Covid-19 has accelerated the mass adoption of mobile payments as a means of avoiding direct contact with banknotes and coins. However, as Mohamed Dabo reports, it has also heightened security risks.
Mobile payments – which encompass mobile wallets and mobile money transfers – are regulated transactions that take place through your mobile device.
Simply put, instead of paying for stuff with cash, cheques or physical credit cards, mobile payment technology allows you to do so digitally. However, cyber-criminals and nation-state hackers are taking advantage of the coronavirus pandemic and turning their attention to mobile devices to spread malware, including spyware and ransomware.
In Verizon’s 2020 Payment Security Report, which forms the basis of this article, Sampath Sowmyanarayan, president – global enterprise at Verizon Business, says: “The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices.
“This has generated more electronic payment data, and consumers trust businesses to safeguard their information. Payment security has to be seen as an ongoing business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers and consumers.”
Fake coronavirus tracking apps are really malware
Researchers at security operator Lookout have tracked a malicious Android application, Corona Live 1.1, which hides surveillance spyware. Initially, the application does not request any special permissions, but subsequently requests access to photos, media and device location. The application also attempts to gain permission to take pictures and record videos.
Opportunistic malicious actors also are finding new ways to harvest credentials by setting up fake Covid-19 sites. These scams vary from phishing attacks that lure users with information about coronavirus cures and charities to mobile apps that collect keystrokes from mobile devices.
With many organisations using email, text messages and applications to keep stakeholders informed, these actors are taking advantage of the increased communication to infiltrate victims’ devices.
Scammers target consumers and businesses via Covid-19 support
Since January 2020, thousands of domains relating to stimulus packages or relief packages have found their way onto the internet, including hundreds deemed suspicious and dozens deemed malicious.
Accessing these sites from the mobile space can impact payment applications, as these threats can install keyloggers, such as EventBot, to harvest credentials from financial applications such as PayPal Business, Coinbase and TransferWise.
Adopted rapidly in recent years, mobile devices are reshaping the way we purchase goods. Mobile payments also have multiple advantages over traditional banking: customer experience, rewards programs, fast transactions, and the mere fact that they reduce the footprint in our wallets are just some examples.
Covid-19 has also impacted consumer behaviour by driving customers to use contactless payments with mobile devices. Although card-present payments still lead the North American market, contactless payments are forecast to increase eight-fold between 2020 and 2024.
Mobile payments are evolving rapidly and can take on different forms, such as NFC, soundwave-based payments, magnetic transmission, mobile wallets, QR code payments, internet payments using a mobile browser, payment links sent via email or SMS, SMS payments, direct carrier billing, mobile banking and cryptocurrency exchanges.
Around 72% of fraudulent transactions start in the mobile channel
Although all these channels are designed to be secure while processing transactions, there is still the chance of compromising the host device and leaking vital information about the account holder, as in the example of the EventBot malware.
Mobile payment providers must continuously review their strategy for securing mobile payments in order to prevent the fraud inherent in this method of purchasing goods.
According to the RSA Quarterly Fraud Report for the fourth quarter of 2019, 72% of fraudulent transactions originated in the mobile channel, and specifically, 59% were attributed to mobile browsers.
According to Verizon’s MSI 2020 report, the number of organisations suffering a compromise involving a mobile device went up to 33% in 2019. Vulnerabilities in operating systems and apps allow attackers to introduce exploits that hijack legitimate payment applications and exfiltrate information by tricking users into granting permissions.
Lookout, in collaboration with Promon, reported an Android exploit called StrandHogg, found in the Google Play store, which used this technique to steal information from unsuspecting users.
A mobile-related compromise can lead to downtime, loss of data, compromise of other devices, damage to reputation, regulatory penalties and loss of business.
Financial organisations are starting to look at partnering with mobile threat defence providers to implement machine learning capabilities that identify abnormal behaviour in apps on mobile devices, in order to detect, protect against and respond to malware.