Q&A with Gareth MacLachlan, AdaptiveMobile

AdaptiveMobile is a major business in mobile security, enabling trusted networks for the world’s largest operator groups and protecting one in six subscribers globally. AdaptiveMobile provides operators with comprehensive network-based security solutions, enabling them to protect their consumer and enterprise customers against the growing threat of mobile abuse.

Here, Gareth MacLachlan, CEO at AdaptiveMobile, talks about what security issues we need to be aware of when using mobile payments.

MMX: What are the general mobile security issues that people using mobile payments should be aware of?

GM: We’re undoubtedly at the beginning of a revolution in how we pay for things. However, as with all advances in technology, this comes with a new set of challenges.

To put this into context, there are 1.6 billion bank account holders globally, but five billion phone subscriptions, and analyst Berg Insight predicts this figure will increase sixteen-fold by 2015. Mobile phones provide a direct link to prepaid credit or billing, and so mobile payments and mobile banking have become increasingly popular. However, because of this, they have also become an increasingly popular revenue stream for criminals.

The security risks, whether they be SMS, online banking or near field communications (NFC) transactions, do not lie with the payment technology itself, either on the part of the banks, mobile operators or third-party providers, because these services and applications have largely proven themselves to be safe.

The biggest challenge with mobile payments arises when criminals execute scams or frauds which trick subscribers into either unintentionally revealing their personal information, clicking links or downloading applications which appear genuine, but are in fact built to defraud users.

Such phishing and spoofing tactics are born from the traditional PC domain. However, whereas we have been trained to be suspicious of emails claiming to be from a bank, users are much more trusting of information and messages reaching them on a mobile device.

MMX: What are the new types of threats emerging?

GM: As the mobile world becomes more open and devices more complex, the type of mobile banking scams developed by the criminals are also becoming more sophisticated. We are now seeing what we term a ‘compound threat’, an attack that uses multiple vectors (SMS, MMS, email, web, voice) to compromise handsets simultaneously. These threats are built with the primary aim of extracting money, but have a secondary knock-on effect for the mobile networks and banks of damaged reputations and a loss of trust.

One recent example of advanced mobile malware developed specifically to harvest mobile banking details is the Zeus MitMo, an evolution of the Zeus PC virus. It monitors users’ access to banking websites, harvests details and allows attackers to withdraw money.

MMX: How can people protect themselves from being scammed?

GM: There are four simple steps mobile users can take when using mobile banking applications and services to help them stay safe:

Only download applications from legitimate application stores (i.e. Apple’s App Store, Android Market, Microsoft Marketplace), as applications from illegitimate stores and sites will not have been approved and will not be from your bank.

Do not click on links from untrusted sources. If in doubt always check with your operator or bank.

Always check your mobile bill; mobile scams are designed to go unnoticed for as long as possible, taking small amounts regularly so as not to alert the subscriber.

Do your research and pick the right mobile network operator. There is very little differentiation in price between the networks so they have to compete on other factors, and flexible security options are one of them.

MMX: How does AdaptiveMobile protect the whole network?

GM: The growth of mobile data usage and increasing device sophistication brings with it the threat of exploitation of network resources, operator revenues, and subscriber trust, and as such the mobile device is today a real target for mobile abuse.

To address these challenges the industry has responded with a variety of approaches; from adopting security models more familiar to the fixed line internet, such as traditional email and web filtering, through to handset client-based security, where individuals and enterprises are expected to take responsibility for the security and protection of their own device.

However, to date this piecemeal approach to mobile security has not been sufficient, especially since today’s threat is increasingly sophisticated. Simply protecting your email traffic or inbound SMS traffic is not adequate when the threats span all services, known as the compound threat. Nor is it beneficial for a carrier to place the responsibility for handset security entirely in the hands of the consumer or enterprise.

The challenges associated with keeping multiple handsets regularly up to date with the latest security software are obvious. Not only does this put the consumer and enterprise themselves at risk, it also has a serious impact on an operator’s network as infected devices seek to exploit the connectivity and payment mechanisms available to them.

With this in mind, our Network Protection Solutions provide a consistent policy-based view of user behaviour across all services including SMS, MMS, email, voice and web, allowing operators to identify new exploits, whether these are mobile viruses, denial of service attacks, spam or fraudulent phishing attacks, and respond rapidly to protect their network assets, subscriber privacy and subscriber credit.

www.adaptivemobile.com