New Research from Mercator Advisory Group Explores Emerging Threats to Mobile Payment Ecosystem
Boston, MA - October 10, 2012 -- Mobile payments have arrived. Driving this revolution is a large collection of technologies, some of which are immature and not fully secure. Nascent solutions are a gilded invitation for criminals to attack at various points within the mobile payments ecosystem. Operating system (OS) developers, payment networks, banks, and even users need to be involved in keeping this evolving environment secure.
The two greatest threats to the mobile payments industry are malware and data breaches. The data breach is well understood and is a universal issue for the payments industry. Standards like PCI have gone a long way toward combating the problem. The malware problem, however, is more focused, initially affecting OS and applications developers, with the effects eventually spreading to the rest of the mobile payments community.
Mercator Advisory Group's new report, Mobile Payment Security, Fraud, and Risk: Breaches, Malware, and the OS Linchpin, examines these threats, explores ways in which fraudsters might exploit them, and indicates how the mobile industry should prepare and respond.
"Criminals are highly motivated to attack mobile payments because they are such a rich target. Historically, these hackers have been loosely organized but effective. They take advantage of the lag between the introduction of a payment technology and its general acceptance by the public. This period provides ample opportunity for the perpetrators to discover vulnerabilities and prepare attack strategies," David Fish, senior analyst in Mercator Advisory Group's Fraud, Risk, and Analytics Advisory Service and author of the report, comments. "Our research has indicated that OS developers are in the best position to limit the spread of mobile malware. They control the OS, they control their own applications, and they are in a position to control the offerings of third-party application vendors."
Discussion of the two approaches to mobile payments and analysis of the security threats facing them.
Review of traditional forms of payment fraud and explanation of how these forms are evolving as mobile enters the payments ecosystem.
Examination of the methods and vectors that fraudsters use to obtain payment card information and the schemes they exploit to capitalize on stolen data.
Analysis of the drivers of insecurity in the mobile arena, including OS application review processes, time-to-market pressures, vulnerabilities to phishing, WiFi hacks, man-in-the-middle attacks, and others.
Recommendations for tighter mobile payment security for OS developers, corporate and individual mobile users, application developers, and mobile carriers.
Companies mentioned in this report include: American Express; Apple; Dwolla; First Data; F-Secure; Gemalto; Global Payments; Google; Isis; LevelUp; MasterCard; Microsoft; PayPal; Research In Motion; Starbucks; Symantec; Symbian; Visa; and WebMoney.