Wednesday, April 06, 2011

Confidentiality and mobile wallets

One thing that is great about doing a cash payment transaction is that very little uncertainty exists in making the payment: you either have the money in your pocket or you don't. When asked about mobile banking, most people are uncomfortable about fraudsters getting access to their personal information and then doing transactions on their behalf. The ease with which information can be stolen is an important topic in the world of mobile banking and I was made aware of this in a recent article from Software Advice written by Michael Koploy that I read.

Unfortunately, in the case of mobile security, simple is better. It is the much more complex phones with their multi-feature operating systems that scares me. It is now possible to develop all kinds of interesting applications that could potentially sit and listen or present in another format. Clever developers can build applications living in these operating systems (Android, Apple etc.), that could potentially steal sensitive financial information and send it off to another recipient. Michael argues that application developers and operating system producers should be the gate-keepers to the security of mobile phones. This is unfortunately a pipe-dream. Somewhere one will find a rogue developer that will flex his/her skills to get (in)famous by stealing sensitive information.

I believe that the solution can be found through a combination of some of the following:
  • Education to ensure that rogue applications do not get installed easily. Consumers must be taught that one should not install any old applications on a mobile phone.
  • Building mobile banking applications with simple security designs that are easily understood. For instance building security on simple PIN entry mechanisms that most people understand and can relate to.
  • I believe that hardware and firmware manufacturers should become part of the solution. Security designs should ideally utilise primitives available in the phone or the SIM card and this should be visible to the consumer.
Phones with more features are great for the average consumer, but bad news for the designers of mobile banking solutions.


Frans Stander said...

While identifying these security risks, an extract from the following article, confirms the growing trend of access to personal information from these ever increasing applications:

Extract from: "The 5 Most Popular Mobile Banking Apps in America
Gwynneth Anderson, Investing Answers
Wednesday, April 20, 2011 - 15:25"

"Yes, But Is It Safe?
These days, smartphones are our wallets except that they carry a lot more personal information than perhaps a traditional wallet ever did. Lose the phone and identity theft takes on a whole new meaning.

Our smartphones, and the large number of easily downloadable apps, work overtime as our social networks, video game providers, radio stations and, from time to time, our mobile phone booths. Yet IT World reported that 89% of mobile phone owners don't realize that many smartphone apps can transmit personal information, while 91% were unaware that these same apps can be infected with malware specifically designed to steal banking details. 29% of smartphone users even admitted to storing credit and debit card details on their phones, thus leaving themselves open to easy identity theft pickings should these files be accessed by thieves.

Since mobile payments in North America alone are estimated to reach $288.4 billion by 2014, these security issues are all the more reason to use commonsense when accessing mobile banking platforms. Here are a few best practices to help protect yourself against potential identity theft through your mobile phone:
•Avoid using obvious passwords to access bank accounts.
•Realize that not all apps are safe and malware-free.
•Choose apps from your bank's website or the iTunes store as the best security bet.
•Check your bank statements for any unusual activity.
•Remember to log out completely from any app or website after you're done.
•Have a Plan B to alert financial institutions in case the phone is stolen.

As a final preventive measure, smartphone owners can also sign up for phone locating and wiping services such as MobileMe for iPhones or Total Equipment Protection for Android and Blackberry. This service allows users to remotely delete personal or sensitive financial information if their phone goes missing or is stolen." - End of extract -

My personal view is that an international body should certify so called "safe apps" by means of a similar solusion as that of the "Verisign" and that such pre-installed verification stamp platform would then allow/disallow any attempted application to be downloaded to any device. The mobile manufacturers which have included such a verified stamping platform as a standard on their devices, could then lay claim on the security level of such mobiles for safe application downloads. It will be interesting to follow industry attempts to provide an industry standard security on this aspect.

ABitLost said...

I couldn't agree more - simple is better when it comes to mobile platform security. However, the smartphone genie is out of the bottle already. The tussle between functionality that customers will want on mobile platforms and data security that finserv institutions will want to provide is just getting started up.

A short term solution could lie in the division of customer liability. Simple and basic functionality (e.g. mobile payments) that can be made more secure is the liability of the provider. However, if the customer wants enhanced functionality, then they must also accept the liability of fraud. Just some initial thoughts...