Commerce is certainly heading ever more towards the E. While alternative digital currencies still hover on the verges of the mainstream today, the speed of their adoption indicates a positive future for e-money. Credit cards are already becoming outdated as a form factor. In fact, in many parts of the world the plastic card itself has simply become an emotionally comfortable way to get people to pay using NFC (PayPass, payWave etc.), and it does not take a large leap of faith to imagine the logical next step, e-wallets on an NFC-enabled mobile device, making the transition to the mainstream. Many financial institutions already offer NFC “stickers” to slap on the back of non-NFC-enabled devices, but the battle is still on for the dominant form factor for delivery: SD cards, external devices (stickers or sleeves), embedded hardware, Cloud (via QR) or SIM-integrated technology all have roles to play, some as short-term bridge technologies, some as the basis for longer-term solutions. For the foreseeable future, these digital links to traditional currency will vastly outnumber the alternative digital currencies.
If you do use digital currencies or NFC, how do you secure those e-wallets? Mostly e-wallets are held on mobile devices that are no strangers to vulnerabilities at the operating system level. On the app front, Google’s own e-wallet was easily subverted through a privilege escalation attack. The dominant platform, Android, suffers not only from vulnerabilities but also from fragmentation. This means that there are many different flavours of Android, from many different manufacturers, many of which will never see an upgrade or security patch. The mechanism for getting a patch from Google to the handset is simply too convoluted, relying on both handset manufacturers and carriers to act as middlemen: middlemen who actually have an interest in getting you to buy a new phone rather than fixing your old one… Add to that the (currently) under-explored area of vulnerabilities in the apps themselves and the widespread abuse of app store platforms for spreading Trojan-type malware, and there is a perfect storm of threat brewing for e-wallets.
Much of the burden for securing these technologies lies with app developers and with handset and OS manufacturers, and perhaps the greatest step toward effective security would be the development of, and adherence to, an open standard that includes security mechanisms such as a TPM on the mobile platform. Unfortunately, Visa are already talking about waiving the need for merchants to validate their PCI compliance if 75% of their transactions originate from NFC technology!
Of course consumers have a role to play too: keeping their devices physically safe, using effective device-locking passwords, enabling remote lock and wipe functionality, and making sure that any sensitive information (or preferably all information) is wiped from the device when it will not be in their hands for a period of time, or when they are disposing of it.
As for Bitcoin-type currencies, dividing your assets between multiple wallets, breaking them up into “spending” and “saving” functionality, and keeping the lion’s share on a secure device that is not used for regular Internet access is your best defence. There is currently no regulator in the Bitcoin world, so every transaction is effectively final.
By 2020, we fully expect digital currency to be embedded in the economies of the early-adopter geographies, and consequently there will be a greater level of malicious interest in your digital pockets. On the security side, we would hope that those standards are more than just a pipe-dream and that effective multi-factor (biometric) authentication has, by then, been integrated into many of the sensitive transactions that we will increasingly carry out online.