Mobile devices are changing the payments landscape. More mobile devices are becoming equipped with near-field contactless capabilities and apps that allow for the purchasing of goods and services. While this provides a number of conveniences for consumers, mobiles also come with greatly increased risks related to payments. Case in point, malware instances on Android phones grew 400% between summer 2010 and spring 2011, according to the “Malicious Mobile Threats Report” by Juniper Networks.
The increased risk stems from the fact that mobile devices typically lack the firewalls and other security measures that are more standard on home computers. This make mobiles ideal for launching malicious software that tracks key strokes and compromises sensitive personal information, usernames, and passwords. To make matters worse, app purchasers are often much less discerning about downloads to their mobile compared to a home computer.
Beyond malicious apps and downloads, there is additional concern about the security of the networks used by the phone. Many phones are wifi capable, and although the public has become conditioned to not connect to unknown wifi networks using personal computers, there is less discretion when using mobile phones. In particular, the public has been systematically targeted at airports and other aggregation points by malicious wifi networks.
Even when users are careful selecting a wifi network, they can be prey to “Man in the Middle” attacks on mobiles. Here, a fraudster will target MAC addresses associated with a particular brand of phone and redirect transactions through the fraudster’s computer. This allows the fraudster to launch a tool like SSL strip to remove security protocols, and capture usernames and passwords used in payments, online bank access, email, etc. Although this is easily done on wifi networks, the same attack exists on mobile networks such as GSM, where a fraudster can impersonate a GSM base station.
These vulnerabilities demand advanced analytics that monitor mobile device usage to detect fraud. That will be the topic of a future post…
Stay tuned for Part 2.