if it’s not executed properly, it could be interpreted as a violation of privacy
it’s highly untested, and improper execution could do more harm than good.
beacons border “on the edge of cool and creepy”
Interesting opinion on application of Beacons technology in retail. I would agree.
Interesting view on U.S. EMV migration.

1. EMV solves the wrong problem – and an old one at that.

I agree with #1, #2, and #4. As a technical guy, I don't care who pays for it (#3): eventually, it's us - consumers - who pay for everything. I disagree with #5: ACH and bank transfer threats (and solutions) are completely different from merchants' payments security problems. I would agree with #6 but I don't see "real opportunity": there is no mature payment technology available today that could become a real alternative to EMV. Crypto-payments (Bitcoin & Co.) are a very promising trend, but based on the recent series of failures they are still in the early proof-of-concept stage. And there is no single mobile payments technology that is secure enough to be accepted by mainstream consumers.

As a payment security expert, I get a lot of questions from people about new payment technologies. Are merchants likely to accept them? How secure are they? A couple of recent startups in this space, Loop and Coin, have been generating quite a few of those questions, and my review of them shows some concerning vulnerabilities.

Loop and Coin are just two examples of mobile payments startups that try to bring an invention to market by marrying their new technology to an existing payment card system. The reason is simple: Their tech is more likely to be accepted by the mainstream if merchants can reuse their existing payment hardware and software.

Both Loop and Coin are trying to keep alive the dying magnetic stripe payment system. However, they have another important “feature” in common: By replacing the original plastic cards with digital ersatz, they unintentionally simplify the flow of the stolen credit card data.

Loop

The core know-how of Loop is transforming the traditional magnetic stripe reader device (MSR), which merchants use to accept the magnetic credit and debit cards, into the contactless reader.
The powerful magnetic field is generated by the mobile payment device (instead of the payment card’s magnetic stripe), so the card data can be transmitted wirelessly to the same reader.

Although this technique is very interesting from a technical point of view, there are several potential issues with accepting Loop as a mainstream method of payment.

First, there is no real innovation here. It’s just a combination of old technologies.

Second, from a security point of view, it’s the same nightmare as existing credit cards. It can be even worse because all my cards are now stored in one place. And the card data is not protected when it is transmitted from the mobile device and throughout the system, just like with traditional plastic cards.

Finally, Loop is less convenient than plastic cards, especially with the fob required for iPhone. Instead of just swiping the card, I need to: hold both the fob and the phone, unlock the phone, find and start the app, select the card, then press the button on the phone and at the same time “swipe” the fob. Not to mention the fact that many card readers are deeply “hidden” inside the customer-facing hardware, such as a bank ATM or gas station’s fuel pump, and therefore cannot be reached by the Loop device.

But most importantly, this system is dangerous to merchants, issuers, and acquirers because it simplifies the credit card fraud process. Hackers don’t need to make the physical plastics anymore – they just load the dump of stolen card data into the single device, and voilà!

Loop’s developers say the app identifies the cardholder before the new card is added to the wallet, so it is impossible to add someone else’s card into your wallet. This “security control” is very weak, and anyone familiar with the design of magnetic payment cards can find a workaround.
This protection measure is implemented by comparing the cardholder name, which is encoded on magnetic Track 1 of the credit or debit card, with the name on the Loop app account. A hacker who wants to enter and use the stolen track data can easily fake the name on the card and match it with the name on the Loop account because the cardholder name on the magnetic track is not protected by encryption or digital signature and can be changed to any combination of letters without affecting the payment approval process.

Coin

The idea of Coin is similar but more elegant: replacing several payment cards with a single card-like sophisticated device. The technology behind Coin is pretty impressive, but it raises exactly the same security concern as the Loop device.

Normally, when carders want to use the stolen card data to make a purchase in a brick-and-mortar store, they need to produce the fake plastic card, which must look like a real credit card, and encode it with the stolen magnetic tracks. But with Coin, there is no need to produce a good-looking physical plastic anymore. The stolen data can be encoded directly into the Coin device.

Carders would have to overcome one obstacle: taking a picture of the real card so they can enter the new card information into Coin through the iPhone or Android app. But I think generating a realistic virtual image of a credit card (so it can be photographed instead of the real card) is cheaper than creating a physical counterfeited card, which requires special equipment such as a PVC printer, an embosser, a tipper, etc.

I am sure that hackers, carders, and cashers will be among the first beta testers (and subsequently the most appreciative users) of such “innovative” technologies. More effective security controls — if they are feasible at all — must be designed for the mobile wallet apps that reuse the existing magnetic stripe technology.
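The Loop enrollment check described above (Track 1 name compared with the account name), as an added example that is not part of the original article or Loop's code: it parses a constructed format-B Track 1 string and tests whether the name field is covered by anything a toy issuer check verifies. `DEMO_KEY`, `check_value` and the HMAC used as a stand-in for the issuer's check value are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Track 1, format B (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
DEMO_KEY = b"constructed-demo-key"  # hypothetical issuer key for this example only

def check_value(card):
    """Stand-in for the issuer's card check value (not the real algorithm):
    keyed over PAN, expiry and service code. The name is not an input."""
    msg = (card["pan"] + card["expiry"] + card["service"]).encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()[:3]

def parse_track1(raw):
    m = TRACK1.match(raw)
    if m is None:
        raise ValueError("not a format-B Track 1 string")
    keys = ("pan", "name", "expiry", "service", "discretionary")
    return dict(zip(keys, m.groups()))

def issuer_accepts(card):
    """Toy authorization: only the keyed check value is verified."""
    return hmac.compare_digest(card["discretionary"], check_value(card))

def wallet_name_check(card, account_name):
    """Enrollment control as the article describes it: track name vs. account name."""
    surname, _, given = card["name"].strip().partition("/")
    return f"{given} {surname}".strip().upper() == account_name.strip().upper()

def name_is_authenticated(card, other_name="ROE/RICHARD"):
    """True only if a different name would change the issuer's decision."""
    return issuer_accepts(card) != issuer_accepts(dict(card, name=other_name))

# Constructed sample: 4111111111111111 is a widely used test number, not a real card.
_fields = {"pan": "4111111111111111", "expiry": "2912", "service": "101"}
SAMPLE = "%B{pan}^DOE/JANE^{expiry}{service}{cv}?".format(cv=check_value(_fields), **_fields)

if __name__ == "__main__":
    card = parse_track1(SAMPLE)
    print("issuer accepts:", issuer_accepts(card))
    print("wallet name check:", wallet_name_check(card, "Jane Doe"))
    print("name covered by issuer check:", name_is_authenticated(card))
```

A control assessment like `name_is_authenticated` returning false means the enrollment decision rests on a field that nothing downstream verifies, which is the weakness the article attributes to the name comparison.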
The article is called "These new mobile wallet apps will make it easier, not harder, for hackers to hijack your payment card" and it's focused on two mobile payment solutions: Coin and Loop. When I started reviewing those technologies and their security features, I noticed that there are potential security vulnerabilities "hidden" in those solutions. The trick is that those vulnerabilities do not directly threaten the consumers or merchants, but they may affect the already weak security of the card payment system itself.

Interesting list of 10 examples of BLE Beacons implementations, including payments (PayPal "hands-free").

Secure payments with HP Mobile POS: Implementing point-to-point encryption using HP retail solutions

3/7/2014

Secure payments with HP Mobile POS: Implementing point-to-point encryption using HP retail solutions is the technical whitepaper which I have created for HP. More information about HP mobile POS solutions can be found here.

Amazon is reportedly going to enter the brick-and-mortar business by providing a mobile checkout solution and competing with Square and PayPal. The system will allegedly include supplying retailers with Kindle tablets and credit card readers.

I think integrating a single mobile payment solution into multiple existing bank apps is an interesting idea which has a future. On the one hand, we use mobile phones and we would like to use them as wallets for mobile payments, but we don't trust the mobile payments providers and don't like the eWallet apps. On the other hand, we already use bank apps and we (usually) trust the banks, but they fail to provide a universal tool to process mobile payments. If we combine the two problems, there is a chance to get a viable solution.

Is Bitcoin going to be the future technology of online payments? And maybe not just online?

Bitcoin hit a high of $1,073 on Tokyo-based exchange Mt. Gox, the best-known operator of a bitcoin digital marketplace, compared with just below $900 the previous day. Bitcoin is not backed by physical assets and is not run by any person or group. Its value depends on people's confidence in the currency. It has been gaining acceptance by the general public and investment community but has yet to become an accepted form of payment on the websites of major retailers such as Amazon.com.