Mobile payment security: Top 5 threats
Almost all payment apps are vulnerable to cyberattacks. We recommend an integrated approach with strong data protection controls, enhanced user authentication, and runtime protection to keep your payment app secure. According to a report by Allied Market Research, the global mobile payment market is expected to reach more than US$12 trillion by the year 2027. […]
Almost all payment apps are vulnerable to cyberattacks. We recommend an integrated approach with strong data protection controls, enhanced user authentication, and runtime protection to keep your payment app secure.
According to a report by Allied Market Research, the global mobile payment market is expected to reach more than US$12 trillion by the year 2027. Many convenient services are available, including Venmo, Apple Pay, Google Pay, and Samsung Pay. Unfortunately, it seems like cybercriminals have also caught on to the convenience of mobile payments. Here are the top five threats facing mobile payments:
- Phishing and social engineering
- Fraudulent payment apps
- Reverse engineering and tampering
- Man-in-the-middle attacks
Cybercriminals often start their attacks against payment apps by using an emulator for the mobile operating system, where they can analyse the targeted app. From here, they can reverse code, attach debuggers, or change an app or its environment to alter its behaviour. Emulators allow access to multiple devices and apps at once, so they’re a successful method of bypassing authentication and rule-based security measures.
There’s no single solution that will help you combat emulators. Still, we recommend implementing runtime application self-protection (RASP) to prevent the app from running inside an emulator. A layered approach consisting of app shielding with runtime protection, strong authentication, and server-side risk analytics provides you with even stronger protection against emulator fraud.
2. Phishing and social engineering
Cybercriminals are increasingly targeting payment app users in phishing and social engineering campaigns. Earlier this year, the FBI warned that cybercriminals are tricking users into making instant money transfers using text messages with fake bank fraud alerts. In another phishing attack targeting Venmo users, attackers contacted victims about so-called problems with their account to trick them into handing over their account credentials.
Social engineering attacks continue to target digital payment users globally. By using these security features, you can keep your transactions secure:
- One-time-passwords (OTPs)
- Two-factor authentication
- Point-to-point encryption
- Automated detection of fraudulent transactions
Of course, you need to supplement these methods with other preventive measures, such as good cybersecurity awareness.
Make sure you are PCI compliant
If your mobile app accepts, processes, stores, or transmits payment card information, you will need to meet certain accepted industry standards to become PCI compliant.
In this checklist, you will find several of the technical guidelines for apps accepting electronic payments on mobile devices found in section 4 in the PCI Mobile Payment Acceptance Security Guidelines for Developers, and a high-level overview on how app shielding software can help you meet them.
3. Fraudulent payment apps
Threat analysts at mobile security firm Cleafy have been tracking the development of the Sova malware. They report it has evolved rapidly in the last few months: It can now mimic over 200 banking and payment apps and even encrypt mobile devices with ransomware. Earlier this year, a malicious 2FA authenticator app on Google Play made the headlines. The app remained available to download for 15 days, and over 10,000 people downloaded it, thinking it was a legitimate two-factor authentication solution.
These are just two examples of fraudulent apps masquerading as authentic services. To protect your payment app from malware, you may want to consider an app security solution that provides multiple layers of protection.
4. Reverse engineering and tampering
An attacker can easily download an unprotected payment app from an official app store. From there, they can reverse-engineer it to read the underlying code, identify APIs, read file names, access sensitive data, and more. Code protection makes your app more resistant to reverse engineering, app tampering, and protects against intellectual property theft.
Learn more about code obfuscation and how app shielding protects your apps against reverse engineering and tampering.
5. Man-in-the-middle attacks
Unsecured public Wi-Fi networks make it incredibly easy for a malicious actor to hijack communications and intercept data flowing between a payment app and its server. Once hijacked, an attacker can pull credentials and other confidential data to access accounts and fraudulently transfer funds. Detecting man-in-the-middle attacks is difficult, but they are preventable. Best practices include using encryption protocols like TLS and strong authentication. You should also educate remote workers about the potential dangers of unsecured networks.
There’s no shortage of attack vectors, so the real question is: How do you protect your payment app most efficiently? We recommend an integrated approach that includes runtime protection, user authentication, and robust data protection controls to safeguard app assets such as API keys, certificates, OTPs, and tokens.
Payment apps need to balance compliance, security, and end-user experience. Promon SHIELD™ achieves this with multiple layers of protection—at run-time and at rest—to secure your app while maintaining the end-user experience your customers demand.
Mitigate the OWASP Top 10
The OWASP Mobile Top 10 lists the most common threats to mobile apps. We recommend that you focus on these while designing your paument app. Download our OWASP Mobile Top 10 checklist and explore how you can mitigate these threats.