The Smurfs may have an important security lesson for banks and credit card networks getting into mobile payments.
Capcom Interactive Inc. caught the ire of parental groups in recent weeks over its Smurfs’ Village iPhone game, which is free to download but charges players to purchase additional features, such as “Smurfberries,” within the application.
Smurfberries can cost as much as $99.99 per wagonful.
Some parental groups criticized the game, as well as iPhone maker Apple Inc., after reports surfaced of children racking up large bills while playing the game.
The uproar prompted Capcom to add a warning to the game’s users. And Apple has since tweaked a password feature in its mobile operating system so users need to authenticate themselves a second time before buying items within apps.
There is a difference between making a purchase within a mobile app and using a mobile phone as a credit card replacement at the grocery store. But the Smurfs debacle highlights some of the consumer perceptions that banks, card networks and other players may encounter as they try to bring payments to cell phones.
When it comes to mobile payments, the onus is partly on the consumer to safeguard their information, observers say. “To me this is less about classic security issues … and more about giving accountholders the control that they really crave and lack,” says James Van Dyke, president of Javelin Strategy and Research in Pleasanton, Calif.
As consumers conduct more transactions electronically, they face more opportunities in which their information may be compromised or misused, says Van Dyke, who tracks payments security and fraud.
At the same time, consumers may not be as vigilant with emerging payment tools, such as their mobile phone, as they need to be, which the Smurfs scenario suggests. Parents who gave their children their iPhone may have been shocked that it was even possible for their kids to make purchases within an app.
Bringing that same situation into the physical retail world prompts questions about what happens if a shopper loses his payments-enabled phone or someone steals it.
No standard approach exists for how consumers would initiate transactions using their phones as the payment device. The technology that is expected to make such activity possible, Near Field Communication, is in very few phones in the United States.
But software executives and analysts say banks and other companies vying for market share likely will give consumers choice around when to input a password or other credential before waving and paying.
“The beauty of the NFC environment is that the behavior is totally customizable, so a bank might say that a user has to input his passcode all the time before he can make a payment,” says Deepak Jain, president and chief executive of DeviceFidelity Inc., a Richardson, Texas, technology company working with Visa Inc. and MasterCard Worldwide on mobile-payments trials.
“A bank might say it’s up to the user,” Jain says. “If he’s more security conscious, he can choose his setting of the passcode … every time or every fifth time … or never.”
Banks working with Visa using DeviceFidelity’s microSD memory cards, which contain a customer’s payment account information, are testing different approaches.
One, which Jain declined to name, is requiring a consumer to enter information before each transaction. Others are more open, he says.
Bank of America Corp., which plans to begin a pilot soon using DeviceFidelity’s technology and Research In Motion Ltd.’s BlackBerry devices, is testing “different types and levels of security” so it “can learn what our customers like best as we seek to strike a balance between security and convenience,” a BofA spokesperson said in an e-mail. Options include requiring a PIN, SiteKey (BofA’s online authentication system) and “transaction-level authentication.”
A spokesperson for Isis, a mobile-payments venture being developed by AT&T Inc., Verizon Wireless and T-Mobile USA, said in an e-mail the partners are “investing in strong privacy and security measures” but would not comment on specific features.
Lost and stolen cell phones in an NFC environment pose no more of a risk than a lost or stolen plastic card, some experts say. Limited-liability clauses for fraud incidents that apply to plastic cards would also apply to a virtual card.
Additionally, the use of NFC technology has other benefits, such as tighter security of the actual data transmitted between a payment device and a terminal.
“There is substantially more security in any smartphone payment application than there is in any physical wallet application, like a plastic credit card,” says David Schropfer, a partner with the Luciano Group, a Red Bank, N.J.-based consulting firm that focuses on the telecommunication industry.
Regardless, consumer perception of mobile-payments security will play a role in how banks and others market future products, says Schropfer, author of The Smartphone Wallet.
A report the Federal Reserve banks of Atlanta and Boston released on March 21, based on a series of meetings between banks, card networks, wireless carriers and other players over the past year, highlights the role consumers play in ensuring future mobile-payments systems are secure.
“Consumers need to buy in to their role in ensuring a secure, private and efficient payments system and correct the bad habits they developed online,” the report notes, adding that zero-liability policies in e-commerce may have led to carelessness among some consumers.
“The mobile venue needs to be better,” the report states.
Some say mobile-payments systems are likely to be more secure because consumers are more aware of their phones and carry them at all times.
“If you compare people’s awareness of their device to, say, a particular credit card in their wallet, people are much more aware of the loss of a phone,” says Diarmuid Mallon, a senior product marketing manager at Sybase Inc., a subsidiary of SAP that develops mobile-banking and payments software.
Google Inc. is working with MasterCard and Citigroup Inc. on a mobile-payments system that would rely on NFC chips embedded in Android handsets, The Wall Street Journal reported March 28.
Richard Crone, chief executive of payments consulting firm Crone Consulting LLC in San Carlos, Calif., says he expects such a system to include stopgaps that would address risks of lost or stolen phones.
“Mobile payments at the point of sale should … provide the opportunity for the consumer to not only confirm a purchase but authorize a purchase with a PIN or with a username or password, not just simply tapping and going,” Crone says.
MasterCard and Google spokespeople declined to comment on the Journal story. A Citi spokesperson did not respond to inquiries.