At the end of last year the FBI issued an e-scam alert specifically notifying Android mobile phone users to be aware of mobile malware and take appropriate precautions.
- Infrastructure threats – WiFi or cellular sniffing takes advantage of mobile operating system vulnerabilities. These can be used to plant mobile malware or to dupe users into visiting sites that host malware, and then profit from such activity.
- Web-based threats – Using email, Facebook, LinkedIn and Twitter to send links to websites designed to trick users into providing sensitive information such as passwords or account numbers.
- App-based threats – The most widely exploited are malware and spyware, which perform malicious activities on users' mobiles without their knowledge: sending unsolicited premium-rate text messages, giving an attacker control of the device, and gathering sensitive and private user information.
While the situation may sound bleak, the potential security and privacy attributes of mobile devices may – in the long-term – far outweigh the risks.
Many forms of mobile payment have already become more secure than cash or cheques. A lost wallet, for example, would require the owner to cancel every credit card and identity document it held. A lost mobile, on the other hand, can quickly and remotely be wiped clean and the data swiftly migrated to a new device – with money and identity intact.
Mobile security is also expanding by using the unique characteristics of mobile devices to reinforce and strengthen security protocols. By using the geo-location feature of a mobile phone when faced with a suspicious transaction, card companies can establish whether the cardholder was, in fact, present at the transaction.
It’s not too far a leap to see the introduction of payment authorisation using the device’s camera, or any number of new approaches that turn science-fiction into reality.
As with any other technology, it is not sensible to halt the development of mobile strategies. Instead, efforts should go into embracing these technologies with knowledge and awareness of the potential threats and risks, while safeguarding data in the most cost-effective manner.
Approaches and solutions will differ but there are some common themes that may universally apply:
- Comprehensive risk management – A comprehensive risk assessment should be carried out. The threat of mobile malware must be considered in security risk management, and appropriate controls developed to control, mitigate or avoid the risks arising from such threats.
- Customer/employee awareness – User training and awareness are another effective weapon against these threats.
- Mobile strategy and planning – Develop a mobile strategy with buy-in from business and IT stakeholders. Aligning the mobile strategy with business objectives, and considering how risk profiles change and how those changes will subsequently be managed, are all part of managing the acceptance of mobile as a technology.
- Continual verification – Given the speed of change in the mobile ecosystem, executives will need to focus on creating appropriate controls and governance processes to ensure that any changes to the platform or software are thoroughly tested.
In conclusion, the evolution of mobile devices and advances in mobile malware bring an increasing risk of mobile fraud. The key is to manage and mitigate these risks and continue on the path of mobile innovation.