NFC mobile payments: authenticating who – the user or just the device?
I can’t believe how fast this technology is developing. Everyone seems to be at it. Mobile is big and NFC seems to be the flavour of 2011.
Well, I say you. But what I really mean is that it doesn’t necessarily have to be you, just anyone who happens to have your phone.
And I’m really, really not happy about that.
The device security obsession – and why it’s failing us
Payment methods over the last thirty years have all moved one way: away from us and towards the device or payment medium.
Cheques were flawed, but at least you wrote and signed them. Sure, they could be forged, so they were far from perfect. But every method since has moved further away from verifying the person and towards verifying the device.
Nothing verifies that whoever holds the card, the PIN or the phone is the person entitled to hold it. How many couples hand each other their card to fill up the car or get some cash from the ATM?
We demonstrate this glaring lack of personalisation in payments nearly every day, but still the alarm bells haven’t rung.
Counting the cost of poor security
In reality, NFC merely joins a long line of payment methods with only the most tenuous connection to you personally.
Nothing about NFC, nor anything that went before it over the last thirty years, has tried to verify that you personally are the one making the payment, as opposed to checking that the payer holds the right card, code or phone. That must change, and change soon.
The banks do spend a lot of money, your money, trying to secure their systems. Their methods may be antiquated and ineffective, but they don’t come cheap.
Customers actually pay twice: first for the initial security model, then for any subsequent breach or regulatory fine imposed as a result.
But as the range of payment methods grows, that cost will become untenable. After all, the banks are still supporting cheques despite efforts to phase them out. How long can this ever-increasing cost be passed on?
Let’s make this personal
I believe it’s now time the banks moved to a totally different security philosophy. And it’s called Social Engineering.
Social Engineering has been used by espionage agents, conmen and hackers for a long time. In that sense it’s not new. It’s about using habits and behavioural patterns to gain knowledge without mechanical intervention.
In criminal circles, it’s used to extract passwords and gain access to information. But from a legitimate perspective (the industry calls this behavioural analytics or transaction profiling), it’s used to ascertain whether an action is normal for the person who is supposedly performing it.
Ironically, the card companies do already check some actions, such as card use abroad. But the idea isn’t applied much beyond that.
Creatures of habit
We as a society do things in a certain way. We exhibit social patterns which fall within surprisingly uniform boundaries. We’re repetitive in our actions, and the frequency of those actions is steady.
Security isn’t about spending more, it’s about spending smarter.
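The behavioural check the last two sections describe, together with the "card used abroad" rule mentioned above, as an added illustration that is not from the original post and not any bank's actual system: a small Python scorer that builds a profile of one person's habits (countries they pay in, hours of the day they pay, how much they spend per kind of merchant, how often they tap) from a constructed history, then scores each new payment against that profile rather than against the phone. The sample transactions, the weights and the thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    country: str
    category: str  # merchant category, e.g. "coffee", "fuel", "jewellery"

# Constructed spending history for one hypothetical cardholder; not real data.
HISTORY = [
    Txn(datetime(2011, 5, day, hour, minute), amount, "GB", category)
    for day, hour, minute, amount, category in [
        (2, 8, 5, 2.40, "coffee"), (2, 12, 30, 6.10, "lunch"), (3, 8, 10, 2.40, "coffee"),
        (3, 18, 2, 48.90, "grocery"), (4, 8, 0, 2.60, "coffee"), (5, 17, 45, 55.00, "fuel"),
        (6, 8, 12, 2.40, "coffee"), (6, 12, 20, 7.30, "lunch"), (7, 19, 5, 41.25, "grocery"),
        (9, 8, 3, 2.40, "coffee"), (9, 13, 0, 6.80, "lunch"), (10, 18, 30, 52.10, "fuel"),
    ]
]

@dataclass
class Profile:
    countries: set   # where this person has paid before
    hours: set       # hours of the day in which they normally pay
    ceilings: dict   # merchant category -> largest amount seen there

def build_profile(history):
    """Summarise what 'normal' looks like for this person from past transactions."""
    ceilings = {}
    for t in history:
        ceilings[t.category] = max(ceilings.get(t.category, 0.0), t.amount)
    return Profile(countries={t.country for t in history},
                   hours={t.when.hour for t in history}, ceilings=ceilings)

def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)  # 23:00 and 01:00 are two hours apart, not twenty-two

def score(profile, recent, txn):
    """Return (points, reasons); more points means less like this person's habits.

    `recent` holds earlier transactions on the account for the velocity check.
    The weights and thresholds are illustrative assumptions, not a bank's rules.
    """
    points, reasons = 0, []
    if txn.country not in profile.countries:  # the classic "card used abroad" rule
        points += 3
        reasons.append(f"first use in country {txn.country}")
    ceiling = profile.ceilings.get(txn.category)
    if ceiling is None:
        points += 2
        reasons.append(f"never shopped in category {txn.category!r} before")
        ceiling = max(profile.ceilings.values())  # fall back to the largest amount anywhere
    if txn.amount > 2 * ceiling:
        points += 3
        reasons.append(f"amount {txn.amount:.2f} exceeds twice the usual ceiling {ceiling:.2f}")
    if all(_hour_distance(txn.when.hour, h) > 1 for h in profile.hours):
        points += 2
        reasons.append(f"unusual hour {txn.when.hour:02d}:00")
    burst = sum(1 for t in recent if txn.when - timedelta(minutes=30) <= t.when < txn.when)
    if burst >= 2:  # three payments in half an hour is not this person's rhythm
        points += 2
        reasons.append(f"{burst} other payments in the last 30 minutes")
    return points, reasons

def decide(points):
    """Map a score to an action; 'challenge' means go and verify the person, not the phone."""
    if points < 3:
        return "approve"
    if points < 6:
        return "challenge"
    return "decline"

def evaluate(history, txn):
    points, reasons = score(build_profile(history), history, txn)
    return decide(points), points, reasons

def run_examples():
    """Constructed scenarios: the same phone, in the same hands or not."""
    spree = [Txn(datetime(2011, 5, 12, 14, m), a, "GB", "grocery") for m, a in [(0, 30.0), (10, 25.0)]]
    return {
        "morning_coffee": evaluate(HISTORY, Txn(datetime(2011, 5, 11, 8, 7), 2.40, "GB", "coffee")),
        "lunch_in_paris": evaluate(HISTORY, Txn(datetime(2011, 5, 11, 12, 45), 6.50, "FR", "lunch")),
        "night_jeweller": evaluate(HISTORY, Txn(datetime(2011, 5, 11, 3, 40), 840.00, "GB", "jewellery")),
        "third_shop_in_15_min": evaluate(HISTORY + spree, Txn(datetime(2011, 5, 12, 14, 15), 120.00, "GB", "grocery")),
    }

if __name__ == "__main__":
    for name, (action, points, reasons) in run_examples().items():
        print(f"{name}: {action} ({points} points) {'; '.join(reasons) or 'matches habits'}")
```

Two things worth noticing in the output. The lunch in Paris trips only the abroad rule, and because everything else about the tap matches the person, the outcome is a challenge (go and confirm it is really them) rather than a flat decline, which is the step the abroad-only check usually skips. The £840 tap at a jeweller at 03:40 is declined even though the phone is perfectly genuine, because nothing about the behaviour matches the person who owns it: that is the difference between authenticating the device and authenticating the user.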
If we always verified the person making the transaction, it wouldn’t matter if they paid with animal skins or coloured glass. The transaction would be valid.
Securing the person would be far cheaper than securing each new device. And then technology would be free to really develop!