Mobile payments security: Four tips for keeping crooks' fingers out of m-wallets

Expect new ruses from criminals as mobile-wallet use increases...

...the mobile fraud industry is still in its infancy. Expect the criminals to come out with some clever innovations as their sophistication develops.

Mobile security is the new Wild West, combining the explosion in mobile apps with the immaturity of mobile security to make the whole environment an attractive target for black-hat hackers and organised crime. And you can bet that m-wallets will quickly become a favoured target for mobile criminals.

As the 2011 Lookout Mobile Security Mobile Threat Report has shown, Android users are two and a half times as likely to encounter malware today as they were six months ago, and three out of 10 Android owners are likely to encounter a web-based threat on their device each year.

CIOs may want to consider some practical tips when approaching m-wallets:

  1. Think like a criminal: Organisations adopting m-wallets need to look at their business model, technology and processes from a criminal's perspective. The best defences often come from looking at the assets through the eyes of the attacker and deploying defences accordingly.
  2. Build security in from the beginning: Innovation and security may not always go hand in hand, but secure applications are always cheaper in the long run. So while it certainly makes sense to do security tests before going live with an app, it makes even greater sense to arm your developers with the tools to get it right in the first place. Those using third-party developers can build periodic security assessments into the process to ensure the proper checks and balances are being followed before it becomes too late to change.
  3. Use what you have: Organisations with existing anti-fraud measures on other channels will want to make sure they are applied to the mobile channel too. It will be critical not only to ensure that they still work - and that they work fast enough - but also that they work across channels. Exploiting silo thinking between different channels is a fraudster's favourite technique.
  4. Security should be the greatest enabler of m-wallets: Combining ease of use and strong security will be key to achieving the potential of m-wallets. This approach means not only securing the technology but also building operating models and processes that are fraud-proof - or at the very least highly fraud-resistant - by applying lessons from other channels and testing the security to the extreme.

So while the introduction of mobile wallets may mean the days of the computer fraudsters are numbered, there is every indication that, for companies and businesses, the challenge of securing customers' money and information may only just be beginning in earnest.

Malcolm Marshall is head of information protection and business resilience at services firm KPMG.