Sunday, January 30, 2011

Mobile Payments: One Trillion More Reasons to Think About Mobile Security

It is hard to think of anything more attractive to hackers than a widely-deployed digital payment system. And the world is now witnessing the fastest rollout of a digital payment system ever, to your mobile phone, a.k.a. smartphone, cellphone, iPhone, tablet/slate, i-device. Consider just two stories that appeared one day last week:
"With corporate behemoths such as Starbucks Coffee Co. and McDonald's Corp. leading the way, 50 percent of consumers will have made a mobile payment of some kind by 2014, according to Juniper Research."
And "according to this report, U.S. mobile payments could reach $1 trillion by 2015."
That's one trillion dollars with a "T" headed to a bunch of devices that are, from an historical IT perspective, barely out of beta testing. Consider a couple of random stories I found hanging around in my browser cache when I sat down to write this post:
November 2, 2010: An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday.
December 29, 2010: Mobile security firm Lookout is sounding the alarm about a Trojan targeting Android devices that, while confined to China so far, represents one of the most sophisticated pieces of malware it has seen to date. The malware, named “Geinimi” is the first Trojan to display botnet-like capabilities, allowing it to receive remote commands...
And don't think that using an iPhone or BlackBerry will eliminate security risks. Just check out this page of stories about password cracking software available from Russia. Something to bear in mind when you read that "MasterCard's PayPass wallet application can be password-protected so that a lost or stolen handset cannot be used to make payments."
But let's get back to what I meant when I said it's hard to think of anything more attractive to hackers than a widely-deployed digital payment system. Notice I didn't qualify "hacker" in this context. That's because hackers of all stripes find computerized payment technology fascinating. Back in 1995, when I spoke for the first time at DefCon, the now legendary annual hacker convention in Las Vegas, the speaker ahead of me presented a detailed explanation of just how easy it was to make fake credit cards that worked.

When I cited that presentation as an example of the damage that hacking could do, the response was vociferous and articulate and could be summed up like this: The banks are to blame for using such lame technology when a few tweaks to the system and a little more effort could actually make it a lot more secure, as shown in the presentation.

That was a valuable lesson for me. Not everyone who hacks payment systems is out to steal your money. Hence the useful qualifier "criminal" as used by my friend and colleague Mich Kabay, who is always careful to say criminal hackers when that is the type of hackers to whom he is referring. A lot of people see a spectrum of hackers. One can describe it, if you leave out the nuances, like this: black hat hackers who are criminally-minded, gray hat hackers who may hack for profit, and white hat hackers who are trying to find solutions to hacks before the hacks are widely exploited (and may profit professionally for so doing).

What I'm saying is that every shade of hacker is likely to look long and hard at hacking mobile payment systems, from those who want to hack the system for illegal gain to those who seek to gain fame for finding the holes. The question is: Can the systems now being rolled out withstand the scrutiny? History gives me a clear answer: No.

Unless some fundamental changes have occurred in the technology and banking industries, changes of which I am unaware, that negative answer has a high probability of being right. I predict holes will be found and some of those holes will be exploited for illegal gain before they are plugged. I also predict that:
  • Mobile payment systems will still be rolled out, and 
  • Companies that already have a good track record in mobile security will do very well this decade.

Tuesday, January 25, 2011

One to Watch: MAD's MECS is mobile security made real

There is no doubt in my mind that the new information security frontier is mobile, as in mobile phones and mobile pads/slates/tablets. More and more data is going to be processed by, stored on, and accessed from mobile devices. You can see this very clearly if you spend any time in the world of consumer marketing where the biggest buzzword right now is "mobile" as in mobile advertising, mobile shopping, and mobile payments.

And where the money goes, criminal hacking is sure to follow, along with scams, spammers, phishing and fraud. Which is why I've been very interested for a while now in a mobile security company called MAD, a company of which my good friend Winn Schwartau is Chairman.

MAD's flagship product has already won several awards like this. And I can assure you that awards like these don't grow on trees. Industry analysts don't like to get burned by endorsing flash-in-the-pan products that leave them looking all egg-faced in 12 months if the product peters out. Bear that in mind when you read this assessment:
“The Mobile Enterprise Compliance and Security Server (MECS) innovative solution focuses primarily on delivering a new dimension of security, management and compliance to enterprises. Compared to standard mobile device management (MDM) solutions, which are not regarded to be viable security platforms, M.A.D.’s offering promises to provide the utmost protection for mobile enterprise devices.” and goes on to state that “Owing to the extensive capacity offered by M.A.D.’s solution, Frost & Sullivan feels that the company has gained a significant advantage compared to its competitors...”
Pretty impressive! MAD's MECS is definitely one to watch as the struggle to secure the mobile frontier heats up in 2011.