Wednesday, September 18, 2024

Mobile-Payment Apps Store And Leak Critical Data, Security Expert Says

Mobile payments are the buzz of the financial industry, but merchant acquirers and independent sales organizations thinking about adding applications that facilitate payments from smart phones need to be especially careful about data security. Many existing apps store consumer information or otherwise expose data to compromise, according to an executive with a data-security testing firm.

In recent security tests of 100 leading apps for smart phones, Oak Park, Ill.-based viaForensics said only 17% passed, 40% failed, and the rest got a warning about vulnerabilities, according to Andrew Hoog, the company’s chief investigative officer. Hoog, who spoke on Thursday at the MidWest Acquirers Association annual conference in Oak Brook, Ill., added that the tests involved only such “low-hanging fruit” as user names, passwords, and account numbers.

In the tests, viaForensics researchers recovered user names from 76% of apps, passwords from 10%, and data from 69%. The slightly better news, according to Hoog, was that 44% of the apps from financial institutions passed.
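A defender-side check for the "low-hanging fruit" described above, as an added example that is not viaForensics' tooling: it walks an app's on-device data directory and flags Luhn-valid card numbers and plaintext key/value credential pairs in raw file contents, which catches SQLite pages and preference XML alike. The sample data directory is constructed inline.

```python
import os
import re
import sqlite3
import tempfile

# 13-19 digit runs (candidate card numbers) and obvious credential keys.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CRED_RE = re.compile(r"(?i)\b(password|passwd|pin|username)\b[^\w]{1,4}(\w+)")

def luhn_ok(digits):
    """Luhn checksum; filters most random digit runs out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_file(path):
    """Scan raw bytes so SQLite pages, prefs XML and logs are all covered."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="ignore")
    name, hits = os.path.basename(path), []
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append((name, "card-number", m.group(1)))
    for m in CRED_RE.finditer(text):
        # Report the key only; the finding should not re-leak the secret.
        hits.append((name, "credential", m.group(1).lower()))
    return hits

def scan_app_dir(root):
    """Return all findings under an extracted app data directory."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            hits.extend(scan_file(os.path.join(dirpath, fname)))
    return hits

def build_sample_app_dir():
    """Constructed stand-in for an app's data directory (not a real app)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    with open(os.path.join(root, "prefs.xml"), "w") as f:
        f.write('<map><string name="username">alice</string>'
                '<string name="password">hunter2</string></map>')
    db = sqlite3.connect(os.path.join(root, "wallet.db"))
    db.execute("CREATE TABLE cards (label TEXT, pan TEXT)")
    db.execute("INSERT INTO cards VALUES ('visa', '4111111111111111')")
    db.commit()
    db.close()
    return root
```

Run it against a real extracted data directory of your own app; any hit means the value reached flash storage unencrypted.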

Smart phones and their apps have a number of vulnerabilities. “Mobile is different” from Web applications designed just for personal computers, according to Hoog. “It requires a different set of techniques to secure it.”

The always-on Internet connections of smart phones add to risk, and the flash memory they use also has its own vulnerabilities. Also, mobile apps can be easily downloaded and picked apart by hackers at their leisure, Hoog added. “Your app, by definition, must be publicly available,” he said.

Add to that the mix of corporate and personal data often found on smart phones and you’ve got a tempting target for hackers looking to harvest and then sell card numbers or bank-account credentials. “I kind of win if I’m the bad guys” and get hold of such data, said Hoog.

Besides recovering data, viaForensics in its testing has been able to inject data into mobile apps. In one test involving a bank app, the company was able to create a fake ATM location and direct customers' mobile traffic to its own office, according to Hoog. In other instances, viaForensics found mobile apps vulnerable to so-called man-in-the-middle attacks, in which hackers can intercept online digital traffic.

Hoog recommended to his audience of acquiring and ISO executives that they shore up their mobile-app security before Congress imposes standards that they might not like. Spurred by recent high-profile data breaches at Sony Corp.’s PlayStation game system and Citigroup Inc., lawmakers this year are again mulling online data-security bills. They’ll surely devote more attention to the issue once they resolve the pressing debt-ceiling and budget controversies they’re preoccupied with this summer, according to Hoog. “You need to be ahead of that game,” he said.

Digital Transactions