Why the mobile phone is the next battleground for hackers and payment companies

"If you know the enemy and know yourself, you need not fear the result of a hundred battles", said Sun Tzu, the legendary Chinese general, strategist and philosopher who authored "The Art of War", a military treatise widely regarded as the most definitive work on military strategy and tactics of its time. The parallels between waging a battle and tackling the challenges of business keep Sun Tzu's treatise relevant even today.

Organised into thirteen chapters, the book has inspired business leaders the world over, who draw on its strategic and tactical wisdom to capture new markets, fend off competition and manage resources in the most adverse scenarios. This article is an attempt to apply its postulates to the ever-evolving electronic payments industry.

Companies in the electronic non-cash payments space stand besieged by hackers who profit from stealing the sensitive personal and financial data of end users such as you and me. This calls for pre-emptive measures, from payment companies as well as from end users, to thwart attempts to compromise that data.

The ubiquitous mobile phone, now used as much for data access as for voice, has become a point of convenience and a gateway to a whole universe of products and services on the internet. Be it shopping on the move, accessing information, entertainment, gaming or paying bills, the convenience the mobile phone offers remains unparalleled. With smartphone adoption growing three-fold in India over the last year, the scope for security risks has increased manifold, making the mobile a prime target for cyber criminals.

According to RBI data, 83 million mobile payment transactions were registered in 2013 (a rise of 89 percent over 2012), amounting to Rs. 161,000 million (287 percent higher than in 2012). The phenomenal rise of mobile payments over the last two years is attributed significantly to banks promoting mobile banking initiatives such as the Immediate Payment Service (IMPS) among their customers. The mobile wallets launched by telecom service providers and payment services companies for domestic money remittance and utility bill payments have also played a major role.

The bad guys go where the money flows. Cyber crime cost the country $4 billion in 2013, making India the cyber attack capital of the Asia Pacific region according to a report released by Internet security solutions provider Symantec. Cyber crime has existed for as long as the Internet itself; over the years the attacks have become more sophisticated, yielding more money per attack than ever before.

The average cost per cyber crime victim in India grew 8 percent to $207 in 2013 from $192 in 2012. What is all the more staggering is that 63 percent of smartphone users in India have experienced some form of mobile cyber crime in the past 12 months, as cited by the report. This poses a huge concern for the adoption of the mobile phone as a mode of effecting payments. A deeper understanding of the ways and means adopted by fraudulent hackers would enable payment companies and consumers to make the attackers' lives harder.

"All warfare is based on deception. Hold out baits to entice and crush the enemy when opportune." (Chapter 1 "Laying Plans")

Replace warfare with malware and you get the drift. The proliferation of freely downloadable games, wallpapers, music and apps serves as bait that leads mobile users to compromise their own sensitive information. Attackers download popular paid apps, inject malicious code into them and then upload the repackaged versions as free apps to the Google Play store.

According to the McAfee Mobile Security Report (Feb 2014), 35 percent of privacy-invading apps contain malware that is used to track the user's location, phone usage and tasks performed, collect the device ID, read the SIM card number, capture account login credentials and even initiate banking transfers without user intervention. Android malware delivered via apps, emails and web pages saw an annual jump of 197 percent in 2013. A large part of the reason is that Android, unlike iOS or Windows Phone, lets users install apps from sources other than the official store, so a malicious app need never pass the store's checks at all.

"Supreme excellence consists in breaking the enemy's resistance without fighting." (Chapter 3 "Attack by Stratagem")

Cross-platform infection (a virus on the user's PC that copies malware onto the smartphone the next time it is connected over a USB cable); tampered public charging kiosks that write malware to the phone being charged; a rogue Wi-Fi access point named identically to a legitimate free hotspot; SMS messages carrying links that install trojans built specifically to intercept the SMS messages that deliver OTPs (One Time Passwords) or mTANs (Mobile Transaction Authentication Numbers); and the familiar phishing techniques of soliciting sensitive information by email or telephone: these are some of the techniques attackers most often use to break into our mobile phones.

"The good fighters of old first put themselves beyond the possibility of defeat. To secure ourselves against defeat lies in our own hands." (Chapter 4 "Tactical Dispositions")

From a mobile user's perspective, it becomes essential to keep up-to-date anti-virus software on the device, to secure the device as well as its apps with strong passwords (a combination of letters, digits and special characters) that are changed periodically, and to download apps only from trustworthy sources (the App Store or Google Play).

Care should be taken not to conduct any financial transaction over a free Wi-Fi hotspot or on a website that does not use HTTPS. Users should not follow web links in SMS messages unless the message comes from a trusted source. Apps that ask for permission to read or intercept text messages, which can contain private messages as well as online banking transaction authorisation numbers, should not be installed.
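The last point can be checked rather than guessed at. The following is an added example (not code from the original article or from any payment company) that reads the decoded AndroidManifest.xml of an app, lists the permissions it declares, and flags those that let it read or intercept SMS messages or track the user. It also looks for a broadcast receiver registered for SMS_RECEIVED with a high priority, which is how an SMS-stealing trojan gets to see an OTP before the messaging app does. The permission and action names are real Android identifiers; the manifest embedded below is a constructed sample of a "free wallpapers" app, not a real one.

```python
"""Audit an Android manifest for permissions a payment user should refuse.

Added example. Input is the decoded text form of AndroidManifest.xml
(as produced by a tool such as apktool); the manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIORITY_ATTR = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Real Android permission strings, with the reason each matters to a payment user.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, i.e. steal OTPs/mTANs",
    "android.permission.READ_SMS": "can read stored SMS, including past OTPs",
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud, forwarding OTPs)",
    "android.permission.ACCESS_FINE_LOCATION": "tracks the user's precise location",
    "android.permission.READ_PHONE_STATE": "reads the device ID and phone number",
    "android.permission.READ_CONTACTS": "harvests the contact list",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay phishing)",
}

# Constructed sample: a wallpaper app that asks for far more than wallpapers need.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freewallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Free Wallpapers">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Every <uses-permission android:name=...> in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def flagged_permissions(manifest_xml):
    """(permission, reason) pairs for each declared permission on the watch list."""
    return [(p, SENSITIVE_PERMISSIONS[p])
            for p in declared_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS]


def sms_receivers(manifest_xml):
    """(receiver name, priority) for receivers listening for SMS_RECEIVED.

    A receiver with a high android:priority is delivered the broadcast before
    the default messaging app, which is what an OTP-stealing trojan relies on.
    Priority defaults to 0 when the attribute is absent.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(intent_filter.get(PRIORITY_ATTR, "0"))
                found.append((receiver.get(NAME_ATTR), priority))
    return found


if __name__ == "__main__":
    for perm, reason in flagged_permissions(SAMPLE_MANIFEST):
        print(f"REFUSE {perm}: {reason}")
    for name, priority in sms_receivers(SAMPLE_MANIFEST):
        print(f"SMS receiver {name} registered with priority {priority}")
```

Run against the sample, the script flags RECEIVE_SMS, READ_SMS and READ_PHONE_STATE and reports an SMS receiver at priority 999; a wallpaper app has no business with any of them. A manifest that declares only INTERNET and SET_WALLPAPER produces no findings.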

Payment companies, in concert with telecom service providers, should implement strong fraud prevention and detection practices, starting with customer education, strict account set-up and management processes, strong authentication, real-time fraud detection and 24x7 customer support. Sandboxing, i.e. preventing mobile payment applications from interacting with other applications on the device and limiting their interaction with the OS to the necessary interfaces, is crucial.

Security can be enhanced by ensuring that sensitive financial and personal information is encrypted, truncated, redacted or otherwise rendered incomplete when it is shared with third-party vendors. Secure elements built into the SIM or the device benefit from the additional protection of the mobile OS, which prohibits ordinary applications from accessing the secure element. Once the user has unlocked it, however, the secure element is exposed to unauthorized use for as long as it stays unlocked.

Mobile payment companies need to mitigate this exposure with inactivity timeouts and lockouts after a set number of incorrect PIN entries, both of which automatically re-lock the secure element. Dual approval for high-value transactions, and enrolling customers for predefined alerts, would further help in mitigating mobile payment fraud.
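The controls listed in the two paragraphs above (real-time fraud detection, inactivity timeouts, lockout after repeated PIN failures, dual approval for high-value transactions and predefined alerts) fit together as a single authorisation policy. The following is an added example of such a policy for a payment back end, not code from the original article or from TechProcess; the thresholds (three PIN attempts, a two-minute inactivity timeout, Rs. 50,000 as "high value", five transactions in ten minutes as the velocity limit) and the salted-hash PIN check are illustrative assumptions, and the transaction sequence at the bottom is constructed.

```python
"""Authorisation policy for a mobile payment account: lockout, timeout,
velocity check, dual approval and alerts. Added example; all thresholds are
assumptions, not any company's actual policy."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_PIN_FAILURES = 3          # assumed: lock out after the third wrong PIN
INACTIVITY_TIMEOUT_S = 120    # assumed: re-lock after two idle minutes
HIGH_VALUE_THRESHOLD = 50_000 # assumed: rupees; at or above needs a second approver
VELOCITY_WINDOW_S = 600       # assumed: ten-minute window for the velocity rule
VELOCITY_MAX_TXNS = 5         # assumed: more than this many in the window is held


def hash_pin(pin, salt):
    """Salted SHA-256 of the PIN; a real system would use a slow KDF."""
    return hashlib.sha256(salt + pin.encode()).digest()


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    unlocked_at: Optional[float] = None     # None means the secure element is locked
    last_activity: Optional[float] = None
    pin_failures: int = 0
    locked_out: bool = False
    recent_txns: List[float] = field(default_factory=list)   # approval timestamps
    alerts: List[Tuple[float, str]] = field(default_factory=list)


def new_account(pin):
    salt = os.urandom(16)
    return Account(salt=salt, pin_hash=hash_pin(pin, salt))


def unlock(acct, pin_attempt, now):
    """Verify the PIN; count failures and lock out permanently after the limit."""
    if acct.locked_out:
        return "locked_out"
    if not hmac.compare_digest(hash_pin(pin_attempt, acct.salt), acct.pin_hash):
        acct.pin_failures += 1
        if acct.pin_failures >= MAX_PIN_FAILURES:
            acct.locked_out = True
            acct.alerts.append((now, "account locked after repeated PIN failures"))
            return "locked_out"
        return "denied"
    acct.pin_failures = 0
    acct.unlocked_at = now
    acct.last_activity = now
    return "unlocked"


def is_unlocked(acct, now):
    """Inactivity timeout: an idle session re-locks itself on the next use."""
    if acct.unlocked_at is None:
        return False
    if now - acct.last_activity > INACTIVITY_TIMEOUT_S:
        acct.unlocked_at = None
        acct.alerts.append((now, "session re-locked after inactivity"))
        return False
    return True


def authorize(acct, amount, now, second_approver=None):
    """Decide one transaction: relock check, velocity rule, dual approval, alert."""
    if not is_unlocked(acct, now):
        return "relock_required"
    acct.last_activity = now
    window = [t for t in acct.recent_txns if now - t <= VELOCITY_WINDOW_S]
    if len(window) >= VELOCITY_MAX_TXNS:
        acct.alerts.append((now, f"velocity limit hit: {len(window)} txns in window"))
        return "held_for_review"
    if amount >= HIGH_VALUE_THRESHOLD and second_approver is None:
        acct.alerts.append((now, f"high-value txn of {amount} awaits second approval"))
        return "pending_second_approval"
    acct.recent_txns = window + [now]
    acct.alerts.append((now, f"transaction of {amount} approved"))  # predefined alert
    return "approved"


if __name__ == "__main__":
    # Constructed sequence: one wrong PIN, a small payment, a high-value one
    # without and then with a second approver, and a use after going idle.
    acct = new_account("1234")
    for step in [unlock(acct, "0000", 0), unlock(acct, "1234", 1),
                 authorize(acct, 500, 2), authorize(acct, 60_000, 3),
                 authorize(acct, 60_000, 4, second_approver="ops-desk"),
                 authorize(acct, 100, 200)]:
        print(step)
```

Every decision that is not a plain approval leaves an entry in `alerts`, which is what a customer-facing alert service or a 24x7 fraud desk would consume; the lockout is deliberately permanent until a separate, stronger re-identification step clears it, so a thief who found the phone unlocked cannot simply wait and try again.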

Challenges indeed abound for mobile payment companies, but there is no better way to end this article than with another Sun Tzu quote: "You can ensure the safety of your defence if you only hold positions that cannot be attacked." Time to be on the qui vive!

The author is the CEO of TechProcess Payment Services Ltd.

Updated Date: Jun 20, 2014 09:44:20 IST