The Green Sheet Online Edition
March 14, 2011 • Issue 11:03:01
Security in a mobile world
The way merchants and customers conduct business is changing right in front of our eyes, and all professionals in the payments industry must keep informed about these changes to manage and support their portfolios properly.
I'm not just talking about industry changes here, like the rise of Payment Card Industry (PCI) Data Security Standard (DSS) obligations, but about more fundamental changes in how we all communicate and work.
A dramatic change occurring is the shift from 'fixed' or stationary devices like desktop computers to mobile devices such as smart phones and netbooks. No one has a crystal ball, but all the signs are that this trend will continue for a long time and become a permanent part of the technology landscape.
A change of this magnitude has multiple repercussions. One of the biggest pertains to security. Unfortunately, many standard ways of thinking about security and solving security problems were developed in the old, fixed-devices world and don't work properly in the mobile world.
This means everyone affected by mobility (that means everyone) needs to rethink security almost from the ground up. This article will look at security in a mobile world. In a later article, I'll look specifically at the PCI implications of handling bankcard payments in a mobile world.
Most significant in the mobile world is that the idea of a perimeter is becoming irrelevant. In the fixed-device world, many security problems could be solved by treating your network like a castle that needed strong walls and a moat surrounding it.
This kept the bad guys on the outside and let the good guys operate safely inside. An entire industry developed around perimeter firewalls, intrusion detection, hardware-based network encryption and so on. These solutions haven't suddenly stopped working, but we have outgrown them in a number of ways.
For example, merchants who accept payments on smart phones that communicate to processors via the Internet are not operating inside any network they control; they don't have a perimeter to hide behind.
Similarly, they don't get additional protection from devices dedicated to providing encryption or intrusion detection. Instead, smart phones are directly exposed to hostile networks and environments.
Assuming greater personal responsibility
Thus, today's devices and solutions have to take much more responsibility for their own security. Lacking a firewall or anti-virus perimeter, devices should ideally have their own built-in security protections.
These should be configured correctly (since they can't rely on being protected by a perimeter device that is configured and managed by an administrator).
Mobile device communications are also more complex and risky, and these issues are amplified by rapidly changing methods of communication. So you're expected to hit a smaller, more rapidly moving target than ever before. Formerly, there was typically only one way to communicate: via the local area network, which led eventually to the Internet.
The emergence of wireless devices made things much more complicated from a security perspective. And modern smart phones can communicate via cellular network protocols in addition to wireless and Bluetooth, and can change between these different solutions automatically based on their own efficiency algorithms.
This added complexity makes it much harder to ensure that security is in place. Mobile devices are also at risk from low-tech dangers. For example, the fact that they are so small, and get taken everywhere, makes it far more likely that they will be lost or stolen.
It can be difficult to figure out what to do about the mobile issue when so many of the details and circumstances are new and changing so rapidly. Thus, a key part of handling this issue has to be regularly revisiting it, because even if you have the best possible answers for now, a few months will probably bring new features, solutions or problems, and everything will need to be reconsidered.
The first thing to recommend to your merchants and partners is to avoid risk wherever possible, rather than try to tame it.
For example, the theft or loss of cardholder data is a key danger for merchants. All the risks to stored cardholder data can be avoided by not storing cardholder data on mobile devices.
When that isn't practical, the fall-back position is to make sure all such data is encrypted. (Everyone should always follow this advice regarding sensitive data on mobile devices, not just cardholder data.)
The danger to data in transit (eavesdropping or modification while data is being sent from smart phone to processor) can be reduced by always using hardware or software that employs encryption when transmitting sensitive data.
For now, while the technology and the solutions are new and unsettled, it makes sense to rely exclusively on solutions that have gone through careful testing by experts and are delivered by trusted providers.
Because most mobile devices employ immature technology, they are typically limited in what they can do, both right and wrong.
For example, until recently Apple Inc. iPhones could only run one application at a time (they did not support multitasking), so they couldn't run a firewall or anti-virus process in the background, nor could attackers hide malicious programs in the background.
As these devices evolve and expand their capabilities, more tools (such as firewalls and anti-virus programs) will become available, but the devices will also become more susceptible to new attacks: yet another reason for regularly revisiting security issues.
In the meantime, the following security principles still apply and can help protect your business:
- Don't install software unless you need it on a particular device and you have a good reason to trust it.
- Keep work responsibilities and data on a separate device from computers or smart phones used for your personal entertainment.
- Don't treat security as if it's just a technology issue: make sure you have the right policies and procedures in place, and train your staff on what to do and what not to do.
Following these recommendations will go a long way toward letting you (and your merchants) enjoy the benefits and convenience of mobility without sacrificing security.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.