By Heather McLean

Trusteer’s chief technology officer, Amit Klein, on the diaspora of desktop financial fraudsters to the mobile phone.

Mobile payments are a new area that, as we all know, has only begun to gain real traction in the marketplace over the past 12 to 18 months.

The first successful implementations of mobile money were in developing countries, with M-Pesa the outstanding example against which all others in the developing world are now judged.

In the developed world, the use of barcodes, internet banking and payments from the mobile, and now near field communication (NFC), are starting to make an impact. NFC, with its ability to let users make contactless payments, is the area getting most of the attention, with mobile device manufacturers applauded or scowled at depending on whether a new device release includes the technology.

Yet as mobile payments grow, the security of the mobile device itself, which most people never even consider, is going to become more pressing at the same time. Amit Klein, chief technology officer at Trusteer, a provider of secure web access services, said there were three major problems in securing mobile transactions.

The first is about ‘hygiene’. Users, applications and money providers do not know how clean and free from malware and viruses a mobile phone is. Klein explained: “We don’t know anything about the hygiene of a device, if it’s infected with malware, carries up to date virus protection, or has an up to date operating system.

“For mobile transactions, the risk involved in dealing with financial assets is reflected from the desktop world. On the desktop, sophisticated malware targeting financial transactions uses cunning, knowledge and the ability to evade various measures put in place to spot this type of activity. However, the hackers have become really good at stealing money.

“It’s actually very impressive to look at such financial malware for the desktop and realise what it does from a fraud perspective,” remarked Klein.

He continued: “The bad news for mobile users is those brains behind the financial fraud on the desktop are very close to porting those concepts to the mobile world. Once there is enough money on the mobile, they will be there. They have a vast amount of data, understanding, and intelligence that can enable them to drop a solution, or threat from our perspective, into place in a very short time. The concepts are there and they’ve already acquired financial information, and they can port to the mobile world any minute.”

Another challenge for any solution to this coming problem is the need for fresh thinking about how to secure the mobile. One point Klein fears not all banks appreciate is that an ‘out of band’ channel, currently used to secure online transactions for the desktop, becomes an ‘in band’ channel when the user is conducting the transaction on the mobile phone.

An out of band channel is a phone call, email or SMS to the user to verify a transaction that is being made. However, it is always the user’s mobile phone that is called or texted, and email is commonly available on the mobile today as well. So that valuable, simple way of adding a further layer of security to a desktop transaction is now ‘in band’, and can be used by a fraudster as another way to rip off the end user.

Trusteer offers the tools banks need to develop their own mobile apps with security at the core, including a health indicator so the bank can see how secure, or hygienic, the mobile device is and bear that in mind as transactions are conducted. It also offers banks a secure browser to give to their customers, so the consumer uses the secure browser to interact with the bank and make transactions.

Klein added: “Banks should design security into their solutions from day one. They need to look at this market differently from the desktop market, designing apps differently. They need to take responsibility for the security of their solutions.

“At the end of the day, the security provided on the operating system of a mobile device is less mature than that on a desktop, therefore the mobile world is still behind in its overall security execution, and that is something that banks and mobile app providers need to take into account,” Klein concluded.