Skip to content

Mobile Fraud: More needs to be done

2009 October 21
E*Trade Mobile Pro is a finance app I use often.

E*Trade Mobile Pro

Mobile financial service applications are spreading rapidly and are generally secure. However, I don’t see evidence of institutions monitoring and protecting the mobile channel as diligently as other channels.

Hackers will certainly start targeting mobile banking and mobile stock trading applications as adoption increases. Furthermore, there are more opportunities for exploits because of mobile platform fragmentation.

When a major attack happens, it will be well publicized and it will likely slow adoption while the public reconsiders their safety. I will be purposefully vague here to avoid providing any roadmaps or ideas to bad guys.

For example, many organizations use fraud detection software on web applications to look for suspicious activity and limit both losses and risk. Often fraud detection software also preserves evidence in the event the fraud is real. For web sites, this type of software is almost as commonly deployed as firewalls and routers.

Organizations have been suspiciously silent on the protections they’re deploying, which is unlike historical ecommerce behavior. Are companies actively monitoring the traffic from mobile enabled accounts to ensure new types of fraudulent activity aren’t occurring?

TD Ameritrade provides a third-party stock trading application (Mobitrade) that optionally lets you save your username and password in the application, thus providing access without a username and password. (E*Trade pictured here, requires a password to see account data). While this option is convenient, the risks are bound to outweigh the reward.

In the case of TD Ameritrade, users can’t execute trades using the Mobitrade application. However, account balances, positions, stocks owned and watched are all sensitive information thieves can use to commit crimes through other channels.

Providing separate applications on separate platforms also increases the effort required to keep security holes plugged. Many institutions are considering supporting mobile applications on iPhone, Android, Blackberry and potentially other mobile operating systems in addition to their mobile web and SMS-based systems. Each production release of each product version runs the risk of containing a vulnerability. It’s all just software.

Organizations must keep the details of their security infrastructure secret to prevent circumvention of those protections. However, organizations need to perform detailed risk assessments of the mobile channel and deploy protections that are at least as strong as protections to online and ATM channels. The security vendors usually ensure the world knows what companies are using their technology.

The silence on mobile security is deafening.

(Disclosure: I have accounts with both TD Ameritrade and E*Trade. I own TD Ameritrade stock (NYSE: AMTD) and have done work for them in the past. This article DOES NOT imply that E*Trade, TD Ameritrade, or any other company are lacking any particular security measure or that I have knowledge of their specific security measures.)

Be Sociable, Share!
One Response leave one →
  1. October 22, 2009

    You raise a good point !!! The bottom line is that where money is migrating into mobile the fraud, hacking, and mobile identity theft is migrating too!!! As the mobile security industry is taking shape there are many choices to choose from with regard to mobile payment transaction protection.

    I can’t vouch for all mobile payment providers, but at mobicash ( we focus on a level of optimal mobile payment security to fit each unique transaction. Actually we have done some great work and we seems to have a what seems very secure (bank grade) mobile payment platform.

    Transactions are securely signed with NSDT™ a technology that sends “cryptosounds” through the phone’s audio channel to enable contact-less mobile payment. NSDT™ technology provides a very high level of security and protects user privacy; it is uniquely suited to the retail context. In many sites of mobile financial service deployment, NSDT™ is needed to expand the contexts in which mobile payment is feasible and secure.

    NSDT™ (Near Sound Data Transfer), transmits an electronic signature, one time password, and cryptographic key to secure electronic transactions and provide strong authentication services. NSDT™ uses the audio channel and security features of any cell phone. As a result, no software downloads or hardware modifications are required. An Encrypted Sound is emitted every second containing: transaction data, a certificate, a one-time password, an indentifier, a transaction number and an electronic signature. OTPs are only valid for 1 transaction and have a very short life span, making them useless if intercepted and replayed.

    NSDT™ transforms any cell phone into a secure payment or authentication tool and is immediately compatible with all existing cell phones worldwide, whatever the manufacturer and whatever the network, without any hardware phone modification or software download. This solution is 100% mobile network agnostic and can work on any cell phone model.

Leave a Reply

Note: You can use basic XHTML in your comments. Your email address will never be published.

Subscribe to this comment feed via RSS