June 2, 2014, 4:25 PM

Mobile security evolves

(Page 2 of 2)

"ViaForensics has made its mobile security testing abilities and institutional knowledge into a product that we can use any time, so this mobile security expertise isn't something that just lives in the heads of viaForensics experts," says Danny Piangerelli, co-founder and chief technology officer at Malauzai Software.

ViaForensics looks at how apps handle data at rest and in motion. A viaLab scan might reveal, for instance, that an app is storing a consumer's user name and password in an insecure fashion, an example of exposing data at rest. Or a scan might reveal that an app is not properly verifying the identity of both parties in a financial transaction, thus allowing for "man in the middle" attacks, in which a criminal intercepts data in transit between a consumer's app and the retailer, an example of exposing data in motion.

ViaForensics charges clients a one-time fee of $35,000 and then $14,000 a year for unlimited app testing.

Some mobile security threats are highly surreptitious: criminals trick consumers into believing they are sharing the information required to make a payment with a legitimate business, when in fact they are handing the keys to the kingdom to the criminals. These uniquely mobile threats include fake apps and phishing via SMS text messages, also called smishing.

Criminals will, for example, hijack a retailer's Android smartphone app and inject malware that takes over the keyboards displayed in the app and sends data typed on those keyboards to the crooks via unseen text messages. The criminals publish their malicious version of the app in an app store and wait for the consumer data to start rolling in. (This happens almost exclusively in the realm of Android apps because it's easier to get a malicious app into Google Play and other Android app stores than it is to get one into the highly closed Apple ecosystem, security experts say.)

When smishing, criminals attempt to acquire consumers' credentials by sending consumers text messages that appear to be from the bona fide retailer.

Besides securing their own sites and apps, e-retailers need to defend against crooks attempting to buy from their mobile sites and apps using stolen information.

Web and mobile security vendor ThreatMetrix uses personas to identify legitimate customers, associating each consumer it tracks with her routine behaviors, locations and other traits. That, ThreatMetrix says, allows it to spot possibly fraudulent transactions even when a criminal has accurate payment information, such as a consumer's credit card number and address.

"We know what a good user normally does with her device; we have personas defined by behaviors," says Dean Weinert, product manager. "When we detect anomalous behavior, such as activity happening far from a normal location, far from a usual time of day, on a different mobile device, or many other factors, we stop a transaction."

ThreatMetrix has 2,500 clients, analyzing 500 million transactions a month across 10,000 web sites, mobile web sites and apps, the company says. This is how it learns to detect anomalies. As a result of this monitoring, the company says it can provide any client a clear look at the behaviors commonly associated with 85% of mobile devices in the United States. It charges per block of transactions monitored at fractions of a penny per transaction, the company says. Multiple ThreatMetrix e-retailer clients declined to discuss the technology, citing concerns about revealing security measures in a public forum.
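The persona idea described above, reduced to its core, as an added illustration that is not ThreatMetrix's code: a persona is built from a consumer's past transactions (devices, locations, hours of day) and a new transaction is scored by how many of those traits it departs from. The 200 km radius, the three-hour window, the blocking threshold and the sample shopper are all constructed assumptions.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

@dataclass
class Transaction:
    device_id: str
    lat: float
    lon: float
    hour: int  # local hour of day, 0-23

@dataclass
class Persona:
    devices: set = field(default_factory=set)
    locations: list = field(default_factory=list)  # (lat, lon) pairs
    hours: list = field(default_factory=list)

def distance_km(a, b):
    """Haversine great-circle distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def build_persona(history):
    # Summarise a consumer's past transactions into the traits we compare against
    p = Persona()
    for t in history:
        p.devices.add(t.device_id)
        p.locations.append((t.lat, t.lon))
        p.hours.append(t.hour)
    return p

def anomaly_reasons(persona, t, max_km=200, hour_slack=3):
    """List the persona traits a new transaction departs from (empty list = looks normal)."""
    reasons = []
    if t.device_id not in persona.devices:
        reasons.append("unknown device")
    if min(distance_km(loc, (t.lat, t.lon)) for loc in persona.locations) > max_km:
        reasons.append("far from usual location")
    # hours wrap around midnight, so 23 and 1 are two hours apart, not 22
    if all(min(abs(t.hour - h), 24 - abs(t.hour - h)) > hour_slack for h in persona.hours):
        reasons.append("unusual time of day")
    return reasons

def should_block(persona, t, threshold=2):
    # Stop the transaction once enough traits disagree (threshold is an assumption)
    return len(anomaly_reasons(persona, t)) >= threshold

# Constructed sample data: a shopper who buys from one phone, around Chicago, afternoons and evenings
HISTORY = [Transaction("phone-a1", 41.88, -87.63, h) for h in (12, 13, 19, 20)]
NORMAL = Transaction("phone-a1", 41.90, -87.65, 18)
SUSPICIOUS = Transaction("phone-zz", 50.45, 30.52, 3)  # new device, far away, middle of the night
```

A real deployment would weight the signals rather than count them and would keep the persona updated as legitimate behavior drifts, which the single-snapshot version here does not do.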

Moving forward, retailers will need to keep an eye on whether consumers embrace biometrics such as fingerprint scanning, which pioneering merchants are beginning to offer. That's important because biometrics not only add security but also ease mobile checkout, currently a major m-commerce hurdle.

Retailers in mobile commerce must take all the precautions they take with traditional e-commerce, but they must also protect against threats unique to mobile, such as hackers mimicking retailers' mobile apps, relying on vendors where necessary to provide mobile security expertise that merchants don't have themselves.




Consumers' risky smartphone behavior

56% of smartphone users do not use a PIN to protect their device

26% click on unfamiliar links on mobile

18% store passwords for various accounts on their device

Source: Harris Interactive, Sprint
