
Why smartphone users and developers should fear hackers

Analysts predict an increase in malware – malicious software – and other security threats that hackers spread through mobile devices, especially as sales of smartphones continue to explode worldwide.

While mobile viruses have been uncommon to date, hackers do have the ability to exploit mobile security, per Frost & Sullivan. Given that mobile users are increasingly surfing the Web, as well as downloading and using applications, many in the industry are not surprised to see a growth in malicious activity.

“TRUSTe believes that mobile apps and Web sites should only obtain information appropriate for the service provided,” said Janet Jaiswal, director and mobile product manager at TRUSTe, San Francisco. “In addition, sensitive information such as geolocation, credit card info and social security number should be encrypted before it is transmitted.”

NFC to lead to enhanced security?
Independent technology analyst Ovum has urged banks to understand the vulnerabilities in mobile payments at every level of their infrastructure. A strategy of “defense in depth” is necessary to ensure the integrity and success of the mobile financial services sector.

Companies such as Roamware have offered similar advice.

Last July, Citigroup Inc. responded quickly to correct a security flaw in its mobile banking application for iPhone, and the problem seems to be an isolated incident, not an alarming trend.

In addition, the emerging deployment of smartphones with near field communication and associated security processors for contactless payment may have other applications – as a security kernel for implementing hardware-based security protections on mobile devices, per Inside Secure. 

“As such devices are open, particularly in the Google ecosystem, they do expose hacking threats, which are best buttoned up via hardware protections,” said Charles Walton, Boston-based chief operating officer of Inside Secure. “These security processors, called Secure Elements, have the highest levels of security used in banking, passport and other ID applications – providing support for authentication, encryption and digital signature services. 

“As well, data can be stored securely and applications securely executed within these security microprocessors,” he said.

“This is particularly appropriate to security suites that require a sound ‘touchstone’ of security for proper integrity of operation – for login/password secure storage, for authorization controls, for secure execution of applications and for secure updates.”

Human error
A recent New York Times report cited a case from September when a virus infected 1 million-plus mobile phones in China.

Ironically disguised as an anti-virus application, the virus known as “zombie” let hackers access the phone’s SIM card and automatically send spam text messages to people listed on the phone’s address book, per the Times.

Many of the points made in the New York Times article are valid, according to mFoundry Inc., the company that powers Starbucks Card Mobile applications.

“It doesn’t surprise me at all that non-banking mobile applications fail to take security seriously,” said Rodney Aiglstorfer, cofounder and chief technology officer of mFoundry Inc., Larkspur, CA.

“At mFoundry, security is key to our business, and we are very diligent in our security testing efforts—but for solutions that aren’t security-focused, there is a serious issue,” he said. 

The weakest link in just about any security model is the end-user. Users tend to reuse credentials and passwords across services and platforms.

“When a user’s Groupon account is compromised, and the credentials used are the same as those for their banking service, that user is at serious financial risk,” Mr. Aiglstorfer said. “For this reason, education is the best weapon.

“The simple act of using a unique password that is only used for their banking account will go a long way to protecting that user’s financial data,” he said.

Dan Butcher, associate editor, Mobile Commerce Daily