Tag Archives: mobile

Guest Post: A Trojan Horse In Every Pocket

“A hacker wishing to break into a specific company may decide that compromising an unprotected mobile device is far easier than dealing with corporate firewalls”

After years of experience, and learning from the high profile mistakes of others, businesses are fully aware of the importance of security on desktop and laptop computers.  Anti-virus software and encryption tools are standard issue, and user rights management also forms a key part of any corporate security setup.

But this is now only one aspect of securing a business against digital threats. The rapid growth of powerful mobile devices has opened a whole new front in the war against hackers, viruses and mischief makers.

Now, in addition to locking down desktop and laptop computers, business owners must consider the danger posed by mobile devices; those that don’t risk exposing their company to financial or reputational loss.

A trojan horse in every pocket

Smartphones and tablets can be hugely beneficial to businesses, but an unsecured device offers another route to confidential information for hackers.

There are already numerous mobile viruses in circulation. Typically these are untargeted: they’re used to gather private information or send premium-rate texts for the financial benefit of those controlling the software. But a dedicated coder could easily create a virus with a much narrower focus, one designed with the express purpose of penetrating a company.

There’s already been one very high profile example of this kind of attack on desktop systems. Stuxnet was a worm designed to damage a very particular type of industrial equipment used by the Iranian nuclear programme.

This was a sophisticated, state-sponsored effort, but targeted malware is not restricted to those with government backing. A group known as ‘Winnti’ has been using malware attacks to steal online gaming credentials, digital certificates and source code in order to profit from trading virtual currency and stolen data.

And just this month a new virus was discovered that is thought to have been targeted at UK companies, silently infecting thousands of machines.

A hacker wishing to break into a specific company may decide that compromising an unprotected mobile device is far easier than trying to deal with corporate firewalls. It could be all they need to capture confidential information or gain access to internal systems.

What can be done?

At this year’s Mobile World Congress event all the major security firms were in attendance, and while they were jockeying for attention for their own software solutions they did all agree on one thing: users need educating.

“On PC everybody is aware they need protection”, says Stefan Wesche of Norton Antivirus, “on mobile most people are not aware, and that’s where we should start, telling them about the problem.”

We’re all accustomed to the need for good passwords and up-to-date anti-virus on our computers, but the concept of anti-virus on a smartphone is still alien to many people.

Businesses need to start by ensuring their security guidelines cover the use of mobile devices, and that all employees are aware of the risks.

They also need to examine the inherent security features of the various mobile platforms; one reason BlackBerry was so popular with corporations was the excellent security it offered as a standard feature. At present, Google’s Android mobile OS has the largest number of viruses, partly because there are very few limits to what users and developers can do with their devices. That offers many advantages, but it also allows malware to piggy-back on pirated software or sneak in through the official app store.

A robust mobile security policy is particularly vital with the growth of ‘Bring Your Own Device’ (BYOD), where employees are permitted to use personal equipment. This can be a money saver, but a smartphone that is used to download apps and games at home, perhaps by children, and is then taken to work for business emails and calls should be a big area of concern for IT managers.

Author Bio: Matt Powell is the editor for the broadband, smartphone and tablet consumer information site Broadband Genie.

Payment Cards are Dead. Long Live Payment Cards.

Any payment technology analyst will tell you that the payments market has exploded over the last few years. An explosion sounds great, but it also suggests fragmentation. Which is another way of saying that the customer has a confusing array of choices.

Not that confusion is anything new.

Everyone has, at some point, fumbled through a stack of payment cards stuffed into a wallet or purse in a vain attempt to extract the right one for the purchase in hand.

“Do you accept Diners Card?  No?  How about Access? Oh. Hang on, I’ve got an Amex card in here somewhere…”

So much for taking the waiting out of wanting.

The last few years have seen the emergence of a variety of eWallet services. These on-line services enable the customer to register bank or payment card details just once with the eWallet provider. Once done, the customer does not have to share card data with the merchant, as the eWallet provider handles all interactions with the account holder’s bank or card issuer.

But payment card brands are, just as the name suggests, brands. Vast amounts of money are expended to ensure that merchants and consumers alike are visibly reminded of the brand identity of the product embodied in that plastic card. eWallets obscure that brand, or indeed replace it altogether.

A curious but perhaps inevitable effect of this has been the appearance of “brands” such as PayPal in high street stores. No longer just an on-line entity, PayPal has a growing presence at the retail point of sale too, cleverly insinuating its own brand presence where previously only Visa, Mastercard, Amex et al had a footprint.

But just as on-line payments companies like PayPal are moving into the face-to-face environment, it would be wrong to assume that the traditional card brands are simply watching this happen. eWallet offerings from Visa (V.me), Mastercard (Masterpass) and Amex (Serve) are all competing too, and in exactly the space that companies like PayPal have defined for themselves.

“The analytic possibilities presented by mobile payments data will make current loyalty card schemes look positively quaint by comparison.”

However, the major card brands are not the only competition to the likes of PayPal. Let’s not forget Google Wallet, for example.  Or Square, or Isis. There’s a lot of competition out there, and the stakes are high with the US mobile payments market alone expected to be worth over $90 billion over the next few years.

The key driver behind the growth of these services has been Internet-connected smartphones. All of the major eWallet services include a smartphone app component that effectively sees the phone not just as an eWallet, but as the payment device too, bridging the gap between on-line and face-to-face payments. These apps are able to implement their own security features too, including voiceprint, fingerprint or PIN authentication.

Android phones have been available for some time equipped with NFC hardware, enabling the phone to act just like a physical payment card, and there are rumours that Apple’s next iPhone could also be NFC-equipped with Apple releasing a so-called “killer” eWallet app.

So it seems that anyone who’s anyone now has a stake in the future of mobile payments. The convergence and adoption of key technologies continues, and although no clear winners have emerged as yet, the future of payments will surely be mobile.

Smartphone platforms provide an unprecedented opportunity for retailers and payment providers to profile customers, to push individually customised offers and to analyse sales patterns based upon location, historical data and any of the wealth of information our smartphones reveal about us. This data will be hugely valuable. The analytic possibilities presented by mobile payments data will make current loyalty card schemes look positively quaint by comparison.

The winners will combine simplicity and sophistication to create a ubiquitous payment process, and will reap rich rewards in the process.  For now, it’s the simplicity that’s proving elusive from the customer’s perspective. Until that changes, we think most people will prefer to reach for the plastic.

5 Constraints To Security Innovation

The great thing about the information security field is that it constantly re-invents itself, or at least it tries to. In truth, real innovation is rare, and recycling is common.

Developments in information security are reactive and innovation in the space only occurs when “real” innovations happen elsewhere. To some extent, this is inevitable. Example: there was no anti-virus industry before the microcomputer innovations of the 70s and 80s. Before that time, discussions about any kind of security were generally limited to the provision of usernames and passwords controlling access to dumb-terminals connected to central mainframe applications.

The microcomputer revolution changed everything, putting real power in the hands of the end user, freeing them from the tyranny of the sys admin. Simultaneously, the information security industry was born, offering instant solutions to new classes of problems.

Then the Internet blossomed, joining up the dots. End-users, empowered and online. The next iteration, and an even bigger security industry.

The cycle is repeating itself, as cycles do. Roll forward a decade or so. AV is yesterday’s discussion, and every one of us is the administrator of perma-connected mobile devices.

We now have a massive security industry, and hacking and data loss is a bigger issue than ever before. Why?

The simple answer is that the security industry never actually catches up with innovations elsewhere (not forgetting that innovation happens both legitimately and illegally).  Also, there are some serious constraints that any security technology has to work within:

  1. End-users will resist being functionally restricted.
  2. Ease of use is, and always will be, paramount.
  3. Most end users do not perceive security issues, do not know who to trust and will often make poor security decisions.
  4. About 35% of the World’s population are currently on the Internet, and the figure continues to climb steadily. Solutions have to be capable of massive scaling in the future.
  5. All user-facing technologies have to innovate within the constraints above, or risk becoming niche or irrelevant.

Technology that is secure but hard to use will fail to make an impact. Technology that is easy to use but does not improve security will fail to make an impact. There have been plenty such products over the years.

Which (apart from the Internet statistic) is exactly where we were decades ago. In that sense, the industry has not moved at all, but has merely repeated itself on a bigger scale. It’s easy to become frustrated by this (frustration is a common complaint in the security business) however, there are some positive effects.

Firstly, now that we’re in this third cycle, we’re past the “we know what we don’t know” phase. Which means that many of the behavioural aspects of human-computer interaction are well understood. We understand the kinds of decisions people make when interacting with technology (the bad guys know this too, but let’s gloss over that for now).

Secondly, we’re just beginning to understand what doesn’t work in the vital task of establishing trust. Technologies such as SSL have been shown to be flawed because of their susceptibility to human error and implementation faults – clearly we need something better. Projects like Convergence seek to replace the flawed certificate authority system that underpins the trust SSL is supposed to provide, asking several independent notaries what certificate they see for a host rather than trusting whichever CA signed it. It’s still early days, but this is real innovation.
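The notary idea behind Convergence can be illustrated in a few lines. The following is an added example written for this page, not Convergence’s own code or protocol: the client fingerprints the certificate it received in the handshake, compares it with the fingerprints reported by several notaries, and trusts the connection only when a quorum of reachable notaries agrees. The certificate bytes and notary responses are constructed test data, and the notary names and the quorum size are assumptions chosen for the example.

```python
"""Multi-notary certificate check, illustrating the trust-agility idea behind
Convergence. Added example for this page, not Convergence's own code. The
certificate bytes and notary responses are constructed test data.
"""
import hashlib

# Constructed stand-ins for DER-encoded certificates. In a real client these
# would be the bytes presented by the server in the TLS handshake.
GENUINE_CERT = b"-- constructed DER bytes for example.test, genuine --"
MITM_CERT = b"-- constructed DER bytes for example.test, attacker-issued --"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def notary_consensus(observed: bytes, notary_views: dict, quorum: int):
    """Decide whether to trust the certificate the client observed.

    notary_views maps a notary name to the fingerprint that notary reports for
    the host, or None if the notary could not be reached. Returns a tuple
    (trusted, reason).

    Unreachable notaries never count toward the quorum, so an attacker who can
    block notary traffic can only force a failure, never a false "trusted".
    Notaries that report a *different* fingerprint are strong evidence that the
    client's connection is being intercepted.
    """
    want = fingerprint(observed)
    answered = {name: fp for name, fp in notary_views.items() if fp is not None}
    if len(answered) < quorum:
        return False, (f"only {len(answered)} of {len(notary_views)} notaries "
                       f"reachable; quorum is {quorum}")
    agree = sorted(name for name, fp in answered.items() if fp == want)
    disagree = sorted(name for name, fp in answered.items() if fp != want)
    if len(agree) >= quorum:
        return True, f"{len(agree)} notaries agree with the observed certificate"
    return False, (f"observed certificate matched {len(agree)} notaries and was "
                   f"contradicted by {disagree}")


def scenarios():
    """Three constructed situations: clean connection, interception, notary outage."""
    genuine = fingerprint(GENUINE_CERT)
    all_up = {"notary-a": genuine, "notary-b": genuine, "notary-c": genuine}
    mostly_down = {"notary-a": genuine, "notary-b": None, "notary-c": None}
    return {
        "clean": notary_consensus(GENUINE_CERT, all_up, quorum=2),
        "intercepted": notary_consensus(MITM_CERT, all_up, quorum=2),
        "outage": notary_consensus(GENUINE_CERT, mostly_down, quorum=2),
    }


if __name__ == "__main__":
    for name, (trusted, reason) in scenarios().items():
        print(f"{name:12s} trusted={trusted}  ({reason})")
```

The interesting case is the interception scenario: the attacker-issued certificate might carry a perfectly valid CA signature, yet it still fails because the notaries, looking at the host from their own network positions, see a different certificate. That is the property the paragraph above calls trust agility: the decision no longer rests on any single signer.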

Third time lucky, there’s every reason to be optimistic.

Mastercard Best Practices for Mobile POS Acceptance

Mastercard has released “Mastercard Best Practices for Mobile Point of Sale Acceptance”.

If you’re a POS solution developer, you’ll be interested in this document as it provides guidance on how to develop your solution, and if you’re a merchant, it provides you with guidance on the kinds of features your intended mobile POS implementation should support.

Solution developers are strongly advised to adhere to the P2PE (point-to-point encryption) standard, a message that comes as no surprise given the cross-brand endorsement of the P2PE standard. Read the P2PE FAQ for more information about the standard.

Download the Mastercard PDF document here.

Which Applications Are Eligible for PA DSS?

A frequently asked question, and one that is neatly addressed in the PCI SSC guidance note available from here.

In summary:

If you can answer “yes” to any of the following questions, then your application is not eligible for validation under PA-DSS (but it may still be required to operate in a PCI DSS compliant fashion).

  1. Is this a beta version of the application?
  2. Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement?
  3. Does the application facilitate authorization or settlement, but has no access to cardholder data or sensitive authentication data?
  4. Does the application require source code customization or significant configuration by the customer (as opposed to being sold and installed “off the shelf”) such that the changes impact one or more PA-DSS requirements?
  5. Is the application a back-office system that stores cardholder data but does not facilitate authorization or settlement of credit card transactions? For example: reporting and CRM, rewards, or fraud scoring.
  6. Is the application developed in-house and only used by the company that developed the application?
  7. Is the application developed and sold to a single customer for the sole use of that customer?
  8. Does the application function as a shared library (such as a DLL) that must be implemented with another software component in order to function, but that is not bundled (that is, sold, licensed and/or distributed as a single package) with the supporting software components?
  9. Does the application depend on other software in order to meet one or more PA-DSS requirements, but is not bundled (that is, sold, licensed and/or distributed as a single package) with the supporting software?
  10. Is the application a single module that is not submitted as part of a suite, and that does not facilitate authorization or settlement on its own?
  11. Is the application offered only as software as a service (SAAS) that is not sold, distributed, or licensed to third parties?
  12. Is the application an operating system, database or platform; even one that may store, process, or transmit cardholder data?
  13. Does the application operate on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing?

Point 13 above is expanded upon in the SSC document “Mobile Payment Acceptance FAQ”, where the different categories of mobile payment acceptance applications are detailed.