ePayments Week: How to steal coffee from your friends

Starbucks skips security, Visa wants a cut of those Smurfberries, and Nokia's CEO sets a fire.

Here’s what caught my attention in the payment space this week.

How to steal coffee from your friends

If you can’t get your friend to buy you a cup of coffee, this week there are helpful hints on how to steal it from them by exploiting some pretty obvious gaps in the security on Starbucks’ mobile payment system (which we tried out a few weeks back). The embarrassing part is that there is no security on the app, other than perhaps keeping it in your pocket.

Update: Thanks to our readers who pointed out that you can set a pass code in the Starbucks app’s preferences menu.

Mobile Commerce Daily explained how to swipe from your friend’s app: wait until your friend excuses themselves to visit the restroom, and hope they leave their iPhone on the table. Then grab the phone, open the Starbucks app, press the touch-to-pay button that generates a bar code, and grab a screenshot of the bar code. After closing the app, mail the screenshot to your own iPhone, remembering to delete the picture from your friend’s. If you manage to accomplish all this before your friend returns from the restroom, you’ve just scored yourself a pass to drain out your pal’s Starbucks card. Clearly, it’s a security gap that Starbucks should address. But at the risk of sounding like a socialist, if someone needs coffee that badly, maybe we’d better let them have it.

On the serious side, this story points to two larger issues. The first is obviously security. As we increasingly store sensitive information on our phones, including financial data and the ability to make purchases, we’re going to need to get more serious about security. Pass codes to lock a phone and various apps to find or “blow up” the data in stolen phones already exist, but many people don’t bother with them. Biometric security — the ability to unlock your phone with a thumbprint or retina scan — can’t be far behind. And at least one effort is underway to use “gait analysis” to shut down your phone if someone other than you walks away with it (providing you don’t share the same limp).

The second issue points to convenience. As I noted last month, if every retailer sets up a proprietary purchasing app, checkout will become a ridiculous exercise in pawing through apps. But even a one-app-pays-all solution has to be implemented cleverly if it is to win converts, according to Kevin Woodward, editor of ISO and Agent, which covers payment issues. “It has to be easier than a credit card,” Woodward said in an interview. “You can’t walk around with the app open, and if you need to fish around in app menus to find it, most people are going to reject it.” Woodward cites the lack of uptake for contactless payment with systems like MasterCard’s PayPass a few years back, noting consumer uncertainty and expense for merchants apparently stymied adoption. “Someone has to figure out a way to make it a better transaction experience, not only for the merchant but for the customer as well.”

Visa buys PlaySpan, a virtual goods payment platform

Visa says 45% of the $948 billion e-commerce transactions processed in 2010 traveled through its network. But it doesn’t want to miss out on the growth that’s happening in new markets, like virtual goods. So this week it announced plans to buy PlaySpan, a Silicon Valley company with a payment platform for virtual and digital goods — things like in-game purchases or electronic documents and recordings. Josh Constine at Inside Facebook has a great write-up of PlaySpan’s business and its place in the social game industry. The post includes a helpful graph that hints at the complementary skills of Visa and PlaySpan.

PlaySpan has a development platform called Monetization-as-a-service that helps integrate in-game payments on a variety of platforms. Visa doesn’t. But it has something that PlaySpan lacks: name recognition and a piece of plastic in every adult player’s wallet.

Last fall, Inside Facebook asked game players what service they would most like to use when buying virtual goods. Nearly 40% said Visa, a little more than 20% opted for PayPal, and PlaySpan’s UltimateGameCard received a “participant” ribbon. By integrating PlaySpan’s platform as a front-end feeder to its payment network, Visa hopes to catch a larger piece of the virtual goods pie, which Inside Facebook predicts will grow to $2.1 billion in 2011. Now that’s a lot of Smurfberries.

Jump, Nokia!

Nokia’s new CEO Stephen Elop has finished his internal review of the company and come to the conclusion that it’s in deep trouble. In a leaked memo, Elop used the metaphor of a man trapped on a burning platform, making the decision to leap into the icy water in order to survive. Once the leader in mobile handsets, Nokia finds itself under attack from Apple on the high end, overtaken by Google’s Android in the mid-range, and overcome by Asian competitors at the low-end. As if to punctuate the need to jump, Gartner reports this week that Android sales grew 888% in 2010, and Android is now the dominant smartphone operating system, beating out the Symbian systems that Nokia has used in its phones since the Napoleonic Wars.

The leap that Elop wants Nokia to take looks like it will be straight into the arms of his old employer, Microsoft, which has struck a deal to put its Windows Mobile 7 into Nokia smart phones. That news came after rumors that Nokia had also been in talks with Google about a similar deal. A tip that those talks had failed came in the form of a cryptic tweet from Google vice president Vic Gundotra, who told his 5,300 followers: “Two turkeys do not make an eagle.” Nor could they escape a burning platform without plunging into icy water.

Got news?

News tips and suggestions are always welcome, so please send them along.


If you’re interested in learning more about the payment development space, check out PayPal X DevZone, a collaboration between O’Reilly and PayPal.


  • Randy

    You can set a 4 digit passcode in the ‘Mobile Card’ app. Statement of ‘no security’ in article is faulty.

  • David

    Here’s another way to steal coffee from your friends:

    ==
    Wait until your friend excuses themselves to visit the restroom, and hope they leave their wallet on the table. Then grab the wallet, open it, and grab some money out of it. After closing the wallet, put the money in your pocket. If you manage to accomplish all this before your friend returns from the restroom, you’ve just scored yourself a pass to drain out your pal’s money. Clearly, it’s a security gap that money should address.
    ==

    If there’s a risk here, it’s that folks don’t equate (yet) possession of phone with possession of secure or depletable resources. This is not really about any specific app. If your friends are going to steal your money, you need different friends.

    Usual caveats apply if you lose your phone etc. But the phone itself has a passcode lock and other solutions for remote data destruction/access in case of app-agnostic emergency.

  • http://billday.com Bill Day

    I worked for Nokia for a while and it pains me to see them ready to embrace Microsoft.

    Does anyone remember what happened to Silicon Graphics when they hired an ex-Microsoftie as CEO and then about-faced on embracing an MS OS? I was there and it was not pretty.

    Here’s the short version: Terrible, going down in flames, disastrous failure.

    See:
    http://www.faqs.org/abstracts/Business-general/SGIs-Belluzzo-quits-as-CEO-chairman-MCI-Digital-Microsoft-plan-joint-venture.html

  • David Sims

    David: Perfect! I can’t imagine leaving my iPhone on the table — not least because I’m likely to want to be checking messages on the walk to and fro the men’s room. You’ve punctuated my point here, which is that we can forgive Starbucks for bringing this out to market with no special security. The stakes are pretty low: I’ve never seen a Starbucks card with more than $20 on it. But this is the camel’s nose under the tent: as more financial data & capability begins to live in the phone, it needs to be less forgettable.

  • David Sims

    Bill,
    Any thoughts on why the Symbian o.s. couldn’t evolve to become as interesting and adaptable as something like iOS or Android? Is it just too much of a legacy system, built for a different purpose?
    — Dave

  • http://billday.com Bill Day

    In my opinion, Symbian’s architecture is more difficult to wrap your head around than Android. This has been a drag on potential Symbian development for years. That, combined with Android’s forward looking design versus Symbian’s legacy orientation as you mention, make Android more attractive to many developers.

    Even worse for Nokia, Google’s Android business model has invigorated handset vendors in a way that Symbian never quite seemed to.

    I don’t see Symbian recovering from the iOS-Android 1-2 punch.

    PC Mag got a lot of things right in their coverage of the Nokia Windows Phone announcement this morning. Most importantly, Microsoft is the big winner. Nokia, I fear, not so much. http://www.pcmag.com/article2/0,2817,2380117,00.asp

  • Sun

    Nokia could have joined the Android platform and focused on making good hardware.

  • Taxiguy66

    The fly in the ointment is all phones should be password protected