Reflections on Mobile Security
Time to Step Back and Review Concerns About Devices - and Users

I'm not sure how concerned the financial industry should be about mobile security, and I don't think anyone else is certain, either.
Sure. Mobile definitely has vulnerabilities that pose risks. And in the financial space, some institutions and third-parties have been hasty to launch mobile banking and payments platforms without first considering all of the security ramifications.
But are our concerns about open-source platforms and the mainstream availability of downloadable mobile apps over-hyped?
I've spent the past couple of weeks catching up with various sources about the current state of mobile security. The focus of our conversations: security surrounding downloadable mobile apps and mobile browsing.
Most experts I spoke with highlighted all of the vulnerabilities surrounding mobile software and platforms, and the inherent risks present in the configuration of mobile applications. But one expert's view stood out, largely because it was not all doom and gloom. In fact, this security expert from the European Network and Information Security Agency, which has published a new report about mobile app security, says the mobile channel actually offers some security advantages.
"Mobile security is still much better than other areas of security," ENISA's Dr. Giles Hogben said during an interview this week.
But what makes mobile so concerning is its explosive growth. "The mobile market is growing faster than any technology has ever grown before, and that's pretty difficult to do," he says. "There's now more Internet-enabled phones than PCs. ... and Google just announced that they're activating 500,000 Android devices every day. That's pretty amazing, I think."
Pretty amazing, indeed.
Don Jackson, director of research for the Counter Threat Unit at Dell SecureWorks, says exponential growth in mobile use is likely to make mobile the fraudsters' next target, especially as the financial industry takes more aggressive steps to enhance the security of online transactions.
"Over the last year, we've seen mobile [smart] phones being used more often than PCs," Jackson says. "So the phones will be the real target in the future. And as more people move to the phone as their primary tool for communications, that's where they are going to store more information that hackers want."
That makes sense. But is information stored on a mobile device in the same way it's stored, for instance, on a PC or Mac? Well, not really. Though differences do exist among mobile operating systems, such as Windows, Apple and Google, most apps interact with their respective OSes and platforms in a similar way.
Mobile apps work relatively independently. They don't interact with one another; that's not how they're designed. That lack of interoperability is one reason developers have had difficulty coming up with anti-virus solutions that can scan for and detect malicious software on mobile devices, whether it is hidden in an app or inadvertently launched during a browsing session.
So, because of the compartmentalized infrastructure of mobile devices, even if a malicious app is downloaded and installed by an unsuspecting user, chances are, at least with the attacks most industry experts see today, that malicious app won't be able to hijack a device in the same way malware launched on a PC can. But again, it's probably just a matter of time.
The primary concern about mobile apps is that they often collect, or attach themselves to, information about the mobile phone and data stored on it that they don't really need. Things like address books and device locations are often, by default, connected to the app. If the app is malicious, then a fraudster could potentially see or steal address book and location information. To date, however, only relatively few such egregious breaches have been reported.
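The over-collection problem described above is something a reviewer can check for before an app ships, by comparing the permissions an app requests against the ones its owner can actually justify. The following is an added example, not code from the article or from any of the organizations it quotes: it parses a constructed Android manifest for a hypothetical banking app and reports every sensitive permission (address book, location, and a few others) that has no documented business reason. The permission strings are real Android names; which of them count as "sensitive" is this example's own grouping, and the manifest and justifications are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Real Android XML namespace used for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose the kinds of data the article mentions (address book,
# device location), plus a few other commonly over-requested ones. The names are
# real Android permission strings; calling them "sensitive" is this example's choice.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.WRITE_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate device location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Constructed sample manifest for a hypothetical mobile banking app (not a real product).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names a manifest requests, in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def audit_permissions(manifest_xml, justified):
    """Flag sensitive permissions the app requests without a documented reason.

    `justified` maps a permission name to the short business reason supplied by
    the app owner. Every sensitive permission not in that map is reported as a
    (permission, data exposed) pair.
    """
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE_PERMISSIONS and perm not in justified:
            findings.append((perm, SENSITIVE_PERMISSIONS[perm]))
    return findings


if __name__ == "__main__":
    # Hypothetical justification list: only the camera has a stated purpose.
    justified = {"android.permission.CAMERA": "remote cheque deposit"}
    for perm, data in audit_permissions(SAMPLE_MANIFEST, justified):
        print(f"UNJUSTIFIED {perm}: grants access to {data}")
```

Run as a script, the example reports the contacts and location permissions as unjustified while accepting the camera, which is the kind of finding a security review would take back to the app owner before launch. The same function works on a real manifest pulled from a build, with a justification map maintained alongside the app's requirements.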
Mobile browsing seems to be the greatest worry, not because of the high-tech or uber malware that today's cyberthieves have developed, but because most people behave in a less secure way when they're browsing on-the-go.
"Phones are social devices, and people are more naïve when it comes to using their mobile devices," says Dr. Markus Jakobsson, security expert in the field of phishing and crimeware. "When people talk on their mobile devices, they are usually talking with people in a less protected way, and that rubs off on the way they use the device, whether for browsing, accessing and responding to e-mail, banking, or payments. Their behavior is much riskier."
So, the risks, at this point anyway, have a little more to do with the person holding the mobile touchscreen than with what's actually contained inside the mobile device itself. Again, at least for the time being.
Mobile is an exciting channel to watch, and as an emerging channel, we all have to be mindful of its potential risks. But let's not be too quick to jump to conclusions. Leaping to lump mobile in with online security risks is a misstep the financial industry must be careful to avoid. A better understanding of the differences between the mobile channel and its online cousin is definitely advisable, while also appreciating their similarities.