Mobile malware has become easier for criminals to deploy and circumvents all antivirus and firewall solutions, because these viruses are delivered in the form of trusted applications we all install; the result is m-commerce vulnerabilities.
The permissions of the Bible app, for example, which runs on both Android and Apple iOS, include device & app history; contacts; location; photos; read sensitive log data; identity; device ID; and others. If this app, which has been downloaded by more than 100 million consumers, chose to eavesdrop on m-commerce transactions, could it do it and get away with it? The answer is yes.
While Apple, Google, Microsoft and Samsung all want to enable anyone to develop any app they wish, with all the features and permissions they choose, these companies also provide the perfect spyware toolkit in the form of analytics. Simply plug the Apple, Google or Microsoft analytics engine and its function calls into your app, compile the app, join their cloud and look like a trusted advertiser. Meanwhile, your app could be collecting everything from debit and credit card credentials to all the personally identifiable information (PII) needed to spoof that consumer and steal their identity.
Before we decide mobile commerce is the next big wave for retailers, let's realize it has already been opened up to be the next big wave of cyber crime, in the form of trusted apps that are never verified for their proper behavior.
I doubt this is going to change in the near future, so if you are the retailer, expect that when a consumer is victimized, as in the recent Target, Home Depot or TJ Maxx breaches, you become the victim too: you'll end up paying fines and reparation damages to make things right, even though it was the act of a malicious app the consumer chose to install on the same device as your trustworthy m-commerce retail application.
Also, someone in the U.K. recently demonstrated a vest for sale that a hacker can wear while walking through a mall, picking up NFC, Bluetooth, Wi-Fi and iBeacon signals, and later dumping all the stolen data by connecting the vest to a USB port on a computer at home. By eavesdropping on the airwaves, they literally snarfed consumer identities and mobile data without anyone's knowledge.
This puts Google Wallet and Apple Pay at serious risk, especially if they choose to use NFC as one of the protocols for sharing transaction data. You'll need to ask for multiple factors of authentication if you're considering updating your point-of-sale systems to work with these insecure wireless protocols. Ask Apple how they plan to stop proximity attackers before you deploy Apple Pay.
The best step you can take is to question all the developers and vendors who are helping you enable m-commerce for your customers. Ask them about the security of your own app, cloud, backend, etc., and how these might be attacked or eavesdropped upon when they share a device with a malicious app delivered in the form of a flashlight, a game or even the Bible.
Take proactive steps to harden your networks and learn about the vulnerabilities in all your POS and network touchpoints before you get exploited. If you are vigilant, you might stay one step ahead of the next threat, for the benefit of your customers.
Gary Miliefsky is the CEO of SnoopWall.