Cash likely will always be king, but digital forms of payment are sure to give cold hard currency a run for its money. That’s if the digital systems, especially those involving contactless payments, become more secure and consumers get more comfortable with them, according to IEEE Member Diogo Mónica. He’s the security lead at Docker, an open platform for distributed applications, in San Francisco. Before that, he was the platform security lead for Square, one of the leading makers of credit card and digital payment readers, also in San Francisco.
The Institute asked Mónica whether contactless payment systems, like Apple Pay and Android Pay, are safer than chip-enabled credit cards, and what it might take for contactless systems to be used as widely as cash.
THE DIGITAL AGE
Mónica is past chair of the IEEE Public Visibility Committee, which this year conducted a survey of 2,000 technology enthusiasts on the future of cybersecurity. Seventy percent of the respondents said they believed that by 2030, mobile payment systems would overtake cash and credit cards.
Mónica says he doesn’t believe cash will ever disappear as a form of payment, and certainly not in 14 years. But he does predict that most payments in 2030 will be made using digital systems.
“By that time every single person will be able to make contactless payments, because just about everyone will have a mobile device, and all retailers will have a reader that accepts the payments,” he says.
SAFER BUT STILL VULNERABLE
In one important way, contactless systems—with their digital wallets that contain credit card numbers the shopper has loaded via an app—are safer than chip-enabled credit cards. That’s because the numbers are replaced by a token, an algorithm-generated one-time-use number. Thieves can’t pilfer your credit card number by writing it down, say, or using a skimmer.
Contactless payments are made possible by either near-field communication (NFC) or RFID chips in smartphones and in some credit cards. To pay at checkout, the smart device or card is held about 5 centimeters from a reader.
But right now NFC readers have a big downside: They can be exploited by digital pickpockets. Thieves on crowded subways have used small NFC readers with an associated account to make unauthorized charges on riders’ contactless credit cards. The crook simply stands close enough and keys in an amount on his reader that typically doesn’t require the purchaser’s authorization. In the United States, for example, those are charges of less than US $50; in Australia, under $100. The thief touches his device close to or against the rider’s purse or pocket to move the funds to the thief’s account.
Also, the NFC feature on some Android smartphones has been hacked. Such attacks are done with an app infected with malware that victims unknowingly download. The malware on the user’s device uses the phone’s NFC reader to note the credit card number and expiration date, then sends them back to the attacker. With that information, the thief can make online purchases.
“The fact that your phone is near an NFC credit card now gives the phone permission to use it,” Mónica says. “Any transaction that is contactless and that doesn’t require a passcode or a touch ID is vulnerable to these attacks.”
Smartphones such as iPhones that use a fingerprint or passcode to explicitly authorize a purchase are the most secure, Mónica says. But, by and large, he says Android Pay and Apple Pay are safer than credit cards.
To protect your contactless credit cards, Mónica recommends using one of the RFID-blocking wallets on the market. And to be safe with an Android device, avoid downloading apps that have not been approved in the Google Play store. And deactivate the NFC feature on your smartphone if you’re not planning to use it.
NEED FOR SPEED
Another major driver of adoption, Mónica says, likely will be how relatively quickly contactless transactions are processed. It takes about 2 seconds for a contactless purchase, compared with the nearly 10 seconds it takes with a chip-enabled credit card.
“Retailers lose huge amounts of money by people waiting in line while the transaction is processing,” he says. “They will do anything they can to speed up these lines, including incentivizing their customers to use Apple Pay or Android Pay—which are a lot faster.”
HURDLES TO OVERCOME
One major reason smartphones with their digital wallets won’t completely replace cash or credit cards is that phones can run out of power.
And some people will have to form new habits: They’ll need to bring their digital wallet everywhere with them, just like a traditional wallet. No more forgetting your phone at home or leaving it in your car.
“Some people might not be comfortable depending on just their phone to pay for things,” Mónica says.
Another drawback is that the systems aren’t everywhere yet. Apple Pay is available in only eight countries; Android Pay is in four. The majority of the working systems are in large retail and grocery stores.
Mónica also notes that people are still learning how to use the systems, and not all stores—particularly mom-and-pop shops—know how to install them.
“Acceptance will occur only when retailers see the systems’ value and adopt them, and customers feel comfortable using them,” he says. “A system has to work really well for people to like it.”
Mónica says he’ll be one of the people who’ll stop using cash entirely by 2030, adding, “I’m really excited about that.”