Thursday, 8 January 2015

Why complexity is always the enemy of good design

I was reading an article about why mobile payments hadn't taken off and why, in the words of the article, they would soon succeed. People quote ApplePay and other attempts to infiltrate the market, but all of these are currently fighting a losing battle. I can't find the exact article I was reading but there are loads of them out there!

ApplePay doesn't actually bring anything new to the market other than Apple's name and brand and perhaps a bit of marketing muscle; otherwise it has the same problems as everyone else.

The article said that the barrier to uptake was security, but I don't actually think that's true. Consider magnetic strips on older credit cards and even chip-and-pin, which wasn't reviewed and which, as some have said, is therefore not really very strong: we still use (or used) them because they were a definite advantage over cash in certain situations, namely:

  1. Paying for high value goods didn't require a briefcase full of cash
  2. When cash is stolen, it is usually irretrievable. Cards can be blocked fairly easily.
  3. Credit companies insure most of your purchases, including fraudulent ones.
  4. You can pay for stuff remotely e.g. over the phone or internet
  5. Compared to cheques, the receiver knows that they will receive payment

So, I think we choose to use things that give us an advantage over the current system. Against that, there are certain practical barriers to using mobile payments:

  1. Shops need the kit to handle them - most don't even have credit card proximity readers
  2. Customers need smart phones
  3. Mobiles will generally require a data connection to be available - good luck at Tescos
  4. The customer will need to set up 1 or more potentially incompatible apps

But even if those barriers were suitably overcome, there are still reasons why a mobile payment does not really cut the mustard for us, the users.

  1. I don't really have a problem with my credit cards, they work, generally quickly
  2. I need my wallet when I go shopping anyway since it contains store cards, cash and cards. This way, I also need to remember my mobile
  3. What if my phone is faulty or the battery has run out? No purchases for you, son!
  4. If it isn't working, the responsibility is now blurred. Is my phone working? My data connection? The payment app? The shop's reader kit? At the moment, there is a card and a reader. I have never had a problem working out what is wrong. Doesn't work? Try another card.

There are of course a whole raft of security issues when it comes to mobile payments. I have found similar problems creating mobile apps. The mobile device is in the red zone: I have limited control over the software on it and over how it might be modified or corrupted, intentionally or due to hardware problems, and I cannot protect anything on the device unless it has a Secure Element, something lacking on many smart phones. What does this mean? It means that people can potentially work out how an app works and then either put some malware on a phone that watches the process and sends the data to an attacker, or perhaps find a hole in the process that lets an attacker create fake transactions and get money from the banks. This is much easier to do than it is to clone cards, and some attacks wouldn't even require the attacker to steal the phone: they could potentially install malware over USB, Bluetooth or NFC, or otherwise via a malicious website that the user visits on their mobile, none of which you can do with a credit card.

What the mobile payment providers are suggesting is a complex raft of design, counter-measures, fraud detection and insurance in order to make it work, but complexity is always the enemy of good design. Sure, some technology is complex in one sense, but things work well when the complexity has been tested as a unit and a simple interface is then provided to the user. In the case where there are various players, various communication links, various design decisions (mostly taken behind closed doors) and a whole lot of trust, I think it is just another problem waiting to happen. We have seen so many high-profile security failures in large organisations that we cannot trust people to safely look after anything more than the simplest systems.

That said, I still don't see people wanting to implement a new system that is generally slower and more fiddly than credit cards just because some bank or whatever can potentially save some credit card transaction fees.

What we really need is something to replace the, now pointless, credit system where people like Visa and Mastercard charge a fortune to do little more than provide credit. Their networks are defunct now that we have an internet to most retail premises, certainly in the Western world. I think these companies would be better off creating their own shared credit network which would run not-for-profit and take payments directly from banks for a fraction of what current credit cards charge.

