Editor’s Note: The following article is reprinted from Network World.
Now that AT&T and Verizon have decided to turn smartphones into credit cards, you may be asking yourself, “Is this really a good idea?”
After all, it’s not hard to imagine some wily thief picking up the BlackBerry you left at a restaurant and going on a major shopping spree. How, exactly, do the carriers and device manufacturers plan to make smartphones safe to be used on a mass-market level for financial transactions?
The answer is that consumers will have to start adopting practices and applications that have traditionally been used by corporate users. While credit card transactions will undoubtedly be encrypted before being sent over networks, that won’t prevent someone from taking your phone and using it as his own credit card, or from hacking into your phone using malicious applications. In other words, the phone itself will have to be just as secure as the software used to complete credit card transactions.
“The integrity of a transaction is only as good as the device itself,” says Dan Hoffman, the CTO of SMobile. “You have to look at mobile devices in the same way you look at PCs.”
For starters, smartphone credit card users are going to have to install some form of remote-wipe application that will let them erase any and all data on their smartphone if they ever lose it. Although remote-wipe capabilities have been staples of Research in Motion’s BlackBerry devices for years, they’ve only recently come to more popular consumer devices such as the iPhone and devices based on Google’s open source Android operating system. In addition to remote wipe, users should subscribe to some sort of mobile backup service so they can retrieve their data to a new device after wiping out data from their old device.
But remote wipe and data backup capabilities are only part of the story. In an era where users can unwittingly download applications riddled with malware and viruses on their smartphones, they will have to be much more active in protecting themselves from malicious apps.
“With the proliferation of applications out there right now it’s difficult to sort out what apps are safe,” says McAfee CTO George Kurtz. “Among other things, we’re concerned about malicious apps that will be downloaded onto smartphone platforms that can sniff out credit card information and use those credentials to commit fraud.”
To prevent this, users need not only to take care with the types of apps they download onto their phones but also to install antivirus, antimalware and firewall programs on their devices. Khoi Nguyen, the group product manager for the Mobile Security Group at Symantec, says that companies that run and manage application stores might also have to step up their game to ensure they aren’t inadvertently selling applications that will spread malware to their users. So while he says he admires the success of Google’s user-policed Android Market application store, he thinks Google might have to start taking more of a direct role in ensuring that applications on the store are safe, particularly in an era when more people will be using Android-based devices as personal credit cards.
“I think it’s a potential issue for Google going forward since anyone can publish an application on the Google market, and then only after the fact people may discover that it’s a malicious app,” he says. “At the same time, Google is trying to keep everything open and spur innovation so there has to be a balance there.”
Kurtz says that if carriers, device makers and users take all the proper precautions — from remote wipe capabilities to complex password policies to preinstalled firewalls on smartphones — then there’s no reason that using smartphones as credit cards won’t become both popular and safe for users. After all, he reasons, the practice of using smartphones for payments is already common in both Europe and Asia.
“The U.S. is actually pretty late to the game,” he says. “You’re not going to be able to hold back having people use their smartphones for payments.”