Philip Pieterse, senior security consultant at Trustwave, answers questions related to mobile banking security...What do customers of mobile banking systems need to be cautious of?
In general for mobile banking systems, the credit card information is either stored locally on the device itself or remotely. When the credit card information is stored locally on the device, it is normally encrypted in some sort of way. The problem comes in when the mobile device gets infected by malware or the encryption gets broken somehow. It might then be possible to read the data stored on the mobile device and extract the credit card information. Secondly, when the credit card information is stored remotely, the communication still needs to be encrypted. If the mobile device gets infected with malware it might be possible to intercept the credit card information, either in transit or while it is in memory. Are the main players in this sector doing a good job to secure transactions? How and what are the best systems being used?
There are a few different mobile payment solutions. To clarify, there are mobile applications that interact with your bank and are similar to your online banking. Another type of mobile application is a virtual wallet that you can use in a store to pay for items. There are also mobile payment solutions for merchants to be able to accept credit cards, almost like a mobile point-of-sale device.
At Trustwave we do a lot of mobile security testing and often we find very serious vulnerabilities in mobile banking or mobile payment applications. The reason for this might be that there is typically a rush for the mobile application to be developed and launched.
According to our 2014 Security Pressures Report, four out of five IT pros felt pressured in 2013 to roll out IT projects despite security issues. During the development and production stages, mobile applications might not go through the vigorous vulnerability scanning and penetration testing it should be going through, almost like security is being put on the back burner. How far has this industry come in the last five years (secure mobile transactions) and where do you see it going in the next five years?
Five years ago the only type of mobile payment application were online banking related. Today payment services develop e-wallets and can conduct transactions via mobile devices. Some companies incorporate a loyalty point structure when you use their mobile payment application to buy certain items. Small retailers only need a smartphone and a small device that plugs into that smartphone and then they have their own point-of-sale device.
Obviously we can’t predict the future. But we can imagine that companies will further the development and deployment of such mobile payment applications, with more features and more benefits. This will help maintain and grow their customer base. Also, the information that the companies are able to gather, such as profile spending, is very valuable for the companies. How can customers prevent a security breach and losing money?
Users can prevent losing money by having a very good understanding of how these mobile applications actually work, including knowing what happens to your credit card data. Users’ awareness needs to increase, because all types of data such as their payment card data, personal information, health information, and corporate information – for people who use their personal devices at their workplace – are stored on one device. There seems to be an influx of different types of apps and systems entering the market. It seems a bit overwhelming. Will one system work itself into a dominant position or will retailers and customers have to adapt to countless apps with different logins and passwords and hope they don’t get led astray?
I would think the latter, as every company would like access to the profiling data that can be obtained as a result of transactions flowing through your systems. This allows the company to see the characteristics of the buyer. Companies want to understand you as a consumer in order to provide you with either the best service or product that is applicable to you.
Comparing Africa to the rest of the world, smartphone users leapfrogged as a result of getting around infrastructure limitations. For example, in areas with no physical lines for internet connectivity it is now possible to have your own mobile point-of-sale device and the ability to accept credit cards for purchases. - Now read:
Are you tired of carrying your wallet around? With a bunch of new apps that allow you to pay your way without cards or coins, the evolution is speeding up.
- News24 Live:
Fin24's Matthew le Cordeur, Zapper's Harrison Bean and Trustwave's Philip Pieterse chat to News24 Live's Jerusha Sukhdeo.