud are damaging to the mobile payments industry as a whole. How many times would a consumer need to be stung by mobile-related fraud before they stop even thinking about using a mobile phone for payments and banking?
We need to get the media on board to help us educate consumers that it is badly implemented mobile payments that are not safe.
If it's not secure, it's not safe. And there is no "secure" without "secure element" (ask Visa or MasterCard why they don't allow PIN entry via mobile). As simple as that. Anyone doubting that will pay the price.