The Green Sheet Online Edition
July 11, 2011 • Issue 11:07:01
Thoughts on smart phone security
I read the cover story about mobile security in your June 13, 2011, issue with interest, but this article seems already outdated in its information. Mark Rasch seems to be repeating what he's heard in blogs, mostly, and has not done a lot of real-world exploring on his own. The Green Sheet readers need to have better information if they want to knowledgably compete in the mobile commerce markets.
The assertion that there are no antivirus or malware programs for mobile devices is simply wrong. Well-established PC antivirus vendors are all venturing into the mobile markets. Currently, titles from companies like ESET, Kaspersky, AVG and Lookout are available, many for free, and there are others of less notoriety.
As with all AV products, their effectiveness is debatable. The issue with mobile devices plugged into the same Internet our home and work computers are using has been, and will always be, more about careful use of the device itself than whether or not it can be properly armored using software - a dodgy proposition, but the point is that mobile security will come down to human behavior more than software protections that might be in place, just like in the PC/Mac world (read about Mac Guard malware to see further illustration of this point; believing any vendor's device to be invulnerable is a classic mistake).
The assertion that "someone can just take my phone and run transactions" does not appear to be based on any real-world testing of mobile payment applications. ROAM Data, for example, is a password protected app, does not allow you to save or store the password and automatically log in, etc., and that makes it more secure than most brick-and-mortar credit card machines, which rarely use password protection at all.
The assertion that "these are open systems," would be hotly debated by any iOS (Apple) developer. Apple audits apps sold in their App Store and wields total control over what may be sold there. Their decision to exclude apps has been famously arbitrary and could be by no means called "open." Perhaps the author had the Android OS in mind, but the article did not include that kind of detail.
The points about Square are made very late in the game, and I can't understand how this article is being published in June, when most of what was said has already been laid to rest by the announcement on April 27, 2011, that Visa had invested millions of dollars in Square, but is going to require them to use an encrypting stripe reader. This happened within days of Square announcing a deal to be sold in the Apple retail stores.
The article would have rung true if it were in the March issue, perhaps, but by time of publication, much of the information, and the opinions formed around it, have lost a great deal of value.
Elmhurst Financial Services
Thank you for your response to "Wising up about smart phone security," published in The Green Sheet, June 13, 2011, issue 11:06:01. We do want our readers to have accurate, timely information to help them engage in mobile commerce, and your input will contribute to this, as well as stimulate healthy debate.
Regarding your point about anti-virus and malware programs, the article did not assert that there are no anti-virus or malware programs; it stated that mobile devices lack them, meaning they are not being employed, which serves to reinforce the excellent point you made about how security has been and will always be "more about careful use of the device itself than whether or not it can be properly armored using software."
Also, the quote from Mark Rasch's blog article stating that "somebody could just pick up my phone, use it to make a payment or make a transfer, put the phone back, and I wouldn't know that anything had happened," was intended to express a fear on people's minds, not to convey research data. People often leave their phones out on their desks and tables because they use them frequently for multiple purposes, whereas bank cards are usually tucked away until needed to make a payment. The more mobile devices are used for making payments, the more people will have to treat them with the same care as the cards in their wallets, which is a new burden for consumers - as well as for merchants, whose standard POS devices are typically not as easy to carry away as mobile devices.
As far as the term "open" goes, we were using it to mean that the specifications and source code are shared with parties outside of the companies creating devices so that outsiders can develop apps.
And you are correct that we should have mentioned Visa's investment in Square Inc. We do want to point out, however, that as of early July, Square is not yet encrypting transaction data.
Thanks again for your helpful feedback.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.