CIO Upfront: Mobile payment threats to drive adoption of mobile virtualisation
- 08 December, 2015 06:30
The everlasting conflict between convenience and security is coming to a head in the world of mobile payments. In a survey of 900 cybersecurity specialists conducted by ISACA, 87 per cent of respondents said they expect an increase in mobile-payment data breaches over the coming year. If identities and credit card numbers are to be exposed in nearly a trillion dollars’ worth of mobile transactions, individuals will want some control over their own security. Mobile virtualisation technology will be the best tool at their disposal.
Would mobile virtualisation solve all our mobile payment security woes? No. In July, The New York Times claimed that half of American adults had their personal information exposed to hackers in 2014. The reporters posed the question, “How can you protect yourself in the future?” and their depressing answer is, “It’s pretty simple: You can’t.”
That answer is half correct. Yes, consumers can do nothing about backend data breaches; those are the responsibility of ecommerce companies, retailers, banks and card issuers. However, the isolation provided by mobile virtualisation can protect the endpoint against SMS phishing campaigns and malware aimed at mobile payment apps. It can also address the never-ending conflict between mobile security and convenience.
A tale of two mobile payment systems
NFC mobile wallets and ecommerce apps are both lumped into “mobile payments”. Despite their differences, both payment methods are highly susceptible to phishing and malware attacks.
Let’s imagine a smartphone owner named Nancy who uses an NFC mobile wallet and ecommerce shopping apps. Her mobile wallet stores credit card information and credentials in the Secure Element, a tamper-resistant hardware chip that holds keys and card credentials separately from the main operating system. Nancy only uses major ecommerce apps that are considered secure and safe.
One day, Nancy receives an email from her friend that contains a link to download a popular game. She downloads, installs and plays the game on her smartphone. It turns out that this unofficial version of the game is laced with malware code, which takes continuous screenshots of her phone and transmits the images to a remote server controlled by a hacker. The phone shows no sign of this behaviour to Nancy.
The mobile wallet relies on operating system (OS) services to move card information to the Secure Element, just like any app: the card number is typed through the OS keyboard and drawn on the OS display before it ever reaches the chip. As Nancy enters her newest credit card into the mobile wallet, the hacker picks up screenshots of her information. The same thing will occur when Nancy enters credit cards into an ecommerce app to make a purchase.
In this case, the hacker did not need to break the Secure Element or the wallet app at all. The malware abused OS screen-capture services, whether through a vulnerability or a permission the user granted, and was spread via a simple phishing campaign. Screenshots were just one possibility; the hacker could have captured keystrokes instead.
Enter mobile virtualisation
At present, mobile virtualisation is one of the few approaches that can significantly reduce a mobile user’s exposure to malicious attacks. Essentially, mobile virtualisation allows a user to turn one physical mobile device into multiple virtual devices. Each virtual mobile instance operates within its own domain, meaning each has its own namespace and dedicated OS services, and each instance can be customised independently. Because the instances share one kernel, the kernel itself must be hardened; a kernel exploit is the one thing that could still cross the boundary. This proactive security approach isolates the different uses of the device and dramatically reduces the end user’s exposure to threats.
So let’s imagine that Nancy uses mobile virtualisation to create a Wallet virtual instance on her phone. This instance contains nothing but mobile wallets and mobile shopping applications. It is hardened at the kernel level and uses a separate encryption key from her other virtual instances: Gaming, Work and Social. Nancy cannot receive text messages or emails on her Wallet instance, and she cannot browse the web or connect to public Wi-Fi from it either. The Wallet instance also has exclusive rights to use her phone’s NFC hardware.
As in the last case, Nancy downloads a copy of the malware-laced game onto her Gaming instance. She installs and starts playing the game, which begins to take continuous screenshots, but only of what the Gaming instance draws. When Nancy switches to her Wallet instance and enters credit card information, the malware installed on the Gaming instance cannot see her Wallet. As a matter of fact, it doesn’t know that other virtual instances exist on her smartphone. Her mobile payment apps are insulated against the attack.
Consumer cybersecurity precautions don’t catch on easily because they usually present a conflict between convenience and security. For example, tell people they should use multifactor authentication on their smartphone at all times, and they’ll say, ‘no way’. Who wants to enter a six-digit password and complete a thumb scan just to respond to a text message or take a selfie?
With mobile virtualisation, people can finally customise security to each mobile use case. Nancy could decide not to set a password for her Social instance while requiring a six-digit password and fingerprint scan for her Wallet instance.
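The isolation policy described for Nancy’s phone (exclusive NFC for Wallet, no messaging or web in Wallet, per-instance screens the malware cannot cross, and a different unlock requirement per instance) is easier to reason about as a small reference monitor. The following Python is an added illustration written for this page, not Cellrox’s code or anything from the article; the instance names come from the text, while the capability names, the unlock factor names, the sample card number and the screen contents are constructed for the example.

```python
"""Toy reference monitor for a mobile-virtualisation policy (illustrative only).

Models the properties the text describes: each virtual instance has its own
capability set, a hardware device can be assigned exclusively to one instance,
screen contents are per-instance, and unlock requirements are per-instance.
"""
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when an instance does something its policy forbids."""


@dataclass
class Instance:
    name: str
    capabilities: frozenset      # constructed names, e.g. {"sms", "email", "web"}
    required_factors: frozenset  # constructed names, e.g. {"pin", "fingerprint"}
    screen: str = ""             # whatever this instance currently draws
    unlocked: bool = False


class ReferenceMonitor:
    def __init__(self) -> None:
        self.instances: dict[str, Instance] = {}
        self.exclusive_devices: dict[str, str] = {}  # device -> owning instance

    def add_instance(self, inst: Instance) -> None:
        self.instances[inst.name] = inst

    def assign_exclusive(self, device: str, owner: str) -> None:
        """Give one instance sole use of a hardware device (e.g. NFC)."""
        if device in self.exclusive_devices:
            raise PolicyViolation(f"{device} already owned by {self.exclusive_devices[device]}")
        self.exclusive_devices[device] = owner

    def check(self, requester: str, capability: str) -> bool:
        """True if `requester` may use `capability` (a service or a device)."""
        if capability in self.exclusive_devices:
            return self.exclusive_devices[capability] == requester
        return capability in self.instances[requester].capabilities

    def visible_instances(self, requester: str) -> list[str]:
        """An instance can only enumerate itself; the others are invisible to it."""
        return [requester]

    def capture_screen(self, requester: str) -> str:
        """Screenshot API: returns only the requester's own display surface."""
        return self.instances[requester].screen

    def unlock(self, name: str, presented: set[str]) -> bool:
        """Unlock succeeds only if every required factor was presented."""
        inst = self.instances[name]
        inst.unlocked = inst.required_factors <= presented
        return inst.unlocked

    def draw(self, name: str, content: str) -> None:
        """Apps can only draw into an instance that is unlocked (or has no lock)."""
        inst = self.instances[name]
        if inst.required_factors and not inst.unlocked:
            raise PolicyViolation(f"{name} is locked")
        inst.screen = content


def nancys_phone() -> ReferenceMonitor:
    """Constructed scenario from the text: Wallet, Gaming, Work and Social."""
    rm = ReferenceMonitor()
    rm.add_instance(Instance("Wallet", frozenset(), frozenset({"pin", "fingerprint"})))
    rm.add_instance(Instance("Gaming", frozenset({"web", "public_wifi"}), frozenset()))
    rm.add_instance(Instance("Work", frozenset({"email", "web"}), frozenset({"pin"})))
    rm.add_instance(Instance("Social", frozenset({"sms", "email", "web", "public_wifi"}), frozenset()))
    rm.assign_exclusive("nfc", "Wallet")
    return rm


def screenshot_malware_run(rm: ReferenceMonitor, infected: str) -> dict:
    """Everything malware inside `infected` can learn through the monitor."""
    return {
        "instances_seen": rm.visible_instances(infected),
        "nfc": rm.check(infected, "nfc"),
        "captured": rm.capture_screen(infected),
    }


def demo() -> dict:
    rm = nancys_phone()
    rm.unlock("Wallet", {"pin", "fingerprint"})
    rm.draw("Wallet", "card 4111 1111 1111 1111 exp 12/27")  # constructed test number
    rm.draw("Gaming", "Level 3 - score 4200")
    leak = screenshot_malware_run(rm, "Gaming")
    return {
        "wallet_can_nfc": rm.check("Wallet", "nfc"),
        "wallet_can_sms": rm.check("Wallet", "sms"),
        "gaming_can_nfc": rm.check("Gaming", "nfc"),
        "card_leaked": "4111" in leak["captured"],
        "malware_sees": leak["instances_seen"],
        "social_unlock_no_factors": rm.unlock("Social", set()),
        "wallet_unlock_pin_only": rm.unlock("Wallet", {"pin"}),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the screenshot API is scoped to the caller’s instance rather than the physical display, so the Gaming malware captures only its own surface, and NFC is arbitrated as an exclusive device rather than a per-app permission. A real system enforces the same properties with kernel namespaces and device-node ownership; this model only checks the decisions.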
Some technologists fear that a massive data breach will kill the public’s appetite for mobile ecommerce. I doubt that. Data breaches won’t stop users from making mobile payments, just as hurricanes don’t stop people from living on the Atlantic coast. Instead, people accept the risks and build homes with flood defences and hurricane-proof glass. Similarly, victims of data breaches will seek out security solutions like mobile virtualisation. It can’t stop every breach, but it can spare people from subjecting selfies to the same security barriers as mobile wallets.
Dror Nadler is the CEO of Cellrox.