Computerworld

Banking industry's m-commerce plans threatened by mobile malware

Keystroke code still unseen

Research and consulting firm TowerGroup predicts 2007 will be the year malicious code developed for identity fraud will target mobile banking via smartphones, PDAs and any other devices capable of running a connected Internet browser.

In a study titled "Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning" TowerGroup chief analyst Bob Egan warns current m-commerce initiatives being developed by the financial services sector lack a justifiable focus on mobile malware.

Egan is calling for IT managers to upgrade malware and virus security packages to include mobile phones, based on what he believes are more than 200 mobile viruses in the wild. Egan said this figure doubles every six months.

"We're currently in the lull before the true storm," Egan said.

"To ensure that the mobile banking and payments channel will ultimately thrive, there is no time to waste in getting ahead of the malware challenge.

"The success of mobile banking and payments, as well as the concept of the mobile wallet, will be measured against the industry's ability to effectively contain the malware problems to a level that is at least on par with that of the existing Internet channel."

Gartner, too, has been vocal about the security procedures associated with Internet banking through handheld devices.

Last year analyst Graham Taylor released a paper titled "Banking on Mobile Platforms: Proceed with Caution", which advised banks to delay m-commerce plans until as late as 2008. He said the delay in rolling out mobile banking initiatives is necessary to educate new users.

Most of the current mobile-phone-specific malicious code either acts as a premium dialer (diverting calls to premium-rate service numbers), "bluetooths" contact lists to other Bluetooth-enabled phones, or wipes out certain applications. No code exists yet with the potential to capture keystrokes or hijack banking sessions.

However, Neal Wise, director of security firm Assurance.com.au, isn't too alarmed at this stage. Wise said most mobile phone viruses so far have been proof-of-concept, and the idea that they could act as keystroke loggers is a bit far-fetched.

Wise cited the iPhone as one example, pointing out that with more functionality comes more risk.

"If you follow the money, chances are someone is developing malicious code intended to hijack banking sessions or capture passwords," he said.

"As far as someone installing keystroke-capturing software on a phone to hijack mobile commerce banking with a bank, that is hard and far-fetched and requires a sophisticated platform.

"The new Nokia 60 version 3 requires code to be signed by Nokia to do low-level functions, and so did the BlackBerry, so as long as the vendors have a model to only allow trustable code to be executed, just like an operating system does to know something can be trusted.

"Phones are more focused computers now, but many have Java, which may allow malicious stuff to be executed, but Java is supposed to ask the user if code to be executed exceeds the bounds of trust."

While Australia's major banks are planning m-commerce initiatives, Westpac, the Commonwealth Bank and the National Australia Bank all confirmed there are no mobile banking services currently in use.