For many years, security managers have adapted as users wanted and needed access to new technologies. The next new technology security managers will need to embrace could well be mobile payments. Employees may begin to ask if they can make payments on their mobile devices -- the same devices that access corporate information.
Mobile payment technology will require additional security implementations. Established security procedures, such as the corporate risk assessment process, will still need to be followed, but enabling mobile payments by employees will require new policies, adaptations of current security tools, and possibly the purchase of new security technologies that are just now being developed.
Mobile payment systems
Mobile payment systems enable a user to pay out and receive agreed amounts of money using a mobile device, such as a smartphone. They are often classified into two broad categories:
- Payment systems that utilise a mobile network to initiate or authorise a transaction;
- Contactless systems that use a mobile phone in lieu of a traditional credit card.
When a mobile payment system is installed on a mobile phone, it raises the value of that device to attackers. Previously, mobile phones were targeted for their resale value or, in the case of smartphones, for the data stored on them. But with a mobile payment system installed, online payment details are added to the data on the device, which could give it a much higher value to a hacker than any other item the individual carries -- perhaps even more than their wallet.
Best practices for enabling mobile payments
As employees begin considering making mobile payments, security professionals should undertake a risk assessment of mobile payment systems. Here are some tips, based on my own experience, about the best way to handle mobile payments, both before and after the risk assessment process.
- Consider embracing mobile payment systems from the outset. Some mobile payment systems are going to end up on the mobile phone estate somehow. Get involved now by announcing you will provide detailed information about mobile payments in the near future. The bottom line is to show you are considering embracing this technology, rather than having to control it after widespread adoption.
- Evaluate different mobile payment systems and the risks associated with each, and determine which is best for your organisation. In some cases, this may mean determining which system is not the worst for your organisation.
- Promote dialogue with users who are already using mobile payments and find out their preferences, or what they would like to do with mobile payments.
Once user preferences have been noted and a mobile payment system has been selected, provide users with a roadmap -- and do it soon. Otherwise, some users will find their own solutions faster than you would like, as happened when executives brought in iPads and then told the IT department to find a way to make them work on the corporate network.
Securing mobile payment data on devices
Because mobile devices with mobile payment systems have especially high value to hackers, a full range of security controls should be implemented on these devices. The technical controls for mobile devices are straightforward, since they track advances in control development. However, most new smart devices sold today do not give the user root access. This means, for example, that you will likely need to gain root access before you can install controls such as a firewall.
Another vital control that should be implemented on mobile devices is encryption. The point to remember here is that it is far easier to recover data from most non-hard-disk storage technologies (such as the memory sticks, memory cards and flash storage used in smart devices) than on a smartphone. The only way to reduce the likelihood of data recovery is not to rely on the device's built-in software wipe function alone, but to encrypt the data first and then wipe the device.
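The "encrypt first, then wipe" advice above, as an added example that is not from the article: a Python model (constructed here) of a flash chip with wear levelling, showing that a built-in logical wipe leaves a stale copy of a payment record readable from the raw chip, while encrypting the record before it is ever written and then destroying the key leaves nothing recoverable. The HMAC-SHA256 counter-mode stream cipher is a standard-library stand-in for the AES a real device keystore would use; `FlashStore`, `RECORD` and the function names are this example's own assumptions, and the card data is a constructed test value.

```python
import hashlib
import hmac
import secrets

PAGE_SIZE = 64  # bytes per logical page / physical block in the toy model


class FlashStore:
    """Constructed toy model of a flash chip with wear levelling.

    Every write of a logical page lands in a fresh physical block; the block
    that held the previous version is only unmapped, never erased. That is
    what makes stale copies recoverable with a raw read of the chip.
    """

    def __init__(self, n_blocks=16):
        self.blocks = [bytes(PAGE_SIZE)] * n_blocks  # raw physical storage
        self.free = list(range(n_blocks))            # blocks never written yet
        self.mapping = {}                            # logical page -> physical block

    def write(self, page, data):
        if len(data) > PAGE_SIZE:
            raise ValueError("record does not fit in one page")
        block = self.free.pop(0)
        self.blocks[block] = data.ljust(PAGE_SIZE, b"\x00")
        self.mapping[page] = block  # the old block, if any, is merely orphaned

    def read(self, page):
        """What the operating system and apps see."""
        return self.blocks[self.mapping[page]]

    def logical_wipe(self):
        """Mimics a built-in device wipe: overwrite every logical page with zeros."""
        for page in list(self.mapping):
            self.write(page, bytes(PAGE_SIZE))

    def raw_dump(self):
        """What a forensic examiner reads directly off the chip."""
        return b"".join(self.blocks)


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


# Constructed sample payment record; not a real card number.
RECORD = b"PAN=TEST-0000-0000-0000;EXP=12/99"


def wipe_only():
    """Store the record in the clear and rely on the built-in wipe.

    Returns (os_view_clean, recoverable_from_raw_chip).
    """
    flash = FlashStore()
    flash.write(0, RECORD)
    flash.logical_wipe()
    os_view_clean = flash.read(0) == bytes(PAGE_SIZE)
    recoverable = RECORD in flash.raw_dump()
    return os_view_clean, recoverable   # (True, True): clean for the OS, not for forensics


def encrypt_then_wipe():
    """Encrypt before the record ever touches flash, destroy the key, then wipe.

    Returns (os_view_clean, recoverable_from_raw_chip).
    """
    flash = FlashStore()
    key = secrets.token_bytes(32)   # on a real device this lives in the hardware keystore
    flash.write(0, encrypt(key, RECORD))
    # While the key exists, the legitimate app can still read the record.
    stored = flash.read(0)[:16 + len(RECORD)]
    if decrypt(key, stored) != RECORD:
        raise RuntimeError("round trip failed")
    key = None                      # crypto-erase: with the key gone, the stale copy is noise
    flash.logical_wipe()
    os_view_clean = flash.read(0) == bytes(PAGE_SIZE)
    recoverable = RECORD in flash.raw_dump()
    return os_view_clean, recoverable   # (True, False)


if __name__ == "__main__":
    print("wipe only        :", wipe_only())
    print("encrypt then wipe:", encrypt_then_wipe())
```

The model deliberately makes the wipe "succeed" from the operating system's point of view in both cases; the difference only shows in `raw_dump()`, which is the view an attacker with the physical device has. On a real handset the key never leaves the keystore, so destroying it is what turns the remaining flash contents into unrecoverable ciphertext.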
In summary, the technical controls to utilise on mobile devices that may be making mobile payments are:
- an antimalware product;
- an encryption system;
- a host-based firewall (if your security policies allow rooting the devices), and
- a mobile device management (MDM) system.
There are two other useful technical controls that are not yet mature enough to use, but are worth exploring for devices supporting mobile payments. First, dual SIM card devices may offer a safer way of storing payment data. The personal SIM card could simply be removed when necessary. Second, virtualisation on mobile devices could allow the virtualised business operating system to be deleted without disrupting the personal operating system, its apps and its data. Both of these technologies are likely to become viable options in the next 12 to 18 months.
About the author:
Sarb Sembhi, CISSP-ISSAP, GCIH, GAWN, is the director of consulting services at Incoming Thought. He is a past President of the London Chapter of ISACA, the founder of its Security Advisory Group, and current Chair of the Europe and Africa Region Government & Regulatory Authority Sub-Committee.
This was first published in May 2012