How your mobile is about to replace your wallet
The days of reaching for your credit or debit card could soon be over
New payment systems are also appearing on mobile phones. This week, the Payments Council banking body revealed the Paym service, which will allow users to send money to their contacts using just a mobile phone number. The service will be integrated into mobile banking apps or payment apps, with nine banks and building societies signed up to the system, when it launches next month or in May.
Sweet Baby Jesus, NO!
This is such an enormously bad idea that I'm not even sure where to start. Maybe with the problem that if you lose your phone, everything on the phone ends up in someone else's hands:
It seems that Philip and Tina Sherman have an affectionate marriage. In their case, this would include Mr. Sherman taking naughty pictures of Mrs. Sherman. Nothing wrong with that if that's your bag, baby. Just don't lose the phone:
An Arkansas man on Friday filed a lawsuit against McDonald's, alleging a restaurant location uploaded nude photos of his wife onto a web site. In the suit, Phillip Sherman said he left his phone at a McDonald's location in Fayetteville, Arkansas, and that a manager promised the phone was secured for him to retrieve it. After picking up his iPhone, photos of Sherman's wife Tina Sherman made their way onto a web site -- along with her name, address and contact information, the suit claims.
Oops.
If you lose your credit card, you call the credit card company and you're covered for liability. Is that what happens here? Beats me. Do you read the EULA for the apps you install or do you just click Next?
Maybe it's a lack of confidence in the security in the apps themselves:
Here chez Borepatch we simply won't do online banking, because I'm not convinced that banks have sufficient security in their online systems to stop massive fraud, or have processes in place to identify and react to it. In short, I'm quite unwilling to be a guinea pig for their new Web 2.0 e-Portal.
You shouldn't, either. The reasons include:
The Internet applications that banks are putting online are rushed into production, and therefore are probably not well tested. The Executive VP of online banking is in a hurry to "take the company 'e'", so time's a-wasting. It's hard enough to do basic functionality testing (do all the widgets work?), let alone figure out if security is well implemented. At the extreme, security isn't an afterthought; it isn't thought of at all.
The web 2.0 technologies that techies love so much (and which provide such a cool user experience) are brand new. People really don't know what the security implications of these technologies are. But everyone uses them anyway. How secure is the app? How would someone find out? How would you find out? Unfortunately, the answers are [sound of crickets chirping].
Credit card companies have been dealing with card fraud for decades. They understand how to find patterns much, much better than banks do. If you include telephone credit card ordering, the card issuers have been dealing with fraudulent orders for 30 or 40 years. Some of the most sophisticated data mining applications are in use at Visa and Master Card. Banks are new to this - if someone figures out how to transfer cash from online accounts, do they know how to identify this? Not clear at all.
It's getting worse, not better.
Replace "Web 2.0" with "iOS and Android Apps" and every word remains pertinent here. I don't know how secure these apps are, and quite frankly I don't think that anyone does.
Maybe it's because a bunch of Android phones come with malware pre-installed at the factory:
A wide range of smartphones and tablets manufactured by Samsung, Motorola, Asus and LG Electronics have apparently been compromised with malicious apps before being sold to unsuspecting clients.
The claim has been made by David Jevans, founder and CTO of Marble Security, who discovered the problem after a potential customer complained that the company's mobile security management platform detected Netflix apps on several of its employees' devices as malicious.
As it turned out, they were malicious, and were harvesting passwords and financial information and sending it to a server in Russia. "The company claimed the apps were already installed on the devices when they bought them," Jevans told Jeremy Kirk.
I don't know who is liable if you install this app on a new phone that's pre-pwn3d from the factory. Is it the bank? The carrier? The factory? Beats me, but I don't want to have to find out because it was my bank account that got cleaned out.
As you can tell from the links included here, I've been blogging about this for a very long time. It's an enormously bad idea. I go into a lot of detail here:
What's wrong with this picture?
Both my regular readers are probably thinking what's wrong is that we're going to get another rant about online banking. Well, yes you are, but that's not the point. Buckle up, because I'm about to roll out Borepatch's Second Law of Security.
Let's think about a brick-and-mortar bank ...
My advice is to let someone else be the guinea pig. There's a reason that they call it the "Bleeding Edge" of technology.