SANTA CLARA, Calif. — PayPal Mobile general manager Eric Duprat keynoted the final day of ARM TechCon in Santa Clara this morning with a surprisingly detailed discussion of the future of money transactions.
Predicting that within five years the majority of $5.5 trillion in retail transactions that occur face-to-face—what Duprat called proximity transactions—would be handled through mobile devices, the PayPal executive outlined a world in rapid evolution.
Today, Duprat said, mobile payment transactions primarily are payments concerning the mobile devices themselves, such as payments for added connect time, or for apps and content for the device itself. But in the future, he said, mobile devices would become the clients for traditional Web commerce, and in addition would create a whole new category of transactions in which mobile devices replace credit and debit cards and cash.
This too-rapid evolution will enormously stress transaction security, Duprat warned. “Today, mobile devices have been relatively—although not entirely—free from attacks by malware,” he observed, “because there has not been that much money at stake. But when huge amounts of money are transiting mobile phones, the level of attacks is bound to increase enormously. After all, these devices are exposed to attacks from all over a global network.”
Duprat said that PayPal could bring some important assets to this struggle, including a decade of experience in securing one of the most attacked Web sites on the Internet. To this end, the company has purchased significant fraud-sciences technology from Israel. But there remains much to be done.
Duprat said the first problem is to secure the PayPal login page from intrusion, snooping, or spoofing. This is a greater challenge for mobile devices, he said, because in order to secure the page, you have to secure the mobile device, the wireless network, and the Internet connection all at once. Even securing the device itself is a challenge because in modern devices, the PayPal client is an application running at the same level as other—possibly pernicious—applications under control of the local operating system. “Any page can be spoofed,” he warned.
Yet Duprat said that just protecting the user’s login screen will not be protection enough as the stakes increase. There must be a way to bind the physical identity of the mobile device—some identifying hardware characteristic—to the PayPal account, while allowing only minimum exposure of the user’s password to the network. He suggested several alternatives, only to reject each of them. SIM cards could work, but would require the cooperation of the world’s service providers—an unlikely scenario at best. Micro SD cards similarly could work, but would add cost to the handset that neither the service providers nor the end users would likely accept.
Similarly, a secure hardware element within the handset architecture would add cost and require agreement across the industry.
So Duprat said that his organization is looking with favor at ARM’s TrustZone architecture. TrustZone is already implemented in the processor, and could be the basis for a virtually non-spoofable authentication and security procedure, linking hardware within the TrustZone to the account.
But eventually, the link must involve not just the secure hardware, but the user herself. The executive said that biometric data, such as a finger swipe or even inertial sensors to extract a signature from the way the user moves the handset as they use it, could serve as the key to enter the secure zone. Then secure hardware in the mobile device’s display module could produce a non-spoofable login screen that would allow users to enter a transaction in total confidence.
This scenario would require the use of biometric sensors in the mobile device, although there is inconclusive research on using the motion sensors already present in many designs. And it would require a hardware lock in the display itself to ensure that the secure screen could only be displayed by the authorized routine from within the TrustZone. These are themselves not insignificant additions to the handset. But if Duprat’s projections for the growth of mobile transactions are close, the stakes will justify the means.