Let’s start with a few questions:
- Have you ever had your password exposed by hackers, such as was done with Adobe, Gawker, Cupid Media, Stratfor, Yahoo and Sony users?
- When you go to a web site to buy something, and they offer to store your credit card information, do you let them?
- If you answered yes to #2 above, what sites do you say yes to, and why?
- How many companies have direct access to your bank account, such as PayPal, other payment service, or a stock brokerage?
Have you been pwned?*
Let’s start with question number one. Has a password of yours been revealed by having an account hacked? You might not even know it. Troy Hunt operated a very interesting site called ‘;–have i been pwned? where he has collected many of the files stolen from web sites by hackers (and subsequently released online) and made an interface where you can search by username or e-mail and see if it shows up in any of the files. Adboe itself had over 152 million accounts compromised (and makes up the bulk of the accounts, but the site also includes Forbes, Gawker, Snapchat, Stratfor, Yahoo, Vodafone, Sony, Tesco, and more. Altogether right now it has 16 sites comprising 161,602,992 accounts that were compromised by hackers (who released the files). Go ahead, take a moment to search the site for your e-mail address and common usernames. You can even request to be notified if your e-mail address pops up in a future file that is added to the site.
What these security breaches show, besides the fact that these companies should have protected their passwords better (hashed with salt), is that people re-use their passwords too much, and use really weak passwords. I remember after one of these breaches getting an e-mail from a different company warning me that I was using the same password on their site, and thus they had automatically reset my password. That means that like Troy Hunt, that company downloaded the released password file, and ran a comparison with their own password database, sending out e-mails to customers that matched passwords in both databases.
Password Managers and Authentication Services
One solution to this problem are password managers. These programs generate random passwords for each site you visit, and thus if a password is compromised on one site, it cannot be used to access any other site. Some popular programs for password management are 1Password and LastPass. Like iCloud Keychain (described in The long goodbye to passwords) these programs store all your passwords in an encrypted database, and share them between multiple devices like your computer and mobile devices. On computers, these programs can utilize browser plug-ins to enable auto-fill of username and password info. However, since Safari on iPhone doesn’t allow plug-ins, these apps cannot integrate directly on the iPhone, and instead have their own browsers built in to their iPhone apps. iCloud Keychain can generate random passwords for new accounts online, but 1Password and LastPass have more customizable password generation systems that allow you specify which types of character are required (upper case, lower case, numbers, punctuation, etc.), how long the password must be, if you want to remove easily confusable characters (like O and 0). LastPass actually offers a web-based password generator you can use, give it a try now to see the kind of passwords it can create.
Another solution to the problem of passwords being hacked is not to give a site a password at all. A number of large sites offer authentication for smaller sites. Some of the biggest sites that do this are Facebook and Twitter. If you have an account on one of those sites, many other sites will let you log in using your Facebook or Twitter account, instead of having to enter a username and password. You go to a site, it asks you to authenticate, you click on a Facebook button for example, and it checks with Facebook and logs you in. The first time you connect your account, you’ll need to verify to Facebook or whoever that you indeed want to allow this site to use your Facebook account for authentication. Subsequently, you just click on the login button associated with the account (Facebook for example) and it verifies your identity and logs you in. The site never has access to a password, so even if they’re hacked, there’s no passwords to be found on their site. The deal here is that you trust the larger company like Facebook or Twitter more than the smaller company to keep your identity safe.
Do you trust web sites with your credit card info?
On to questions two and three. Do you trust any web site with your credit card information?
I haven’t done a poll, so I don’t know the answer to this one, but I imagine for most people there are sites they trust to keep their credit card data (Amazon, Apple, Google, PayPal, etc.) and there are sites they don’t trust. On some sites you will enter your credit card info to make a purchase, but when the site asks you if you want it to save your credit card details for future purchases, you say no.
It’s a simple calculation. Larger companies spend more on security, and you tend to trust them more with your financial information. There’s a second factor, however, and that’s convenience. For sites where you are making repeated purchases, having your credit card data on file is a big time saver. Buying $0.99 apps in the App Store or Google Play store would not be very convenient if you had to enter your credit card information every time.
At the same, the convenience factor can also trump security at times. If your favorite restaurant that you order delivery from twice a week offers to keep your credit card data on file, you might take them up on it. On the one hand, it’s not a big web site that would be targeted by hackers. On the other hand, it’s possible any employee of the restaurant might be able to access your credit card information. You have no idea what their security is – convenience is convenience however.
Let’s go beyond credit card information. Credit cards by their nature have some security features built in to them. You can always change your number if you think it’s been stolen, and credit card companies usually offer some protection from having to pay fraudulent charges. Credit card companies also spend a lot of time and money bolstering their automated fraud protection software.
This leads us to question number four – which companies do you allow to directly access your bank account?
For most people, the only answer is PayPal. PayPal built their business not only by making an easy way to transfer money between people and businesses, but by building algorithms that could detect fraudulent transactions and making the system safe. When you set up a PayPal account, you generally link it your bank account, with a credit card as a back up.
As mobile payments ramp up, I think more companies will try to move into this direct connected space, to allow them to do payment processing at the cheapest possible rate. Some companies currently want the credit card in the middle, to lean on their fraud protection and other security features. If there’s a credit card in the middle, you can add on their security features, but you also are allowing potential revenue to flow to the credit card companies.
Near Field Communication (NFC) and iBeacons
It’s not a coincidence that all the credit card issuers like Visa (payWave), MasterCard (PayPass) and American Express (expresspay) have all moved into NFC-based mobile payments. These systems don’t change anything – you’re still paying with your existing credit card. They’re just adding a convenience factor, and trying to lock you into using their credit card to make you payments (wouldn’t you use the easiest payment system you have?). Visa has gone one step further and built their own online payment system (V.me) as well, which competes directly with PayPal.
These companies realize that payments are going mobile, and are increasingly done with cell phones. Early efforts to use NFC in cell phones, including Google Wallet, basically failed. This is due to early NFC efforts being tied to the carriers. Google recently announced that any Android phone running a version of the OS earlier than KitKat (4.4), i.e. the latest version, will no longer support Tap & Pay (the ability to tap a payment terminal in a retail store with your phone to approve payment). The reason for dropping support for one of the defining features of Google Wallet in older versions of the OS is that they’ve completely overhauled how they handle payment, disconnecting from the carrier and moving to the cloud using a technology called Host Card Emulation (HCE). The technical details are not that important, but Visa and Mastercard have both also thrown their support behind HCE. It can’t be long before other payment processors like American Express also support the technology.
While Google and credit card companies have pushed NFC as their enabling technology for mobile commerce, Apple has assiduously avoided NFC. Instead, Apple has pushed its own solution, based on Bluetooth, called iBeacons. iBeacons is not only a technology to enable commerce, but a major enabling technology that allows retailers and other businesses to detect the presence of customers, make offers to them based on their location in a store, and other very powerful features. Apple has been slowly deploying this technology in it’s own stores, several other retailers, and sport locations like baseball stadiums. iBeacons allow baseball stadiums to detect a customer with seats in the nosebleed section, and offer them quick upgrade to better seats right on their phone when they enter the stadium. Retailers could see that a customer entering the store bought a razor previously, and offer them a discount on blades. As the range of NFC is so short, these kinds of applications are not possible. Apple is also laying the groundwork for retailers to deploy this technology for their own benefit (gaining knowledge about customers, being able to offer deals to them, etc.) while also building in the ability to accept payments. Right now retailers see NFC-based solutions as a cost they may not recover, while iBeacons offer a useful solution to retailers who happily will enable payments through their iBeacons. iBeacons are not an Apple-only technology (rather iBeacons is an Apple trademark and standard, but other companies like Google could offer support as well if they’re not locked into NFC as their only solution).
Becoming your preferred method of payment
In the end, all of these initiatives are focused on controlling the flow of commerce in the coming decades. The credit card companies have more or less controlled the majority of commerce for the past few decades, but they know change is coming. New players are moving into the space. There was a time when only the big credit card companies could manage payments globally. Today Apple, Amazon and Google operate stores and process payments in over 150 countries each. Currently these payment still get routed through credit cards, but who says they have to stay that way?
It’s no secret that PayPal has been trying to partner with Apple for their future commerce efforts. PayPal has already partnered with Samsung for their forthcoming Galaxy S5 phone, that will allow payments to be made via PayPal using the fingerprint reader on the S5 for authentication. Apple already offers payments using the Touch ID fingerprint reader on the iPhone 5S (5S/S5 – kind of annoying, no?) for their own store, but not yet for third-party stores. PayPal wants to be the clearinghouse for those third-party payments, but Apple could either continue to direct purchases to account-connected credit cards, or set up its own payment processing system in competition with PayPal.
Companies are positioning themselves to be your preferred method of payment. Companies like Apple, Samsung, PayPal, Amazon, Visa, and Google are all trying to make sure they are the conduit for your mobile purchases. In this race I think some companies have advantages over others. Apple and Google already operate stores in over 150 countries each, and thus are close to being ready to offer global payment services. Both companies have their own mobile operating systems and can push commerce-related features into the devices that run their operating systems.
PayPal already has the service, but can be circumvented by device companies, which is why they are working so hard to insert themselves into the device manufacturers solutions (like they have with Samsung). Carl Icahn has been trying to get PayPal spun out as it’s own company to realize its full value separate from parent-company eBay. As things heat up in this space, perhaps we could instead see PayPal bought from eBay to further mobile payments from one of these companies.
Amazon operates a global store (although their physical goods are only sold in ten countries, their app store is available in 198 countries), as well as a global wireless network (Whispernet) which could be useful for such efforts. In addition to Amazon’s existing tablets, expect Amazon to offer phones and other personal devices soon. I believe that devices will play a part in the success of mobile payments, which is why the companies controlling the most devices that people use will have a major advantage.
I believe that wearable devices will become key in mobile payments. Smartphones are great, but a watch, bracelet or ring is even better. If you can authenticate yourself using some form of biometrics on a wearable device, and can wirelessly approve payments in retail stores, this creates the third factor (as I described in my earlier article The long goodbye to passwords) that is necessary for secure transactions.
The companies that can both offer payment services (Apple, Amazon, Google and PayPal) and those that can control the devices (Apple, Amazon, Google, and Samsung) will have a major advantage in the upcoming battle for your wallet. For the companies that don’t have enough influence on both the payment side and the device side, expect partnerships to develop.
In the end, the companies that will succeed, will do so by convincing you that they are the company you want to trust with your identity. This company will know what you buy, who you buy from, will have access to your biometric information in some form, and you will need to trust they will never be hacked. For this reason, it’s unlikely that a startup company without these other capabilities will win this war. There may be more than one company who win, but it won’t be a huge number of companies. Just like there are a limited number of credit card companies today, there will be a limited number of mobile commerce companies that take over the market as well.