Let's stipulate two things. First, the general public will soon use smartphones to conduct all sorts of mobile commerce -- way beyond buying coffee and a scone. I'm talking banking, purchasing goods and services in person and online, paying bills, sending money to family and friends, and placing stock trades. While physical forms of payment aren't going away, all signs point to the increasing acceptance of electronic banking and payments for goods and services. That's true whether banks and retailers are ready or not.
Second, attention-grabbing negative headlines aside, digital currencies such as bitcoin will completely change the mobile payment landscape. Don't believe me? The IRS classified bitcoin as an "asset" for taxation purposes. The New York State Department of Financial Services has invited applications from entities interested in trading virtual currencies. When something is taxable and tradable, it's time to take it seriously. (By the way, "bitcoin" has two meanings. There's Bitcoin with a capital "B," meaning the P2P network platform, and "bitcoin" with a lowercase "b," meaning the currency, abbreviated to BTC.)
BTC, Ven (for which my firm, ValidSoft, provides a transaction authentication framework), Ripple, and dozens more currencies vary on code and architecture. Some are decentralized/peer-to-peer; others are centralized and managed by an administrator. Some, like BTC and Ripple, are demand-driven and trade like commodities -- which explains, in part, the volatility of their pricing. Others, such as Ven, are asset-backed, with value secured by a basket of currencies, commodities, and carbon credits.
Crypto-currencies are naturals for mobile commerce thanks to their speed, portability, and ability to conduct global transactions at low cost. Transactions are instant, person-to-person, and free to transmit. The disruptive impact on the payments infrastructure will be massive.
These two trends are on a collision course caused by a lack of security. We'd better shift gears -- fast.
Before we place our trust
The security surrounding virtual currencies is wholly inadequate. Fraudsters long ago tuned botnets to mine bitcoin and sniff out the digital signatures of digital wallets. Emboldened, they turned their focus to exchanges, which now have become prime targets. Mt. Gox is the most recent catastrophic casualty, and as long as vulnerabilities remain, trust will be difficult to come by.
Device encryption is the simplest way of screening a connected device from prying eyes, and there are many off-the-shelf tools and products that do this. Apple recently introduced fingerprint biometrics; with Samsung, PayPal, and others following suit, biometrics soon will be a mainstream technology.
I believe that one of the most promising approaches is mobile biometric voice verification. It works on any network, on any connected device, and is extremely easy to enroll and use. It is tuned specifically for mobile devices featuring short-duration speech. A typical mobile payment deployment, for example, would use a simple text-dependent model comprising a prompted short phrase or random number.
Voice biometrics is also the strongest form of authentication available, because it addresses multiple fraud vectors with a single check. These vectors include call redirect (also known as SIM swap fraud), device takeover, and, most importantly, voice blacklist checking, the ability to compare a voiceprint in real time with a known database of fraudsters' voiceprints. In addition, voice-based transaction verification can be used to overcome sophisticated fraud vectors such as man-in-the-middle and man-in-the-browser attacks.
Location checking can also be performed in conjunction. This can range from country-level analysis down to a 50-meter radius, which is essential for mobile-present transactions at the ATM or point of sale. Likewise, device recognition, another layer of invisible authentication, can be performed in real time, providing contextual information into the voice biometrics engine or, alternatively, operating as a standalone authentication layer.
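To make the layering described above concrete, here is an added example (not ValidSoft's product code or anything from the original article) of how a payment back end might combine the checks just listed into one decision: a fresh random spoken challenge per transaction (the text-dependent model), a voiceprint match score, a voice blacklist score, device recognition, and a great-circle distance check between the phone's reported position and the ATM or point-of-sale terminal with the 50-meter radius the article mentions. The score scales (0 to 1), the thresholds, the `Evidence` field names and the coordinates are all assumptions constructed for illustration.

```python
import math
import secrets
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres (WGS84 sphere approximation)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def new_challenge(digits=6):
    """Random numeric phrase the user is prompted to speak (text-dependent model).

    A fresh challenge for every transaction means a recording captured from an
    earlier session does not contain the digits the server now expects.
    """
    return "".join(secrets.choice("0123456789") for _ in range(digits))


@dataclass
class Evidence:
    """Signals gathered for one transaction (assumed field names and 0..1 score scales)."""
    voice_score: float      # similarity of the live sample to the enrolled voiceprint
    spoken_digits: str      # digits the speech recogniser heard in the live sample
    blacklist_score: float  # best similarity to any known-fraudster voiceprint
    device_known: bool      # result of the device-recognition layer
    device_lat: float       # position reported by the handset
    device_lon: float


def decide(evidence, challenge, terminal_lat, terminal_lon, *,
           voice_threshold=0.80, blacklist_threshold=0.70, radius_m=50.0):
    """Return (approved, reasons). Every layer must pass; reasons lists each failed layer."""
    reasons = []
    if evidence.spoken_digits != challenge:
        reasons.append("spoken digits do not match the issued challenge")
    if evidence.voice_score < voice_threshold:
        reasons.append("voiceprint score below threshold")
    if evidence.blacklist_score >= blacklist_threshold:
        reasons.append("voiceprint resembles a blacklisted fraudster voiceprint")
    if not evidence.device_known:
        reasons.append("device not recognised")
    distance = haversine_m(evidence.device_lat, evidence.device_lon, terminal_lat, terminal_lon)
    if distance > radius_m:
        reasons.append(f"device is {distance:.0f} m from the terminal (limit {radius_m:.0f} m)")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a terminal at a fixed point and a handset a few metres away.
    terminal = (51.5007, -0.1246)
    challenge = new_challenge()
    ev = Evidence(voice_score=0.91, spoken_digits=challenge, blacklist_score=0.12,
                  device_known=True, device_lat=51.50072, device_lon=-0.12462)
    print(decide(ev, challenge, *terminal))
```

The distance check is deliberately separate from the voice decision so it can also run as the standalone layer the article describes; in a real deployment the handset position would come from the app's location API and the terminal position from the acquirer's terminal registry, neither of which is modelled here.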
The problem of security then shifts to user enrollment and authentication, verification, validation, and transmission. The technology is available today to solve these core issues, so the ball is in the payment industry's court.
On the matter of industry cooperation, regulation, and oversight, I am delighted to report that the first annual meeting of the Digital Asset Transfer Authority (DATA) was held April 9 in Washington, DC.
The DATA annual meeting provides an opportunity for digital asset companies and related organizations to chart the year ahead in digital currency, among other areas. Sessions and workshops focus on issues pertinent to the digital asset industry, including development of best practices, standards and regulatory issues, economic development opportunities, industry leadership, and international considerations. DATA has partnered with the International Finance Corporation (IFC) and the Council on Foreign Relations (CFR) to provide in-depth examination and discussion of critical issues affecting the digital asset industry. At the meeting, some of the foremost minds in virtual currencies gathered to discuss many of the issues I mentioned earlier.
I'm looking forward to reporting on the practical developments this unique opportunity will generate and to sharing such plans with InformationWeek readers in the weeks and months ahead.
As enterprises work on mobile commerce and mobility in general, remember this: Convenience without security is like swimming naked. And as Warren Buffett once said, "It's only when the tide goes out that you find out who is swimming naked." It is possible to combine the highest levels of security with the ultimate in user convenience and do it in a way that is, for the most part, invisible.
Pat Carroll is the executive chairman and founder of ValidSoft, a global supplier of cybersecurity and transaction authentication solutions utilized by banks, financial services companies, and governments to secure and authorize payment transactions. He has more than 25 years ...