Mobile payments have arrived. Driving this revolution is a large collection of technologies, some of which are immature and not fully secure. Nascent solutions are a gilded invitation for criminals to attack at various points within the mobile payments ecosystem. Operating system (OS) developers, payment networks, banks, and even users need to be involved in keeping this evolving environment secure.
The two greatest threats to the mobile payments industry are malware and data breaches. The data breach is well understood and is a universal issue for the payments industry. Standards like PCI have gone a long way toward combating the problem. The malware problem, however, is more focused, initially affecting OS and applications developers, with the effects eventually spreading to the rest of the mobile payments community.
Mercator Advisory Group's new report, Mobile Payment Security, Fraud, and Risk: Breaches, Malware, and the OS Linchpin, examines these threats, explores ways in which fraudsters might exploit them, and indicates how the mobile industry should prepare and respond.
"Criminals are highly motivated to attack mobile payments because they are such a rich target. Historically, these hackers have been loosely organized but effective. They take advantage of the lag between the introduction of a payment technology and its general acceptance by the public. This period provides ample opportunity for the perpetrators to discover vulnerabilities and prepare attack strategies," David Fish, senior analyst in Mercator Advisory Group's Fraud, Risk, and Analytics Advisory Service and author of the report, comments. "Our research has indicated that OS developers are in the best position to limit the spread of mobile malware. They control the OS, they control their own applications, and they are in a position to control the offerings of third-party application vendors."
Highlights of this report include:
- Discussion of the two approaches to mobile payments and analysis of the security threats facing them.
- Review of traditional forms of payment fraud and explanation of how these forms are evolving as mobile enters the payments ecosystem.
- Examination of the methods and vectors that fraudsters use to obtain payment card information and the schemes they exploit to capitalize on stolen data.
- Analysis of the drivers of insecurity in the mobile arena, including OS application review processes, time-to-market pressures, vulnerabilities to phishing, WiFi hacks, man-in-the-middle attacks, and others.
- Recommendations for tighter mobile payment security for OS developers, corporate and individual mobile users, application developers, and mobile carriers. SHOW LESS READ MORE >
Vulnerabilities in OSs and Apps
The Mobile (Payment) Future
Emerging Threats: Mobile Payment Fraud
Mobile Payment Approaches
Traditional Payment Card Fraud
Modern Payment Card Fraud
The Outcome: Identity Theft
Mobile Operating Systems and Applications: Leading the Way to Payment Fraud
Competition Drives Fast-Paced Software Development (and Bugs)
Third-Party Applications as an Entry Point
Mobile Phishing: The Berkeley Reports
NFC and Device-Based Security Threats
Lost/Stolen Devices and Walk-offs
Ghost and Leech Attacks
Other Forms of Potential Compromise
Conclusion and Recommendations
For OS Developers
For Corporations and Individuals
For Application Developers (Merchants, Issuers, Corporations)
- American Express
- First Data
- Global Payments
- Research In Motion