Peter Li, co-founder of Atlas Wearables Inc., liked the virtual wallet one of the company’s partners built into his fitness bands for a demo earlier this year.
“You just walk up, wave your wristband,” said Li, who’s also CEO of Austin-based Atlas. “There’s a huge application for what a wrist tracker can do for buying things within the gym, getting gym access.”
Yet Atlas, which makes bands that monitor users’ workouts, is still debating whether to add the payment capability to its next-generation products – partly due to security concerns. As smartwatches, bands and other wearables multiply and more include payment functions, the potential for theft and hacking grows. Right now, there’s little agreement about the best way to proceed. Companies are testing a variety of tools, from pairing devices with phones to measuring a user’s heart rate for verification.
“I have to think a while to think of a single wearable that’s truly secure from end to end,” said Brian Witten, a senior director at Symantec Corp., which sells cybersecurity software.
Users like the convenience of having their wallets on their wrists. At Walt Disney World in Orlando, Fla., tourists wave their MagicBands to pay for food or get into their hotel rooms. A jogger or worker wearing an Apple Watch doesn’t need to carry cash or a credit card on a run or lunchtime walk.
Researcher IDC predicts shipments of wearables will grow more than fourfold to 237 million units in 2020 from about 80 million this year. Between 30% and 40% will have payment functions in 2019, compared with 2% today, said Roger Kay, president of Endpoint Technologies Associates Inc.
With hundreds of companies jumping into the business, security and privacy protections vary widely, and even the most trusted companies aren’t risk-free. Immediately after Apple Pay made its debut in 2014, fraudsters used stolen credit card data to make purchases. Apple Inc. and its bank partners have tightened controls over the service, which lets consumers pay by tapping their iPhone or Watch on a store terminal, and reduced this type of fraud.
Still, opportunities for theft will grow with the industry. For starters, wearables are among the least secure of all smart devices. While many phones require a fingerprint to OK a payment, 69% of wearable-device owners don’t bother setting up a password for the products, according to a survey released in March by identify-management provider Centrify.
“The devices themselves can be compromised,” Witten said. “They can be used to track users, even halfway around the world,” potentially letting would-be burglars know their intended victims are on vacation. Symantec’s research shows “the majority” are vulnerable to breaches, he said.
Last year, some accounts of Fitbit Inc. users were compromised because the wearers used the same usernames and passwords on a number of websites, according to a report by security blogger Brian Krebs.
Fitbit had since started monitoring user activity patterns: If someone’s behavior changes dramatically, that’s a sign the account has been compromised, Marc Bown, senior security engineer, said. The company can alert the user, get passwords reset and contact law enforcement. Fitbit’s gadgets don’t make payments right now, but might one day.
“We are always exploring additional things, potentially including payments,” Eric Friedman, the company’s chief technology officer and co-founder, said.
Wearables makers are using a variety of tools to authenticate users. Some require that a paired smartphone be nearby. Others are trying to match a user’s gait or heart rate to one on file to ensure the device hasn’t been stolen. The heart-beat technology still has a ways to go to be reliable, said Angela McIntyre, a Gartner Inc. analyst.
In January, MasterCard Inc. began working on wearables security with the payment startup Coin, maker of an all-in-one connected card that holds account data on everything from store accounts to loyalty plans. Coin’s technology can add payment capabilities to wearables like Atlas’s bands, while MasterCard allows the payment to go through without the exchange of sensitive card information.
“We are talking with lots and lots of partners in this space. It’s generated a ton of interest,” Sherri Haymond, a senior vice president at MasterCard, said. The first devices using its secure payment service should come to market this year.
For its part, Fitbit is sending its security team to hacker conferences like Black Hat, and trying to educate consumers about securing their data. Atlas’s Li is still thinking about whether to add payments to his devices. “It’s experimentation,” Li said. “Reliability of the tech and security is very important to us.”
By Olga Kharif