August 19, 2016
Guest Perspective: Without Mobile Virtualization, Mobile Payments Are Risky Business
By Dror Nadler, Senior Vice President of Sales & Strategic Alliances, Cellrox
With companies from Apple and Google to Wal-Mart and Starbucks jumping into mobile payments, it’s time we pause to ask: are these apps and mobile wallets actually secure?
The answer is no.
Apple Pay’s vulnerabilities were widely reported this spring. Multiple media outlets, including the Los Angeles Times , carried reports this spring that Apple Pay fraud rates could be as high as $6 per $100. Security expert Cherian Abraham of Drop Labs was the first to identify a hole in the Apple Pay card provisioning process. Abraham explained that hackers were loading iPhones with stolen card-not-present information and turning them into usable stolen credit cards via Apple Pay. The card issuers’ verification processes are too easy to spoof, especially when hackers have picked up social security numbers and contact information alongside the credit card number.
Last week, Google launched Android Pay —its secure payment API and answer to Apple Pay—and we expect the process will repeat itself. Hackers will swing at the piñata and eventually a few will connect, exposing vulnerabilities and leaking the goods inside.
Currently, there is no obvious fix to these problems—and the risk of fraud is simply too high. I would argue that to bring mobile payments toward more acceptable levels of risk, we need to isolate all mobile payments using mobile virtualization.
The Secure Element Is Good, But Not Good Enough
Mobile devices that use NFC for payments must all have a “secure element”—a storage area guarded by strong cryptography. Credit-card information is very safe in the secure element, but when the user is entering card information, the data is vulnerable.
Mobile payment solutions are configured such that other applications can’t access info in the app or the secure element, whether it be on the device or in the cloud. However, when payment information is being entered on the screen using the keyboard, the app relies on operating system services. In fact, all apps must rely on those same OS services to present information on the screen or receive input from the keyboard.
Consequently, malicious code in an application, perhaps downloaded from an unofficial app store or a phishing email, can potentially intercept information as it’s presented on the screen or typed into the keyboard. Therefore, any time a mobile payment user enters a new credit card, the information is vulnerable to hacking.
Isolating Mobile Payments with Mobile Virtualization
The reality is that mobile users usually don’t know when they have malicious code on their phone, and most don’t use antivirus software of any kind. If mobile payment apps are located within the same OS as other applications, they are at risk. This is why we need to isolate mobile payments within their own distinct virtual mobile instance.
Mobile virtualization technology can divide a single phone into multiple virtual mobile instances that are unaware of each other’s existence. A virtual instance for games wouldn’t know about the payment instance, as each instance runs within its own namespace.
Thus, mobile users can significantly reduce the risks of fraud by isolating all commerce-related apps on a separate instance. Users can then block that instance from browsing the Internet, checking email or visiting unapproved app stores, and they can give it exclusive rights to use NFC so that no malicious app in other virtual instances can hijack the hardware.
With payments isolated in a separate virtual mobile instance protections in place, using OS services will present no risk, even as card information is entered on the screen.
No Mobile Virtualization, No Digital Wallets
Today, we are struggling to secure mobile payments yet trying to convert a wallet full of credit cards into an app that lives on our phone. If we hope to store more and more sensitive information on mobile devices, the current levels of risk are unacceptable. If credit cards are falling prey to hackers, how can we consider adding driver’s licenses, passports, health insurance cards and employee IDs to mobile wallets? Can we really trust a phone to store our personal health records and biometric data?
We can’t treat mobile payments like Angry Birds. Payment applications need an isolated, customized virtual instance that can form a barricade against malicious code and fraud.
There is no silver bullet for mobile payment security, but virtual mobile instances can minimize one clear risk. If the utility of mobile payments is to outweigh the security risks, we have to start somewhere.
Dror Nadler, is Senior Vice President of Sales & Strategic Alliances at Cellrox. The Boston-area company enables the co-existence of multiple virtual mobile instances on a single mobile device.