The Green Sheet Online Edition
July 08, 2013 • Issue 13:07:01
Why mobile should scare the app out of you
The last time I allowed a merchant to process my credit card through a tablet or smartphone device, I wondered if cash would have been safer. I wondered if a cybercriminal could easily intercept the information streaming from the merchant's device, and if my credit card data was floating in some hacker's database, waiting to be sold and used in a fraudulent online purchase.
Though a bit dramatic, I must admit that as a security professional, those thoughts have crossed my mind quite a bit in the past year. I wonder if you've had similar concerns since the advent of mobile payments.
According to Constant Contact Inc., one out of every five small businesses that utilize mobile technology run credit cards through a tablet-based POS solution. Though mobile payments are growing exponentially, the security portion of processing credit cards via mobile devices is somewhat neglected by merchants. Mobile payments add an entirely new dimension to transaction security - and not in a good way.
Get up to speed with the issues
Mobile processing is a double-edged sword. On one hand, it allows merchants more processing flexibility, which increases revenue for merchants, acquirers and ISOs, but it also has the potential to dramatically increase fraud. The problem with mobile devices is that they weren't made for security or payment processing. Hackers know it, but consumers and merchants may not be aware of the vulnerabilities involved.
Mobile devices can turn on your car, dim your house lights from 10 miles away and take your pulse. Because mobile devices are so technologically advanced, the general populace doesn't question mobile security. How could a device so innovative not securely process a credit card? While that sugarcoated thought clouds the population's judgment, thousands of malicious apps are created by cybercriminals, putting merchant smartphones and tablets at risk of payment card theft.
What you need to know
Mobile devices are exposed to the same threats as computers - namely malware, viruses, botnets, bad Internet connections, etc. - but the hardware and software are created with significantly less security safeguards than computers. Unlike typical POS systems, mobile devices don't include firewalls or other safeguards, and they are automatically connected to the Internet.
Another problem is "jailbroken" devices. Jailbreaking is the process of removing limitations manufacturers put on devices. It is common among users who wish to get free apps or increase processing speed, but it also strips a device of programmed protections and operating system security.
One of the security drawbacks with a smartphone or tablet is that it's difficult to guarantee an app is malware-free when it enters an app store, and is downloaded by merchants or consumers.
Hackers repackage apps, or create their own malicious apps, to be downloaded by unsuspecting mobile users. Those bad apps have the power to steal credit card information, listen to text and audio conversations, shuffle default settings, read information from other applications, or even control the actions of the entire device. Thousands of malicious apps are downloaded through official software stores daily.
Merchants that use encrypt-at-swipe readers are on the right track to a secure processing environment. However, as soon as that merchant manually types in a credit card number that stubbornly refuses to be swiped, the game is over. Manually typed data is not encrypted, and a rogue app could be recording those numbers.
Where it concerns you: fees and revenue
Merchants who process on mobile devices present a new liability concern to acquirers and ISOs. The PCI Security Standards Council doesn't segregate between a mobile breach and a typical POS breach. No matter how consumer payment cards are compromised, someone has to pay for financial penalties, and if your merchants can't afford them, it may be you.
On a more positive side, securing mobile transactions is a potential source of revenue for your business. Because your entity is at increased risk per mobile-device POS user, you have the right to regulate the security of those devices.
Mobile device vulnerability scanning is a great way of identifying which merchants are following Payment Card Industry (PCI) Data Security Standard (DSS) mobile best practice guidelines.
Acquirers looking to increase both revenue and security can penalize businesses that haven't kept up on mobile safety by regularly testing the security of devices through a security scanning app. These apps include dashboards for acquirers to identify the severity of at-risk merchants and may offer referral commissions.
How to protect merchants from mobile vulnerabilities
Merchant education is a good place to start monitoring the security of mobile transactions in your portfolio. I've compiled a list of five mobile security best practices to share with your mobile merchants. Please be aware of these recommendations as you promote your own mobile processing solutions as well.
- Use an encrypt-at-swipe piece of hardware that attaches to your smartphone or tablet to securely process payment cards.
- Do not manually key in customer credit card data. While your hardware card reader may encrypt sensitive information at-swipe, your phone does not have that secure capability.
- Update both OS and app software so any discovered security holes can quickly be patched.
- Read up on the PCI Mobile Payment Acceptance Security Guidelines for Merchants, and follow all its instructions. Though there is not yet a mobile standard, mobile device security is still directly enforced under PCI DSS requirements.
- Use mobile scanning tools to ensure your devices are tested for mobile processing security. Don't forget to promptly remediate any discovered vulnerabilities.
Not a serious problem - yet
The reason you haven't yet heard about a large-scale mobile breach may be because mobile transactions are thinly spread among small merchants. Luckily for you, your merchants and general consumers, it's likely hackers are more concerned with obtaining large sums of credit cards from known, high-transaction areas. However, as more merchants process via mobile, they will surely gain hackers' attention.
Hopefully, for all of us, mobile technology will move quickly into a secure direction, and hackers will have no time at all to develop a profitable way to breach mobile devices. But I wouldn't count on it. As the mobile payments trend grows, so will attacks on merchants processing via mobile devices.
Jake Young is Director of Business Development for SecurityMetrics, and can be reached at firstname.lastname@example.org or 801.995.6340. SecurityMetrics is a global data security and compliance company and offers mobile vulnerability scanning programs and solutions for processing and acquiring entities.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.