Will mobile payments usher in a new era of crime? - PARC blog

posted 13 October 2009 | Markus Jakobsson

[Image: phone data theft. © Lorna | Dreamstime.com]

Amazon.com used to only sell books, which are hard for criminals to resell. Then they added electronics, jewelry, and much more — which made them a more attractive target for fraud. Now, with the recent news that they launched a mobile payments service, I have to wonder if fraud will go through the roof.

As discussed here before, password entry on mobile phones is not a lot of fun. But Amazon wisely invented 1-Click payments to reduce user burden. Soon this feature will apply to mobile users, who also will enjoy the convenience of always being logged in.

All of this is very nice and convenient for the user. Except if you’re among the 8+ million users a year who lose their mobile phones. Then it becomes very nice and convenient for whoever finds your phone.

Ways to address the problem

One way to harden phones against theft and unauthorized access is to let your phone learn to recognize you and your habits: the way you move around, where you are, what you used the phone for right before the payment. Your phone can observe all of these things and estimate how likely it is that the person holding it is you. No password would be needed, and we would still have security.

But there’s more. While a dedicated criminal could steal at most ten (maybe a hundred) phones a day, a malware author could get his malicious code on a million phones in a single day from the comfort of his own home. [Just check out this example of sophisticated malware that can perform payments the user is unaware of... EVEN IF he checks his account balance!]

Yet why do a majority of consumers have anti-virus software for their laptops and desktops, but very few have anti-virus software for their phones?

…Because malware authors target common platforms, and there are currently more PCs than smartphones (which, by the way, are easier to infect than “old-school” mobile phones). But this will change as soon as the mobile market reaches its transition point.

…And because phones have not yet been easy to monetize. Amazon’s new service not only makes this more of a looming reality, but also gives criminals more incentive to defraud mobile phone users. To put it in historical perspective: when asked why he robbed banks, Willie Sutton famously responded, “Because that’s where the money is.”

Mobile services require mobile security

This is not to say that we should avoid convenient services like mobile payments — we just need to plan for the worst-case scenarios now. [One solution is to automate and centralize malware detection.]

We also need to target the security challenges that are unique to ubiquitous applications, and focus on security in a more usable, cross-disciplinary way. Everything is connected. Organized crime is going increasingly online. More capabilities on phones and conveniences for users make everything — and everyone — more susceptible.

posted in security & privacy, ubiquitous computing

Comments

October 15th, 2009 at 7:54am Posted by Andy Steingruebl

Worth noting, Markus, is that with many of these payment/checkout methods extra authentication is required if you want to do things like change the shipping address. This reduces the risk as the attacker can make a bunch of purchases, but they can’t monetize them because the goods are shipped to the account holder, not the criminal.

Now, saved passwords etc. make this risk bigger of course, and there are of course ways to address that.
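As an added example (this is not code from PARC or from the post's author, and every name, weight, threshold and profile value in it is constructed), here is one way to combine the two ideas raised so far: the habit-based recognition described in the post, where the phone scores how typical a payment looks given the owner's location, time of day and preceding app, and the checkout rule from Andy's comment, where goods going to a new shipping address always require explicit authentication, no matter how familiar the context looks. The example also makes the required familiarity rise with the payment amount, which the post does not spell out.

```python
# Added example, not code from PARC or the post's author. It combines two
# ideas from the page: implicit authentication from the owner's habits
# (location, time of day, the app used right before paying) and the
# checkout rule that shipping to a new address always needs explicit
# authentication. All profile data, names and thresholds are constructed.
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class OwnerProfile:
    """What the phone has learned about its owner (constructed sample data)."""
    known_locations: Dict[str, float]      # place id -> share of time spent there
    usual_hours: Set[int]                  # hours of day the owner normally uses the phone
    apps_before_payment: Dict[str, float]  # app -> share of past payments it preceded
    shipping_addresses: Set[str]           # addresses the account has shipped to before


@dataclass
class PaymentRequest:
    """Context captured on the device at the moment of a 1-Click style payment."""
    location: str
    hour: int
    previous_app: str
    shipping_address: str
    amount: float


# Relative importance of each habit signal; weights sum to 1 so the score is in [0, 1].
WEIGHTS = {"location": 0.5, "hour": 0.2, "previous_app": 0.3}


def _relative(frequencies: Dict[str, float], key: str) -> float:
    """Frequency of `key` relative to the owner's most common value (0 if never seen)."""
    top = max(frequencies.values(), default=0.0)
    return frequencies.get(key, 0.0) / top if top > 0 else 0.0


def familiarity_score(profile: OwnerProfile, req: PaymentRequest) -> float:
    """How much this request looks like the owner: 1.0 = entirely typical, 0.0 = nothing matches."""
    location = _relative(profile.known_locations, req.location)
    hour = 1.0 if req.hour in profile.usual_hours else 0.0
    app = _relative(profile.apps_before_payment, req.previous_app)
    return (WEIGHTS["location"] * location
            + WEIGHTS["hour"] * hour
            + WEIGHTS["previous_app"] * app)


def required_score(amount: float) -> float:
    """Larger payments demand a more typical context before skipping the password (constructed tiers)."""
    if amount < 50:
        return 0.5
    if amount < 500:
        return 0.7
    return 0.9


def authorize(profile: OwnerProfile, req: PaymentRequest) -> Tuple[str, float, str]:
    """Return (decision, score, reason); decision is 'allow' or 'step_up' (ask for explicit authentication)."""
    score = familiarity_score(profile, req)
    # Policy rule first: goods sent somewhere new are how a thief would cash out,
    # so no amount of habit-matching bypasses an explicit check here.
    if req.shipping_address not in profile.shipping_addresses:
        return ("step_up", score, "shipping to an address not previously used on this account")
    needed = required_score(req.amount)
    if score >= needed:
        return ("allow", score, f"context score {score:.2f} meets {needed:.2f} for this amount")
    return ("step_up", score, f"context score {score:.2f} below {needed:.2f} for this amount")


# Constructed sample profile used by the demonstration below.
SAMPLE_PROFILE = OwnerProfile(
    known_locations={"home": 0.6, "office": 0.3, "gym": 0.1},
    usual_hours=set(range(7, 23)),
    apps_before_payment={"amazon": 0.7, "browser": 0.2, "email": 0.1},
    shipping_addresses={"123 Home St"},
)

if __name__ == "__main__":
    cases = {
        "owner at home, evening, came from the shop app": PaymentRequest("home", 20, "amazon", "123 Home St", 30.0),
        "same context but shipping somewhere new": PaymentRequest("home", 20, "amazon", "456 Other Ave", 30.0),
        "unknown place, 3am, unfamiliar app": PaymentRequest("parking-lot", 3, "flashlight", "123 Home St", 30.0),
        "office at lunch via browser, small amount": PaymentRequest("office", 12, "browser", "123 Home St", 30.0),
        "office at lunch via browser, large amount": PaymentRequest("office", 12, "browser", "123 Home St", 300.0),
    }
    for label, req in cases.items():
        decision, score, reason = authorize(SAMPLE_PROFILE, req)
        print(f"{label}: {decision} ({reason})")
```

The two branches behave differently on purpose: the shipping-address rule is a hard policy check that returns before the score is even consulted, while the habit score only decides whether the password prompt can be skipped. A lost phone in an unfamiliar place at an unusual hour scores zero and is always prompted; the same owner paying a small amount from the office is allowed, but a large amount from the same context is not, which is the kind of tuning a deployment would do against real fraud data rather than the constructed tiers here.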


October 15th, 2009 at 2:52pm Posted by Markus Jakobsson

Andy, that is an excellent point: A common risk reducer is certainly to block shipping to new locations. This is not always practical (e.g., sites where a large portion of the merchandise is gifts) and does not apply to any electronic or virtual goods. However, these pose other constraints in terms of criminal monetization.

My main point is, though, that with heuristic protection (which is what we rely on), any new vulnerability is a reason for concern. And with the likely future development in m-commerce, there is reason for concern. It has been estimated that there will be more smartphones than PCs in 2-3 years, and that Symbian will have close to 40% of the market. Will malware authors move from Windows to Symbian? Many people fear that they will.
