Do you know what’s currently going on in your mobile device?
Here is a quick test to find out—check to see if you’ve downloaded one of the popular, free flashlight or navigation apps onto your smartphone. If so, you are probably unaware that you’ve likely given that navigation app permission to download your entire contacts list and the flashlight app access to your location. But in reality, this should not really come as a shock to you. At the end of the day, nothing is truly free, and all of this is outlined in the seldom-read user agreement. Ultimately, it's time for end users to step up to the plate and fully understand what permissions they have given to mobile applications. End users should know how their data will be used and be aware of the associated security ramifications for both personal and corporate data.
According to a recent U.N. study, out of the world’s estimated seven billion people, six billion have access to mobile phones. I don’t see these numbers slowing down anytime soon, but just continuing to accelerate over time. With this proliferation of mobile devices, the next logical step is to see a rise in the number of transactions made over mobile devices. According to a recent report from the e-tailing group, more than one in three shoppers made at least one purchase on a mobile device during the past six months. Just look at the stats from last year’s holiday shopping season—18.4 percent of retail site traffic came from mobile devices, up from 10.75 percent in 2011, for a total increase of 71.4 percent. Gone are the days of a traditional wallet—we are entering the age of the "mobile wallet."
When it comes to e-commerce and mobile security, a lot of data is at stake. Whether it is through popular shopping apps or retail QR codes, users are allowing data to be taken off a device and into someone else’s hands. Don’t get me wrong, I’m not trying to vilify app developers or retailers, because I personally like to receive targeted ads that are based on my personal tastes. In fact, this makes life easier for me. But the conversation that needs to start happening revolves around what data is being taken off of a mobile device and how it is being used. And let me reiterate, this is not just limited to personal data; in a BYOD world, what is being taken off of corporate networks matters too.
Mobile is such an interesting topic to debate because the possibilities are so clear and endless. But if you ask any Chief Information Security Officer what keeps them tossing and turning at night, mobile is a topic high on their list. No organization wants to mandate what an employee can or can’t purchase with a personal mobile device that is connected to a corporate network. The solution? New security technologies and techniques that can help a CISO break through the mobile security wall. Security intelligence tools that combine analytics and big data can detect anomalies in behavior that might seem risky. For example, if an employee that lives in Boston suddenly purchases thousands of dollars worth of merchandise in Moscow with a corporate credit card using a mobile device, you have the signs of a mobile security anomaly.
Properly securing mobile devices can also provide e-commerce businesses, retailers and corporations with the ability to reduce fraud. Mobile fingerprinting is one way to ensure and verify that a user is who they claim to be during a mobile transaction. Additionally, organizations that are using mobile for e-commerce can help secure the transaction. Banks and retailers are now sending verifications via text message when large transactions are made. This is a great way to instantaneously confirm that a purchase was indeed made by the correct consumer or end user.
My prediction is that retailers, technology vendors, government and industry groups will come together in the very near future to create new, innovative solutions to better protect personal and corporate data when it comes to mobile e-commerce. Very clear messages will need to be shared with consumers that outline what data will be used and what services will be provided. But it’s a two-way street; end users will need to clearly understand what is at stake when it comes to providing certain information.
It’s clear that mobile devices are increasingly becoming an integral, "must have" part of our lives, for work and play. Instead of fearing the challenges of mobile e-commerce security, organizations should embrace the potential. In order for this to be a success for all parties involved, information must be readily available on how data is being used. In addition, consumers and end users must be aware that their actions have consequences, not only for themselves, but for their employer.
—Caleb Barlow is part of the executive team in IBM’s Security division. He manages three portfolios — Application Security, Data Security and Mobile Security. In addition to his day job, Caleb also hosts a popular Internet Radio show focused on IT Security with an audience averaging over 20k listeners per show.
[Image: Flickr user Derek Gavey]