I will keep this blog post short and jump straight to the point (following our recent discussions with a number of key industry players who develop m-wallet platforms as well as phone-bound secure element solutions).
I would greatly appreciate readers' comments on the following two questions:
How many times would consumers need to be subjected to mobile payment fraud ("zero day" attacks, PIN-harvesting malware, NFC relay attacks, "small value" fraud, hostile takeover, etc.) and how much would those consumers need to lose, in order for them to stop using - ever (!) - mobile phones for any financial operation?
How many companies that provide m-payment solutions can ensure that their users are fully in control of every (sensitive) transaction?
With regard to the first question, I had a chance to see "tricks" that allow one - at least on a semi-theoretical basis - to commit types of fraud that go beyond the wildest imagination of any Chief Security Officer of any large bank. Some of the exploits and "loopholes" are hard to implement in real life, but purely from a logistical point of view (e.g. withdrawing cash every minute from every ATM machine in the UK is far from trivial to stage. Physically...)
As to the second question, any secure element that resides on the phone is - or can be made to be - "always on". Once (i.e. "when", not "if") a way is found to access and/or control that SE remotely, e.g. via resident malware, the user - and the bank - would have no way of knowing that it is happening until after the event.
To put things into perspective, the annual level of attempted fraud against PayPal is around $500m. The level of "realized" fraud (oh, yes) is below $50m. That is the difference between being one of the leaders in payments and becoming a dead fish. Will PayPal be able to remain that good in fraud management? Considering, for example, that PayPal now invites you to pay at a retail POS by entering your mobile number and PIN... (mine are 07777 111 000 and 1234, btw, in case you are too lazy to "shoulder-surf")