Cyber-criminals target mobile banking

IT managers must extend existing malware and virus security initiatives to include mobile phones

Cyber-criminals and identity thieves will turn their attention to mobile banking and payment initiatives during 2007, experts warned today.

TowerGroup noted that, while most mobile phones are potential targets, smartphones and wireless PDAs are "particularly attractive" to fraudsters given their capabilities to support PC-like applications including web browsing and instant messaging.

The analyst firm believes that mobile commerce initiatives now emerging from the financial services industry "lack a reasonable and justifiable focus" on mobile security.

"The success of mobile banking and payments, as well as the concept of the mobile wallet, will be measured against the industry's ability to effectively contain the malware problems to a level that is at least on par with that of the existing internet channel," said Bob Egan, chief analyst at TowerGroup and author of the research.

"Over 200 mobile viruses have already been identified, a number that is doubling nearly every six months.

"Now is the time for IT managers and line of business heads within institutions to take action to protect their companies and customers from mobile malware."

TowerGroup estimates that employees at 80 per cent of US financial institutions are already using smartphones, including BlackBerrys, in a mix of professional and personal capacities.

As the mobile channel continues its rapid growth, the complexities surrounding security, including identity theft, consumer privacy and fraud, are increasing exponentially.

TowerGroup recommends that financial services CIOs and IT managers take the following steps to protect against virus attacks on mobile devices and the infiltration of these viruses into institutional computer networks and databases:

• Create enforceable policies regarding mobile usage that are communicated to employees, including what type of mobile downloads are safe and allowable
• Require wireless carriers serving an institution on an enterprise level to install and monitor mobile safeguards
• Restrict the use of personal mobile phones that can be used for corporate activities, mirroring the security and protocols now in place for PCs
• Evaluate which combinations of network-based and device-based security solutions represent the right fit for the institution, and prioritise their deployment

"IT managers must examine extending their existing malware and virus security initiatives to include mobile phones," added Egan.

"Likewise, the mobile commerce industry beyond financial services players must step up to take more aggressive and immediate action to circumvent the potential of fraud and theft.

"We are currently in the lull before the storm. To ensure that the mobile banking and payments channel will ultimately thrive, there is no time to waste in getting ahead of the malware challenge."