PayPal Closes Security Hole, But Now How Can It Get iPhone Users To Upgrade?

Success in mobile commerce depends on getting millions of copies of smartphone apps to customers—which is great if you get the details just right. But last Thursday (Nov. 4), PayPal had to rush out a new version of its mobile payments iPhone app. The old version—which has been downloaded more than four million times since its April release—turned out to have a security hole that could let a thief trick a user through a "man in the middle" attack. PayPal says it will cover any customer losses from fraud due to the security flaw.

That's great for PayPal users. For PayPal, it's a problem. The success of its iPhone app means there are millions of users at risk. And PayPal's promise to reimburse any fraud loss related to that risk means there's nothing to motivate users to upgrade from the old version that, to users, seems to be working just fine. Result: All the risk is on PayPal—and the only way to get out from under that risk is to irritate its customers.

The security problem with the iPhone app was easy enough for PayPal to repair. The app neglected to confirm that it was actually connected to the PayPal Web site before doing any business. The app should have done that by checking the PayPal site's digital certificate. The failure was spotted by security research firm viaForensics, which announced the problem the same day PayPal rolled out its fix and said the Android app and PayPal Web site don't share the problem.

That failure to check the certificate creates the risk of a "man in the middle" attack, in which a thief sets up a public Wi-Fi hotspot that includes a phony PayPal Web site in a place where users might connect to it—say, an airport, train station or shopping mall—and then waits for victims to discover the hotspot and log in. It would be a low-percentage attack, and PayPal says it hasn't detected any fraud. But it's a real risk, especially with a recent wave of hacking software for public Wi-Fi networks that are designed for almost anyone to use.

Now PayPal's challenge is to get users to download the new app. That may not be easy. The new version doesn't have any compelling new features. Except for the quickly patched security hole, it's exactly the same as the old version. There's nothing to encourage users to upgrade—a process that requires time and bandwidth for users, and always comes with the nagging fear that something will go wrong. With a cost that users care about and no benefit they can see, why should users upgrade? That's the problem PayPal faces four million times over.Of course, there's an obvious way to force users to upgrade: Just stop allowing the insecure iPhone app to do mobile payments. When a user tries to use the outdated version of the app, instead of being able to check a balance or transfer funds, the app could just inform the user that he must upgrade his app or he can't access PayPal from his iPhone.

If that sounds like a logical approach to the problem—well, yes, it is. Now just imagine four million users getting messages telling them they can't make the purchase or payment they want to make right now because they can't transfer funds into PayPal—not until they spend a few minutes downloading an upgrade. That would make four million very unhappy PayPal customers.

And that's a very M-Commerce-specific problem. With E-Commerce, each customer has a Web browser talking to an E-tailer's Web site. If there's a security hole in the browser, only one piece of software on the customer's PC has to be upgraded (and that upgrade usually improves security for many Web sites). If the security flaw is in the Web site's code, that can be patched once, and it improves security for all customers everywhere.

But mobile commerce depends on smartphones containing dozens or hundreds of apps. Each app may have security holes. Upgrading the app only solves the problem for that app. And the problem clearly lies not with a browser maker like Microsoft or Firefox or Apple but with the M-Commerce retailer whose name is on the app.

That's pretty likely to annoy users. And any heavy-handed attempt to nudge them into upgrading to a version that doesn't offer the customer any new features is sure to irritate them even more.

For the customer, it's a tradeoff between security and convenience. And in the PayPal case, there's no cost to the user in insecurity. The most convenient thing for users is to be insecure.

For the M-Commerce retailer, the tradeoff is between security and customer satisfaction—and there is a real cost attached to both sides. But short of a new killer feature that gives customers a real reason to upgrade, it's a tradeoff without a good solution.