Mobile industry must boost security prior to launching mobile payments

Plans to actively prepare phones for electronic payment transactions are ill conceived and ignore serious security concerns. The industry is not ready for this latest gimmick, and it could cost phone manufacturers, network providers and their customers dearly.

Research has consistently shown that a wide range of mobile platforms, associated operating systems and handsets can be easily hacked and subverted for fraudulent ends. We are just not ready for this. Most mobile phones are insecure and can easily be hacked; these latest plans mean that millions of users will become even more vulnerable to attacks.

Users will need to be reassured that network operators, handset manufacturers and operating system providers have managed to co-ordinate their efforts and to create a robust overall security regime capable of withstanding the increasing levels of criminal hacking, and at the moment they have not.

The last thing that users need is another gimmick that leaves them wide open. The real issue is the complete lack of security awareness in the majority of mobile handset designs and numerous security vulnerabilities in phone operating systems.

Couple those with network providers, some of whom do not appear to have prepared the infrastructure needed to support regular security updates to phones, and you have a recipe for fraud on a grand scale.

The industry has not shown sufficient maturity from a security perspective to be able to provide any form of real guarantee that payment by mobile phone would be secure.

A good analogy is PC security 4-5 years ago. Updates were not frequent, the operating system manufacturers did not design security into any software rollout, and substantial vulnerabilities were found nearly every month. This has changed substantially in the last 2 years, but from a security perspective the phone industry is really where the PC industry was 5 years ago.

In the last year we have seen serious vulnerabilities across nearly all of the phone platforms researched, and in many cases the handset manufacturers did not even have a security team to whom we could report them.

Some manufacturers still have not identified who the research material should be presented to. If the manufacturers are not building security into their designs, what hope do the network operators have of understanding the threats they need to guard against, or the software providers of understanding how to make the operating systems more robust to attack?

The mobile industry needs to invest significant effort to build in security that would scale across all the handset manufacturers, networks and operating systems.

The first major step would be for service providers to take responsibility for an end-to-end security regime to protect their users and to mandate and verify secure design of any handset and operating system combination on their networks.

Currently there appears to be a considerable disconnect between all parties, and no structure around security planning. It is also critical that the handset manufacturers form dedicated security units that have a direct influence on handset design.

Until this is implemented it is very likely that continued marketing pressure to release new versions and functionality will override any security considerations, leading to an inevitable incident. In this environment, payment functionality is clearly a large concern.

Alex Fidgen is a Director at MWR InfoSecurity.