Your Mobile Wallet Isn’t Safe

Featured article by Dror Nadler, SVP Sales & Strategic Alliances at Cellrox

As mobile payments barrel forward like a freight train, the potential consequences of cyber breaches grow in severity. 30 percent of U.S. shoppers already use mobile wallets, and 62 percent of shoppers who don’t use a mobile wallet expect to adopt one in the next year, according to a 2015 report from Interactions marketing group. The IDC estimates that the volume of mobile payments will exceed $1 trillion per year by 2017.

This would all be encouraging news if it weren’t for one inconvenient fact: mobile wallets are currently unsafe. The LA Times reported that Apple Pay fraud rates could be as high as $6 per $100 spent, according to security expert Cherian Abraham of Drop Labs. Fraudsters have found creative ways to hijack mobile payments for their own purposes. For example, Gartner analyst Avivah Litan explained how hackers have been able to load Apple Pay with stolen credit card info, spoof the card issuer’s verification process and then make fraudulent purchases.

The higher the volume of mobile payments, the more hackers stand to gain from breaches. Unless the mobile industry accepts that business as usual is not an option, we’re effectively waiting for a massive breach to derail the mobile payments train and scare consumers away from financial innovation. To get back on offense and start addressing the challenge at hand, the mobile industry needs to embrace mobile virtualization.

The Secure Element Isn’t Good Enough

The Secure Element (SE), a tamper-resistant hardware chip capable of securely hosting credit card information and other confidential information, is the standard in NFC mobile wallets. It provides decent protection once it actually receives the information it attempts to protect. However, when users either initiate a mobile wallet for the first time or enter new credit card information, the data is vulnerable.

Let’s imagine a group of friends that like to share the coolest new mobile games. One of them finds a car racing game from an unofficial Android app store and texts the link to the group. It turns out that the game is laced with malware code that intercepts communications between the keyboard and applications, capturing the actual key strokes made by the user.

When a user enters payment information for the first time, the mobile wallet relies on operating system (OS) services to move the info to the SE, just as any app would use OS services to receive keyboard input or display information on the screen.

So once the group of friends download and run the racing game, their keystrokes are captured from that point onward and sent to a remote server controlled by the hacker. If anyone in the group initiates a mobile wallet or enters payment card information into one, the hackers may get the card info. So far, no mobile wallet provider has created a solution to this security problem.

The Wallet Instance

All mobile users are liable to download malicious code onto their smartphones. Even the savviest of IT professionals fall prey to spear-phishing campaigns and other schemes that can compromise a phone – or a whole corporate network. To significantly reduce these threats, the mobile industry needs to isolate payments with mobile virtualization.

Mobile virtualization technology allows you to transform one physical smartphone into multiple Virtual Mobile Instances (VMI) that are independent and isolated from one another. Each VMI runs within its own namespace and has its own dedicated OS services. VMIs are fully customizable and unaware that other VMIs exist on same device.

A Wallet VMI would protect payments against the type of malicious code I described above. Imagine that each person in that group of friends has a virtualized smartphone with several VMIs – perhaps Work, Personal and Wallet. The Wallet VMI is used strictly for mobile payments and banking apps. The Personal VMI would contain personal email, games, social media and other high-risk apps. The Work VMI strictly contains corporate applications. If the friends were passing around games, they would read the email and download the games onto the Personal VMI.

Let’s assume they all download the malicious code once again. Yes, it could intercept and record keystrokes on the Personal VMI, but when the user switches to the Wallet VMI to enter credit cards or make payments, the malicious app could not intercept communications. It wouldn’t have any visibility into the Wallet VMI or Work VMI, for that matter. The malicious app doesn’t know that these other VMIs exists since each has its own isolated and independent set of OS services.

For an added layer of protection, payment service providers could block the Wallet VMI from browsing the internet, checking email or visiting unofficial app stores. These restrictions wouldn’t apply to the Personal VMI. With payments isolated in a separate virtual mobile instance, OS services vulnerabilities will present no risk, even as new credit card information is entered by the user.

Trillion Dollar Stakes

Smartphones are the de facto hub of private data ranging from financial and health information to personal conversations and photos. Users must have a way to preserve their privacy and protect what matters. Encrypted “containers” for corporate data and Secure Elements for payment card info are a move in the right direction but cannot prevent hackers from exploiting OS services vulnerabilities. Secure Elements, encryption and other security means, combined with mobile virtualization, can minimize a variety of cyber threats that all mobile users face.

If $1 trillion in payments remain vulnerable, we can be certain that cyber criminals will pounce. Only complete isolation of different mobile usages, achieved through virtualization, would provide sufficient protection. It’s time we embrace mobile virtualization and get on offense.

Dror Nadler, SVP Sales & Strategic Alliances

Dror Nadler brings 20 years of global leadership experience in driving adoption of emerging technologies in the marketplace, building strategic partnerships and deploying sales strategies resulting in accelerated revenue growth. Prior to joining Cellrox, Dror was the Vice President of Global Sales Engineering for Rapid7; a Boston based Information Security Company, where he focused on driving business growth, global expansion and operational efficiencies. Prior to Rapid7, Dror held a variety of new business development, sales and marketing leadership roles throughout his 13-year tenure at EMC Corporation. Most recently he served as a Senior Director of EMC’s Emerging Technologies Center where he was responsible for driving market adoption of newly developed and acquired technologies in the marketplace. Earlier in his career, Dror held several IT, Engineering and business operations roles at Intel Corporation and few small technology startups. Dror holds an LL.B. degree in Law from IDC Herzeliya, a Master degree in Software Engineering with Honors from Harvard University and an Executive MBA with Honors from Boston University.