Louie Stojanovski, Director of Regional Operations, APAC, Messaging and Mobile Media Division, VeriSign, in conversation with BizTech2.com talks about the potential threats associated with mobile transactions and what should be a CIO’s priority to safeguard these channels.
Please highlight the threats associated with mobile payments in the current scenario.
Security threats associated with mobile payments are not different from the ones related to online banking. There is room for snooping on the communication channels and for infesting devices with malware and rogue software, in addition to getting access to personal data. Mitigation of such threats is going to be similar, but of course there would be some difference in the technology used because of the difference in platforms. Participation of the players in the mobile channel (financial institutions, operators, aggregators and the like) is required to combat these threats.
How can mobile payments be secured and what technologies are available for the same?
Illegally accessing a mobile channel is a bit complex because specialised equipment is required to interrogate data that is being transferred over the air. However, obtaining such equipment is relatively easy, since it is freely available over the internet. What we can do to stop this is use an advanced level of authentication, like two-factor authentication.
Malware is a bit more difficult to deal with. Malware can enter your device in a variety of ways. Through channels such as text messages and email services over GPRS, you might not even come to know that you have been tricked into installing malicious code via a text or an email, resulting in the OS getting exposed. The good news is that there haven't been many cases of malware infestation on the mobile channel. Part of the reason is that the development lifecycle of mobile operating systems has been relatively closed. It's a closed group and hasn't exposed the OS to the hacking environment.
In recent years we have seen that companies have been opening these operating systems to a greater degree; recent examples might be the launch of operating systems like Mac OS X on the iPhone and Android, wherein you can download applications for your device. Now that the SDK is freely available for anyone to download, it has opened up the mobile platform to threat vectors and malware. That has to be taken care of at the OS level on the side of the mobile providers. Even platform providers can potentially check for any malicious code before making an application available for download.
Does the operator have a role in safeguarding the transactions?
As a service provider to a financial institution, there should be an interchange as far as the individual policies for security are concerned. Also, every player involved in the value chain needs to be taken into confidence. Typically, a financial institution connects to an aggregator to do the bulk message transfer. With the operator, when I push a message to an intended subscriber, I expect you to have some degree of control or management of the message and to have an extra layer of protection within your network. Operators by default have a good level of security; the core network of an operator uses an SS7 network, which is segregated from any other network, such as optical fibres etc., and that in itself provides some level of security.
What do you think should be the priority for a CIO of a BFSI establishment to safeguard mobile transactions?
For small-value transactions, a CIO should limit the transaction value, and messaging makes for a good solution because it is quick and cost effective, and a CIO has enough safeguards to instil the required degree of confidence in the end consumer.
On the flip side, if larger financial-value transactions have to be dealt with, a CIO should look at investing in a different technology. Options such as developing an application for handheld devices can be considered. By developing an application, there is the luxury of implementing encryption from the endpoint of the application to the endpoint of the financial institution; this is another layer of endpoint security. As a CIO, it is very important to match the technology that is going to be employed to the banking function that is to be achieved.
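The last answer describes two safeguards: a transaction-value ceiling for the low-value messaging channel, and, for higher-value transactions, encryption running from the app's endpoint to the financial institution's endpoint so that the aggregator and operator in between only carry ciphertext. The Go program below is an added example of what that end-to-end layer looks like; it is not code from VeriSign, BizTech2.com or any bank. It assumes a per-device AES-256 key provisioned at enrolment (how that key is distributed is outside the example), and the names Transaction, Envelope, Seal and BankEndpoint are hypothetical. The handset seals the transaction with AES-GCM, binding the device ID and a monotonic counter as authenticated data; the bank's endpoint rejects anything that fails the tag, reuses an old counter (a replayed or reordered message), or exceeds the channel's value limit, and only advances its per-device state after all checks pass.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the plaintext the handset app sends to the bank (hypothetical schema).
type Transaction struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
}

// Envelope is what travels over the aggregator and operator networks. Only the
// bank's endpoint holds the key, so intermediaries see ciphertext plus a header
// they can read but cannot alter without failing the GCM tag.
type Envelope struct {
	DeviceID string
	Counter  uint64 // monotonic per device, authenticated as associated data
	Nonce    []byte // fresh random 96-bit GCM nonce per message
	Cipher   []byte // ciphertext followed by the 16-byte GCM tag
}

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrTampered      = errors.New("authentication failed: envelope altered or wrong key")
	ErrReplay        = errors.New("counter not greater than last seen: replay or reordering")
	ErrOverLimit     = errors.New("amount outside channel limit")
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// header builds the associated data: authenticated but not encrypted.
func header(deviceID string, counter uint64) []byte {
	ad := make([]byte, 8, 8+len(deviceID))
	binary.BigEndian.PutUint64(ad, counter)
	return append(ad, deviceID...)
}

// Seal runs on the handset: encrypt and authenticate one transaction under the device key.
func Seal(key []byte, deviceID string, counter uint64, tx Transaction) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	plain, err := json.Marshal(tx)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plain, header(deviceID, counter))
	return Envelope{DeviceID: deviceID, Counter: counter, Nonce: nonce, Cipher: ct}, nil
}

// BankEndpoint runs at the financial institution: per-device keys, the last
// counter accepted per device, and the value ceiling for this channel.
type BankEndpoint struct {
	Keys        map[string][]byte
	LastCounter map[string]uint64
	MaxCents    int64
}

// Open verifies and decrypts an envelope, then applies the replay and value checks.
// State is updated only after every check passes, so a rejected message cannot
// consume the counter value a later legitimate message will use.
func (b *BankEndpoint) Open(env Envelope) (Transaction, error) {
	key, ok := b.Keys[env.DeviceID]
	if !ok {
		return Transaction{}, ErrUnknownDevice
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Transaction{}, err
	}
	plain, err := aead.Open(nil, env.Nonce, env.Cipher, header(env.DeviceID, env.Counter))
	if err != nil {
		return Transaction{}, ErrTampered // covers altered ciphertext, nonce, counter or device ID
	}
	if env.Counter <= b.LastCounter[env.DeviceID] {
		return Transaction{}, ErrReplay
	}
	var tx Transaction
	if err := json.Unmarshal(plain, &tx); err != nil {
		return Transaction{}, err
	}
	if tx.AmountCents <= 0 || tx.AmountCents > b.MaxCents {
		return Transaction{}, ErrOverLimit
	}
	b.LastCounter[env.DeviceID] = env.Counter
	return tx, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key comes from enrolment
	bank := &BankEndpoint{Keys: map[string][]byte{"dev-1": key}, LastCounter: map[string]uint64{}, MaxCents: 500000}
	env, _ := Seal(key, "dev-1", 1, Transaction{FromAccount: "A", ToAccount: "B", AmountCents: 12345})
	fmt.Println(bank.Open(env)) // accepted
	fmt.Println(bank.Open(env)) // same envelope again: ErrReplay
}
```

Two design points worth noting: the counter lives in the authenticated header rather than inside the ciphertext so the bank can reject a replay without first decrypting, and the random nonce is acceptable here because each device key seals a modest number of messages; a channel reusing one key across very high volumes would want a counter-derived nonce instead.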