Dec 04, 2015
Mobile Payments: Protecting Applications and Data from Emerging Risks
Holiday shopping season is upon us, and more and more buyers will be leaving their credit cards and cash in their pocket, and completing their holiday purchases via their convenient mobile phones and tablets. Most mobile payment solutions are very secure – and in fact, more secure than the old- fashioned swiping of a credit card at a point of sale terminal. But, in light of the recent rash of mobile app attacks (including Key Raider, XcodeGhost, and Shuanet) and new attack vectors that have recently emerged, we wanted to provide input for organizations that are revisiting their mobile payment security approach in preparation for the holiday shopping rush.
What threats should you be concerned about?Techniques hackers are using to attack mobile payments continue to evolve. There are many attack points, but the most critical ones we see are summarized in the table below: Of particular importance in most mobile payment apps is cryptography. We highlight cryptography because:
- In most mobile payment apps, it’s used to encrypt data and ensure secure communications between the mobile app and the back- end server handling the transaction.
- Many organizations don’t protect their keys or think it is too difficult to protect them. In fact, 80% of respondents to a Ponemon Institute survey sponsored by IBM identified broken cryptography as the most difficult risk to minimize.
- Unfortunately, crypto keys represent a prime target, as hackers are utilizing a broad set of tactics to discover keys, including extracting them though memory scraping techniques. With access to an application’s crypto keys and algorithms, hackers obtain “keys to the kingdom” that unveil data and app security measures, making it quite easy for hackers to circumvent security controls and/or tamper with application logic to steal payment and personal information.
What Protection Techniques Should you Focus on?There is no shortage of attack vectors, so the real question is: “What are the most important factors to focus on, given limited resources and time?” We believe that you’ll get the best results by taking an integrated approach that includes:
- Compromised device detection
- User authentication
- Data protection
- Run-time application protection
- Static keys – Embedded in applications when they ship
- Dynamic keys – Generated on the fly at run-time
- Sensitive user data
- Download mobile apps only from official app stores (e.g. Google Play®, iTunes®, Facebook®, etc.)
- Ensure that their phone settings are set to prevent app downloads from unofficial stores (they may want to check their mobile phone’s User Guide for instructions.)
- Ensure private data and transactions are secure when using mobile apps, by asking their banks, retailers and credit card providers if mobile apps have been safeguarded against hacks such as: reverse-engineering, tampering or malware insertion.
- Avoid mobile payments over public Wi-Fi. If that’s unavoidable — because they spend a lot of time in cafés, hotels, or airports etc. -- then they should consider paying for access to a virtual private network that will significantly improve privacy on public networks.
- Follow their instincts. If something about the payment transaction appears to be suspicious, they should consider making the payment later on, or by a different means.