BW Businessworld

Paying Off Cybercrime

Since its launch in November 2010, interbank mobile payments service (IMPS) has been gaining traction in India. Just last month, it was announced that over 10 million Indians have registered for the service and the number of banks supporting the service has grown to 20, with another 15 in the testing stage. In addition, the Reserve Bank of India also approved the routing of merchant payments through the service, which was initially restricted to person-to-person transfers. This move has made it extremely simple to pay utility bills, shop, pay fees and premiums and transfer money through an SMS. All you need are a mobile money identity and a PIN. In fact, according to an Informate Research study in India, 26 per cent of respondents said mobile banking has made life easier and 20 per cent are planning to use mobile banking. However, 23 per cent of respondents indicated that they don't consider mobile banking to be safe.

This simplicity of using mobile devices for financial transactions also increases security risks. As banks provide multi-channel banking they should be able to provide customers with a secure environment and adequate trust and confidence in transactions.

Perhaps the biggest challenge in mobile banking is protecting a customer's financial information over the air and on handheld devices. For example, a secure mobile banking infrastructure requires security for the handheld device and the application on the device, authentication of the customer and the device with the service provider before initiating a transaction, encryption of the data being transmitted over the air, and encryption of the data that will be stored on the device for later review by the customer. Clearly, it is a complex process!

Symantec has observed a 43 per cent increase in mobile vulnerabilities in 2010, according to the latest Internet Security Threat Report XVI. Symantec documented 163 vulnerabilities during 2010 that could be used by attackers to gain partial or complete control over devices running popular mobile platforms.

In 2010, most malware attacks against mobile devices took the form of Trojan Horse programs that posed as legitimate applications.  While attackers generated some of this malware from scratch, in many cases, they infected users by inserting malicious logic into existing legitimate applications.  The attacker then distributed these tainted applications via public application stores.  For example, the authors of the recent Pjapps Trojan employed this approach.

Symantec has already observed malicious software targeting ATMs. As non-PC devices increasingly connect to the internet and are used for financial transactions, cybercriminals are likely to exploit them for profit.  From internet transactions to cash withdrawal, physical and virtual money need to be protected against a growing number of targeted and sophisticated attacks on bank brands. Only an integrated, 24X7 approach across multiple delivery channels can deliver the needed level of monitoring and protection against the current threat landscape.

Specifically, security for mobile payments requires multiple stakeholders – from banks, telecom operators, m-retailers to consumers – to work in tandem, deploying an approach to secure information and identities through all the layers of transactions that are involved. Today's need is to seamlessly secure information from the individual to the device to the enterprise to the network. To ensure that we protect and manage identities and information, regardless of the device, the location, or the infrastructure, we need to take a holistic approach that brings together identity and device security, information protection, context and relevance and the benefits from leveraging the cloud – the critical enablers of confidence in a connected world. 

Secure the device: Ensure that the endpoint – in this case the mobile phone – is secured from malware attacks, and the data on it is safe even if the device is stolen. Device security protects individual endpoints and ensures devices and the information on them are protected.

Use two-factor authentication: Authenticating the transaction with just the mobile app can lead to malicious money transfers if the device is lost or stolen. Two-factor authentication combines what a user has with what a user knows to provide an added layer of security. Identity security enables users to trust they are connecting to the services they want without fear of data theft or misuse of their digital identities. It also enables network and service operators to trust that users are who they say they are, while easily provisioning and managing their identities.

Encrypt the data at rest and in motion: This protects information on the device if it is lost or stolen, and while it is in transit wirelessly. Information protection helps ensure the wrong people don't get access to information and sensitive information doesn't go where it shouldn't. Strong encryption ensures that data does not fall into the wrong hands when it is at rest on devices, or when in motion on the network.

The combination of encryption, data loss prevention and identity assurance provides an information-centric approach to security — ensuring all security controls work together to verify that access is authorised and movement of information is regulated. Today while we leverage technology to improve convenience and productivity, let us not forget that our information, identities and money are at stake.

The Author is VP and MD, India Product Operations, Symantec