Throughout 2013, security professionals will continue to face evolving mobile security challenges, says Javelin's Al Pascual, who, in a new report, analyzes the changing mobile threat landscape for the year.
"Whether it's bring-your-own-device, or the devices are being provided by the organizations themselves, it's really a question of how secure those devices are," Pascual says in an interview with Information Security Media Group [transcript below].
Pascual, lead author of the 2012 Mobile Security report from Javelin Strategy and Research, says this year organizations are going to see more of the same, "but much, much more."
"We're going to see in greater numbers more malware, more mobile man-in-the-browser," he says. "More phishing is going to show up on consumers' radar, and what it really comes down to is limiting the impact that the bad guys can have."
Limiting the fraudsters' success is going to take an effort from all parties that have a stake in the mobile space, from financial institutions to payment providers and app developers.
"With each of those respective risks, regardless of the platform, what it really comes down to is protecting the information on the device," Pascual says. "If those devices are insecure, if those threats aren't mitigated by the organization, if they're not following best practices, they could be just as exposed as the consumer."
Combining all the pieces of the mobile landscape will help create the most control possible over the environment, Pascual says, limiting the devices' exposure to risks.
In an interview about Javelin's new mobile security survey, Pascual discusses:
- Top mobile risks, including malware and user complacency;
- How banking institutions can influence user behavior;
- The roles institutions, service providers and customers must play to ensure mobile security.
Pascual leads Javelin's security, risk and fraud practice. He began his career with HSBC during the height of the mortgage boom. While working in HSBC's borrower verification department, Pascual performed enhanced due diligence investigations of high-risk loans. He later joined Goldman Sachs' fixed income, currency and commodities division, serving on its mortgage fraud investigations team. Later he joined Fidelity National Information Services, now FIS Global, to oversee data-driven investigations of organized payment fraud groups in the U.S. Pascual is a member of the Association of Certified Fraud Examiners and the International Association of Financial Crimes Investigators.
TOM FIELD: Give me some sense up-front. What were the primary objectives or the mission going into conducting this study?
AL PASCUAL: We wanted to take a look at the state of mobile security through the lens of mobile payments. It's a growing $20 billion market and we wanted to consider consumer behaviors, market share, threats to the ecosystem as a whole, and threats that affect all users, and then threats to specific platforms and remediation to those threats.
Top Mobile Risks
FIELD: I would like to know what some of the key findings are. But I'd also like to ask you: what surprised you about the findings?
PASCUAL: If we can frame it in terms of smartphones, I was surprised to find that even though the Android user base is about 50 percent larger than that of iPhone, the spending through the browser and through the app for the whole Android user base and the whole iPhone user base was very comparable, a difference of maybe $100-200 million between the two. What that means from a security standpoint is that while Android presents a larger target profile because of the number of viable targets, iPhone users and their security should be a high-profile concern in that they represent a substantial portion of the mobile payment volume and it shouldn't be put at risk because of neglect. Even though Android is a bit more exposed from a security standpoint, it doesn't mean that iOS is invulnerable, and failure to remain diligent could put that significant market share and those billions of dollars at risk.
We also have some concerns about consumer spending through browsers as compared to apps. Across all platforms, the spending through the browser was greater, but apps really offer a more secure environment for the consumer.
FIELD: When you look at the different platforms, what do you see as the top risk based upon this study?
PASCUAL: To give you examples from each, for Android, one of the top risks that we conceived was really the fractured nature of the system. There are numerous versions in the wild right now. Consumers can be exposed simply due to the fact that they have an older version of the operating system. These folks are either not being given the opportunity to download a current version at all or they're being left to wait months to do so. Then, as a result, all these older operating system users, all those known vulnerabilities and threats are out there and they're exposed and that's a real problem for the Android community.
As far as iOS is concerned, one of their largest risks is a sense of complacency, if you will. Apple has done a great job so far of securing the iOS environment as a whole, but it has been shown that there are ways around, even directly through sandboxing, past code signing, but Apple has yet to allow third-party security software for iOS. If there was an outbreak, how would anybody know?
Talking about Windows as well, we looked at Windows and we looked at Blackberry, but for Windows we have concern about that app marketplace. They've had some issues with apps in the marketplace itself, but they've also had to restrict Windows Phone users of older versions from accessing the marketplace to maintain security, and we've seen a recent proof of concept for Windows Phone 8 malware. Microsoft really needs to be sure that they're keeping any malware ... out of the marketplace, limiting those hiccups that we've seen so often.
We also looked at Blackberry and for us the concern with Blackberry was the stability of the company itself. With their recent financial performance, their quarter-over-quarter loss and any potential reductions that we may see as a result, they may not be able to keep up with the new security threats, new vulnerabilities, and that in turn could put the consumer at risk.
Impact to Organizations
FIELD: How do these threats to the smart phones impact the organizations as more and more employees are using these mobile devices, whatever the platform might be?
PASCUAL: Whether it's bring-your-own-device, or the devices are being provided by the organizations themselves, it's really a question of how secure those devices are. With each of those respective risks, regardless of the platform, what it really comes down to is protecting the information on the device. For employers, they want to protect their intellectual property. They want to protect company information. They want to protect company financials. If those devices are insecure, if there's malware - I know the FBI recently put out a warning to that effect, malware that could invade a device, steal that sensitive information and then relay it to a third party - if those threats aren't mitigated just as they would be on the consumer side, if they're not mitigated by the organization, if they're not following best practices and really trying to take care of those potential risks for each platform, they could be just as exposed as the consumer. They can lose that sensitive information and that's obviously a priority and something that they need to avoid.
FIELD: Speaking of mobile malware, probably for the past three years we've heard that the next year is going to be the year of mobile malware. What are your thoughts on that? Have we finally got there? Is 2013 going to be that year?
PASCUAL: Saying it's going to be next year, the big year, I think may be going a little bit too far. We've seen that it's a much larger problem on Android than it is on any other platform, and I think we may see a pretty serious explosion within that particular ecosystem. When there's a serious malware problem that finds its way on to iOS, finds its way into Windows Phone 8 and Blackberry 10, should it become a real market force, then that's going to be the year, but I doubt if necessarily it's going to be 2013. 2014, unless things are really put in check and the security vendors clamp down, the OS manufacturers and developers clamp down, then I see maybe the following year being a good year of malware. But next year they're just going to learn, they're going to get better and it's just going to be a setup for the follow-up.
FIELD: Are the fraudsters in malware going to Android because that's where the marketplace is, or is iOS in particular that much more secure?
PASCUAL: I think it does have to do with the security of iOS. Apple has done a great job keeping malware out of their marketplace, whether it's through the code-signing, through the way they've structured their sandboxing and allow permissions within the apps themselves. They've really had their bases pretty well covered.
Again, you have Android issues with the fractured ecosystem. You've had issues with their app marketplace, the Play Store, maybe even with the deployment of Bouncer. They have shown that's not 100-percent foolproof. Those two factors do have a lot to do with it, but again you have a large number of Android users. ... They're spending a lot of money through those devices and that's going to make them a target as well.
But again, iPhone users are spending nearly as much so hackers are going to go where the money is, so it's not like they're ignoring the iPhone, and we've shown and we've seen that the iPhone is not completely invulnerable. They're working on it. I wouldn't be surprised if they can find a way to penetrate and make a real dent in the coming year.
FIELD: Let's talk about mobile payments. What do you see as the impact on mobile payments of these types of threats that we're talking about? We're in sort of a delicate nation-state here with mobile payments.
PASCUAL: We are in fact, and I think it really comes down to a confidence issue. Consumers want to feel a sense of security, especially when it comes to new technologies when we're talking about their money. We looked at some data as far as consumers and contactless payment, something like a Google Wallet, their NFC implementation. That was consumers' number-one concern, how secure the actual platform is in using it, and that's what has been keeping them away. The last thing that we would want to see in mobile payments is a rash of outbreaks where consumer payment data is lost. It really could have a deleterious effect on the market going forward, and it's growing and the last thing that the market needs as a whole is to have a negative perception from a consumer point-of-view.
Developing Confidence in Mobile Security
FIELD: If security professionals don't necessarily have confidence in mobile security, how are we going to get consumers to have that confidence?
PASCUAL: What it really comes down to is maintaining - I wouldn't necessarily say - a status quo, but the first thing we need to do is make sure that there isn't that rash of outbreaks, there isn't that big headline that says, "Consumer payment data was lost. High numbers of consumers are suffering large amounts of fraud as a result of the mobile payments channel." That's really going to be the priority I think. No news in that particular case would be good news. But you definitely want to get in front of consumers. You want to educate them, keep them aware of the threats. For as much as you don't necessarily want to highlight the fact that they could be exposed, you don't want to leave them out in the cold either and potentially risk some market just to keep things silent.
It really comes back to building the confidence, and mobile payment providers, FIs, card-issuers, there are shared threats there. Everyone has just as much at stake and they really need to invest as much time and energy as they can here because mobile payments, the mobile channel, is going to be the future, and whether that's education, whether that's partnering with security vendors to deliver solutions to consumers, whether that's transitioning the consumer from the browser to the app which is going to be more secure, players or the organizations who have a hand or something to gain from mobile security from the mobile channel really need to be involved.
Improving User Behavior
FIELD: I want to come back to that topic of collaboration in a minute, but for now I'd like to talk a little bit about user behavior. One of the things that we always talk about with mobile security is that the users are risky, that they will download apps that they shouldn't and that they don't take good care of their devices necessarily. They lose a lot of them. But you're talking about complacency as well in terms of consumers not updating their operating systems. How can organizations have any kind of a positive influence on user behavior, whether it's helping them to avoid risky apps or encouraging them to stay current?
PASCUAL: As far as staying current and making sure that their device is properly protected, I think that for the organizations that are currently deploying apps themselves, what they can do is limit the functionality of those apps. If you have a device that's insecure, you want to test for the stability and security of a device, and then be sure to disallow functions that could put the consumer at risk if the device still doesn't have security software, if the device hasn't been patched, basically a way of getting the consumer to go down the road in making sure that they're taking the steps necessary to protect their payment card information and protect their personal information.
But we also want to avoid reinforcing certain types of behaviors as well. You want to limit communications with the consumer that include links, whether that be via text or e-mail, and avoid any attempt or conception or thought that consumer information could be shared through those channels. Let consumers know that they would never be asked for that information and that they wouldn't be directed anywhere through that organization via text or e-mail so that criminals can't prey on that idea for phishing or delivery of malware.
FIELD: Is there a model now? I don't necessarily know that I can look at any previous example and say that this is a way that organizations have been successful in influencing user behavior, because so much of it is just out of their control, especially in financial services. We haven't done a great job with security awareness.
PASCUAL: I wouldn't necessarily say that's 100-percent true. The banks have been learning, especially as a result of online banking, that they need to be security leaders and they need to go out and educate the consumers. We've seen from our data that consumers, even though they as a whole don't necessarily trust the financial industry, do trust their specific bank to deliver a secure solution. There's that belief on the consumer's point-of-view [with] the organizations that they're dealing with, specifically FIs, and that can very easily translate to their card companies or payment companies as well, that they can deliver security.
I don't think there's necessarily a complete disconnect there. It's just that the mobile channel is a bit newer and we want to be able to continue to deliver strong messaging and really try to influence that behavior, because it's not being lost on them. Consumers see it. They're interested in doing it as well, and they're willing to share responsibility. That's something we've seen with their FIs. They want to install safe security software. When given the option, we ask what their level of interest is in using it and they're interested more often than not. So it's not a lost cause and we have examples of it working in the past and it can work for this channel as well.
Addressing Top Risks
FIELD: We've talked before about the different players. We've got financial institutions, the banks, card issuers, device manufacturers, telecommunications companies, so many different players here. What are some of the specific roles these organizations need to play in improving mobile security going forward?
PASCUAL: Talking about FIs, we've seen it as a strong corollary between mobile banking, but there are shared threats between the two as far as malware, stealing credentials, stealing payment information. The FIs have just as much at stake or more than the payment issuers, payment providers and card issuers as far as the mobile channel's concerned. They all have that shared responsibility in reality to ensure that the devices being used are secure, and again it really comes down to getting the word out, education being the first and best line of defense.
Making sure that consumers are aware of their options for protecting themselves and protecting their devices, we talked about partnering with vendors to get the software in the consumers' hands, making sure that the other consumers interacting let them through the app or at least making the app available rather than defaulting to a browser solution - browsers are just inherently less secure than an app - and making sure any apps that are being deployed are well-conceived and well written.
FIELD: As we head into the New Year, what do you see, based on your study, as being the top risks, and what's your advice to organizations to address these risks?
PASCUAL: Is 2013 going to be the year of malware? I wouldn't say that, but what we're going to see for this coming year is more of the same, but much, much more. It's going to be more successful. We're going to see in greater numbers more malware, more mobile man-in-the-browser. More phishing is going to show up on consumers' radar, and what it really comes down to is limiting the impact that the bad guys can have. You want to limit their success and what that's going to take is strong authentication on the part of FIs, payment providers, folks in the mobile space; back-end solutions, device fingerprinting. Front-end solutions with mobile devices lend themselves really well, such as voice or facial biometrics, and then really combining that with well-written, well-conceived apps. Wherever you're interacting with the consumer, try to get them down that road because that's where you're going to have the most control over the environment and really limit their exposure.
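Editor's added example (not part of the interview, the Javelin report, or any vendor's code): the control Pascual describes in the "Improving User Behavior" section, where the app checks the device's patch level and security software and withholds the riskier functions until the consumer brings the device current, and the closing point about forcing stronger authentication for what remains. The platform names, version floors, capability names and posture fields below are assumptions chosen for illustration. One detail worth showing in code is that OS versions must be compared numerically, since a naive string comparison puts "4.10" before "4.9".

```python
"""Device-posture gating for a mobile banking or payments back end.

Added illustration only; the posture fields, minimum versions and
capability names are assumed, not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class DevicePosture:
    platform: str       # assumed values: "android" or "ios"
    os_version: str     # dotted version string reported by the client
    security_app: bool  # security/anti-malware software present
    rooted: bool        # root or jailbreak detected


# Assumed "considered patched" floors for this example.
MIN_OS = {"android": "4.1", "ios": "6.0"}

ALL_CAPABILITIES = frozenset({"view_balance", "pay_bill", "p2p_transfer", "add_payee"})
# Functions that move money or change where it can go.
SENSITIVE = frozenset({"p2p_transfer", "add_payee"})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "4.0.4" into (4, 0, 4); trailing non-digits in a part are dropped
    so "4.1rc2" compares as (4, 1). Numeric tuples sort correctly where
    plain string comparison would not ("4.10" vs "4.9")."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(v: str, floor: str) -> bool:
    """Numeric comparison with missing trailing components treated as 0."""
    a, b = parse_version(v), parse_version(floor)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def allowed_capabilities(p: DevicePosture) -> Tuple[frozenset, Tuple[str, ...]]:
    """Return the functions this device may use and the reasons anything
    was withheld (the reasons are what the app shows the consumer)."""
    if p.rooted:
        # Root/jailbreak defeats the platform sandbox: read-only access only.
        return frozenset({"view_balance"}), ("rooted or jailbroken device: read-only access",)

    caps = set(ALL_CAPABILITIES)
    reasons = []
    floor = MIN_OS.get(p.platform)
    if floor is None or not version_at_least(p.os_version, floor):
        caps -= SENSITIVE
        reasons.append(f"OS {p.os_version} is below the supported floor {floor}: update required")
    if not p.security_app:
        caps.discard("p2p_transfer")
        reasons.append("no security software detected: install it to enable transfers")
    return frozenset(caps), tuple(reasons)


def requires_step_up(p: DevicePosture, capability: str) -> bool:
    """Sensitive functions that remain enabled still get strong
    authentication (e.g. a biometric or out-of-band factor)."""
    caps, _ = allowed_capabilities(p)
    return capability in caps and capability in SENSITIVE


if __name__ == "__main__":
    old_android = DevicePosture("android", "4.0.4", security_app=False, rooted=False)
    caps, why = allowed_capabilities(old_android)
    print(sorted(caps))   # ['pay_bill', 'view_balance']
    for r in why:
        print(" -", r)
```

The withheld-capability list and the reasons travel together so the app can tell the consumer exactly which step (update, install security software) restores each function, which is the behavioural nudge the interview describes rather than a silent failure.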