Phishing for trouble

Common sense, it seems, is often sadly lacking when it comes to protecting ourselves from cyber criminals

In the digital realm – just as in the physical – criminals follow the money. And if smartphones soon become our digital wallets as predicted, the villains of the virtual world are set to launch sophisticated attacks in a bid to knock down any walls in the way of our cyber-cash. Already, the large computer security firms that monitor systems for malicious rogue programs (known collectively as malware) are seeing a sharp increase in the number targeting mobile devices.

While the threat of an individual smartphone becoming infected is small, the diversity and deviousness of what has already been detected is both staggering and sobering. For example, sensory malware can monitor your voice calls, recognise when you’re entering account numbers and passwords on the keypad during a call and transmit those credentials surreptitiously to a third party. Other malware invisibly uses an infected phone to send premium-rate SMS texts, which customers probably won’t notice until their next bill arrives.

And the number of variants emerging across computer systems in general is mind-boggling. Graham Cluley, senior technology consultant at IT security firm Sophos, says his company’s labs see 150,000 new pieces of malware every day: “That’s about one a second,” he says. “And most of them have some financial motivation behind them.”

Google’s Android operating system for smartphones and tablets has seen the biggest growth in malware recently – although this still represents a tiny proportion of overall threats. But other devices such as iPhones (despite their better security record at present) will increasingly be targeted if they become popular conduits for digital payments.

Professor John Walker, an independent IT security adviser to governments, law enforcement agencies and major corporations, says: “I wouldn’t recommend running any financial transactions over any device which does not have an assured level of security. They may be called smartphones but when it comes to security most are rather dumb.”


Even dumber are the people who use them, it seems. Most malware gets on to our computers and phones because we click on malicious enticements in spam messages. And most financial information is compromised because we follow links in emails purporting to be from PayPal or our online banking provider and divulge credentials to fake sites. PayPal is the number one target for phishing emails, since it is so commonly (and globally) used online. The only thing anyone requires to access a PayPal account or authorise a transaction is an email address and password – convenient, but not very secure.

And what of the new breed of smartphones hard-wired for touch-and-go payments (see NFC article, p9) and the contactless bank payment cards set to be issued en masse this year? Smartphone-based payments face the same potential threat from malware as any other form of computer-based digital payment. But any contactless payment technology – whether on a smartphone, bank card or chip implanted in your arm – could be at risk of external interception. For example, in 2008 Professor Bart Jacobs and colleagues at Radboud University in the Netherlands revealed details of how they had cracked the security of the MIFARE Classic chip used in the Oyster card.

Professor Walker agrees no system can be guaranteed 100 per cent secure. He has looked closely at MIFARE – the technology behind Oyster cards and some of the newer contactless bank cards. “The security model (used for the new cards) looks very robust, but the question is where does its insecurity lie and how might it be attacked?” he says.

That said, payment technologies owned, controlled or created by major banks are less at risk than our self-managed smartphones and PayPal accounts. “Banks have many years’ pedigree looking for fraudulent behaviour patterns. If there is anything strange or outstanding, their internal mechanisms should detect them,” says Rik Ferguson, director of security research at Trend Micro.

The big banks and affiliated online payment systems, such as those operated by Visa, MasterCard and WorldPay, apply internal and external security standards for digital payments. Increasingly these standards require more reliable authentication than a simple username and password. For example, major banks already issue card readers to online banking customers as an additional layer of protection for some transactions.

Some experts think such mechanisms will become increasingly common for all types of digital payments, but customers find them cumbersome. Google, which is increasingly handling digital payments via its Checkout and Wallet services, may have hit on a convenient compromise. The company has introduced an extra layer of security where users can opt to have a code sent to them via SMS text message whenever they attempt to log in, which must be entered in addition to their password.
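The SMS-code step described above, as an added example (not Google’s or any vendor’s code) showing the server side of such a second factor: the password is checked first, a random six-digit code is issued, stored only as a hash with a short expiry, sent out of band, and then accepted once only, with a cap on wrong guesses so that a six-digit value cannot simply be brute-forced online. The user record, the Ofcom-reserved phone number, the in-memory code store and the message list are constructed stand-ins for a user database and an SMS gateway.

```python
"""Out-of-band one-time login code as a second step after the password.

Added example, not code from the article or from any payment provider.
The SMS gateway is a stub that records messages; the store is an in-memory dict.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code is worthless five minutes after issue
MAX_ATTEMPTS = 3            # wrong guesses allowed before the code is discarded
PBKDF2_ROUNDS = 100_000

# Constructed sample account. The phone number is in the range Ofcom reserves
# for fiction, so it belongs to no real subscriber.
_SALT = b"constructed-salt"
USERS: Dict[str, dict] = {
    "alice": {
        "phone": "+44 7700 900123",
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, PBKDF2_ROUNDS),
    }
}

# issued codes keyed by user id: (hash of code, expiry time, wrong attempts so far)
_pending: Dict[str, Tuple[bytes, float, int]] = {}
# stand-in for an SMS gateway: (phone number, message text) pairs
sent_messages: List[Tuple[str, str]] = []


def _hash_code(user_id: str, code: str) -> bytes:
    # Store a hash, never the code, and bind it to the user so one leaked
    # entry cannot be replayed against another account.
    return hashlib.sha256(f"{user_id}:{code}".encode()).digest()


def issue_code(user_id: str, phone: str, now: float) -> None:
    # secrets.randbelow is CSPRNG-backed and uniform; zfill keeps leading zeros
    code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
    _pending[user_id] = (_hash_code(user_id, code), now + CODE_TTL_SECONDS, 0)
    sent_messages.append((phone, f"Your login code is {code}"))


def begin_login(user_id: str, password: str, now: Optional[float] = None) -> bool:
    """Step one: check the password. On success a code is issued and 'sent';
    the caller must then pass it to complete_login. Returns False otherwise."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    if user is None:
        return False
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(attempt, user["pw_hash"]):
        return False
    issue_code(user_id, user["phone"], now)
    return True


def complete_login(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Step two: the code from the SMS. True exactly once per issued code;
    expired, exhausted or used codes are removed so they cannot be retried."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    expected, expires_at, attempts = entry
    if now > expires_at:
        del _pending[user_id]
        return False
    # constant-time comparison: don't leak how much of the code matched
    if hmac.compare_digest(expected, _hash_code(user_id, submitted)):
        del _pending[user_id]           # single use
        return True
    attempts += 1
    if attempts >= MAX_ATTEMPTS:
        del _pending[user_id]           # stop online guessing of a 6-digit value
    else:
        _pending[user_id] = (expected, expires_at, attempts)
    return False


if __name__ == "__main__":
    # Happy path: password, then the code pulled from the stub gateway.
    assert begin_login("alice", "correct horse")
    phone, text = sent_messages[-1]
    print(f"would send to {phone}: {text}")
    print("login complete:", complete_login("alice", text.split()[-1]))
```

The code is hashed before storage and compared with `hmac.compare_digest`; the attempt counter and expiry are what make a six-digit code acceptable at all, since without them an attacker who already has the password could try all one million values.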

But both businesses and individuals using digital payment systems need to take their own security precautions. For businesses this means deploying effective security software such as anti-virus and intrusion detection systems, encrypting any sensitive data, ensuring systems are kept up to date with the latest patches, and making sure any websites hosting transactions are regularly tested for vulnerabilities. It also means better educating employees and customers about their own responsibilities.

Individuals, meanwhile, must learn to protect their smartphones with good antimalware apps and a passcode lock, and should be sure not to choose obvious passwords or use the same password for multiple services. Password vault applications that encrypt and store all your different passwords can help here. Users should simply apply the same common sense to their smartphone as they do to their wallet or purse.

Unfortunately, as Cluley points out: “Where security’s concerned, common sense isn’t very common.”

A password that you could never forget

Biometrics could allow us to make cash withdrawals or purchases using our face, fingerprints or even our veins

Biometric authentication could hold the key to making sure the right person has access to mobile money.

Mobile phones that recognise their owners by their faces or fingerprints are already available. Samsung and Google unveiled the Galaxy Nexus last October, running the new Android 4.0, which includes Face Unlock facial recognition technology instead of a PIN for users to unlock their phone. Owners of the Motorola Atrix can use their fingerprint to access the phone.

Josef Kittler, professor at the University of Surrey, headed up the EU Mobio project, which created prototypes of apps using face and voice authentication to make cash withdrawals and purchases.

“Mobio showed you could do authentication on a mobile phone, and the performance is good enough for commercial applications,” says Kittler.

In the future biometric authentication could bypass the mobile platform altogether. As we carry our biometrics with us at all times, it is possible simply to present our fingerprint, face or even veins. Over the next two years the major German retailer Edeka plans to replace its established pay-by-fingerprint terminals with multimodal biometrics, combining fingerprint and finger-vein scanning, for its payment and loyalty schemes.

Jim Mortleman is a freelance writer, journalist and commentator with over two decades’ experience examining technology developments and their implications for business and society. He has written for numerous trade, consumer, online and national titles, as well as organising and presenting at high-tech events.
