Drawn by the prospect of gaining speed, convenience, and efficiency, businesses and individuals have been steadily moving their assets into digital environments. For many, that environment is their smartphone. While smartphones have become an invaluable source of convenience, they are also becoming a common cause of data loss.
This blog explores the evolution of smart phones into today’s mobile wallet, the potential dangers that accompany it, and some valuable tips on how to mitigate these risks.
Mobile wallets like Apple Pay, Google Pay and Samsung Pay enable consumers to purchase items through their phones. Many of those who use this payment method often do it for convenience (e.g. they don’t like carrying cash). Others are drawn to it because it matches their behavior (i.e. they always prefer to be virtually connected – even to their wallets). Hence, these people take their phones everywhere and relish the ability to accomplish multiple tasks in one device.
While adoption has been slow, this study conducted by Forrester Consulting for JPMorgan shows that tech-savvy, early adopters appreciate the idea of using digital wallets. The survey found 41% of respondents already used digital wallets on a weekly or daily basis, and 63% said being able to use a digital wallet had at least some effect on their willingness to buy from a business.
From a security perspective, Apple, Google, Samsung, and other major players in the mobile payment space have built several innovative solutions to secure not only the sensitive data that accompanies these transactions (e.g. credit card numbers) but also the various processes involved in carrying them out.
For example, most digital wallets support near field communication (NFC) based transactions. That alone introduces a certain level of security: NFC requires the user’s phone to be in close proximity to the NFC reader, which makes it very difficult for an attacker to carry out a man-in-the-middle attack during that step of the transaction.
Secondly, most of these mobile wallets use tokenization to avoid storing sensitive data on the device itself. Even if an attacker somehow gets hold of a tokenized number, they wouldn’t be able to transact with it.
Third, the devices these digital wallets are stored on use biometrics, such as Touch ID (or Face ID in the case of the iPhone X), to authenticate users before allowing a transaction. Even if an attacker steals the device, they would still have to bypass the biometric security features to access the digital wallet apps and complete a transaction.
These are just some of the many layers of protection being employed to secure these mobile wallets. But despite these advanced controls, mobile payments still have some significant weak spots.
Convenience vs. security
Weaknesses aren’t necessarily found in the mobile wallet itself (i.e. the app or device) but are nevertheless part of the processes integral to using the wallet. In the case of Apple Pay, one of the vulnerabilities manifests in the verification process required for provisioning a card to Apple Pay. It’s easy to add a card to Apple Pay. You can either select a card already on file with iTunes or you can scan a physical card using your iPhone’s camera. However, before you can start using that digitized version of your card, your bank still must verify its legitimacy.
Here we see a problem: the verification process isn’t always strict enough. Banks want the process to be convenient – otherwise, consumers won’t adopt the service in significant enough numbers. But this means cyber criminals who have a victim’s personal information (perhaps from one of the many data breaches) can easily pass the verification process.
Cyber criminals simply install Apple Pay on their own iPhones, set up the stolen credit cards, and use Apple Pay to make fraudulent transactions.
Here’s another vulnerability: by default, iPhones are set to automatically join known networks once they come into range. Very convenient for the user who doesn’t want to manually connect to Wi-Fi every time they want to connect to the Internet (which, let’s be honest, is pretty much all the time).
So if you’ve set up your phone to join, say, ‘starbuckswifi01,’ the moment it detects an access point named ‘starbuckswifi01’ that has the same password as the original access point, it will automatically join that network.
Security researchers have demonstrated this attack with a rogue access point that spoofed a known network near an Apple Pay-ready POS terminal. In the demonstration, an iPhone connected to a network pretending to be the coffee shop’s, and the user (presumably fresh from an Apple Pay transaction) was shown a screen masquerading as an Apple Pay form requesting credit card information. If the user believed the procedure was part of a normal transaction, they could innocently enter their credit card details as requested. Those details would be beamed straight into the hands of the criminals.
There’s a trend here. Companies who accept mobile payment methods or the people using digital wallets have the tendency to favor convenience at the expense of security.
Why am I not surprised? Convenience has a habit of winning out over security. It’s understandable; whenever organizations lean too heavily on the latter when introducing a new process, end users usually find ways to circumvent or reject the process altogether.
But this has got to change. The cybercrime industry has already exceeded the profitability of the drug trade and continues to grow at a frantic pace. Businesses and consumers need to come together to at least slow down this juggernaut. How can users do their share?
Security best practices when using mobile devices
With the growing adoption of BYOD (bring your own device), more people are combining their personal and work lives in one device. This poses risks, especially to enterprise data. If your personal phone and work phone are one and the same, you need to be conscious about security even if it means sacrificing some degree of convenience.
Below are some tips on how to secure your mobile device:
Don’t disregard software updates
Some people don’t take software updates seriously. Others even avoid them intentionally, fearing they might slow down their phone’s performance. Don’t be like these people. Most software updates include patches that fix known vulnerabilities present in the previous version. If you don’t update, those known security bugs (which are discussed on hacking forums shortly after updates are released) will leave your device exposed to exploits.
Switch off auto-join
The auto-join or auto-connect feature is prone to all sorts of man-in-the-middle attacks that don’t even have to be associated with mobile payments. If you don’t want your phone joining a rogue Wi-Fi router, simply switch that feature off. Losing a couple of seconds is far better than losing what’s in your bank account.
Use virtual credit cards
If you’re not using Apple Pay, Google Pay, or Samsung Pay but want a secure way of making credit card purchases from your phone, one way to do so is by using online solutions that allow you to create virtual credit cards, such as privacy.com.
Privacy.com enables you to make purchases online without revealing your real credit card number, name, or address. If you transact with a site and that site gets breached, none of your credit card details are compromised. You can even set things up so that a specific virtual card will have a spending limit and can only be used with a certain vendor.
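The two protections described above, the wallet tokenization covered earlier and the merchant-locked, limit-capped virtual cards described here, rest on the same idea: the real card number stays in a vault and the merchant only ever sees a surrogate that is useless outside its intended context. The following Python sketch is an added example written for this post; it is not code from Apple, Google, Samsung, or privacy.com, and the names (`Vault`, `WalletDevice`, `make_cryptogram`) and the HMAC-based one-time cryptogram are a deliberately simplified stand-in for the EMV payment-token scheme real wallets use. It goes slightly beyond the text by also showing replay rejection via a monotonic transaction counter.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical surrogate record. The real PAN never leaves the vault;
# only the surrogate token is handed to devices or merchants.
@dataclass
class Surrogate:
    pan: str                          # real card number, vault-internal only
    device_id: Optional[str] = None   # wallet token: bound to enrolling device
    merchant: Optional[str] = None    # virtual card: usable only at this merchant
    limit_cents: Optional[int] = None # virtual card: spending cap
    spent_cents: int = 0
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    last_counter: int = 0             # highest transaction counter accepted


def make_cryptogram(key: bytes, counter: int, amount_cents: int, merchant: str) -> str:
    """One-time cryptogram over the transaction details (simplified EMV-style)."""
    msg = f"{counter}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Vault:
    """Constructed issuer-side vault: maps surrogates to real PANs and enforces policy."""

    def __init__(self) -> None:
        self._store: Dict[str, Surrogate] = {}

    def issue_wallet_token(self, pan: str, device_id: str) -> Tuple[str, bytes]:
        # Token is random, so nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(8)
        rec = Surrogate(pan, device_id=device_id)
        self._store[token] = rec
        return token, rec.key  # key is provisioned to the device's secure element

    def issue_virtual_card(self, pan: str, merchant: str, limit_cents: int) -> str:
        token = "vc_" + secrets.token_hex(8)
        self._store[token] = Surrogate(pan, merchant=merchant, limit_cents=limit_cents)
        return token

    def authorize(self, token: str, amount_cents: int, merchant: str,
                  device_id: Optional[str] = None, counter: int = 0,
                  cryptogram: Optional[str] = None) -> str:
        rec = self._store.get(token)
        if rec is None:
            return "declined: unknown token"
        if rec.device_id is not None:
            # Wallet token: must come from the enrolled device with a fresh cryptogram.
            if device_id != rec.device_id:
                return "declined: device mismatch"
            if counter <= rec.last_counter:
                return "declined: replay"
            expected = make_cryptogram(rec.key, counter, amount_cents, merchant)
            if cryptogram is None or not hmac.compare_digest(expected, cryptogram):
                return "declined: bad cryptogram"
        if rec.merchant is not None and merchant != rec.merchant:
            return "declined: merchant mismatch"
        if rec.limit_cents is not None and rec.spent_cents + amount_cents > rec.limit_cents:
            return "declined: limit exceeded"
        rec.spent_cents += amount_cents
        rec.last_counter = max(rec.last_counter, counter)
        return "approved"


class WalletDevice:
    """Constructed phone-side wallet holding the token and per-device key."""

    def __init__(self, device_id: str, token: str, key: bytes) -> None:
        self.device_id, self.token, self.key, self.counter = device_id, token, key, 0

    def pay(self, vault: Vault, amount_cents: int, merchant: str) -> str:
        self.counter += 1
        crypt = make_cryptogram(self.key, self.counter, amount_cents, merchant)
        return vault.authorize(self.token, amount_cents, merchant,
                               self.device_id, self.counter, crypt)


if __name__ == "__main__":
    vault = Vault()
    tok, key = vault.issue_wallet_token("4111111111111111", "phone-A")  # constructed PAN
    phone = WalletDevice("phone-A", tok, key)
    print(phone.pay(vault, 450, "coffee-shop"))                       # approved
    print(vault.authorize(tok, 450, "coffee-shop", "phone-B"))        # stolen token, wrong device
    vc = vault.issue_virtual_card("4111111111111111", "shop.example", 2000)
    print(vault.authorize(vc, 1500, "shop.example"))                  # approved
    print(vault.authorize(vc, 1500, "shop.example"))                  # limit exceeded
    print(vault.authorize(vc, 100, "other-merchant"))                 # merchant mismatch
```

The point the example makes is the one the post makes in prose: a token leaked from a breached merchant or a sniffed transaction is declined for any other device, merchant, or amount outside its policy, while the real PAN is never exposed to either party.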
Perform regular backups
You never know when your phone might be stolen or lost. When that happens, you might have to resort to the extreme step of performing a remote wipe. On the iPhone, this capability is activated through the Find My iPhone feature. However, a remote wipe erases all the data on that phone.
The good news is that you can still retrieve your data on another device. But you can only do so if you’ve previously created a backup. Backups can also come in handy in cases when your phone suddenly becomes completely unusable, like if you brought it swimming in a pool or dropped it off a cliff. Plus, they’re easy to do automatically by plugging your phone into your computer to charge.
Most technologies already inherently provide a substantial degree of convenience. But when we start asking for, or (in the case of businesses) offering more convenience than is necessary, we risk exposing ourselves to easily exploitable vulnerabilities. Since cybercriminals have been continuously improving their craft, it’s high time that we also stepped up our game to at least make their jobs a bit more difficult.