Mobile: The New Weak Link

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Cybersecurity Director for CSC in Virginia.

Want to destroy your network infrastructure, grab all your customer's unencrypted credit card numbers and drive your business into bankruptcy? There's an app for that. As retailers of all sizes migrate to mobile-type payment systems and leverage existing mobile technologies (e.g., Android, IOS platform devices), the problems of PCI-DSS compliance and protection of credit card information increase. That is because these mobile platforms are inherently insecure, making the payment systems that reside on them insecure, too.

Increasingly, retailers are looking at mobile payment systems that do not require their own dedicated infrastructure. Using ubiquitous handheld devices over regular Internet connections, these devices are cheap, easy to maintain and hold great promise for line-busting, inventory management, offsite purchases and a host of applications we haven't even thought of.

An example of such a device is the Square payment system. This small cube-shaped device plugs into any iPhone's audio plug and, with the downloadable software and a square processing account, allows anyone to process credit cards. The device contains a magnetic code reader, along with the ability for customers to use their fingers to "sign" their names on the iPhone itself.

(Related story: The CIOs of Pizza Hut and Ann Taylor—plus the SVP/IT at Home Depot—discuss the advantages and dangers of turning part of their revenue flow to mobile payments.)

The iPhone camera can act as both an authentication device and a barcode scanner to obtain product information and current pricing and inventory information. Pretty slick. The device itself is promoted as PCI-DSS Level 1 compliant, so it is secure, right? Not so fast.

The problem for mobile computing in general and mobile payment systems in particular is not that the application—or the POS devices attached to it—is not secure. The problem is the same as that with ordinary POS terminals, only multiplied exponentially. A regular POS terminal, out of the box from the vendor, may be advertised as "PCI-DSS compliant," but in most cases, this just means that the device is capable of becoming DSS compliant.

Out of the box, the device contains the manufacturer's default passwords and configurations (look 'em up on the Internet, and you are in) and, generally, must be connected to the retailer's internal network and external Internet connections.

What is worse, the contracts with the POS vendors, payment processors and issuing and collecting banks generally impose both the responsibility for and the liability for security on the merchant. Thus, the merchant must take this insecure device, change the passwords, configure it securely, connect it securely to its network, ensure that its network is itself secure, ensure that only valid people can get on its network and essentially protect the credit card information. That's a lot to expect of a company in the business of selling staple guns or T-bone steaks.These mobile payment systems add an additional layer of complexity to the PCI DSS arena—and it's one that most retailers have not yet explored. The promise of technologies like Square is that they free the retailer from dedicated POS devices and from the store itself. That means a single individual at a road-side stand, far removed from anything, can become an outlet store.

This is as true for a big-box retailer as it is for the guy who sells tube socks at the flea market. The technology is designed to be used by both the sophisticated and the unsophisticated user. Just swipe and you are done.

Although the Square device may be secure, and PCI-DSS compliant, it resides in an environment that is anything but. Mobile phones, particularly smartphones, are mini computers without firewalls, authentication devices, password protection schemes, monitoring software, antivirus or anti-malware programs, access controls or other rudimentary security protocols.

When you attach a payment system to that device, you inherit all of the vulnerabilities of the device itself. Software and "hacks" are available today that will allow hackers to invade the smartphone, monitor and control what is going on (e.g., take over the camera, microphone, phone, applications, GPS, etc.) and essentially "own" the device. Because the device has a persistent Internet connection, it can be used to transmit information back at any time. If I "own" the device, I "own" the POS terminal.

Moreover, mobile devices are, well, mobile. They can be put down and unmonitored. They can be lost or misplaced. These devices also run a host of other applications, from GPS mapping to birds that are apparently very angry. A developer in the former Soviet Union could (and many have) develop a game or app that is intended to have one functionality but, in reality, is designed to corrupt the smartphone or other applications.

Despite precautions to prevent such conduct, the development of such software and its exploitation is inevitable. And this is true even if the device attached to the smartphone is PCI-DSS compliant.

Just as attaching a secure POS device to an insecure network destroys the security of the POS device, attaching a secure payment device to an insecure mobile device or platform can destroy the security of that secure device.

What is worse, it is neither the manufacturer of the POS application, the smartphone, the network provider, the payment processor, the issuing bank nor the receiving bank that would likely be on the hook for the damages resulting from such attacks. No, it would generally be the retailer that used the technology. Thus, the guy making 50 cents each from sales of tube socks could be liable for the 15,079,942-ruble (US $5,000) flat-screen TV purchased in Belarus by the hackers who attacked the iPhone at the Yonkers raceway flea market.

There is great promise in mobile technology that leverages existing infrastructure. There is gold in them thar hills. But before you go to mine that gold, remember your safety harness. After all, if anyone gets burned online, it will be the retailer.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.