Mobile computing is all the rage in Europe and is becoming quite a thing here in the US. As a result, we are seeing more and more inquiries regarding PCI compliance and mobile computing.
First, let us make sure we all understand what we are talking about. Mobile computing is defined as, “Using a computing device while in transit. Mobile computing implies wireless transmission, but wireless transmission does not necessarily imply mobile computing.”
Laptops, netbooks, smartphones and even cell phones are all capable of some form of mobile computing. You can order laptops and netbooks with cellular modems built into them. Smartphones run Windows Mobile, iPhone OS, Symbian and Palm webOS that make them essentially very portable computing devices. And all of these devices have access to the Internet through a browser running a Java virtual machine and other common Web-based computing environments, making them capable of executing a lot of Web-enabled applications.
On the application side, a lot of organizations have mobile computing-enabled their Web sites. Just pay attention to all of the “m.domain.com” URLs that are advertised on TV and the Internet. TV stations, airlines and financial institutions are all jumping on the mobile computing bandwagon. From a PCI compliance perspective, airlines are probably on the leading edge of the credit card transaction generation wave followed by financial institutions. Over a mobile device, you can pay for a first class upgrade; purchase a premium seat near the front of the plane or in an exit row and pay for your checked luggage. In the financial institution arena, you can pay bills and check your credit card balance.
Security experts are enthusiastic about mobile computing as they currently believe it is actually safer than doing similar activities on a PC. But, they couch their enthusiasm with the caveat that this is only for the moment. Most security experts believe that once mobile computing starts catching on in a big way that the hackers will follow and that will bring mobile computing into the same league as the traditional PC.
One of the biggest problems with mobile computing is the fact that most people do not have firewall, anti-virus or other security software on their mobile device. This is particularly true for smartphones and cellular phones. As a result, they are easy targets to compromise or infect. In addition, the security on their mobile devices is limited if they have even implemented it at all. A number of European financial institutions have addressed this issue by requiring their mobile banking customers to have such software on their mobile device. In some cases, the financial institution is providing the software via their mobile Web site which is leading hackers to spoof the financial institution’s Web site to direct the user to load compromised anti-virus or firewall software.
And security gets very tricky in some mobile computing environments. The trickiest of all is Windows Mobile. It seems that Windows Mobile has a different version for practically every different smartphone it executes on. And it is not just from Motorola to Samsung to LG that it is different. It can be different between a given manufacturer’s models such as the Samsung Saga and Omnia. As a result, software that runs on the Omnia may not run on the Saga and vice versa. All of this incompatibility makes development of a standard security solution difficult and time consuming for Windows Mobile. This is why the iPhone has taken such a lead in applications. It has one and only one operating environment, making application development very easy and compatibility a given.
On the application side, the issue is with ensuring that a secure communication link is made between the mobile device and the application. For a browser-based application, this is not a big deal. Like their PC brethren, mobile devices support TLS. You also need to keep in mind that most mobile browser-based application can be susceptible to the same attack vectors that PC browser-based applications are susceptible. So, you need to send your mobile applications through the same code review and security assessment processes as your other browser-based applications.
Another issue with mobile computing is making sure that if the end user looses their mobile device, there is nothing truly lost. Therefore, if you are saving user credentials or other sensitive information, you must make sure that that information is properly secured and cannot be readily obtained by anyone other than the proper end user. Given my earlier comment about mobile device security, this can be a bit challenging. Particularly from the standpoint that most mobile computing users do not want to log on to their mobile device. And if they do have to log on, they want it as simple and convenient as possible.
SMS-based applications are where things can get interesting. Just look at the impact SMS donations have had for Haitian earthquake relief. In three days, the American Red Cross raised over $6M in donations using SMS. Granted, this example of donations does not directly involve credit cards, but it could. Numerous SMS-based applications have been and are being developed. However, SMS is not as simple and secure as one might think. Depending on how an SMS-based application is implemented, there may be the cellular carrier and other third parties that are in the middle of the communication stream and may therefore be part of the transaction’s PCI compliance requirements. The only way to know is to get into the application itself and understand how it is architected.
Now do not get the wrong idea. Mobile computing is not entirely a bad thing. It is just an unexplored area of computing that needs more work and research before we get crazy with it. While that will not likely happen, hopefully this article will explain where the risks exist and compensating controls can be put in place to protect the information that ends up being stored or transmitted on these mobile devices.