Mobile Security: The Downside Of The mPayments Revolution
Mobile payments are becoming increasingly popular as consumers have come to expect and demand multi-channel banking experiences, flexibility and accessibility from their smartphones and tablets. Mobile wallets provide unique experiences for merchants to build loyalty and consumers to pay with ease, and mPayments acceptance provides opportunities for acquirers and issuers as well.
But there’s another group provided opportunity by mobile payments – fraudsters and hackers – and the threat they poise to consumers and merchants alike is very real. PYMNTS.com spoke with Luge Pravda, senior vice president at NetNames USA, who explained some of the most basic types of mobile security breaches, if Apples devices are truly more secure than their Android counterparts and what consumers can do to protect themselves from harm.
PYMNTS.com: Please introduce yourself and introduce NetNames USA to us. What services does NetNames provide?
Luge Pravda: Luge Pravda, Senior Vice President at NetNames USA in New York. NetNames is a global specialist in online brand protection. NetNames protects its customers' brands online from a variety of threats, including counterfeit and unauthorized grey market sales; all forms of media, software and book piracy; and domain name cyber-squatting and email phishing. NetNames is also a leading vendor of website security certificates which protect customer and transaction data online. Our Brand Protection, Domain Name Management and Security services keep our clients one step ahead, and counter the multiple risks companies face online, protecting their customers, increasing their revenues, and optimizing their website traffic.
We know this is a time of huge mobile commerce growth, but unfortunately that means there’s a lot of new opportunity for fraudsters and criminals as well. What can you tell us about some of the risks that come with mobile commerce and payments, and how they’ve grown recently?
The modern consumer is extremely switched on and open to new, ever more convenient ways of shopping, banking, stock trading, and so on. I personally do more of my shopping and banking online than I do physically in brick and mortar stores. With innovation comes opportunity. Unfortunately, innovation is also a beacon for those who want to exploit it for illegal gain. Take Square, for example, a brilliant business model spearheaded by tech giant and Twitter founder Jack Dorsey. Square is used by businesses that want a new way of transacting with their customers, outside of the traditional banking payment platforms, and most importantly using a mobile device such as the ubiquitous iPhone or Android based phones. Of course, Square adheres to all the usual security standards for credit card payments. However, payment rival VeriFone has already claimed it would not take much for a rogue app installed on the iPhone to skim credit card data, something Square naturally refuted. And consider the Square-using vendor. How can you be sure the vendor's iPhone is running the correct Square app? Simply seeing the Square device does not guarantee its authenticity. And what about the website used to manage the Square account? The main website for Square is squareup.com (square.com is seemingly owned by someone else, who is forwarding traffic to Square’s main website, either by arrangement or license). Square does not own the domain names squarepayment.com or squarepayments.com, for example. What are the intentions of the owners of these domain names? Could they be used for future lookalike sites, or phishing emails?
Consumers need to be sure they understand the new payment methods: is that payment text message coming from your actual bank? Is that app the genuine bank app? Is that link a genuine link? As online consumers, we tend to be apathetic, gullible, and often without forethought. New payment methods simply create more opportunities for criminals to prey on these basic human characteristics.
I think that among many consumers the prevailing notion is that Android devices are less secure than Apple devices. Is that true?
This appears to be the common consensus within the security community, too. Security is always counterbalanced by accessibility. To make something ultra-secure you have to make it pretty much inaccessible. Consider a castle; now consider a castle and a moat, now consider that same castle with a moat at the top of a mountain - more secure, less accessible. The same is true of IT security. Mobile devices are all about accessibility, access to everything, all of the time and this may lead application creators to sacrifice security in lieu of rapid access and slicker delivery. Apple’s platform is considered more secure simply because it is less accessible, opting for a closed operating system and a walled garden App Store versus Android’s open operating system and web-based app marketplace (known as Google Play).
To counteract this, Google has a system called Google Bouncer, which patrols the marketplace for malicious apps, but of course hackers claim to have already circumvented this and it is a reactive rather than a pro-active security measure. That said, jail-broken iPhones are reported to be more prone to malware than factory phones -- and jail-broken iPhones were infected with a worm that exploited ING Bank users a few years ago, for example. While malicious apps sometimes make it through Apple’s vetting process, I think it is fair to say that Androids are more prone to malicious downloads simply because it is an open platform.
How do mobile fraud or cyber attacks usually occur? Do they infiltrate the device through apps, do they occur from using mobile web browsers, when you make a payment, etc?
Exploitation of the devices and operating systems is actually executed by the user but driven by the criminal. Would-be fraudsters need to somehow trick us into installing or accessing something we shouldn’t. The Eurograbber Trojan recently affected those European banks that use two-factor authentication with the use of SMS message codes to allow users to conduct online banking. And therein lies the apathy characteristic – the banks’ customers think they are using a thought-leading level of security – whereas in fact they were being compromised, and millions of dollars were stolen. The success of the criminal campaign hinged on the user blindly following instructions without question and doing something they shouldn’t have, such as clicking a phishing email, installing a desktop Trojan and later on being duped again into installing a smart phone security upgrade, which in reality installed the smart phone Trojan. So, unwittingly, now you have an infected desktop and smart phone and the criminal is all set.
It is the existence of a platform or a newly established but trusted payment method that breeds confidence in the consumer (and maybe even the vendor) to the point where, again, we exhibit the usual online characteristics of apathy, gullibility and not thinking ahead.
We debate the future of NFC frequently on our site, and one of its supposed calling cards is its inherent security. Do you believe NFC can help to solve any of the mobile payments problems we’ve spoken about today?
NFC seems to offer an exciting range of new opportunities for businesses and consumers alike. But again, that means a parallel range of opportunities to exploit our curiosity and desire to use new forms of technology. Sideloading – the passing of data from device to device – could become a new threat if the user has downloaded a malicious app, for example – and one where you may unwittingly have sat down right next to the criminal in a coffee shop!
Finally, give us a few steps consumers can take to protect themselves from becoming mobile fraud victims.
Online and mobile consumers can stay one step ahead of the fraudsters by asking themselves a few questions and exercising some common sense. Is this a genuine email or a phishing email? Does my bank usually send me SMS messages for any reason? Be suspicious. If something apparently valuable is “free,” ask yourself “why?” and if you have even the slightest suspicion, don’t download! And always exercise caution: at NetNames our advice to customers is “if something appears too good to be true, it almost certainly is.”