Much as mobile payments are comfortable to carry out, there is the danger of money being stolen by cyber thieves. Criminals use plenty of malware tools like Heartbleed bug or Trojan viruses to gain access to sensitive information for further manipulation. SMS interceptors allow thieves to receive the authentication text messages sent by banks on a per-lo-in principle. As far the level of safety goes, Android platforms are second safest to Apple analogues based on a walled garden App Store and a closed operating system, yet not even this product can keep mobile users safe when their inquisitiveness and desire to download malicious, albeit free app comes into play. Nor do the Near Field Communication platforms or Generic Top Level Domains seem capable of guaranteeing complete safety. To address the danger in a simple way, mobile payment users need to install safe antivirus apps, avoid gambling and similar websites, and use reason and common sense among other things.
Keywords: apps, mobile, payment, address, cyber, threat, platform
The life of people is the most comfortable it has ever been largely due to the evolution of scientific progress and the emergence of new technologies. People can now carry out online payments with their mobile gadgets, without them leaving the comfort of their home. They can acquire anything from wherever it is that they are now, be it a foreign country or any part of the home state. Looking to attract more customers and keep their services popular, banks have developed a wide range of mobile apps to gain a competitive edge and increase a market segment. Unfortunately, payment apps benefit customers as much as they do cyber thieves using SMS interceptors or urging to download malicious software that compromises bank accounts. Wanting to leave mobile payment users penniless, cyber criminals use viruses like Trojans that can cost banks millions of dollars in lost customers’ savings. Google’ Androids has turned out to be the most easily compromised mobile platform, unlike Apple. However, users’ inquisitiveness may expose even Apple devices, as it may generic Top Level Domains. The primary piece of advice is for mobile users to listen to common sense and question the safety of downloading free apps from sites other than those operated by their banks, yet there are other recommendation addressing cyber threats like the use of antivirus apps or the avoidance of sites with the gambling content. Overall, the use of mobile payment applications is fraught with a variety of cyber threats that may leave service users moneyless; however, following a string of recommendations is sure to help address the danger.
Threats that Arise from Mobile Payment Apps
Rampe (2014) referred to one of Threat Metrix surveys to describe 25% of e-commerce executives as concerned with mobile attacks as the major business danger these days. According to the Threat Matrix Global Trust Intelligence Network (n.d.), payment fraud, login, and account creation are the biggest dangers faced by mobile browsers and applications alike (as cited in Rampe, 2014). Network (n.d.) studied an estimated 210 million active user accounts only to conclude that mobile accounted for well over 30% of overall traffic in 2013, and the number was expected to crawl up to 50% by year-end. Consumer conduct was reported as changing, with mobile users spending as much as 86% on applications, as against 14% spent on mobile web browsers (as cited in Rampe, 2014). Opportunistic cyber thieves seem to be taking full advantage of the consumer behavior and misappropriate precious information or funds.
According to Senior Vice President at Net Names USA Lugde Pravda (2013), besides providing opportunities when it comes to banking, shopping, and stock trading, mobile commerce creates a breeding ground for fraudsters committing cybercrimes. Mobile accessibility or security issues and fraudulent communications like text message swindles are a few risks that come of people using gadgets for payment and commerce purposes. Consumers should stay aware that the link provided in a text message could be fake, that applications may not be authentic bank apps, and that payment-related messages could come from whatever bank other than their own, which means dummy establishment may be used to leave the users of mobile payments out of pocket. The click-first-and-think-later mentality is why the hands of cyber thieves come untied. Newly emerging payment tools present extra opportunities for criminals to capitalize on.
All fraudsters want is for mobile payment users to install and access malicious applications by making them look up-to-date. Thus, for example, the Euro-grabber Trojan smote on European banks that employ two-factor authentication by means of SMS message codes that make it possible for users to carry out whatever online banking operations they wanted to. Made to believe they were making use of the most advanced security method, they enabled a huge theft running into millions of dollars. Cyber thieves would not have left the illegitimate owners of millions if the now compromised users had not followed instructions in a blind fashion, without so much as questioning their legitimacy. After clicking a phishing email, they proceeded to install a desktop Trojan. By installing security upgrade on their smartphones, they installed the virus. Involuntarily did users have their smartphones and desktops infected (Pravda, 2013).
Arnfield (2013) reported about fake SMS apps or SMS interceptors developed specifically to allow cyber thieves to intercept the authentication text messages sent by banks on a per-lo-in principle. Jimmy Shah, who is a McAfee mobile security researcher, claimed that in order for thieves to succeed, the first thing they needed to do was pilfer the login information, such as a password and a username. The next step to make is accessing the mTAN in the bank text message. SMS interceptors forward whatever messages have mTANs the bank sends to its clients’ mobile phones. The better part of interceptors will delete the message moments after delivering it in order that bank customers may not learn someone carried out an unauthorized login. Manager of the McAfee Threat Intelligence Service James Walter noted the company had singled out a number of chief malware families that intercept the mTAN SMS messages as well as pilfering password and user names. Thus, mobile malware families like Android/Spitmo, Android/Zitmo, and Android/Citmo reportedly operate in cooperation with crimeware suits like Spy Eye, Zeus, and Carberp Windows intercepting mTAN messages (Arnfield, 2013).
If there is one platform exposed to cyber criminals most, it is Google’s Android. According to Arnfield (2013), in the second quarter of 2013, McAfee Labs detected 17.000 new inimitable forms of mobile malware that affect Android gargets, which means the number went 21% up on the first quarter when it did not exceed 14.000 forms. Rahul (2014) stated that viruses and malware affect one in ten Android Apps. Infections target the most popular of Android versions like Android 4.1 and 4.2. Malware installed on Android platforms has risen by a disturbing 600% in the course of the 12 last months, which demonstrates cyber offenders seem dead-set on bringing down the Android operating system. The leading provider of internet services based in China, Cheetah Mobile (n.d.) reported Android security issues to have risen in the first half of 2014. Malware related to financial information, such as viruses aimed at stealing the valuable fiscal details of mobile users, tops the list of cyber security problems (as cited in Rahul, 2014).
The entire first half of 2014 was marked by intense attacks against mobile payment systems. Viruses and related malicious malware affecting payments exclusively made up the share of 68% of overall malware attacks. Charges consumption, privacy leak, remote control, and hacker tools accounted for remaining 16%, 13%, 2% and 1% respectively. The rise in the number of cyber assaults is believed to be in direct proportion to the proliferation of mobile payment systems globally. Hacking application or SMS payment methods are not as difficult to accomplish as hacking attacks on online banking systems are. Earlier in 2014, security researchers identified the Heartbleed bug utilizing faults in Open SSL for misappropriating data from wireless networks and connected devices. Zhang (2014) confirmed the fact that the bug had the potential of affecting mobile apps. Researchers studied 390.000 Google Play apps, of which about 1.300 were found linked to exposed servers. Of these, 39 were related to online payment, other 15 and 10 to banks and shopping respectively. Mobile payment applications containing delicate financial and personal data were reportedly used on a daily basis (Zhang, 2014).
Ways to Guarantee the Cyber Security of Mobile Payments
The increase in the use of mobile devices, especially in connection with commercial ventures’ mobile-based applications, rationalizes extra efforts to keep clients protected from fraudulent transactions, account takeover, and other types of security risks (Rampe, 2014). There are different ways to address cyber threats coming from the use of mobile payments. While it is beyond possible to eliminate the danger as such, people may be better off using reliable mobile devices for their own good. Pravda (2013) noted that the near-inaccessibility of mobile gadgets was synonymous with ultra-security. Android’s platform is believed inferior to Apple’s in terms of the inaccessibility and subsequent security. The less accessible Apple is based on a walled garden App Store and a closed operating system, which is a massive advantage over the web-based application marketplace and an openly operating system of Android.
Not only consumers, but also business stands to benefit from the Near Field Communications platform with the highly advertised internet security (Pravda, 2013). According to Mobile Payments Today (2015), NFC is a high frequency wireless communication technology operating within a short range. Passive RFID, mobile phones, and contactless cards are the common areas of platform’s application. Mobile payment apps comprise retail, interactive advertising, and public transportation ticketing. According to Pravda (2013), it is not that such platform is far from dangerous since the desire and inquisitiveness with regard to new technologies can invite troubles. Side loading, an inter-device data passage method, would expose mobile devices to new threats if users were to download a malicious application. Next to mobile user in a coffee shop may sit a criminal.
What banks should be doing is giving practical pieces of advice so as to boost customers’ alertness of dangers. Banks need to refrain from requesting personal information prior to clients’ logging into the official website of the institution. A multi-factor login must authorize client’s access. Many a time has anyone received text messages or emails from fraudsters operating under the guise of clients’ banks either requesting personal data or requiring client to change passwords. Instead of buying into similar tricks, mobile payment users need to use common sense and question the legitimacy of messages or emails. The question of whether banks send customers text messages or that of why valuable apps are free needs answering. If downloaded, payment apps should come directly from the official website of the bank. On no account should online banking websites be set to log in automatically. Once stolen, a mobile gadget can provide access to the account for the further transfer of money or the execution of payment operations (Pravda, 2013).
Good news is that, with the advent of the new landmark of the internet history, bank customers are starting to enjoy the benefits of new trusted venue or platform known as generic Top Level Domains and abbreviated as gTLDs. Financial establishments may bear their personal names like “dot chase.” The domains will provide the Bank of America using “.bofa” along with other institutions with a huge advantage increasing the online trust. With time, the top domain will become the major trust differentiator in the banking industry (Pravda, 2013). Still, this is not to say that the domains are flawless. Ping (2014) warned that typo squatting, spamming, and phishing all could exploit the much larger name space. Beyond that, there is the risk of name collisions, with cyber criminals registering hostnames that designedly collide with the internal names of official companies like banks. Registrars for new top-level domains may be easily to leave compromised, unlike conventional servers. Some believe the problem linked to generic who-is databases not providing the “who-is” information on the domains (Ping, 2014). Head of new GTLD products at Net Names, Ben Anderson (2013) also confirmed the presence of new threats apart from security benefits. Different loopholes are left open for cyber thieves who can create fake websites and hijack the security systems of banks.
Principal Consultant of Frost & Sullivan Jared Carleton (2013) recommended installing credible antivirus applications like Kaspersky or McAfee Mobile Security on smartphones. QR codes scanning is not recommended unless performed via security applications, such as Norton Snap. The codes are widely applicable for mobile payment. QR Pay (2011) offered its service called QR Pay that is a contactless mobile payment solution allowing businesses and general users to receive and make payments with their QR codes by means of smartphone applications, such as QR Pay or QR Pal. QR Pay also suggests payments by Text/SMS launching the service (QR Pay, 2011). As follows from this, QR codes are widespread in terms of online payments, so the use of security application is a valuable preventive recommendation.
Furthermore, Carleton (2013) urged to download applications from the so-called curated stores like Apple App Store or Google Play. It is not wise for individuals to install applications through links sent by friends by means of email or mobile messages insofar as mobile botnets may come to pass themselves off as friends, colleagues, and family members to give the content the false impression of legitimacy. The free versions of popular apps are not worth downloading thereby leaving finances vulnerable. Mobile users would be best served by limiting permissions requested by an app at the installation stage. It would be better to avoid websites hosting hacking instruments, adult entertainment, and gambling. Unless sure about the verifiability of a server certificate, mobile phones users should not continue the session. What users dealing with payment should also do is audit their mobile telecom bills on a monthly basis so that they may determine the median data consumption and identify any unauthorized activities (Carleton, 2013).
For all the comfort mobile payment apps may give, their users have no way of using the service safely. The applications reportedly prove beneficial to unscrupulous cyber thieves eager to lay hands on bank customers’ money, as seen in the number of attacks conducted in recent years in response to the growth of apps’ popularity. Facilitating banking, shopping, and stock trading, mobile commerce creates new opportunities for cyber criminals who provide false links in text messages, urge customers to install false applications, and send payment messages under the guise of a bank. Banks using two-factor authentication by means of SMS message codes fell victim to the Euro-grabber Trojan virus inflicting enormous financial losses. Widespread also are fake SMS apps or SMS interceptors that give offenders access to login information, such as a password and a username. Researchers have identified that Google’s Android is the most vulnerable of mobile platforms. Attacks related to malware targeting financial information are at the top of the list.
Criminals using the Heartbleed bug take advantage of in Open SSL for misappropriating data from wireless networks and connected devices. Studied in relation to the bug, numerous applications used for online payments, banks services, and shopping reportedly presented danger. To address the cyber threats, mobile payment app users should opt for Apple products based on a walled garden App Store and a closed operating system. Users will stay safe from attacks unless their inquisitiveness make the choice for them and becomes instrumental in them downloading a free app from a questionable source. The same holds true for the Near Field Communications platforms that are quite much safe until the downloading of doubtful apps. Side loading may also expose users’ accounts. Although invincible at first sight, Generic Top Level Domains may be compromised by typo squatting, spamming, phishing, and other threats. In any case, users would protect their devices and money if they follow a number of general recommendations like installing a credible antivirus app, avoiding websites with delicate content, and refraining from scanning QR codes by any means other than security apps.
Anderson, B. (2013, April 6). New TLD’s can help address online banking security concerns. Information Week. Bank System & Technology. Retrieved from: http://www.banktech.com/new-tldand-8217s-can-help-address-online-banking-security-concerns/a/d-id/1296394?
Arnfield, R. (2013, September 19). Mobile malware to have doubled in 2013, says McAfee. Mobile Payments Today. Retrieved from: http://www.mobilepaymentstoday.com/articles/mobile-malware-to-have-doubled-in-2013-says-mcafee/
Carleton, J. (2013, August 22). Addressing mobile cyber security. Frost & Sullivan. Retrieved from: http://www.frost.com/c/10402/blog/blog-display.do?id=2958781
Mobile Payments Today. (2015). contactless payments/NFC payments. Networld Media Group, LLC. Retrieved from: http://www.mobilepaymentstoday.com/topics/contactless-nfc/
Ping. (2014, April 23). Attack prediction: Malicious GTLD squatting may be the next big threat. Open DNS. Security Labs. Retrieved from: https://labs.opendns.com/2014/04/23/malicious-gtld-squatting/
Pravda, L. (2013, February 15). Mobile commerce brings opportunity and cybercrime. Bank Systems & Technology. Retrieved from: http://www.banktech.com/channels/mobile-commerce-brings-opportunity-andand-8230-cyber-crime/a/d-id/1296162?
QR Pay. (2011). Welcome to QR pay. QRPay.com. Retrieved from: http://www.qrpay.com/
Rahul, R. (2014, August 4). One out of every ten android apps affected with malware and viruses, states new research. International Business Times. Retrieved from: http://www.ibtimes.co.uk/android-apps-one-ten-affected-malware-viruses-states-new-research-1459576
Rampe, D. (2014, September 24). Mobile attacks listed as one of the top threats facing e-commerce businesses. Threat Metrix. Retrieved from: http://www.threatmetrix.com/mobile-attacks-listed-as-one-of-the-top-threats-facing-e-commerce-businesses/
Zhang, V. (2014, April 11). Heartbleed bug – mobile apps are affected too [blog post]. Retrieved from: http://blog.trendmicro.com/trendlabs-security-intelligence/heartbleed-bug-mobile-apps-are-affected-too/