field has attracted thousands of thinly capitalized startups. “There’s a lot of two engineers and a goat,” says Richard Crone, chief executive officer of Crone Consulting, which advises the industry. Crone predicts the number of digital wallets that can be used in stores will double within the next 12 to 18 months and the number of mobile Web or in-app payment services will triple over the same period. “We have a lot of people competing to deliver the same service,” says Michael Belton, vice president for applied research at Optiv Security. He says that in the rush to get their product out, many developers are cutting corners.
Mobile app security provider Bluebox found vulnerabilities in all the roughly 10 unnamed U.S. mobile payment apps it examined last year. “Most of the time, the apps themselves aren’t using any kind of encryption to protect the data on the phone or to protect the data in transit,” says Andrew Blaich, Bluebox’s lead security analyst.
On March 2 the Consumer Financial Protection Bureau levied a $100,000 fine on Dwolla, a service that allows people and businesses to make and receive payments via a website or mobile app. The agency said Dwolla misled users by claiming that its data security practices “exceed industry standards,” while in a number of instances it stored and transmitted Social Security numbers and other sensitive information without encrypting the data. In a statement, the Des Moines-based company said “the CFPB has not found that Dwolla caused any consumer harm.”
The Federal Trade Commission, which regulates nonbank financial-services companies, won’t disclose whether it’s investigating any mobile-payments-related cases, but “it’s something that we are looking closely at,” says Duane Pozza, an acting assistant director at the commission’s division of financial practices.
Current laws may need to be updated to determine who’s liable in instances of fraud. The Electronic Fund Transfer Act doesn’t cover services not offered through traditional financial entities, such as banks and credit unions. Hughes, the professor, advises app users to read the fine print and consider whether they’re “satisfied with the level of privacy and security that provider is offering.” —Olga Kharif

[Sidebar figure; number missing from page] million: Number of people worldwide who will use their mobile phone to make an in-store purchase in 2016.

The bottom line: Mobile payments technology is evolving faster than regulation, leaving some users exposed to fraud.
theft. “Jeff’s work provides a unique integration of cyber, criminal, competitive, and economic threat intelligence and analytics that hasn’t been done before,” says Bob Rose, an independent cybersecurity expert who advises several government agencies and corporations. “It gives senior decisionmakers a tailored view of the risks, findings, and recommendations.”
Johnson has spent the past nine months presenting his model and findings to government agencies, including the FBI. The U.S. government has new tools it can use against hacking, including a sanctions program created by executive order last year. He hopes his cyber-economic model can help build evidence for such cases, and ultimately increase the cost of hacking to China. —Dune Lawrence

The bottom line: Squirrelwerkz says companies investigating hacks put too much emphasis on technology and too little on business analysis.