I had an interesting discussion about mobile systems security and banking over the weekend with some friends from the University of Washington. Here are my thoughts on what is going to be some of the more advanced issues with information security, mobile systems, and the idea that the phone is the new credit card.
Few systems are designed with “security first”, really if you want to gather an audience, you have to have an awesome interaction with the software, the hardware and the person driving the software on the device. Realistically as mobile payments become standardized, there are going to be three problems that crop into the mobile system payments.
1. People who root their own software but still want to run payment processor applications. All the current mobile systems have been so compromised that anyone can do anything they want to do with their phone. This is a good thing for people who want to extend their hardware and software beyond what the developer/designer/company intended. But this also brings in the idea on people who root their own phones, but are not aware of the security ramifications of doing so. You can read more about this using this search string. http://www.google.com/search?q=ssh+attacked+rooted+iphone&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
2. People who have had their phones or mobile systems compromised because of malware, bad applications, or intentionally developed software that attempts to capture data from all over the phone ecosystem, including banking applications. http://www.google.com/search?q=android+dream+malware&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a is a good place to start. People will download anything.
3. Companies who design software for banking applications do not always follow best security practices. Major flaws have been found in many of the most popular banking applications. http://www.google.com/search?q=mobile+banking+software+security+flaws&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a is a good place to start on this subject.
Realistically anyone who is trying to secure and protect mobile banking faces those three threats at any given time. Intentional or unintentional flaws, design and security issues, malware, or poor programming and design of software are the three most common flaws in today’s mobile banking systems. It is unlikely that these issues will be dealt with in the foreseeable future, as these systems are all designed by humans, all are to various degrees open to users, malware, and programs to do things that are beyond the design specifications, and all require a deep review of everything banking on mobile systems.
This is the challenge then, to design a wrapper around a banking application, that would be hyper aware of the state of the phone, the software, and what the user has done, what the programmer has done, and if there is malware on the phone or not. This wrapper has to be very intelligent, very protected if not invisible, and literally baked into the phone so that regardless of what the user does (root their own phone), what malware designers do (be as invisible as possible to the phone and its security mechanisms), or what shoddy software does (security flaws, poor programming, crashes, bad user input).
This is a real challenge, it would require a well-built secure wrapper around the software that validates everything regardless of the state of the mobile device that validates user input, and can shut down the application if there is a serious problem, or assign a “trust factor” that this is a trusted or reliable transaction. It would require deep awareness of the current state and future states of malware for mobile systems, and it would require knowledge of the state of the phone. If the phone was running normally as if it came right from the manufacturer, or if the phone had been altered or rooted by the user for whatever reason.
That is the challenge then, software that is a wrapper that manages the phone on all levels regardless of mobile system state. Then has deep knowledge of mobile system malware and can check for it. Then manage user input and shoddy programming standards for mobile system payment software. Banking is one of the few places that we all rely on, and as mobile banking becomes the standard for everyone, these three issues will be at the core of trust in the system.
(Cross-posted @ Managing Intellectual Property & IT Security)