PayPal says mobile risks still far off

Smartphones are taking off in a big way but it'll still be some time before there are any significant mobile security risks, online financial service provider PayPal says.

With more than 15 software operating systems out there including Nokia's Symbian, Google's Android and Microsoft's Windows Mobile smartphone users are at low risk of being targeted by big malicious attacks like those found on computers, said Andrew Nash, senior director of identity services for the online payment company.

"The variety and complexity that's involved makes it very difficult to formulate a large-scale attack that's likely to return a whole lot," he said. "The complexity level alone is going to make this a hard target to attack."

Global smartphone shipments are expected to total more than 180 million this year, or about 17 per cent of the total cellphone market, according to a recent report by Techno Systems Research.

Individuals could lose their deviceand the valuable information on it, or have it stolen, but it will still be severalyears before there are enough smartphones to attract hackers and thieves en masse, Nash said.

In the meantime, handset makers and security-oriented firms are developing encryption, authentication and identification system for when the attacks inevitably come.

"We're not looking at a six- to 12-month time frame, we're looking out four to five years," he said. "If you're too far ahead of the curve, the cost of actually implementing this doesn't correspond to what the bad guys are trying to do."

Seeking single user ID

Nash was in Toronto on Tuesday to give a keynote speech at the third annual SecTor conference, Canada's version of DefCon, which is a meeting of "black hat" security professionals and hackers.

During his address, he pushed PayPal's idea of creating a "single user identity," which could replace the dozens of passwords and logins the individual web surfer typically has to remember.

The single identity would hold all of the user's information that he or she chooses to disclose, then giveinformation to websites on a need-to-know basis. One example, Nash told CBCNews.ca, might be a site that requires age verification.

"If someone like Wine.com wants to know whether you're allowed to purchase wine, what we'd like to do is rather than give them you saying, 'Here's my date of birth' ... we can say, 'Yeah, he's over 21, that's all you need to know,'" he said. "So PayPal is advocating on the consumer's behalf."

PayPal, which is owned by auction site eBay, is also looking to expand beyond its roots by getting other e-commerce sites and individuals to adopt its service. PayPal can draw money from a user's bank account, thereby allowing online transactions without a credit card.

Some retailers, including Dell Computer, La Senza and Tiger Direct, have already signed on.

"From a merchant's perspective, you're not losing the customer relationship, you're just simplifying the checkout process," said Darrell MacMullin, general manager of PayPal Canada. A lot of merchants don't want to store customer's information, so "it's a win-win for them."