By Brad Keller & Craig Mathias
January 01, 2007
Yes: The capability to perform mobile financial transactions is
outpacing the ability to protect them with adequate security.
I realize I'm taking a somewhat precarious position by speaking out
against the ever-expanding move to mobile computing. However, I believe
we're seriously facilitating online fraud by failing to address the lack
of meaningful security on mobile devices.
First, let's clear the air: I have nothing against mobile access per se.
Indeed, I wouldn't be caught dead without my BlackBerry. But as a
technology consumer and corporate IT executive, I take issue with ISPs,
technology vendors, and device manufacturers that disregard security
concerns when developing methods for consumers to access their banking
information, for instance.
How many mobile devices routinely come with antivirus or anti-spyware
software already installed? Or better yet, how many ISPs or carriers
even offer effective security tools? While numerous ISPs tout their
ability to protect your computer from a variety of evils -- malware,
crimeware, viruses, spyware, and the like -- how many wireless carriers
advertise their ability to protect your mobile device from these same
New Internet-access devices seemingly appear monthly, and I'm not just
talking about new E-mail devices and smart phones. Many gaming systems
either offer an Internet-access option or plan to include such access as
basic functionality in the near future. But how well protected is your
PlayStation from keystroke loggers and Trojans? Consider the following:
* According to Japan's Computer Emergency Readiness Team (CERT),
virtually all cell phones in that country have Internet functionality,
making them the most heavily targeted devices for phishing scams and
malware. So the malevolent capability exists -- the criminals just haven't
targeted the United States yet.
* SMiShing -- SMS-based phishing -- infects not only mobile devices, but wired
computers as well. Many people routinely forward SMS messages to their
PCs because linked Web sites are easier to view. Criminals are aware
of this and write their SMS messages accordingly. By doing so, they're
using SMS to effectively target wired computers.
What do you really know about the wireless network you just logged on
to? We don't really know who runs those servers and what kind of
security is on them. In Japan, some enterprising employees at a coffee
shop installed their own software on the company's servers so they could
perform a man-in-the-middle attack and get the online banking
credentials of everyone who logged on to their bank accounts while
getting their caffeine fix for the day.
Consider the TV commercial that shows a couple of buddies at the coffee
shop making a debit-card payment online. See the fellow in the corner
with the big smile? He's on a laptop running a wireless hotspot, and in
their bank account at the same time -- happily transferring money to his own
The simple truth is that mobile computing offers little security
protection today, and few people understand the risks. For the most
part, financial institutions like ours have been left to protect online
users from these threats -- after all, it's our own customers who are at
A cooperative effort between the banking industry and the companies that
develop wireless technologies would do much to address these problems.
Working in partnership to identify and mitigate security issues before
new technologies are released could very well be the answer to
developing a safe and secure mobile society. Let's not worry about just
how mobile we are until we all work together to find a way to secure the
mobility we have.
Brad Keller manages E-commerce risks for a large financial institution.
He's testified before Congress on privacy issues on behalf of the
No: Mobile technology is just the latest medium that determined
cyberthieves can use to perpetrate fraud.
Hackers, crackers, scammers, spammers, spoofers, and phishers all lurk
in the cyberworld. They're a thoroughly reprehensible bunch that
deserves a minimum of two weeks in the stocks.
But let's face it, fraud in its many forms has been with us throughout
history. We always manage to remain a step behind the criminals, and new
electronic media only seem to encourage the fundamentally evil
misapplication of human intelligence.
Wireless is merely the latest medium to offer its capabilities to people
who should know better than to take advantage of their fellow human
beings. The question before us is whether wireless in some way
represents a unique, new vehicle for wrongdoing, and deserves special
treatment of a legislative or other nature as a consequence. The answer
to me is: Are you kidding? No way.
The wireless industry was always a target of fraud. Cloning cell-phone
handsets was a billion-dollar problem for the industry, but new
technologies have taken the sport out of that. There have even been
problems with investment scams surrounding bidding on the auctions used
to allocate frequencies to particular carriers.
But no problem in wireless is as great as the use of these devices and
services for good old end-user fraud. The beauty of wireless from the
perpetrator's perspective, of course, is its fundamental location
independence. It's a lot tougher to get caught if one is always on the
move. Access to cheap prepaid or even stolen -- hey, why stop with just one
crime? -- cell phones simply allows rotten individuals to stay ahead of the
While it may be argued that E-commerce providers and wireless networks
offer too much access without enough protections, I submit that the bad
guys will still stay ahead of the curve. Wi-Fi networks might ramp up
security, and E-commerce services might build in better protections, but
those out to steal personal financial data or hack into a network will
still find a way.
The ability to pop into your favorite coffee shop and check E-mail or
bank balances is as convenient as it is potentially dangerous. Yet no
one would advocate banning Starbucks, or cellular-phone networks, or
metro-scale Wi-Fi networks, or any other network, wired or wireless,
just because the technology can be misused by criminals or employed
carelessly by the end users it was created to serve. Matches are great
for lighting one's fireplace, but they can also be used for arson. As
far as I know, nobody's lobbying Congress to ban matches. There's an
upside and a downside to every technology; wireless is no different.
And I'm really left to wonder exactly what we might do if we did want to
control wireless. We already have the ability to track cell phones and
Wi-Fi devices, with no GPS required. That makes it easy, more or less,
to find stolen phones and known criminals foolish enough to identify
themselves. But how could we track or otherwise locate someone using
Skype on an open (unsecured) Wi-Fi connection?
I don't think too many people would advocate monitoring the Web,
wireless or otherwise. Apart from the obvious technical and
constitutional issues, we don't have the technology to do so. Besides,
it's just too easy to hide one's identity -- and maybe that's as it should
Few CIOs are worried enough about the potential for fraud to keep
workers wired. CIOs know that the perils of mobile technologies are
many, but the benefits of a wireless workforce are even greater. The
best a CIO can hope for is smart users who follow smart corporate
Craig Mathias is a principal at Farpoint Group, an advisory firm that
specializes in wireless networking and mobile computing.