
2011: The year your mobile phone becomes your wallet - gaiusparx
http://money.cnn.com/2011/01/19/technology/mobile_payments/index.htm
======
jim_h
How secure is this? Waving a device near something to complete a money
transaction seems too easy.

At Defcon 18, there was a presentation on how to access RFID from long range
(<http://www.youtube.com/watch?v=nEBrslz0Xf4>). It makes me nervous that other
people can also do this stuff.

There are already cards that do NFC, such as MBTA (public transportation)
Charlie cards and American Express credit cards. However, once NFC becomes even
more common, will this invite the bad kind of hackers to bump up their efforts
to steal your money?

So, how secure is this?

~~~
exit
A phone can show you a "confirm this payment" prompt though, which I imagine
puts it a step above PayPass/Oyster card type pieces of plastic.

~~~
jim_h
A phone can also have a virus or trojan horse app on it. Even easier to take
your money if you can get access directly on the phone. Forget radio waves,
just get the user to install an app on there that will transfer funds over.

I think all of the smart phone operating systems have had a trojan horse app
on them at some point. Most of them probably just did simple things before
like a backdoor, making phone calls or stealing info. If your phone also
controls your money...

~~~
drdaeman
Considering that traditional credit card security is based on just knowledge
of a simple shared secret, the (card number, name, expiry date, CVV2) 4-tuple, and
considering this secret is shared with everyone you do business with, this is
still certainly more secure.

Also, trojans still have to compromise the OS security. It's not the same deal
as with non-secure information (like spyware games accessing the contacts
list, just because users don't care about app permissions) - the certificate
store will certainly be guarded way more carefully.

~~~
jim_h
With more users 'jailbreaking' or 'rooting' their phones, it's not as 'secure'
as before. The point of doing those things is to break the phone's security
and allow you to do more things. What if the creator decided to put in a
little extra code... or it introduced more vulnerabilities...

* I'm not trying to make you guys paranoid. Just wondering about the possibilities and playing devil's advocate.

~~~
drdaeman
Well, not exactly: "jailbreaking" is about the user gaining access to a phone, not
applications. I don't know the details (I don't own an iPhone or Android device,
and the N900 comes with root access almost out of the box), but I believe pure
jailbreaking shouldn't hurt OS security mechanisms too much. I may be wrong,
though.

However, you have a point: the classic "dancing bunnies" problem[1] is certainly
out there. Promise the average user nice things, ask him to do some cryptic
actions, and he'll happily follow your instructions without really
understanding any consequences.

[1]: <http://en.wikipedia.org/wiki/Dancing_bunnies>

------
Loic
For the past five years, I have been paying for parking in my city with my mobile
phone using a simple SMS without any transaction fee. A small city of 20000
inhabitants lost in the former East Germany.

I suppose 2011 is more the year where you will pay $5 for your latte with your
mobile phone, on the condition that you have an account with an organization charging
you a percentage when loading your account, plus a small transaction fee, and
doing the same to the shop using this system.

I am sarcastic, maybe the effect of going through a PCI DSS compliance
extortion scheme yesterday. Off-topic technical bonus point, the SSL
ciphers allowed for your server to be "compliant":
!EXPORT:!eNULL:!MEDIUM:!LOW:TLSv1:SSLv3.

------
zach
It's never going to be as entertaining as when your wallet becomes your mobile
phone:

<http://www.merlinmann.com/phoneguy/>

------
bherms
2011 may be a big year for changes in the way we bank, with BankSimple
releasing and this technology finally making its way to the US.

It's no secret that the banking industry is screwed up. It will be interesting
to follow how this industry changes as new startups and technologies are
applied to traditional banking models. Hopefully somehow I end up with more
money in the process :)

------
motters
My understanding of mobile phone security is that it's somewhere between
abysmal and non-existent.

------
zokier
Almost 10 years ago: <http://press.nokia.com/PR/200109/834842_5.html>

Is 2011 also the year of Linux on desktop?

~~~
Peaker
Soon there will be more smart phones than desktops, and most of those run
Linux, so the desktop has become irrelevant :-)

------
seanfchan
The thing is, how secure are any of our payment methods today? Can't credit
cards be replicated as well?

~~~
fakespastic
Yeah, but the attacker needs access to the magnetic sensor in order to install
a ripping device. Physical security prevents it in most cases. In the case of
a phone, how could you prevent playback attacks? Say I walk up to a Coke
machine and authorize a $1.00 payment, and someone nearby is able to capture
that protocol stream. All they'd have to do is play it back to the Coke
machine after I leave, and at that point they are welcome to unlimited corn
syrup swill. I'm no cryptographer, but I can't think of any way to mitigate
it. Something like SecurID, whereby you are given a new token code every
minute, might work, but the intervals for new codes would have to be tighter,
unless you plan to stand around and monitor everyone else's purchases for the
entire interval. This is one for the _really smart_ guys to figure out, and I
expect that someday, it will become reality. Can't wait.
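The replay problem raised in this comment is normally closed with a terminal-issued challenge rather than a time window: the terminal hands the phone a fresh random nonce, the phone authenticates (terminal id, amount, nonce) with a key only it and the issuer hold, and the terminal consumes each nonce once. The example below is added here, not from the thread or any payment product; it contrasts a static authorization token, which replays, with that challenge-response flow, using a constructed shared key and HMAC-SHA256 as stand-ins for whatever a real secure element would use.

```python
import hmac
import hashlib
import os

# Constructed demo key standing in for a secret provisioned to the phone's
# secure element and known to the issuer/terminal side.
KEY = b"constructed-demo-key"


def naive_authorize(amount_cents: int) -> bytes:
    """Static authorization: identical bytes every time, so a capture replays."""
    return hmac.new(KEY, f"pay:{amount_cents}".encode(), hashlib.sha256).digest()


def naive_terminal_accept(amount_cents: int, token: bytes) -> bool:
    """Naive terminal has no way to tell a live tap from a recording."""
    return hmac.compare_digest(token, naive_authorize(amount_cents))


def auth_message(terminal_id: str, amount_cents: int, nonce: bytes) -> bytes:
    """Bind the authorization to this terminal, this amount and this challenge."""
    return b"|".join([terminal_id.encode(), str(amount_cents).encode(), nonce])


def phone_respond(terminal_id: str, amount_cents: int, nonce: bytes) -> bytes:
    """What the phone sends after the user confirms the payment prompt."""
    return hmac.new(KEY, auth_message(terminal_id, amount_cents, nonce), hashlib.sha256).digest()


class ChallengeTerminal:
    def __init__(self, terminal_id: str):
        self.terminal_id = terminal_id
        self.outstanding = set()  # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, amount_cents: int, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False               # unknown or already-used challenge
        self.outstanding.discard(nonce)  # single use, even if the tag is valid
        expected = hmac.new(KEY, auth_message(self.terminal_id, amount_cents, nonce),
                            hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def demo_replay() -> tuple:
    """Returns (naive live, naive replay, cr live, cr same-nonce replay, cr new-nonce replay)."""
    token = naive_authorize(100)
    naive_live, naive_replay = naive_terminal_accept(100, token), naive_terminal_accept(100, token)
    machine = ChallengeTerminal("coke-machine-7")
    nonce = machine.challenge()
    tag = phone_respond("coke-machine-7", 100, nonce)
    cr_live = machine.accept(100, nonce, tag)
    cr_replay_same = machine.accept(100, nonce, tag)             # captured exchange, replayed
    cr_replay_new = machine.accept(100, machine.challenge(), tag)  # old tag against a new challenge
    return naive_live, naive_replay, cr_live, cr_replay_same, cr_replay_new
```

The tuple comes back as (True, True, True, False, False): the recording buys a second drink from the naive terminal and nothing from the challenging one, which is why the nonce does the work a tighter SecurID interval would only approximate.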

------
richcollins
Unfortunately we'll still have to carry our wallets until our ID is on our
phone as well.

------
funthree
No thank you.

------
BluePoints
I use Venmo - I love Venmo - I can't wait for it to become bigger.

