Mobile Payments and Devices Under Attack

Posted by Christopher Burgess

A number of annual security reports released in the first half of 2014 address the threat to mobile devices and capabilities, including mobile payments and banking. If you are an Android user, you will find it interesting that these reports estimated 98 to 99 percent of all mobile malware created in 2013 targeted Android devices (see, for example, the Cisco 2014 Annual Security Report and the Kaspersky Security Bulletin 2013).

Where Are Risks the Greatest?

The report from Kaspersky Lab highlights how mobile malware became more sophisticated in 2013, with "mobile Trojans which could check on the victim's balance to ensure the maximum profit." More often than not, mobile phishing attacks targeted credit card and bank card data. Users in central and western Asia were at the highest risk of online infection (when the malware is delivered over the Internet), as countries in these regions made the list of the top 20 countries with infected devices. For local threats (threats that spread through means other than the Internet, e-mail, or the local network), the countries of Vietnam, Bangladesh, Nepal, and Mongolia were at highest risk, while Denmark, the Czech Republic, Finland, Cuba, and Japan were considered to be the five countries with the lowest risk.

Trend Micro released a threat research report specific to the mobile cybercriminal underground market in China. Sobering content indeed, as mobile payments and payment systems are clearly being targeted. And it makes sense, given that 81 percent of Chinese Internet users used their mobile phones in 2013 to get online, according to the China Internet Network Information Center, which also notes there were 500 million mobile Internet users. Both Kaspersky and Trend Micro call out the increase in premium number fraud, where infected mobile devices can automatically make premium service subscription requests. The malicious apps can then confirm those requests on the user's behalf via SMS (text message) and delete all evidence of the confirmation text. The users don't know they have subscribed to the service, and they will be charged through their mobile device plan.


This week's RSA Conference in Singapore has a number of presentations that address this issue head-on within the Mobile Security track. The common theme of these presentations is that as mobile device usage increases, so too will cybercrime incidents, but all is not lost. The "Heartbleed" bug in the OpenSSL code created a global rush to update servers and certificates with patches, and it clearly affected those working with mobile payment systems who were counting on the security of SSL. Therefore, Heartbleed, coupled with the various security vendor reports, drives home the reminder to give some thought to the implementation and usage of mobile payment systems. Only download apps from trusted entities; embrace two-factor authentication, when available, if you use mobile payments—and integrate it into your offering if you are creating a mobile payment capability; and consider using any of the number of available biometric capabilities for mobile devices and mobile wallets.

The drive to secure digital payment systems is only going to accelerate in 2014 and beyond, as consumers want the convenience of a mobile payment capability but also wish to have a higher degree of security surrounding their mobile payments.

Christopher Burgess, Prevendra Inc.
