Blog article
See all stories »

How Safe is Your Mobile Wallet?

Consumers love alternatives, especially if the alternative is easy to use and already part of their everyday life.  However, most consumers who undertake e-commerce using their mobile device are woefully unaware of the risks.

Even when they do, there tends to be an ‘it-will-not-happen-to-me’ response.  We are in some ways in the technological dawn of anywhere, anytime e-commerce, where we have the freedom and the toys to use but process and control are lagging behind.   The need is to create a safe environment on the device that enables a secure communication between the parties that maintains the integrity of the transaction. 

The challenge is that it has been a bad week for mobile devices, both Apple and Android based.  Firstly the recognition that the open application development platform for Android devices poses a security threat to mobile devices.  For sure the environment creates a fantastic platform for developing applications, which alas, also makes it a great platform for developing malware!  The recent announcement uncovering more malware posing as applications within the Android marketplace highlights the risks involved using these devices for mobile commerce. 

Secondly, it’s not always the bad guys causing the concern.  The acknowledgement that software from Carrier IQ is placed on many mobile devices by the carriers themselves has caused the authorities to start asking serious legal questions in both Europe and the USA.  The software gathers information about web usage, text messages, location and according to one developer actually captures keystrokes.  All this data is stored on the device and uploaded to the company’s servers again creating a gold mine of information with the potential for compromise. 

Simply put, security on mobile devices is in its infancy and needs to be bolstered with third party tools.  A simple method is use of a token that delivers a onetime code for the session or transaction.  Some web based services use these and they need not be expensive if using something like YubiKey.  Another alternative is to use additional client software on the mobile device that creates a secure area called a sandbox.  This permits the e-commerce session and data to be encrypted and ring fenced, or if needed, the mobile device to be disabled if compromise is suspected.  An example of this client software would be DME from Excitor. 

In short, mobile devices are insecure but using third party tools, simple processes and common sense they can be made safer.  All early technologies go through these phases and the end user needs to understand the risk and be presented with options to control the risk, either forced or optional.   

7019

Comments: (4)

A Finextra member
A Finextra member 21 December, 2011, 08:30Be the first to give this comment the thumbs up 0 likes

"In short, mobile devices are insecure but using third party tools, simple processes and common sense they can be made safer."

But only to some degree ...

PC's are pretty mature these days, certainly no longer in their infancy. Today, people have a bewildering number of options and third party tools to choose from, but security on PC's is even in a worse state - mainly due to a long history of sophisticated malware development. Antivirus software effectiveness is actually deteriorating, and there is little hope for better PC security in sight ...

A Finextra member
A Finextra member 21 December, 2011, 08:42Be the first to give this comment the thumbs up 0 likes

I think Gerhard's comments are accurate and reflect my view.  Devices can be made 'safer' and I think the key word here is 'safer' rather than 'safe'.

There are many ways to compromise devices, be they technical or social engineering, but I think we have to build the fences that make it more difficult for the attacker to succeed or at least make it not worthwhile for the return. E-commerce depends on trust and integrity at multiple layers and if we as security experts want to help this growth we have to put those fences in place.

Mind you, I wonder how long it will be before we really focus on the main weakness, the end user!  Maybe soon we will see education at school level in basic IT and security skills, much the same as Maths is taught.  I hope so. 

Brett King
Brett King - Moven - New York 23 December, 2011, 00:32Be the first to give this comment the thumbs up 0 likes

Martin,

But isn't this all relative?

The title of your post leads me to think about how safe my physical wallet is/isn't. Compared with the mobile, even with it's shortcomings, my wallet is not even close to being as 'safe' as a mobile wallet. A plastic card is far easier to corrupt and steal than the capabilities required to hack a phone through vulnerabilities. 

Or am I missing something?

Brett King
BANK 2.0 

A Finextra member
A Finextra member 23 December, 2011, 08:06Be the first to give this comment the thumbs up 0 likes

Hi Brett

Yes, relative is a good word to use. However, there are some interesting differences that I believe could be debated.  If someone compromises your card it is often easier to identify it and the compromise is limited to that one item (OK, I guess you could lose the entire physical wallet!).  The subtlety with a mobile wallet compromise is in the breadth, depth and visibility of the compromise.  If my mobile wallet is compromised this may bleed over into other financial accounts accessible through the wallet, access to my personal directory, access to other passwords and the loss of key personally identifiable information.  My whole life could be on display if the mobile wallet is compromised.  Secondly, if the attacker was smart, they could sit on your device for some time learning your buying patterns and waiting for the right moment and if they were smarter they would try and hide the purchases inside one of your own busy periods or buying patterns.

Yes, it may be harder for the average man to compromise a mobile wallet than steal a piece of plastic, but that is exactly why the attackers are organised into teams (the coder, web master, guy on the street etc).  I think that as e-commerce makes it into people pockets, this will be the new crime target.

And on that point, in reflective mode, it’s kind of funny that we are probably discussing the same crime that Victorians were discussing over 100 years ago, just the vectors have changed.

Happy Holidays

 

Blog group founder

Retired Member

Member since

19 Mar 2009

Location

Blog posts

5,626

Comments

6,042

This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...


See all