
How to Protect Data in the Age of Mobile Payments

Mobile security has become a central concern for organizations that accept or make mobile payments. Many employees routinely access corporate data from their mobile devices, which gives cybercriminals two targets: the device itself and the server-side applications it talks to. Compromising either can expose confidential or sensitive information.

Global mobile payment transactions will be worth more than $4.5 trillion by 2023, following a 33.8% compound annual growth rate (CAGR) between 2017 and 2023, according to a report by Allied Market Research. A growing volume of mobile transactions means a growing attack surface, and more to lose when something goes wrong.

Mobile users and organizations need to stay vigilant and have proper security controls in place to keep cybercriminals away from their data. But first, let's look at some of the most common mobile device threats that users face.

Risks Associated with Mobile Payments 

1. Lost or Stolen Device

Mobile phones are no longer just for communication; people rely on them as a lifeline. From replacing paper maps with GPS-enabled maps to replacing physical debit and credit cards with mobile wallets, application developers have transformed the way people use their phones.

Losing a phone is one of the hardest threats to defend against, because it gives the attacker physical access to everything on the device. With the device in hand, they may be able to reach corporate web portals or the apps linked to company data, using credentials that are cached on the device.

Users often stay logged in to the apps they use, so the attacker does not even need a password: they simply open the app and read or move the data. A screen lock and the storage encryption it protects are what stand between a thief and that data, which is why a phone without a PIN is effectively an unlocked wallet.

2. Phishing Scams

Phishing is an attack in which criminals send messages that impersonate reputable entities such as banks, credit card companies, or online services.

These scams increasingly target mobile devices, where small screens hide the full URL and sender address and users act quickly. One industry report ranked phishing as the number one threat affecting organizations today.

Scammers may send phishing emails that trick users into revealing their mobile payment app credentials, or that pressure them into sending money through a payment app.

Users may also be directed to malicious websites posing as legitimate banking sites. Once there, they are prompted for credentials and other personal information that the attackers then use for account takeover and identity theft.

Attackers also send phishing SMS messages (smishing) with links that lead users to download malware that interferes with their mobile payment apps or steals their credentials.

3. Weak Passwords

Attackers exploit devices and accounts with poor password hygiene. This is one of the oldest forms of attack: guessing, or simply reusing, weak, common or previously leaked passwords.

Strong password hashing on the server does not help if the password itself is weak: offline cracking tools test enormous numbers of guesses per second against leaked password hashes, especially where a fast hash such as MD5 or SHA-1 was used, and common passwords fall in seconds. More often, attackers do not crack anything at all. They take lists of email addresses and passwords stolen from other breached websites and replay them against your email and payment accounts (credential stuffing), counting on users reusing the same password everywhere.

If they get into an email account linked to your mobile payment app, they can use the app's password-reset flow to take over the payment account, or log in directly and tamper with your data.

From there, they may transfer funds to their own bank accounts, make online purchases, or use your account for other malicious activities.

Small to mid-sized businesses (SMBs) are especially easy targets. The payoff from a single SMB is smaller than from a multinational, but larger companies are usually far better protected, so attackers go for volume.

Weak passwords can be the result of a poor security culture in your organization, employee carelessness, insufficient resources to maintain a dedicated security team, lack of security guidelines, or other factors. 
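The credential-stuffing pattern described above has a simple signature on the server: one source address cycling through many different accounts in a short time, as opposed to one account being retried. The following is an added example (not code from the original article) of detection logic run over a constructed, hypothetical login log; the log format, IP addresses and account names are invented for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log in a made-up "key=value" format (hypothetical,
# not from any real product). The first IP works through many different
# accounts in seconds; the second IP retries one account a few times.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2023-05-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2023-05-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2023-05-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2023-05-01T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2023-05-01T10:00:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2023-05-01T10:05:00Z ip=198.51.100.4 user=alice@example.com result=FAIL
2023-05-01T10:05:30Z ip=198.51.100.4 user=alice@example.com result=FAIL
2023-05-01T10:06:00Z ip=198.51.100.4 user=alice@example.com result=SUCCESS
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def detect_credential_stuffing(log_text: str, window_seconds: int = 60,
                               distinct_users_threshold: int = 5) -> dict:
    """Flag source IPs that try >= threshold *different* accounts within the window.

    Returns {ip: {"distinct_users": n, "compromised": {users that got SUCCESS}}}.
    A single account retried many times is brute force (or a forgetful user),
    not stuffing, so it is deliberately not flagged here.
    """
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in events_by_ip.items():
        events.sort()
        # Sliding window: start at each event and extend while still inside the window.
        for i, (start_ts, _, _) in enumerate(events):
            users_in_window, compromised = set(), set()
            for ts, user, result in events[i:]:
                if ts - start_ts > window:
                    break
                users_in_window.add(user)
                if result == "SUCCESS":
                    compromised.add(user)
            if len(users_in_window) >= distinct_users_threshold:
                f = findings.setdefault(ip, {"distinct_users": 0, "compromised": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users_in_window))
                f["compromised"] |= compromised
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} accounts tried from one address; "
              f"force a password reset for {sorted(f['compromised'])}")
```

The accounts that returned SUCCESS during a flagged burst are the ones whose reused passwords were already public; those need a forced reset and a second factor, not just a block on the source address, because the attacker will simply move to another IP.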

4. Using Public Wi-Fi

Using public Wi-Fi puts mobile users at risk. Attackers can hijack sessions on a shared network (sidejacking) or set up fake access points.

A fake access point, often called an evil twin, needs nothing more than a laptop or phone that can share an internet connection and a network name (SSID) copied from the legitimate hotspot. Victims who connect through it hand the attacker their traffic, and anything not protected by TLS, such as plain-HTTP logins or payment details, can be read or modified in transit.
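An evil twin usually leaves traces in a Wi-Fi scan: the copied SSID shows up twice, once from the venue's encrypted access points and once from an open, often louder, radio made by a different hardware vendor. As an added example (not from the original article), the following Python heuristics look for those traces in a constructed, hypothetical scan; the SSIDs, MAC addresses and signal levels are invented, and each heuristic has benign explanations, so a hit means "do not use this network for payments", not proof of attack.

```python
# Constructed scan results (hypothetical) in the shape a scanner such as
# `nmcli dev wifi list` or a Wi-Fi analyser app would report them.
SCAN = [
    {"ssid": "CoffeeShop_WiFi", "bssid": "F4:F2:6D:11:22:33", "security": "WPA2", "signal": -55},
    {"ssid": "CoffeeShop_WiFi", "bssid": "F4:F2:6D:11:22:34", "security": "WPA2", "signal": -60},
    {"ssid": "CoffeeShop_WiFi", "bssid": "00:C0:CA:AA:BB:CC", "security": "OPEN", "signal": -40},
    {"ssid": "Airport Free WiFi", "bssid": "34:FC:B9:00:11:22", "security": "OPEN", "signal": -70},
]


def oui(bssid: str) -> str:
    """First three octets of a MAC address: the vendor (OUI) part."""
    return bssid.upper()[:8]


def find_evil_twin_candidates(scan: list) -> dict:
    """Return {ssid: [reason codes]} for networks that look like they have a twin.

    Heuristics:
      MIXED_SECURITY - the same SSID is offered both open and encrypted
      OPEN_STRONGER  - the open variant is louder than any encrypted one
      MIXED_VENDOR   - the same SSID is broadcast by radios with different OUIs
    """
    by_ssid = {}
    for ap in scan:
        by_ssid.setdefault(ap["ssid"], []).append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        open_aps = [a for a in aps if a["security"].upper() == "OPEN"]
        enc_aps = [a for a in aps if a["security"].upper() != "OPEN"]
        if open_aps and enc_aps:
            reasons.append("MIXED_SECURITY")
            # Signal strength in dBm: closer to zero is stronger.
            if max(a["signal"] for a in open_aps) > max(a["signal"] for a in enc_aps):
                reasons.append("OPEN_STRONGER")
        if len({oui(a["bssid"]) for a in aps}) > 1:
            reasons.append("MIXED_VENDOR")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_evil_twin_candidates(SCAN).items():
        print(f"{ssid!r}: {', '.join(reasons)}")
```

Note that "Airport Free WiFi" is not flagged even though it is open: these checks find impostors of a known network, they do not make an open network safe. On any open hotspot the advice in the tips below (VPN, HTTPS) still applies.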

5. App Clones

Both Google and Apple have rules for their app stores to keep illicit or malicious apps out. Nonetheless, attackers still find ways to get malware-laden clones of popular apps (especially payment apps) onto users' devices.

Such apps are distributed through less regulated third-party Android app stores, or as standalone .apk files delivered as email attachments or download links.

For iOS devices, attackers target users that have jailbroken devices that allow users to circumvent the strict application rules of Apple and access applications that are not published in the Apple App Store. 

Not all users have anti-malware tools installed on their devices, which means they are not able to detect these malicious apps on their mobiles. Malware related to banking and payment apps has been on the rise and will likely continue to be a threat since mobile payments have become so popular. 

Tips to Protect Data for Safer Mobile Payments

Establishing stronger security begins with small steps. From implementing effective security practices and tools to following security measures consciously, it all contributes to building a better and more secure environment. 

Here are a few tips to protect data for safer mobile payments:

1. Establish Remote Access to Your Phone 

Set up remote locate, lock and wipe before the phone goes missing, not after. On Android, Android Device Manager (since renamed Find My Device) lets you locate or lock a lost phone by visiting android.com/devicemanager, and it also lets you remotely wipe the device so that nothing is left for a thief.

For iOS, you can do the same by visiting iCloud.com or using the Find My iPhone feature. As for Windows devices, users can visit windowsphone.com.

2. Download Apps From Trustworthy Sources

Downloading third-party, or unauthorized apps from other sources than a legitimate app store can be a risky decision. Make sure that you only download apps from trusted and authenticated sources such as the Google Play Store or the Apple App Store. 

Be cautious about what each app asks for. Every app comes with its own terms and permissions that users tend to accept without reading; granted permissions can give an app access to your contacts, accounts, calendar and other personal information that can be misused.

Check reviews, ratings and the developer name to make sure an app is the genuine one and not a look-alike before you download it.

3. Use Two-Factor Authentication

Keeping credentials safe on mobile devices matters for overall network security, and two-factor authentication (2FA) is central to that. 2FA requires a second, independent proof of identity in addition to the password, so a stolen or guessed password alone is not enough to log in.

The second factor is typically something you have (an authenticator app, a hardware token, or the phone itself) or something you are (a fingerprint, iris or face scan), combined with something you know such as a PIN or password.

Biometrics are increasingly being used by companies to enforce stronger authentication, and with built-in biometric sensors on modern smartphones it is much easier for users to turn two-factor authentication on.

When enabling two-factor authentication, prefer time-based one-time codes from an authenticator app (TOTP) or hardware and push-based tokens. SMS codes can be intercepted through SIM swapping and are not a strong second factor, but they are still better than no second factor at all.

4. Avoid Sending Sensitive Information Using Public Wi-Fi 

Anything sent over public Wi-Fi is at risk of interception, especially credentials, bank transfers, credit card details and other sensitive information that attackers specifically look for.

A Virtual Private Network (VPN) helps by tunnelling all of your device's traffic through an encrypted connection to the VPN provider's server, so the hotspot operator and anyone else on the local network see only encrypted packets. Note what it does not do: beyond the VPN server your traffic is only as protected as the website's own HTTPS, so a VPN complements TLS rather than replacing it.

5. Check Mobile Websites for HTTPS (HyperText Transfer Protocol Secure)

When you visit any website, check that the connection is HTTPS. The padlock icon next to the URL means the connection is encrypted and the server presented a certificate that is valid for the domain shown in the address bar. It does not mean the site is trustworthy: phishing sites obtain certificates too, so also verify that the domain itself is the one you intended.

HTTPS is HTTP carried over Transport Layer Security (TLS), which encrypts the data exchanged between your device and the server. Even if an attacker captures the traffic in transit, they cannot read it.

TLS provides three things: confidentiality (the encryption just described), integrity (data that is tampered with in transit is detected and rejected), and server authentication (the certificate binds the server's key to its domain name, so you know you are talking to that domain and not to an impostor on the network path, such as an evil-twin hotspot).
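Because the padlock only vouches for the domain actually in the address bar, the check that matters is whether that domain is the one you intended. As an added example (not code from the original article), the following Python function applies the checks a payment app could run on a link before opening it, against a hypothetical intended domain bank.example; every URL in the tests is constructed for the illustration.

```python
from urllib.parse import urlsplit


def check_payment_url(url: str, expected_domain: str) -> list:
    """Return reason codes explaining why `url` should not be trusted as
    `expected_domain` (an empty list means it passes these checks).

    The checks cover what the padlock does NOT tell you: the scheme alone is
    not enough, and the registrable domain must be the one you intended.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("NOT_HTTPS")
    # "https://bank.example@evil.example/" connects to evil.example; the text
    # before "@" is userinfo, placed there to fool a quick glance at the URL.
    if parts.username is not None:
        problems.append("USERINFO_IN_URL")
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    expected = expected_domain.lower().split(".")
    # "bank.example.login-secure.example" starts with the expected name, but its
    # registrable domain is login-secure.example: compare the tail, not the head.
    if labels[-len(expected):] != expected:
        problems.append("WRONG_DOMAIN")
    # Non-ASCII or punycode ("xn--") labels can be look-alikes, e.g. Cyrillic "а" for Latin "a".
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        problems.append("IDN_LOOKALIKE_RISK")
    return problems


if __name__ == "__main__":
    # Constructed URLs for the demonstration; bank.example is a placeholder domain.
    for u in ["https://www.bank.example/login",
              "http://bank.example/login",
              "https://bank.example@evil.example/login",
              "https://bank.example.login-secure.example/",
              "https://b\u0430nk.example/"]:
        print(u, "->", check_payment_url(u, "bank.example") or "ok")
```

The tail comparison is deliberately simple: it treats "bank.example" as the registrable domain. A production check would consult the public suffix list so that, for instance, "bank.co.uk" is not matched by "evil.co.uk".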

Takeaways

Securing data should be of paramount importance for users, especially when that data is sensitive information containing credentials, credit card details, bank transfers or company details. 

Simple measures such as enabling two-factor authentication on your accounts and devices go a long way toward protecting against these threats. Beyond that, a strong security culture, unique and strong passwords, a VPN on untrusted networks, apps from official stores only, and the other tips above keep your data out of attackers' hands.


Aaron Cure

Aaron Cure is the Principal Security Consultant at Cypress Data Defense and an instructor and contributing author for the Dev544 Secure Coding in .NET course. After 10 years in the U.S. Army, I decided to switch my focus to developing security tools and performing secure code reviews, penetration testing, static source code analysis, and security research.
