The risks of mobile processing and best practices for secure payment transactions

Does Mobile Processing Scare You? It Should.

© 2013 SecurityMetrics


About This eBook

Who should read this eBook?

• Businesses that currently use mobile device payment processing (mPOS)

• Businesses considering mPOS solutions

• Financial institutions that offer mPOS products and services

• Individuals concerned about the security of their payment data in mPOS transactions

What does this eBook include?

• A brief background of the mobile device and mobile processing industries

• Current security risks mPOS presents to both consumers and businesses

• How criminals use mobile vulnerabilities, malware, and malicious apps to steal personal data

• Current best practice guidelines for businesses that wish to securely implement an mPOS solution

Why was this eBook written?

The mission of this eBook is to explain the risks of processing payments via mobile devices through data, statistics, and case studies, and to provide best practice solutions to protect mobile transactions.


Introduction

Mobile processing has been hyped as the future of payment transactions; but as the number of businesses using mobile point-of-sale (mPOS) solutions increases, so does the challenge of securing mobile devices.

Most people mistakenly believe mobile devices are already secure. In actuality, mobile devices have inherent security flaws that may put merchant transactions at risk of compromise.

If you use smartphones or tablets for mobile processing, the time to secure those devices is now. This introductory guide will walk you through the basics of mobile payments and offer best practices to fortify mobile transactions.

Let’s get started.

Figure: Mobile Devices (Tablet, PDA, Smartphone)

Chapter 01: The Mobile Ecosystem

World Domination

Consumers are buying mobile devices faster than ever. It’s predicted that nearly 1.25 billion smartphones and tablets will be purchased in 2013 alone*. With Earth’s population at a whopping 7 billion, that will mean one mobile device for every five people in the world.

* Estimate based on CCS Insight and IDC findings.

Market Ownership

Quick! Name the major operating systems that dominate the mobile space today! If you said Apple® iOS and Google Android™, you’re spot on. While Apple is one of the world’s most profitable companies, when it comes to mobile platforms, Android is the big kahuna. 1.3 million Android devices are activated every day, which means every 24 hours more than four times as many mobile devices are set up than babies are born.

The average person checks their smartphone every 6.5 minutes!

According to a recent AT&T survey:

85% of small businesses use smartphones for operations

69% of small businesses use a tablet computer


Apps, Apps, and More Apps

The average smartphone contains 41 apps that its owner uses on a regular basis. We used to rely on mobile devices for things like communication and planning, but now they are more like virtual Swiss Army knives. Creative developers release more app functionality each year, including the ability to start cars remotely, measure your heart rate, dim house lights from 50 miles away, and even act as a virtual cash register.

Figure caption: Total number of unique downloads that both Apple’s App Store and Android’s Google Play will reach in 2013.

2012 Smartphone Market Share

Android: 69%
iOS: 19%
BlackBerry®: 5%
Windows®: 3%

Chapter 02: Mobile Processing

Mobile Processing

Mobile processing is a very simple and flexible way for merchants to process payments. An easy way to think of mobile processing is that it enables every smartphone or tablet to be its own swipe terminal. Merchants attach hardware to a smartphone or tablet that reads the data from a card’s magnetic stripe, or use a payment processing app to manually enter card data. Notable mobile processing solutions include GlobalBay Mobile POS™, Square®, and Intuit® GoPayment. Many traditional processing banks also offer mobile solutions.

Growth of Mobile Processing

Mobile is changing the entire shopping experience for both consumers and merchants. Initially, mPOS was adopted by micro-merchants (e.g., photographers, tradesmen, dog groomers) with low-value transactions. Compared to legacy payment systems, mobile POS solutions are cost effective, convenient, and easy to implement. Now, mobile payments have exploded beyond the niche market of micro-merchants to large global brands.

Figure: Mobile Payments, with the labels mPOS, Payment Apps, Mobile Card Reader, Virtual Wallet, Bill Me Later, Online Purchases, and the callout “This is what we’re talking about today”.

By 2015, it is estimated that mPOS could increase new card payments by $1.1 trillion.


Customer Confidence in mPOS

Customers are still quite wary of how mobile processing could affect their privacy and personal data. In fact, only 28% of consumers consider mobile processing to be secure. With recent news reports of high profile data breaches, it’s no wonder consumers question mobile payment processing.

However, it is widely felt that mPOS will soon break the dam of caution that blocks consumer confidence in mobile processing. Square, a mobile processing service, has reported exponential growth over the past few years. A similar growth pattern could undoubtedly be applied to other mPOS solutions. Small businesses are adopting mobile technology in increasing numbers. In fact, of businesses that use mobile devices, one out of five use them to accept payments.

Square payment card transactions increased 3,200% in the last 24 months.

Chapter 03: Security Issues

Just Like Computers, But...

Boiled down, mobile devices are sophisticated computers that lack many features of computer security. The problem is, smartphones and tablets face the same kinds of threats as a desktop or laptop, such as malware, insecure environments, and communication attacks, but lack the fortification to thwart attacks. Scared yet?

Since mobile technology is extremely powerful, people mistakenly assume mobile devices are as secure as a typical hardware point-of-sale (POS) system. POS systems are typically placed behind a firewall in a controlled environment with limited access to the Internet, and therefore have limited attack vectors; whereas mobile devices are automatically connected to the Internet via cellular or unsecured public wireless. Mobile devices don’t include firewalls or other safeguards, and are wide open to potentially hostile environments.

Essentially, mobile devices were designed for convenience and ease of use, not necessarily for security.


Your Data: A Hacker’s Gold Mine

Mobile devices handle a lot of sensitive material. Traditionally, mobile hackers profited from the personal information of you and your contacts. However, with the rise of mobile credit card processing and financial management apps, a more valuable set of information has become available to steal—credit card data. It won’t be long until hackers begin to take notice.

If that makes you a little unnerved, it should seriously alarm you to learn that 32% of mobile malware created in 2012 was designed to steal information from your device. Luckily, there hasn’t been a large number of mobile breaches reported… yet. However, it’s just a matter of time.

If a merchant processes your card on a mobile device, how do you know it’s secure?

You don’t.


Mobile Malware

Mobile malware is bad news for smartphone and tablet users. Mobile malware consists of software packages that carry out malicious activities on a mobile device, and the amount of mobile malware is growing daily.

How worried should you be? That depends on what type of mobile platform you use.

Google has a target painted on its mobile platform. In 2012, over 97% of all the malware in the world was designed specifically for Android. Why is everyone picking on Android? Well, one reason is its app store. Compared to Apple’s App Store, Google Play™ places fewer restrictions on development, which is great for writing apps, but terrible for security. An Android app can access data outside of its own application, which allows hackers to create malicious malware designed to compromise mobile security.

It’s gonna be a long year... Over 40K unique malware threats were created in 2012. The first quarter of 2013 has already seen 22K new threats.


Don’t rejoice just yet, iOS and Windows users. It isn’t as easy to write malware for iOS, but it happens. If we know one thing about hackers, it’s that they evolve. As mobile transactions and the opportunity for fraud increase, hackers will become more sophisticated in their attacks (as hackers always do).

Types of Mobile Malware

Let’s look at common ways malware ends up on mobile devices.

Apps

Malicious apps are the most common type of mobile malware. Criminals write apps with malicious code, or secretly add lines of code into legitimate apps and reload them into the app marketplace for unsuspecting victims to download. Newly installed apps packaged with mobile malware are fully functional, but also deviously work in the background to collect personal data, change settings, remotely control the device, or even read from unencrypted card readers attached to your smartphone or tablet.

Evolution of Hackers

Expect more creative attacks as hackers evolve. For example, researchers recently discovered a way to hack Apple devices through malicious chargers.


Want proof? Here are a few examples.

• A single piece of malware was downloaded over 2 million times via 32 different apps from 4 separate developer accounts. The malware signed users up for a paid SMS service and directed users to download infected apps that hijacked their mobile devices.

• A piece of malware was inserted into a wallpaper app that secretly captured phone tones with the intelligence to report any data from manually typed credit cards.

• Malware was developed that enabled the user’s phone to continue downloading malicious data indefinitely. In other words, after the app was downloaded, the malicious possibilities were endless—even if the app was removed. This piece of malware was downloaded 200,000 times in four days.

URLs

Malware developers use malicious URLs to collect personal information. A malicious URL redirects a user to a fraudulent site in hopes they will enter sensitive information, such as a password, mobile number, or social security number. Guess what? It works. This year, 4 in 10 mobile users will click an unsafe link on a smartphone. Because smartphone and tablet screens are significantly smaller than computer screens, malicious links are easier to hide between lines of harmless text.

Hackers also use SMiShing, where cybercriminals encourage consumers to click on malicious links via text message.


Operating System Vulnerabilities

Because smartphones and tablets were never designed for data security, mobile operating systems have inherent flaws that automatically make them less secure than computers. Why does your smartphone constantly alert you to download the latest software update? It is likely because smartphone makers have found a security hole in the operating system and have to patch it with an update.

Here’s where the lack of security rears its ugly head. Operating system security holes stay open for a variety of reasons. Some mobile platforms don’t alert users of updated versions. Quite often, users ignore the update. Check out this statistic. Two years and two operating systems later, more than 39% of Android users are still using the Gingerbread operating system. For those not familiar with Android, Gingerbread is the version 2.3 platform of Android from 2010. As a result, these mobile consumers are lacking many of the major security updates provided by Ice Cream Sandwich and Jelly Bean. Yikes!

More than 800 apps are downloaded per second. How many of those apps are infected with malware?

Chapter 04: Protecting Mobile Processing

The Evolution of Mobile Hardware

Security will continue to evade mobile processing until mobile manufacturers make security changes in hardware and operating system software. Some new smartphones are being released with dual processors, which allows for segmentation of processing activities from other apps, the Internet, and texting capabilities. New iPhones are rumored to have stricter security protocols to protect mobile payments. However, until phones and tablets are created specifically with security in mind, true mobile processing security will continue to be a gamble.

Mobile Regulations

The Payment Card Industry Security Standards Council (PCI SSC) is the organization responsible for defining processing security requirements. The PCI SSC has provided mobile payment acceptance guidelines to help businesses process mobile transactions securely.


Best Practices

The safest scenario for merchants who wish to accept mobile payments is to use an encrypt-at-swipe (or encrypt-at-type) reader, which encrypts card information before it enters the device, and the mobile processing service decrypts it after it leaves. Even if a criminal gains access to the mobile device, all they would receive is a useless string of ciphertext. Note that many of the early mPOS card readers like Square and GoPayment didn’t have encryption as a feature, so users should perform due diligence to ensure their dongles have been upgraded to the encrypted model.

Some mPOS vendors offer solutions in which the swipe reader is optional. Experts have counseled against manually entering credit card numbers, as the lack of encryption may allow a rogue app to intercept the card data.
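The two paragraphs above describe the property an encrypt-at-swipe reader gives you: the card data is encrypted inside the reader under a key the phone never holds, so the payment app (and any rogue app that can read its data) only ever sees ciphertext, while a keyed-in card number sits in the app in plaintext. The script below is an added illustration of that model and is not SecurityMetrics code or any vendor's reader firmware. It assumes a key shared between the reader and the processor; real readers use AES under per-device DUKPT keys, and here a standard-library-only construction (HMAC-SHA256 used as a counter-mode keystream, with a separate HMAC tag, encrypt-then-MAC) stands in so the script runs offline. The card data is a constructed sample built from a public test PAN.

```python
"""Encrypt-at-swipe versus manual entry, modelled end to end.

Added example (not SecurityMetrics code). The reader and the processor share
a key; the phone between them never holds it. Real readers use AES under
DUKPT-derived keys; this stand-in uses HMAC-SHA256 as a counter-mode
keystream plus an HMAC tag (encrypt-then-MAC) so it runs with stdlib only.
"""
import hashlib
import hmac
import json
import os

# Constructed sample: a well-known Luhn-valid test PAN, not a real card.
TEST_PAN = "4111111111111111"
TEST_TRACK2 = TEST_PAN + "=2512101"


def new_reader_key() -> bytes:
    """Key provisioned into the reader and the processor; never into the phone."""
    return os.urandom(32)


def _subkeys(reader_key: bytes):
    """Derive independent encryption and MAC keys from the shared reader key."""
    enc = hmac.new(reader_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(reader_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(nonce || counter) blocks, concatenated and truncated to length."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def reader_encrypt(reader_key: bytes, track: str) -> str:
    """Runs inside the reader dongle: the track is encrypted before the phone sees it.
    Returns the opaque JSON blob the payment app forwards to the processor."""
    enc_key, mac_key = _subkeys(reader_key)
    nonce = os.urandom(12)
    pt = track.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return json.dumps({"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()})


def processor_decrypt(reader_key: bytes, blob: str) -> str:
    """Runs at the processing service: verify the tag first, then decrypt."""
    enc_key, mac_key = _subkeys(reader_key)
    msg = json.loads(blob)
    nonce, ct, tag = (bytes.fromhex(msg[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong reader key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def manual_entry_flow(pan: str, expiry: str) -> dict:
    """Keyed-in card: the app itself holds the plaintext PAN and builds the
    request, so anything that can read the app's memory or storage sees it."""
    request = json.dumps({"pan": pan, "exp": expiry})
    return {"app_visible": request, "processor_receives": request}


def encrypted_swipe_flow(reader_key: bytes, track: str) -> dict:
    """Encrypt-at-swipe: the app only ever relays the reader's ciphertext."""
    blob = reader_encrypt(reader_key, track)
    return {"app_visible": blob, "processor_recovers": processor_decrypt(reader_key, blob)}


def pan_exposed(app_visible: str, pan: str) -> bool:
    """Would a rogue app reading the payment app's data find the PAN?"""
    return pan in app_visible


def tamper_detected(reader_key: bytes, blob: str) -> bool:
    """Flip one ciphertext byte in transit; the processor must reject it."""
    msg = json.loads(blob)
    ct = bytearray.fromhex(msg["ct"])
    ct[0] ^= 0x01
    msg["ct"] = ct.hex()
    try:
        processor_decrypt(reader_key, json.dumps(msg))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = new_reader_key()
    manual = manual_entry_flow(TEST_PAN, "2512")
    swipe = encrypted_swipe_flow(key, TEST_TRACK2)
    print("manual entry, PAN visible on the phone:", pan_exposed(manual["app_visible"], TEST_PAN))
    print("encrypt-at-swipe, PAN visible on the phone:", pan_exposed(swipe["app_visible"], TEST_PAN))
    print("processor recovered the track:", swipe["processor_recovers"] == TEST_TRACK2)
    print("tampered blob rejected by processor:", tamper_detected(key, swipe["app_visible"]))
```

The design point is where the key lives: because the phone holds neither the encryption nor the MAC key, compromising the device or the app yields only the blob, and the authentication tag means a modified blob is rejected rather than silently decrypted. The same separation is why the page's advice to avoid manual entry matters: in manual_entry_flow there is no reader in the path, so the plaintext PAN necessarily exists inside the app before it is sent.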

Mobile Vulnerability Scanning

One part of securing a mobile platform is to scan it for mobile vulnerabilities. SecurityMetrics MobileScan is an app that scans devices internally to help users avoid threats that originate from things like mobile malware and unwarranted app privileges. Because it was designed for businesses, MobileScan was created using the PCI Mobile Payment Acceptance Security Guidelines.


Top 7 Best Practices

1. Use an encrypt-at-swipe hardware reader created by a big player in the mPOS field (e.g., Square).

2. Minimize the manual entry of credit cards.

3. Read and follow the PCI SSC Mobile Payment Acceptance Security Guidelines.

4. Ensure everyone who comes in contact with the device (e.g., employees) is educated on mobile security.

5. Only download apps from official app stores (e.g., Google Play, Apple App Store).

6. Stay up to date with both app and operating system software.

7. Download and begin using a mobile vulnerability scanning app on your mobile processing device (e.g., SecurityMetrics MobileScan).

Chapter 05: Summary

Make Changes Now

As the number of businesses processing on mobile devices begins to rise, hackers will begin targeting mobile transactions. Should the security risks of mobile processing concern you? Yes. Should the security risks stop you from processing customer credit cards on mobile devices? No, as long as you take the necessary precautions like using encrypt-at-swipe/type readers, avoiding manual data entry, and scanning mobile devices for vulnerabilities.

Luckily, a significant mobile breach of credit card data hasn’t yet been reported, but it’s just a matter of time. Until mobile hardware is altered, simple security precautions must be taken to secure customers’ sensitive data. If you identify the current risks inherent to your mobile devices and make necessary changes today, you may prevent the serious mobile security problems of tomorrow.

Protect Yourself With MobileScan

www.securitymetrics.com/mobilescan


About SecurityMetrics

SecurityMetrics protects e-commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security, and has helped over 1 million organizations as an Approved Scanning Vendor and Qualified Security Assessor.

Among other products and services, SecurityMetrics offers PCI audits, PA-DSS audits, security consulting, mobile device vulnerability scanning, penetration testing, data discovery tools, and forensic analysis.

Founded in October 2000, SecurityMetrics is a privately held corporation headquartered in Orem, Utah, USA.