Startup Spotlight: Invisible Payments, Invisible Hacks

Invisible payments are convenient…until they’re not.

From paying for groceries through Apple Pay to paying for a ride on Lyft, many popular services today require nothing but a phone – no need to pull out a credit card or sign a receipt. It’s almost like not spending money at all. Yet just because these payments can’t be seen doesn’t mean they aren’t at risk.

In fact, according to Rusty Carter, VP Product Management, Arxan, it can be even harder to keep these payments safe because they can’t be seen.

Hackers, he explained, can insert malware into mobile apps and intercept user information such as credit card numbers and login credentials, just as invisibly as these payments are made in the first place. Companies often don’t realize they’ve been targeted until they register losses.

Companies put a lot of emphasis on security with features like multi-factor authentication, Carter said, but that’s like putting extra deadbolts on the front door while leaving the back door wide open. He said that criminals are opportunistic and look for vulnerabilities in mobile apps so they can attack at scale. Passwords, security questions, and even biometrics can’t protect users from that sort of attack — because it’s coming from inside the app itself.

The call is coming from inside the house, so to speak.

Today, banking, payments, gaming, media, entertainment, and medical devices are some of the primary targets for criminals, who often hold accounts or devices hostage to extract ransom money from individuals or hospitals.

Criminals may appear to be targeting a specific bank, said Carter, but they are not stealing money from the bank itself. Rather, they’ve found an insertion point in the bank’s mobile app and are using it to steal from individual customers of the bank. They do this by reverse-engineering unprotected mobile apps – and again, their presence is invisible as they do this.

That’s the problem that startup Arxan aims to solve. Carter explained that the company’s technology “protects apps from the inside out” by tweaking the code to make it harder to reverse-engineer. Arxan also sets “traps” in the code so that, if someone does try to tamper with it, it raises the alarm so that the problem can be remediated instantly.

Carter said that even the best software developers leave gaps in mobile apps — not because of negligence, but because it takes a whole separate type of programming to make code uncrackable. Even a perfect app can be plugged into a debugger and disassembled into pieces that a cybercriminal can use to commit fraud.

Arxan uses cryptography, obfuscation, active protection and other methods to make this much harder to do. The startup's technology can also detect when a fraudster runs the app under a debugger or inside an emulator, the two tools most commonly used to study an app's behaviour while it executes.

Carter explained that Arxan also destroys parts of the app during the development process so that those pieces of code are only reassembled at the exact moment they are needed to function. That way, if a hacker tries to reassemble the software, it simply won’t work.
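To make the three ideas above concrete (a runtime "trap" that detects debugging, an integrity check that raises the alarm when code has been patched, and a sensitive routine that exists only in encrypted form until the moment it is called), here is a small added example. It is illustrative code written for this article, not Arxan's product code, and nothing here describes how Arxan's own implementation works. It assumes a Linux /proc filesystem for the debugger check, uses a constructed XOR keystream where a real scheme would use a proper cipher with a key derived at runtime, and the functions `authorize_payment` and `sign_request` are hypothetical stand-ins for sensitive app logic.

```python
"""Illustrative app self-protection: debugger detection, an integrity trap,
and just-in-time reassembly of a sensitive routine.  Added example for this
article; not Arxan's code.  Assumptions: Linux /proc/self/status for the
debugger check, and a demo XOR keystream standing in for a real cipher."""
import hashlib
import marshal

# --- 1. Debugger detection (assumption: Linux /proc/self/status) ----------
def tracer_pid(status_text: str) -> int:
    """Parse the TracerPid field of /proc/<pid>/status.  A non-zero value
    means a ptrace-based tool (gdb, lldb, strace, an injector) is attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0

def is_being_debugged() -> bool:
    try:
        with open("/proc/self/status") as f:
            return tracer_pid(f.read()) != 0
    except OSError:          # no /proc (not Linux): cannot tell, report False
        return False

# --- 2. Integrity trap: notice when a sensitive function has been patched --
def fingerprint(func) -> str:
    """SHA-256 over the function's compiled bytecode; a patched copy differs."""
    return hashlib.sha256(marshal.dumps(func.__code__)).hexdigest()

def authorize_payment(amount_cents: int, limit_cents: int) -> bool:
    """Hypothetical sensitive check an attacker would like to short-circuit."""
    return 0 < amount_cents <= limit_cents

# Recorded at build time; in a real app this value is embedded in the binary.
AUTHORIZE_EXPECTED = fingerprint(authorize_payment)

def integrity_ok(func, expected: str) -> bool:
    return fingerprint(func) == expected

def tampered_copy():
    """Simulate an attacker's patch: approve every payment."""
    def always_true(amount_cents: int, limit_cents: int) -> bool:
        return True
    return always_true

# --- 3. Just-in-time reassembly of a code fragment -------------------------
KEY = b"\x5a\xa5\x3c\xc3"    # constructed demo key; a real scheme derives it at runtime

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy keystream cipher used only so the example stays self-contained."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Only the encrypted form of the routine is "shipped"; the plaintext source
# is deleted so a static disassembly of the module never sees it.
_SENSITIVE_SRC = (
    "def sign_request(body: bytes, secret: bytes) -> str:\n"
    "    import hmac, hashlib\n"
    "    return hmac.new(secret, body, hashlib.sha256).hexdigest()\n"
)
ENCRYPTED_SENSITIVE = xor_bytes(_SENSITIVE_SRC.encode(), KEY)
del _SENSITIVE_SRC

def call_sensitive(name: str, *args):
    """Decrypt the routine, run it once, then drop it again."""
    namespace = {}
    exec(xor_bytes(ENCRYPTED_SENSITIVE, KEY).decode(), namespace)
    try:
        return namespace[name](*args)
    finally:
        namespace.clear()

if __name__ == "__main__":
    print("debugger attached:", is_being_debugged())
    print("authorize_payment intact:", integrity_ok(authorize_payment, AUTHORIZE_EXPECTED))
    print("patched copy intact:", integrity_ok(tampered_copy(), AUTHORIZE_EXPECTED))
    print("signature:", call_sensitive("sign_request", b"amount=500", b"demo-secret"))
```

Each of these checks is individually bypassable by an attacker who can read and patch the code (a debugger check can itself be NOP-ed out, and the decryption key must be somewhere in the app), which is why the article describes layering obfuscation, cryptography and active detection rather than relying on any one of them.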

Arxan started out in 2001 as a PhD research project at Purdue University with the goal of protecting software in hostile environments. This was spurred by the loss and subsequent recovery of a U.S. spy plane, the software of which had been reverse-engineered by adversaries, putting military secrets at risk. In 2010, Arxan sold off the defense technology unit and pivoted to protecting commercial applications in mobile and IoT environments.

Consumer trust is at an all-time low when it comes to data and payments security, thanks to a seemingly endless string of data breaches and hacks. But trust has always been one of the most important facets of a brand’s relationship with its customers, and that is still true today. Carter believes that this sort of protection can really be a differentiator for banks and payment providers, especially if they are transparent about the approach they are taking to security. Vigilant consumers will take note.