The location of the digital wallet is a serious matter, as it involves very different approaches to security and is at the core of the very different mobile wallet business models. PayPal’s digital wallet lives in the cloud, where it stores its accountholders’ payment card credentials, bank account numbers, and more. Isis and all of those committed to the NFC secure element and the card emulation approach see the secure element on the handset as the only safe place to store a card number.
This article, written by Siva G. Narendra, CEO of Tyfone, takes the latter approach. That is no surprise, as Tyfone makes NFC-based gear, most notably a microSD card with NFC and secure element storage capability. In the piece, Narendra explores the “on the handset” versus “in the cloud” dialectic and makes the point that cloud-based schemes make for a tempting hacker target. As storehouses of millions of card numbers, they are far more tempting to hack than a single mobile phone with an NFC chip.
He errs, however, in suggesting that the current payment card scheme is superior from a security point of view. The history of data breaches over the last five years doesn’t support that contention. While processors have been breached, digital wallet operators, born of the Internet age, have had a good track record. Amazon, Apple, Google, and PayPal may make very tempting targets but thus far they’ve resisted, for the most part, the thousands of determined attacks they receive because they started with a clean sheet of paper when they deployed their systems. Meanwhile, the existing payments system continues to struggle with the reality of an Internet-based world and the intersection of those two worlds.
Narendra is 100% correct that security hardware is better than an all-software approach. NFC’s best role in the future may be hardware-based authentication, one of the uses of the federal smartcard program he references. The power of hardware-based authentication, combined with data analytics and the multi-sensor data stream pouring off of a smartphone, could take payment security well beyond what NFC envisions today. To get an idea of that behavioral granularity – and the truly creepy potential of mobile data – check out Alohar. And then imagine what that data could do for payment security. That could make the “on the ground” versus “in the clouds” dialectic moot.