'Major' Data Breaches from Insecure Mobile Apps Likely

The explosion of mobile applications, especially those involving banking and payments, is almost certain to lead to ingenious new hacker attacks on consumer data next year.

Indeed, the vast majority of developers of mobile wallets and related payment applications are focusing on the business case and the user experience, leaving the door open for data-security problems, says Mark Bower, vice president at Cupertino, Calif.-based Voltage Security Inc.

Bower points to the data-security gaps recently exposed in Google Wallet as a prime example of the lack of deep security standards emerging in mobile-application development.

"It is almost inevitable that we will see some major data breaches in 2012 as a result of a failure to thoroughly protect financial and other data through all the steps where it may be exposed in mobile applications," Bower says.

But most potential security gaps will not directly expose credit or debit card account information or access to bank details, Bower says. In fact, the Near Field Communication technology Google Wallet and other mobile-payment applications use is "quite secure," he says.

Instead, it is "vast amounts of what you might think of as very sensitive data that can be stolen and repurposed by crooks" through mobile devices that will put consumers at risk of hacker attacks, Bower says.

Such data was at the center of a breach that occurred in March at Alliance Data Systems Corp.'s Epsilon email marketing unit.

The exposed data was limited to customers' emails and names, but hackers can combine such data with other information to illegally access consumers' accounts, Bower says.

The biggest risk for data breaches from mobile applications comes from how much information the handset can store, such as identification details, account data or purchasing history, that crooks can use to defraud consumers, Bower says. They can use such basic data to craft a sophisticated phishing attack that would prompt a consumer to provide more useful information, he says.

For example, malicious software might affect a consumer using a mobile handset to pay for something online by triggering a message directing the consumer to give up sensitive data, such as an account number or password, Bower says. And such incidents are on the rise, Bower says, citing Voltage research.

"Clearly, with the quantity of mobile devices out there, hackers are at work looking for ways to make money from this area," he says.

The problem illustrates the need to provide security at every level of mobile-payment applications, "through the whole spectrum, including the direct and indirect consequences of data gathered through broad types of user activities that hackers could harness to important information," Bower says.

Encrypting data throughout its "lifecycle," such as the advanced data-security processes certain payment processors are adopting for purchase transactions, is the most highly recommended path, Bower says. The process of fully encrypting data for mobile payments likely would not be as arduous as it has been for merchants at the point of sale, he says.

"In the traditional in-store payments world, we are dealing with the need to add new equipment and adapt legacy systems to enable encryption, but new mobile-payments applications and hardware can be designed from the outset to enable full encryption, which should speed adoption," Bower says.

Besides encrypting data, developers must ensure they base their mobile applications on the industry's top standards for writing computer code and that devices use the right technology for secure key management, Bower says.
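As an added illustration of the two points Bower makes here, encrypting stored data and keeping the key under proper management, the following Python is example code written for this page; it is not code from the article, from Voltage Security, or from any wallet vendor. Everything in it is assumed: the field names and record layout, a "keystore secret" that stands in for a key resident in a hardware-backed device keystore, and a standard-library cipher (HMAC-SHA256 as a keystream in counter mode, then an HMAC tag over record id, nonce and ciphertext) that stands in for the AES-GCM a real app would take from its platform crypto API. The point it demonstrates is that the serialized wallet file contains neither the key nor any plaintext sensitive field, and that a ciphertext cannot be tampered with or moved from one record to another without detection.

```python
# Added illustration (not code from the article, Voltage Security, or any
# wallet vendor): encrypt sensitive wallet fields before they reach local
# storage, with the key held apart from the data file. The cipher is a
# standard-library stand-in (HMAC-SHA256 keystream in counter mode, then an
# HMAC tag over record id, nonce and ciphertext); a real app would use the
# platform's AES-GCM and a hardware-backed keystore instead.
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16


def derive_key(secret: bytes, purpose: bytes) -> bytes:
    """One-step HKDF-style derivation: a separate key per purpose from one secret."""
    return hmac.new(secret, b"wallet-kdf|" + purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_field(key: bytes, record_id: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The tag binds record_id, so a ciphertext cannot be
    replayed into another record (e.g. swapping two cards' account numbers)."""
    enc_key, mac_key = derive_key(key, b"enc"), derive_key(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, record_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(key: bytes, record_id: str, blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = derive_key(key, b"enc"), derive_key(key, b"mac")
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, record_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record %s: authentication failed" % record_id)
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


class WalletStore:
    """Local wallet records. Fields listed in SENSITIVE are encrypted before
    storage; the storage key never appears in serialize() output."""

    SENSITIVE = ("account_number", "email", "purchase_history")

    def __init__(self, keystore_secret: bytes):
        # keystore_secret stands in for a key resident in the device keystore;
        # only a purpose-specific derived key is ever used by application code.
        self._key = derive_key(keystore_secret, b"wallet-storage")
        self._records = {}

    def put(self, record_id: str, fields: dict) -> None:
        stored = {}
        for name, value in fields.items():
            if name in self.SENSITIVE:
                stored[name] = encrypt_field(self._key, record_id + "/" + name,
                                             json.dumps(value).encode())
            else:
                stored[name] = value
        self._records[record_id] = stored

    def get(self, record_id: str) -> dict:
        out = {}
        for name, value in self._records[record_id].items():
            if name in self.SENSITIVE:
                out[name] = json.loads(decrypt_field(self._key, record_id + "/" + name, value))
            else:
                out[name] = value
        return out

    def serialize(self) -> bytes:
        """What actually lands on flash: no key, no plaintext sensitive fields."""
        return json.dumps(self._records, sort_keys=True).encode()


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = WalletStore(secrets.token_bytes(32))
    store.put("card-1", {"label": "Visa", "account_number": "4111111111111111",
                         "email": "alice@example.com", "purchase_history": ["coffee", "transit"]})
    disk = store.serialize()
    print("plaintext PAN on disk:", b"4111111111111111" in disk)
    print("round trip:", store.get("card-1")["account_number"])
```

Two design choices carry the article's point. The key is derived per purpose from a secret the store never serializes, so a copy of the wallet file alone yields nothing, which is the "lifecycle" protection Bower contrasts with bolting encryption onto legacy point-of-sale systems. And the authentication tag covers the record id, so an attacker with write access to the file cannot silently substitute one card's ciphertext for another's; a tag mismatch is surfaced as an error rather than decrypted into garbage.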

U.S. regulators eventually may step in with new data-security requirements for mobile applications, but it is still too early to expect the government to manage such a fast-growing industry, he says.

"The pace of mobile development right now is so fast that it's almost certain we're going to see problems emerge from a lack of proper planning for data protection, and only then will developers begin to take this more seriously," Bower says.
