Consumers love alternatives, especially if the alternative is easy to use and already part of their everyday life. However, most consumers who undertake e-commerce using their mobile device are woefully unaware of the risks. Even when they are aware, there tends to be an ‘it-will-not-happen-to-me’ response. We are in some ways in the technological dawn of anywhere, anytime e-commerce, where we have the freedom and the toys to use, but process and control are lagging behind. The need is to create a safe environment on the device that enables secure communication between the parties and maintains the integrity of the transaction.
The challenge is that it has been a bad week for mobile devices, both Apple and Android based. Firstly, the recognition that the open application development platform for Android devices poses a security threat to mobile devices. For sure, the environment creates a fantastic platform for developing applications, which, alas, also makes it a great platform for developing malware! The recent announcement uncovering more malware posing as applications within the Android marketplace highlights the risks involved in using these devices for mobile commerce.
Secondly, it’s not always the bad guys causing the concern. The acknowledgement that software from Carrier IQ is placed on many mobile devices by the carriers themselves has caused the authorities to start asking serious legal questions in both Europe and the USA. The software gathers information about web usage, text messages and location and, according to one developer, actually captures keystrokes. All this data is stored on the device and uploaded to the company’s servers, again creating a gold mine of information with the potential for compromise.
Simply put, security on mobile devices is in its infancy and needs to be bolstered with third-party tools. A simple method is the use of a token that delivers a one-time code for the session or transaction. Some web-based services use these, and they need not be expensive if using something like YubiKey. Another alternative is to use additional client software on the mobile device that creates a secure area called a sandbox. This permits the e-commerce session and data to be encrypted and ring-fenced, or, if needed, the mobile device to be disabled if compromise is suspected. An example of this client software would be DME from Excitor.
In short, mobile devices are insecure, but using third-party tools, simple processes and common sense they can be made safer. All early technologies go through these phases, and the end user needs to understand the risk and be presented with options to control the risk, either forced or optional.