Wave-and-pay technology useful to users, crooks
With many firms jumping into wearables, not even Apple is safe from fraud
Peter Li, co-founder of Atlas Wearables Inc., liked the virtual wallet one of the company’s partners built into his fitness bands for a demo earlier this year.
“You just walk up, wave your wristband,” said Li, who’s also chief executive officer of Austin, Texas-based Atlas. “There’s a huge application for what a wrist tracker can do for buying things within the gym, getting gym access.”
Yet Atlas, which makes bands that monitor users’ workouts, is still debating whether to add the payment capability to its next-generation products — partly due to security concerns.
As smartwatches, bands and other wearables multiply and more include payment functions, the potential for theft and hacking grows. Right now, there’s little agreement about the best way to proceed. Companies are testing a variety of tools, from pairing devices with phones to measuring a user’s heart rate for verification.
“I have to think a while to think of a single wearable that’s truly secure from end to end,” said Brian Witten, a senior director at Symantec Corp., which sells cybersecurity software.
Users like the convenience of having their wallets on their wrists. At Walt Disney World, tourists wave their MagicBands to pay for food or get into their hotel rooms. A jogger or worker wearing an Apple Watch doesn’t need to carry cash or a credit card on a run or lunchtime walk.
Researcher IDC predicts shipments of wearables will grow more than fourfold to 237 million units in 2020 from about 80 million this year. Between 30 per cent and 40 per cent will have payment functions in 2019, compared with 2 per cent today, said Roger Kay, president of Endpoint Technologies Associates. With hundreds of companies jumping into the business, security and privacy protections vary widely, and even the most trusted companies aren’t risk free. Immediately after Apple Pay made its debut in 2014, fraudsters used stolen credit card data to make purchases. Apple and its bank partners have tightened controls over the service, which lets consumers pay by tapping their iPhone or Watch on a store terminal, and reduced this type of fraud.
Still, opportunities for theft will grow with the industry.
For starters, wearables are among the least secure of all smart devices. While many phones require a fingerprint to OK a payment, 69 per cent of wearable-device owners don’t bother setting up a password for the products, according to a survey released in March by identify-management provider Centrify.
“The devices themselves can be compromised,” Witten said. “They can be used to track users, even halfway around the world,” potentially letting would-be burglars know their intended victims are on vacation.
Symantec’s research shows “the majority” are vulnerable to breaches, he said.
Last year, some accounts of Fitbit users were compromised because the wearers used the same usernames and passwords on a number of websites, according to a report by security blogger Brian Krebs.
Fitbit had since started monitoring user activity patterns: If someone’s behaviour changes dramatically, that’s a sign the account has been compromised, Marc Bown, senior security engineer, said in an interview. The company can alert the user, get passwords reset and contact law enforcement.
Fitbit’s gadgets don’t make payments right now, but might one day.
“We are always exploring additional things, potentially including payments,” Eric Friedman, the company’s chief technology officer and cofounder, said in an interview.