Smurfs Offer Cautionary Mobile Payments Tale

The Smurfs may have an important security lesson for banks and credit card networks getting into mobile payments.

Capcom Interactive Inc. caught the ire of parental groups in recent weeks over its Smurfs' Village iPhone game, which is free to download but charges players to purchase additional features, like "Smurfberries," within the application.

Smurfberries can cost as much as $99.99 per wagonful.

Some parental groups criticized the game, as well as iPhone maker Apple Inc., after reports surfaced of children racking up large bills while playing the game. The uproar prompted Capcom to add a warning to the game's users. Apple has since tweaked a password feature in its mobile operating system so that users need to authenticate themselves a second time before buying items within apps.

There's a difference between making a purchase within a mobile app and using a mobile phone as a credit card replacement at the grocery store. But the Smurfs debacle highlights some of the inconvenient consumer perceptions that banks, card networks and other players are likely to encounter as they try to bring payments to cellphones.

Though consumers do not lose their liability protections when attaching a card to a handset, the onus is partly on them to safeguard their information as they would their plastic cards.

"To me this is less about classic security issues … and more about giving account holders the control that they really crave and lack," said James Van Dyke, the president of Javelin Strategy and Research in Pleasanton, Calif.

Van Dyke, who tracks payments security and fraud, said as more transactions are conducted electronically, there are more opportunities for consumers' information to be compromised or misused.

At the same time, consumers may not be as vigilant with emerging forms of payments tools, such as their mobile phone, as they need to be, which the Smurfs scenario suggests. Parents who gave their children their iPhone may have been shocked that it was even possible for their kids to make purchases within an app.

Bringing that same situation into the physical retail world prompts questions about what happens if a shopper loses his payments-enabled phone or has it stolen.

Right now there is no standard approach for how a consumer would initiate a transaction using their phone as the payment device. (The technology that is expected to make such activity possible — near-field communication — is in very few phones in the U.S.)

But software executives and analysts say banks and other companies vying for market share will likely give consumers choice around when to input a password or other credential.

"The beauty of the NFC environment is that the behavior is totally customizable, so a bank might say that a user has to input his passcode all the time before he can make a payment," said Deepak Jain, the president and chief executive of DeviceFidelity Inc., a Richardson, Texas, technology company working with Visa Inc. and MasterCard Inc. on mobile payments trials.

"A bank might say it's up to the user," Jain said. "If he's more security conscious he can choose his setting of the passcode."

Banks that are working with Visa using DeviceFidelity's memory cards, which contain a customer's payment account information, are testing different approaches.

One, which Jain declined to name, requires a consumer to enter information before each payment. Others are more open, he said.

Bank of America Corp., which plans to begin a pilot test soon using DeviceFidelity's technology and Research In Motion Ltd.'s BlackBerry devices, is testing "different types and levels of security" so it "can learn what our customers like best as we seek to strike a balance between security and convenience," a spokeswoman said in an email.

A spokeswoman for Isis, a mobile payments venture being developed by AT&T Inc., Verizon Wireless and T-Mobile USA, said in an email that the partners are "investing in strong privacy and security measures" but would not comment on specific features.

Lost and stolen cellphones in an NFC environment pose no more of a risk than a lost or stolen plastic card, some experts said. Limited liability clauses for fraud incidents that apply to plastic cards today would also apply to a virtual card.

Additionally, NFC allows tighter security of the actual data.

"There is substantially more security in any smartphone payment application than there is in any physical wallet application, like a plastic credit card," said David Schropfer, a partner with the Luciano Group, a Red Bank, N.J., consulting firm that focuses on the telecommunications industry.

Schropfer, the author of "The SmartPhone Wallet," said regardless, consumer perception of mobile payments security will play a role in how banks and others market future products.

The role that consumers play in ensuring that future mobile payments systems are secure was highlighted in a report that the Federal Reserve Bank of Atlanta and Federal Reserve Bank of Boston released on Friday.

"Consumers need to buy in to their role in ensuring a secure, private and efficient payments system, and correct the bad habits they developed online," the report said, noting that zero liability policies in e-commerce may have led to carelessness among some consumers.

"The mobile venue needs to be better," the report said.

Some say mobile payments systems are likely to be more secure because consumers are more aware of their phones and carry them at all times.

"If you compare people's awareness of their device to, say, a particular credit card in their wallet, people are much more aware of the loss of a phone," said Diarmuid Mallon, a senior product marketing manager at Sybase Inc., a subsidiary of SAP that develops mobile banking and payments software.

Google Inc. is working with MasterCard Inc. and Citigroup Inc. on a mobile payments system that would rely on NFC chips embedded in Android handsets, The Wall Street Journal reported Monday.

Richard Crone, the CEO of the payments consulting firm Crone Consulting LLC in San Carlos, Calif., said he expects such a system to include stopgaps that would address risks of lost or stolen phones.

"Mobile payments at the point of sale should … in order to provide consumer confidence, provide the opportunity for the consumer to not only confirm a purchase but authorize a purchase with a PIN or with a username or password," Crone said.

MasterCard and Google representatives declined to comment on the Journal story. A Citi spokesman did not respond to inquiries.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER