Standards Will Bring Mobile Payment

Mobile payment has been around for years in numerous forms, for purchases such as music downloads, ringtones and various other services, and is now gaining traction for retail purchases in the U.S. But its implementation in the U.S. is a bit slower due to a lack of standardization of payment methods and overall security concerns about mCommerce. Some consumers in the U.S. have had bad experiences with criminal hacking and data breaches and are concerned about their security. They are waiting for the various handset manufacturers (those who make the phones), mobile carriers (those who provide mobile service) and third-party technology providers (those who make the technology facilitating financial transactions) to agree on standardization leading to more secure transactions.

However, for many years in Japan and South Korea, for example, mobile penetration has been much higher, and many people don’t own and have never owned PCs (or been hacked), as they function purely from mobile devices. Security hasn’t been as much of a concern. It’s a perfect example of “ignorance is bliss.”

Consumers in the U.S. overwhelmingly want mobile payment. A recent study by Mobio showed “49 percent of Americans said they’ve used their mobile phones to make a payment or purchase in the past three months. And 77 percent of the 1,085 respondents in North America said they would be interested in using their mobile phones to make a payment or purchase. The response was higher — 84 percent — in the 35 to 44 year old age group and among Canadians (86 percent versus 72 percent of U.S. respondents).”

Near Field Communications (NFC), the engine behind mobile payments, comes in a variety of forms, and there are multiple players trying to make theirs a standard. Bank Systems Technology reports the disagreements involve banks, credit card companies and the third-party technologies all coming together with mobile carriers. The mobile carriers want to control near-field communication and mobile payment fees by maintaining control over the phone’s payment technology containing their users’ credentials. Mobile carriers see the devices they support as revenue generators that should grant them per-transaction mobile payment fees.

Meanwhile, consumers crave mobile payment and must adapt until the big guys fight it out to see who ends up top dog. However, because there is a relatively low security risk in mobile payment, consumers stand to benefit by trying out and adopting the various methods presented. I’m frequently using 2-3 methods, such as the PayPal app, which allows me to send and receive payments, and Square, which allows me to make and receive credit card payments on the spot. I find both convenient and fun!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Clients Alert Banks to Fraud

In a perfect world there would be no sickness, nothing would ever break, everyone would get along, yummy food wouldn’t make you fat, and there’d be no crime. However, there are forces over which you and I have no control and we have to struggle simply to maintain balance.

In a perfect world, a bank wouldn’t need you or me to help detect fraud.

According to a survey of banks and credit unions, 23% learn of fraud through their own auditing processes. This means that more than three quarters of all bank fraud is detected either by customers or third parties. Just 32% of banks felt prepared to prevent online bank fraud.

That’s far from perfect, which means you, the customer, must pay close attention to your accounts.

Check your online statements frequently. I no longer receive paper statements and I don’t wait for my monthly online statement, either. Once a week, I check each individual account online. Check your investment accounts, credit cards, checking and savings accounts, and any other account that holds your money or grants you credit.

Create a bookmarks folder with links to all your accounts and set a consistent time to check each account, every week. Monday mornings, Wednesday afternoons, or Friday afternoons work for me.

Sign up for Mint. This service helps track activity on your bank and credit card accounts and sends notifications of any transactions involving any linked account.

The moment you spot a discrepancy, contact the institution and remedy the issue. Remember, as accommodating as a lender may be, they will often put up a fight before crediting your account for any losses. Persistence pays off.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses identity theft in front of the National Speakers Association. (Disclosures)

Get Digitally Secure before it’s Mandatory

For the past decade, much of banking has taken place online, after hundreds of years of traditional banking. Banks have streamlined their processes, but must also cope with fraud. With banks absorbing billions in losses, consumers also pay.

In a recent survey of 1,000 U.S. residents, 60% responded that dealing with fraud is the banks’ responsibility, while only 6% believed that responsibility rests with consumers. 48% said they were concerned about the risk of fraud, and 14% had fallen victim to fraud in the last two years.

Advances in technology have made banking more convenient but have also outpaced consumers’ security intelligence. It is possible to secure systems against most cybercrime but that level of security often proves too inconvenient for consumers. As long as banks continue absorbing losses from fraud, consumers remain blissfully ignorant of the consequences of inadequate security.

Meanwhile, other countries take different approaches. South Korea has introduced a “Zombie PC Prevention Bill,” which makes installing and using security software mandatory for all citizens. A New Zealand law reserves the government’s right to confirm that personal computers are adequately protected.

Protect your computer by setting its operating system to automatically update critical security patches. Always run antivirus software and set virus definitions to update automatically. Use a protected wireless network and make sure your firewall is protecting both incoming and outgoing traffic.

Never click links within the body of an email. Instead, go to your favorites menu or type the address into the address bar. And be sure to check your online bank statements frequently.

You can find more tips from JustAskGemalto on how to bank safely online here.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Virus Hijacks Online Banking Session

Online banking is great. I highly recommend it. But if you aren’t careful to keep your computer secure, getting hacked can turn your online banking session into a nightmare.

The OddJob Trojan is the latest in malware and yet another reason to beef up your computer’s security. OddJob hijacks online banking sessions, keeping users’ accounts open after they think they’ve quit. Hackers can then access the open account to make fraudulent transactions.

When your computer’s security is lax, you’re vulnerable to malware, or malicious software. An old, outdated, or unsupported browser, operating system, or antivirus program leaves you open to a virus designed to steal your sensitive personal data.

Are you seeing a theme here? Get new, up-to-date operating systems, browsers, and antivirus programs. If you use a PC, I’d strongly recommend Windows 7 with Internet Explorer 9, Firefox 4, or Chrome. All four can be set to update critical security patches and software updates automatically.

I recommend paying for the latest in antivirus protection. If your software license has expired, pay for a new one. If you use a free antivirus program, upgrade to a paid version. You should do this because free antivirus software relies on manual settings rather than automatic scans and updates.

The OddJob Trojan slipped past antivirus software. Keeping your computer’s security updated with the latest definitions is the best way to add layers of protection.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online banking security on CBS Boston. (Disclosures)

Back Up Your Backup, Then Back Up Again!

If you aren’t in the habit of backing up your data, you might assume that it’s difficult or tedious. But I’ve got news for you: it’s easy-peasy. Nowadays, backing up is a complete no-brainer.

There are many backup options. New PCs often come bundled with backup options included in the “bloatware.” Microsoft Windows 7 comes with “Windows Restore/Back Up” accessible via the Control Panel, and Macs offer a backup option called Time Machine. You can buy an external hard drive to copy your files to, or invest in a remote backup service.

I suggest backing up twice on local drives and once in the cloud.

Cloud backup options include Mozy, McAfee, and Carbonite.

Mozy online backup costs $6 per month to back up 50 gigabytes of data on one computer, or $110.00 a year for 125 gigabytes on up to three computers. Mozy offers an easy-to-use interface and quick, effortless backups of every file type, including files on external drives. If you have over 110 gigabytes, though, it gets pricey.

McAfee online backup costs $5 per month, and works exactly like Mozy, except that as of this writing, users receive unlimited backup for that $5 monthly fee.

Carbonite online backup offers unlimited storage from one computer for under $5 per month. Carbonite is inexpensive, with an easy-to-use interface that allows you to access your data via an iPhone app, which is very cool. Unfortunately, Carbonite won’t back up external drives, backing up certain media, like videos, is slow, and you have to manually check your folders to make sure everything has successfully been backed up. Also, certain files, like software programs with a variety of unusual file extensions, have to be zipped beforehand, since Carbonite won’t back up the individual files with odd extensions.

My 200-gigabyte C: drive came built into my PC as the main operating system drive. My E: drive is a secondary 2TB drive installed in the slot most PCs provide for a second drive. And I have a 2-terabyte external drive, my F: drive, which I keep running 24/7. I paid $80.00 for a 2TB E: drive and $104.00 for a 2TB external drive. I also have unlimited cloud-based backup, which is accessible for $60 a year. And for $20, I’ve installed Goodsync.

All my data is stored on my E: drive, filling more than three quarters of the 2-terabyte internal drive. Drive E is my primary data drive, and gets backed up to the cloud and synced to the external 2-terabyte F: drive. Goodsync automatically syncs my internal E: drive and external F: drive every two hours. I do this because, while all my data is stored in the cloud, if my internal drive does crash, downloading it all would be a chore, plus, I’d need a drive to download it to, anyway.

The cloud is ideal for mitigating major catastrophes, like fires, but not practical for accessing data on a daily basis.

That’s it. Two local backups and one cloud-based backup. Do it today. It’s easy-peasy.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto. (Disclosures)

My Top 5 Mobile Commerce Apps

The day when your wallet becomes a relic, like an 8-track tape, isn’t here quite yet. But we are getting close.

Thinning out your wallet isn’t just nice for your pants pocket. It’s also a good way to minimize your risk for identity theft, should your wallet ever be lost or stolen. As long as you’re keeping your smartphone safe and secure, the following mobile payment options offer safe, convenient alternatives to traditional payments.

Mint: Personal finance tools from Mint.com help you track, budget, and manage your money while you’re on the go. Sign up for a free Mint.com account, add your online banking and credit card accounts, and access your personal finances, all from your iPhone. One cool feature Mint offers is optional alerts for any high-dollar transactions.

Square: This application and free credit card reader allow users to accept credit cards via iPhone, iPad, or iPod touch without a contract, monthly fees, or merchant account required. You can become your own merchant with this truly amazing app, which is ready to take payments within minutes of downloading. This can be handy when splitting a dinner check with a group in which everyone has a credit card, but no cash.

KeyRing: Never carry plastic or paper loyalty, membership, or library cards again! You can save time, space, and money by storing cards and coupons on your phone, so you’ll never miss a discount at the point of sale again. I especially like that KeyRing fully backs up your credit and store cards. Not every merchant is ready to accept a digital card at this point, but many are, and the number is increasing.

PayPal: Send money to your friends, manage your account, and more with the PayPal app. It’s free, secure, and more convenient than going to an ATM, writing checks, or sending gifts the traditional way.

I haven’t listed my bank’s application because they don’t currently offer mobile check deposit. But if your bank does, add them to the list, because that’s cool.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto. (Disclosures)

Mobile Phone Operating System Insecurity

As more online retailers introduce mobile ecommerce applications, criminal hackers are taking notice. Existing mobile operating systems are under attack and, like standard PC operating systems, they sometimes fail to provide the necessary security to support a payment application.

Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination.

Mobile phone spyware has been a concern for years. Legitimate software companies sell mobile phone spyware that allows the user to monitor a spouse, kids, or employees. And criminals deploy mobile phone spyware, as well.

Beijing-based mobile security services firm NetQin Technology reports that an application called Xwodi, which allows third parties to eavesdrop on cell phone conversations, has infected more than 150,000 phones in China. Apparently, the malware targets mobiles running the Symbian platform, and monitors phones by silently activating the conference call feature or microphone.

One security company, Trusteer, informed The New York Times, “Mobile users are three times more likely to fall for phishing scams than PC users…because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot.” In the same article, another mobile security firm, Lookout, claimed that in May 2010, 9 out of 100 phones scanned for malware and spyware were infected. That’s up from 4 out of 100 infected phones in December 2009.

Protect yourself by refraining from clicking links in text messages, emails, or unfamiliar webpages displayed on your phone’s browser. Set your mobile phone to lock automatically and unlock only when you enter a PIN. Consider investing in a service that locates a lost phone, locks it, and if necessary, wipes the data, as well as restoring that data on a new phone. Keep your phone’s operating system updated with the latest patches, and invest in antivirus protection for your phone.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses spyware on FOX Boston. (Disclosures)


Should You Worry About Smartphone Security?

Every industry involves four main parties. There are, most obviously, consumers and manufacturers. There are also those who provide services or supplies to the manufacturers, or produce peripheral products that work in tandem with the original product. Finally, there are the watchdogs, keeping tabs. Watchdogs are usually either government regulators or third-party nonprofits.

IBM predicts rising mobile threats, critical infrastructure attacks in 2011.

As reported by BoingBoing, former Google Android security framework engineer Chris Palmer, who is now technology director of the nonprofit Electronic Frontier Foundation, addresses the risks posed by mobile operating system manufacturers’ lax approach to security:

“Mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements…

Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)”

Other industry leaders disagree. CIO.com’s Bill Snyder has stated:

“I was sitting in the middle of one of the most security conscious crowds you’d ever come across—about 200 computer security professionals listening to a high-powered panel on mobile security threats at the RSA Conference in San Francisco last week. And you’d think that after nearly 90 minutes of discussion, I’d leave the room all a twitter (pardon the pun) and scared that my iPhone was about to go rogue. Not at all. In fact, I left feeling a lot more relaxed about the security of my smartphone, and a little more skeptical about the barrage of hacker warnings to which we’ve all been subjected.”

Ed Amoroso, chief security officer of AT&T, said:

“Day-to-day mobile threats haven’t (yet) caused much harm.”

Ian Robertson, security research manager for BlackBerry developers Research in Motion, said:

“I can count on one hand the pieces of (mobile) malware I’ve seen installed.”

And quoted in NPR’s All Things Considered is Paul Smocer, who is in charge of technology at the banking trade group The Financial Services Roundtable:

“I have begun to use mobile banking myself, yes. We haven’t seen a whole lot of malicious software yet. Part of that relates to the fact that there are so many different manufacturers and operating systems in the mobile world. But part of it, I think, is also to do with the fact that this is a relatively new environment, and unfortunately, crime follows growth.”

The truth, of course, lies in the middle. While the mobile security industry isn’t exactly under siege, there is clearly more work to be done. It’s smart to invest in antivirus protection for your mobile phone, keep its operating system updated, and be cognizant of how you use your phone, so that you can avoid putting your data at risk.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto. (Disclosures)

Mobile Banking Becoming an E-Commerce Staple

Mobile banking, m-banking, or SMS banking refers to online banking that occurs via mobile phone or PDA rather than a PC. The earliest mobile banking services were offered over SMS, but with the introduction of smartphones and Apple iOS, mobile banking is being offered primarily through applications as opposed to text messages or a mobile browser.

Mobile banking reduces expenses by allowing customers to review transactions, transfer funds, pay bills, and check balances without relatively expensive phone calls to a bank’s customer service call center. More than half of all customer service calls already come in from mobile phones, and studies show consumers are twice as likely to have a cell phone as cash when out and about. Younger consumers, who are most likely to carry cell phones, are also heavy debit card users who require frequent balance checks.

Enhanced security with SMS transaction notifications and the ability to turn card accounts on or off, and new technologies like mobile check deposit, in which you simply take a cell phone picture of the check, are contributing to the increasing popularity of mobile banking. Eventually, mobile phones may even replace ATMs and credit cards.

About 10% of U.S. households currently use mobile banking, according to market research firm Nielsen, and Forrester predicts that one in five adults in the U.S. will be using mobile banking by 2015:

“Consumer adoption of smartphones and increasing use of the mobile Web will drive sustained growth of casual, informational use of mobile banking — to check balances, review transactions, or receive alerts. Creating preference for mobile banking broadly will require banks to deliver more obvious value and superior execution than other channels offer. Functionality like mobile remote deposit capture and contactless mobile payments alone, though, will not anchor mobile banking the way that bill payment and account transfers have done for online banking. Channel managers must address issues of duplicate functionality, marginal user experiences, and a general failure to exploit the most valuable aspects of the channel if mobile banking is to become a critical part of how consumers manage their accounts.”

While standard, PC-based online banking is holding steady at around 40%, banks like USAA and Bank of America are reporting big increases in mobile banking in the last two years.

Like regular online banking, mobile banking won’t be for everyone. But as more banks and credit unions recognize the financial efficiency of mobile banking, they will invest in applications that make banking that much more convenient for their customers. And as those customers take advantage of the timesaving features provided by their banks, mobile banking will grow exponentially.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto. (Disclosures)

Mobile Payment Set to Dramatically Increase

Mobile payments generally involve three participants: the mobile device, the merchant, and a financial service provider or trusted third party.

That trusted third party, or TTP, is an established, reputable fiduciary entity accepted by all parties to an agreement, deal, or transaction. A TTP authenticates and authorizes users in order to secure a payment transaction, and acts as an impartial intermediary for the settlement of payments and any problems that arise after the transaction has occurred.

There are various mobile payment delivery options. Near Field Communications is a contactless delivery system, involving a chip that is built into the phone itself, into a card within the phone, or into a sticker attached to the phone. There are also new applications that facilitate mobile payments, most of which involve a barcode that the user scans at the register.

The statistics for mobile payment are impressive. The U.S. mobile payment industry encompasses a number of categories, including mobile bill payment, mobile point of sale, m-commerce, and mobile contactless. Mobile bill payment, in which consumers pay bills via mobile phone, currently makes up the bulk of the U.S.’s mobile payment industry. Mobile point of sale, in which a consumer’s phone is used as a point of sale device, accounts for just over 5%, but is expected to grow by 127% in the next five years, to $54 billion in transactions. Mobile contactless is expected to grow 1,077% by 2015. The gross dollar volume of mobile payments overall is expected to grow 68% by 2015.

This is all very exciting, but the Payment Card Industry Standards Council is not yet granting approval to any mobile payment applications. With the explosive growth of the mobile payment industry, they are holding off and waiting to see which technologies rise to the top. This shouldn’t be a concern for mobile phone users, though, since the merchant, rather than the customer, undertakes the bulk of the risk.

Meanwhile, as you increasingly use your phone for mobile payments, be aware that the phone correspondingly increases in value to thieves and hackers. So keep track of your cell phone. You wouldn’t leave your wallet on a bar and walk away, and you shouldn’t do that with your phone, either. And be cautious when visiting websites on your phone’s browser, clicking on links, or responding to text messages.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)