Trouble is brewing in mobile payments

Now that big-box retailers have stuck their fat fingers into mobile payments, can the next major credit card breach be far behind?

With mobile payments, it would seem that we're entering yet another new battlefront located at the corner of technology, crime, and our wallets. Forgive me if I use past as prologue and predict that this will not go well, at least for the short term.

Payments via NFC (near-field communications) have been possible for a while now, and we've had payments via RFID for even longer. However, the United States is still mired in the card-swipe era, while most of the rest of the world has moved on to chip-and-pin or tap payments, which are rooted in the established technology of point-of-sale payment processors. That means you have a physical item such as a credit card or fob. When you wave that item by a scanner and tap the scanner to confirm, the device is authenticated and charges are made to your account via a clearinghouse.

Now, however, there is a major war brewing between smartphone companies and retailers over how to make it simple and secure to use a smartphone to authorize payments at physical retailers. Essentially, at least in the United States, the idea is to skip the traditional methods altogether and head straight to mobile-based payments.

Both Apple and Google are heavily involved. Apple's new Apple Pay framework has been developed to allow iPhone users to essentially upload their credit and debit cards to their phone, then select the appropriate card to use when making payments. By waving the phone over a sensor with your finger on the phone’s fingerprint scanner, you validate the charge. Apple stands in the middle, both paying the retailer and debiting your bank account or charging your credit card.

In for a penny, in for a pound, paying for goods and services in this method seems to be the way forward. But in order for mobile payments to happen, everyone needs to work from the same playbook, including the retailers themselves.

Naturally, the retailers don't want to play ball. They are developing their own mobile payment system called CurrentC that would be offered to customers as a smartphone application, allowing the same basic functionality, but delivered in a significantly different way on the back end -- a way that appears to be worryingly insecure.

The upside for retailers in this game is sizable. If they can move their customers over to their payment system, they can essentially shortcut the banks and payment processors, saving a few percent on each purchase made. At scale, that translates into a lot of money staying with the retailer instead of going to a payment processor.

However, it's not feasible for every retailer to produce and maintain their own infrastructure to handle payments like this, so a number of large retailers (including Walmart, Target, and Best Buy) banded together to create CurrentC. With enough large retailers on board, the group hopes to make CurrentC the de facto standard.

Given the amazingly poor data security that large retailers like Target, Home Depot, and others have demonstrated, you might see where this could be a problem. In fact, it's already a problem. CurrentC has already lost data to malicious attackers.

I've noted before that we have a fundamentally broken method of dealing with customer data loss events. We have no restrictions on the data collected by large retailers, and no substantive penalties are imposed when retailers lose data on millions of their customers.

Nearly everyone who has had a credit card or debit card and made purchases at a big chain store has had their ID and card information stolen. The numbers are in the many hundreds of millions, and new reports of further data loss are frighteningly frequent. Only last month I had to replace my debit card because I bought lightbulbs at Home Depot. Last year, it was a credit card I used at Target. The time before, another card had to be replaced because of retailer data loss, but the bank wouldn't name the retailer.

These blatant and repeated failures cause financial harm and distress to millions of people every year, yet they are still not being dealt with at any level that might cause some change in the industry. I say that a data loss event should result in the retailer paying a $25 fine to every affected customer. That would certainly get some attention in the 100-million-plus losses, but would also have to be accompanied by mandatory reporting legislation.

These events need to be handled at a legislative level, but will unfortunately take more time and more data loss events. In the meantime, these same retailers want us to trust them with direct access to our bank accounts and other financial instruments.

To state it plainly, the same companies that have suffered massive breaches of customer credit card data due to their lax security practices now want even more of our sensitive data, and to provide even more avenues for fraud and identity theft. As part of that goal, they are actively blocking other payment types, such as Apple Pay and Google Wallet.

If CurrentC succeeds, it will be despite all reason and recent history. We can only hope that some sanity is reclaimed in this mess before more innocent bystanders lose their data.

Meanwhile, at a cafe somewhere in Europe, a hacker with a laptop and a botnet grins, orders Champagne, and prepares for a new haul of identities, courtesy of your big-box stores.

Copyright © 2014 IDG Communications, Inc.