This past Friday I spoke at the Northern Ohio InfraGard meeting. The topic of the meeting was mobile security. I covered the risks related to mobile commerce, and Chris Kovacs, from Mirifex Systems, covered security issues related to mobilizing the work force. Chris specifically focused on the need to secure BlackBerry and Windows Mobile devices that are connected to the corporate network. Chris started out his presentation with a great quote:
"The biggest paradigm shift in mobile security is the death of the presumption that physical security is adequate."
This is a great statement regarding the challenges related to securing mobile devices. Some companies understand this statement and take it into account when they secure their mobile devices. They encrypt the contents of the device, require a password to access the device, have the ability to remotely wipe the device, control what applications can be installed on the device, etc. However, far more companies need to re-evaluate the security of their mobile devices and design them to resist attacks from someone who has physical control of the device.
Even fewer companies take this paradigm shift into account when designing their m-commerce systems. Few m-commerce systems are designed to protect against attackers who have physical access to a customer's phone. If you run an m-commerce system, here are a few questions you should ask yourself:
- Is my m-commerce system designed to resist attacks from someone who steals a customer's mobile device?
- Do we require user level authentication to access our services?
- Is sensitive data stored in a secure manner on the customer device?
- How does my application protect against malware installed onto the device?
- Do we educate our customers on how to secure their devices when our m-commerce application is installed on it?