In the past few years, we’ve seen point-of-service payment card hardware and software capabilities extend from an enterprise level (proprietary systems) to a small business level (financial institution-backed merchant accounts) and finally to an individual level (web and mobile payments). And it makes sense; despite the growing popularity of e-currency, most people with a bank account have access to a credit/debit card and aren’t afraid to use it. And with each step of maturity, the technology surrounding payment cards gets more and more diverse and open to innovation.
Jumio’s Netswipe is a new twist on entering payment card data online. Instead of swiping or typing, you essentially stream an encrypted video capture of yourself holding up your card. I’m assuming some OCR and heuristics on the other end translate those video frames into the actual card number. The resulting experience has the benefit of being keyless (immune to keystroke loggers), unsniffable (due to the encrypted stream), and easier than typing it out. The security benefits are complemented by the claim that the whole service is compliant with the PCI-DSS.
Yet, despite these kudos-worthy achievements, what new avenues are being slowly opened for exploitation by taking the tech in this direction? For example, when making purchases, I know what to look for to tell if I’m on a secure site (https and valid server certificate). But how do I quickly verify that my encrypted video stream isn’t being tampered with? If photo/video-enabled authentication becomes the standard, will phishing be just as lucrative on these new platforms? What about trojan’d hardware (webcams in this case)?
Innovation, especially in technology, can develop and mature despite a generally shady understanding of future implications. Sometimes, potential concerns are simply noted in passing, as if to say “we’ll cross that bridge when we get to it.” Other times, they are met with vehement resistance as issues of ethics and morality get debated. But I suspect the most interesting issues, the type that manifest themselves long after a technology has been adopted by society, are ones that were never even considered in the first place.