Mobile Malware A Risk

New research from TowerGroup finds that 2007 will be the year that new banking and payment initiatives in the mobile channel will be increasingly targeted by those engaged in fraud and identity theft, with the goal of infecting or otherwise compromising mobile devices. These targets will include deployments where a mobile device acts as a credit or debit card.

Like malicious software (or "malware") in the wired world, mobile viruses are small programs that infect a host device. While most mobile phones are potential targets, smart phones and wireless PDAs as particularly attractive to fraudsters given their advanced capabilities to support PC-like applications including Web browsing and instant messaging. TowerGroup believes that current mobile commerce initiatives emerging from the financial services industry lack a reasonable and justifiable focus on mobile malware.

"The success mobile banking and payments, as well as the concept of the mobile wallet, will be measured against the industry's ability to effectively contain the malware problems to a level that is at least on par with that of the existing Internet channel," said Bob Egan, Chief Analyst at TowerGroup and author of the research. "Over 200 mobile viruses have already been identified, a number that is doubling nearly every six months. Now is the time for IT managers and line of business heads within institutions to take action to protect both their companies and customers from mobile malware."

Highlights from the findings include:

• TowerGroup estimates that employees within 80% of U.S. financial institutions are already using smart phones, including the BlackBerry, in a mix of professional and personal capacities.
• As the mobile channel continues its rapid growth, the complexities surrounding security, including identity theft, consumer privacy and fraud, are exponentially increasing.
• TowerGroup recommends that financial services institution CIOs and IT managers take the following steps to protect against virus attacks on mobile devices, and infiltration of these viruses into institutional computer networks and databases:
  • Create enforceable policies regarding mobile usage that are communicated to employees, including what type of mobile downloads are safe and allowable
  • Require wireless carriers serving an institution on an enterprise level to install and monitor mobile safeguards
  • Restrict the use of personal mobile phones that can be used for corporate activities, mirroring the security and protocols now in place for PCs
  • Evaluate which combinations of network and device based security solutions represent the right fit for the institution - and prioritize their deployment

"IT managers must examine extending their existing malware and virus security initiatives to include mobile phones," said Egan. "Likewise, the mobile commerce industry beyond financial services players must step up to take more aggressive and immediate actions to circumvent the potential of fraud and theft. We're currently in the lull before the true storm. To ensure that the mobile banking and payments channel will ultimately thrive, there is no time to waste in getting ahead of the malware challenge."