That seemingly innocuous mug shot of 1980s pop star Rick Astley circulating wildly on jailbroken iPhones shortly before Christmas last year may be a harbinger of a more serious menace for businesses offering mobile payment services, according to Ovum, a British technology market research firm.
Cell phone-based pranks may be irritating at worst right now, but they could be a “wake-up call” for banks and organizations offering mobile payment services, said Graham Titterington, principal security analyst at Ovum.
Most malware has been “just demonstrated as proof of concepts and no particular mobile banking examples have been spotted in the wild,” he said. “However, we see a lot of potential mobile banking threats.”
Banks should work with mobile network operators and handset vendors to improve security, according to the analyst. In addition, they should plan for “living with malware” and always assume the possibility of an attack.
Mobile money transfer mania
With the growing adoption by consumers of more powerful smartphones, banks and other businesses have lost no time in developing mobile banking and payment applications.
In Canada, ING Direct introduced banking apps for the BlackBerry, iPhone and iPod Touch in March. The Canadian Imperial Bank of Commerce came out with its own banking apps for the iPhone a month earlier.
Online payment firm PayPal also released in March a peer-to-peer cell phone-based payment tool called PayPal Send Money.
Mobile banking and mobile money transfer systems are inherently vulnerable because their security currently falls short on two flanks: the hardware and the network.
“Mobile devices are easily stolen, lost or hacked and are typically used in situations that are inherently less secure than when a person is sitting in an office or in front of a home computer,” said Titterington.
Mobile banking interfaces also run more risk of being breached, he added.
“Mobile networks and their transmissions may be intercepted either by breaking the wireless encryption mechanism or by hacking into the wired backbone where encryption is not mandatory under telecommunications standards.
“IT malware that is harmless in the wireless environment may be passed through mobile banking interfaces and compromise back-end servers,” Titterington said.
Recently, the Russian Internet security software vendor Kaspersky Lab reported encountering five Trojan attacks against mobile financial transfers in Indonesia, he added.
In 2009, BlackBerry users in the United Arab Emirates became victims of mobile marketing malware that could be used to capture phone users’ information, Titterington said.
All quiet on the Western Front
Despite these instances abroad, security analysts report that virulent mobile attacks are hardly heard of in North America.
With the growing use of Internet-enabled phones, particularly Apple’s iPhone and RIM’s BlackBerry, Mikko Hypponen, Chief Research Officer for security vendor F-Secure Corp., sees more opportunities than ever for malicious activity. But, surprisingly, he sees a quiet mobile malware landscape at the moment.
“It’s quite quiet on the mobile side. We now have over 400 known mobile phone viruses and Trojans, but most of those target the older smartphone systems,” he said. “Most of the current systems have improved built-in security.”
Hypponen believes the most likely mobile risk today isn’t mobile viruses or Trojans, but mobile spying tools like FlexiSpy, Neocall or Mobile Spy. These commercial tools run fine even on the latest versions of Symbian, Windows Mobile or BlackBerry mobile operating systems, he said.
Brenda Rideout, head of marketing for ING Direct Canada, assured the bank’s clients that its mobile banking system is secure.
“Security is very much a priority for us. Apart from adhering to banking industry security standards we have made efforts to ensure our mobile banking,” she says.
For instance, she said, ING’s mobile banking application only works with browsers that use 128-bit encryption.
Rather than relying on passwords alone, ING also makes use of passphrases and user-chosen images. As users are setting up their mobile banking account they are asked to choose a security phrase or an image from ING’s image bank.
When the user logs into the ING mobile banking site, the user must see this phrase or image, said Rideout. “If the chosen image or phrase doesn’t appear that is an indication that the user is being phished and may have entered a bogus site.”
As an added security measure, the IP address of the user’s machine is also registered by ING. When a user logs into the ING mobile banking site from a different machine, they are asked a security question.
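The two-stage login just described, as an added illustration rather than ING’s own code: the enrolled phrase is shown once the username is known, and a login from an unregistered IP address must answer the security question before that address is added. The user record, the password and answer hashing, and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

def _h(value: str) -> str:
    # Constructed helper: hash secrets so the record never stores them in clear.
    return hashlib.sha256(value.encode()).hexdigest()

# Constructed user record (an assumption, not ING's data model): phrase chosen
# at enrolment, hashed password, security question with hashed answer, and the
# client IP addresses already registered for this account.
USERS = {
    "alice": {
        "site_phrase": "blue heron",
        "password_hash": _h("hunter2"),
        "security_question": "Name of your first pet?",
        "answer_hash": _h("rex"),
        "known_ips": {"203.0.113.7"},
    }
}

def site_phrase_for(username: str) -> Optional[str]:
    """Shown after the username is entered and before the password is asked.
    A bogus site cannot reproduce the phrase, so its absence is the user's cue
    to stop. Note that this lookup also reveals whether a username exists,
    so deployments pair it with rate limiting."""
    user = USERS.get(username)
    return user["site_phrase"] if user else None

def login(username: str, password: str, client_ip: str,
          security_answer: Optional[str] = None) -> str:
    """Return 'ok', 'challenge_required' or 'denied'.
    A registered IP proceeds on the password alone; a new IP must also answer
    the security question, after which the IP is registered."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password_hash"], _h(password)):
        return "denied"
    if client_ip in user["known_ips"]:
        return "ok"
    if security_answer is None:
        return "challenge_required"
    if not hmac.compare_digest(user["answer_hash"], _h(security_answer)):
        return "denied"
    user["known_ips"].add(client_ip)
    return "ok"
```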
Titterington of Ovum recommends that banks and financial firms using mobile transfer apps routinely check the security of mobile payments more rigorously and consider offering to reverse payments made in error “even if fraud is not proven.”
He said financial institutions should practice defense-in-depth strategies that ensure the mobile handset, backend servers and data transmissions are secured.
For instance, handsets should have authentication or remote shut off mechanisms to prevent accounts from being hacked when the device is stolen.
On the back end, fraud detection systems that monitor transactions and flag potential fraud, similar to those already used for online banking, debit card and credit card transactions, should be deployed.
Rideout of ING also encourages users to keep their browsers and phone operating systems up-to-date to benefit from the most recent security patches.