Why the Tower Group Could Be Right about Mobile Banking Attacks
So, it's Tuesday morning in London town and I've been up since 6:00 a.m. staring at a monitor, trying to free myself from PowerPoint hell (it's all rock and roll, I tell ya!). Anyway, this morning I stumbled across an InfoWorld article entitled “Hackers to target mobile banking, study says.” This article seems to have been spun out of a press release by the Tower Group entitled “Increases in Mobile Fraud and ID Theft Could Hamper Mobile Payment / Banking Initiatives.” The press release, in turn, references a report entitled “Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning.” While I've not read the report and may not agree with the notion that security issues hamper payment / banking initiatives (just look at the world that is the Internet—yeah, security really hampered that being used for online payments, didn't it?), I still think that it's a subject we should all be discussing.
We've already seen examples of mobile technologies being used for fraudulent mobile activities with the use of spoofed SMS messages that link to premium short codes (article in French here). When we start looking at the bigger picture—which is phishing—then yes, there is a real risk that attacks may move to target mobile devices. Why? First, mobile browser technology is similar enough to that of the desktop browser, so it's not going to take a rocket scientist to adapt. Second, there are numerous methods by which you can get a clickable URL into a device, including WAP-PUSH over SMS, MMS and email (and in the future, mobile IM). This is an evolution from the attacks I described in my previous blog entry on the subject, attacks that were later coined as “SMiShing.” This evolution is an important one: when users start to use their mobile smart devices as they would their laptop/desktop for day-to-day activities, then it is logical that they will become the target of abuse.
Do I think that mobile phishing is a problem right around the corner? No. Do I think this is a problem that will arrive at some point? Logically, yes. Have we already seen indications that these attacks will occur? Yes. Do I think there is still such significant mileage in the desktop that attackers won't have to complicate things by moving to mobile devices in the short term? Yes. Do I think certain sectors of the mobile industry are learning from the mistakes of the desktop? Yes (hurray!).
So, in summary, you have little need to worry in the short term, but simply remain vigilant and remember the things you've become accustomed to when using the “Interweb” on a PC (which is basically cowering behind the sofa, afraid of everything). To the mobile industry, be mindful of these potential threats, perform the risk analysis, and where appropriate develop the solutions before they come back and bite you.