
Mobile Payment Security, Fraud, and Risk: Breaches, Malware, and the OS Linchpin

Abstract

New Research from Mercator Advisory Group Explores Emerging Threats to Mobile Payment Ecosystem

Boston, MA - October 10, 2012 -- Mobile payments have arrived. Driving this revolution is a large collection of technologies, some of which are immature and not fully secure. Nascent solutions are a gilded invitation for criminals to attack at various points within the mobile payments ecosystem. Operating system (OS) developers, payment networks, banks, and even users need to be involved in keeping this evolving environment secure.

The two greatest threats to the mobile payments industry are malware and data breaches. The data breach is well understood and is a universal issue for the payments industry. Standards like PCI have gone a long way toward combating the problem. The malware problem, however, is more focused, initially affecting OS and applications developers, with the effects eventually spreading to the rest of the mobile payments community.

Mercator Advisory Group's new report, Mobile Payment Security, Fraud, and Risk: Breaches, Malware, and the OS Linchpin, examines these threats, explores ways in which fraudsters might exploit them, and indicates how the mobile industry should prepare and respond.

"Criminals are highly motivated to attack mobile payments because they are such a rich target. Historically, these hackers have been loosely organized but effective. They take advantage of the lag between the introduction of a payment technology and its general acceptance by the public. This period provides ample opportunity for the perpetrators to discover vulnerabilities and prepare attack strategies," David Fish, senior analyst in Mercator Advisory Group's Fraud, Risk, and Analytics Advisory Service and author of the report, comments. "Our research has indicated that OS developers are in the best position to limit the spread of mobile malware. They control the OS, they control their own applications, and they are in a position to control the offerings of third-party application vendors."

Highlights of this report include:

  • Discussion of the two approaches to mobile payments and analysis of the security threats facing them.
  • Review of traditional forms of payment fraud and explanation of how these forms are evolving as mobile enters the payments ecosystem.
  • Examination of the methods and vectors that fraudsters use to obtain payment card information and the schemes they exploit to capitalize on stolen data.
  • Analysis of the drivers of insecurity in the mobile arena, including OS application review processes, time-to-market pressures, vulnerabilities to phishing, WiFi hacks, man-in-the-middle attacks, and others.
  • Recommendations for tighter mobile payment security for OS developers, corporate and individual mobile users, application developers, and mobile carriers.

[Image: one of 10 exhibits in this report]

This report is 27 pages long and has 10 exhibits.

Companies mentioned in this report include: American Express; Apple; Dwolla; First Data; F-Secure; Gemalto; Global Payments; Google; Isis; LevelUp; MasterCard; Microsoft; PayPal; Research In Motion; Starbucks; Symantec; Symbian; Visa; and WebMoney.

Table of Contents

Executive Summary

Introduction

  • Mobile Security
  • Vulnerabilities in OSs and Apps
  • The Mobile (Payment) Future

Emerging Threats: Mobile Payment Fraud

  • Mobile Payment Approaches

Payment Fraud

  • Traditional Payment Card Fraud
  • Modern Payment Card Fraud
  • Data Breaches
  • Malware
  • The Outcome: Identity Theft

Mobile Operating Systems and Applications: Leading the Way to Payment Fraud

  • Competition Drives Fast-Paced Software Development (and Bugs)
  • Third-Party Applications as an Entry Point

Mobile Phishing: The Berkeley Reports

WiFi Hacks

NFC and Device-Based Security Threats

  • Lost/Stolen Devices and Walk-offs
  • Ghost and Leech Attacks
  • Other Forms of Potential Compromise

Conclusion and Recommendations

  • For OS Developers
  • For Corporations and Individuals
  • For Application Developers (Merchants, Issuers, Corporations)
  • For MNOs
  • Copyright Notice
  • Endnotes