That authentication might be biometrics (the phone can scan the buyer's facial shape, match a voiceprint or do a retinal scan, although preferably not a fingerprint) or a one-time-password fob or even—for the ultimate simplicity—a rotating series of personal questions, so that shoulder-surfing wouldn't work. Even Square and SMB PayPal trials are using customer photos for verification. But with in-store mobile purchases now going into widespread retail trials, it may be time for some real security. Or is the absurdity of signature verification not enough to motivate anymore?
Is it time to insist that mobile devices have some type of authentication beyond a PIN? The frightening scenario: A thief watches a shopper making a mobile purchase at the mall and shoulder-surfs his 4-digit PIN. The thief steals the phone, walks into a store, buys a $5,000 necklace with that phone and that PIN and then dumps the phone into a trash can.