While computer network systems have evolved to protect against cyber penetrations in the PC world, mobile phone and tablet devices have some catching up to do. Part of the problem is that layered defenses originally designed for the former may not fit the bill in the mobile world.
But as more of us embrace mobile payments, the fact that a compromise could occur under our noses adds a sense of urgency to resolving security issues. With about 26 apps on the average U.S. smartphone, malware exposure is a major concern. Malicious apps may appear to behave as regular apps do. However, once installed, they can leverage vulnerabilities that exist at the operating system services level.
Even the major mobile payment players are not immune to this problem. "The minute you actually scan your credit card or enter your credit card information on the screen, that malicious app can have keylogger or screenlogger capability," said Dror Nadler, Senior Vice President of Sales & Strategic Alliances at Cellrox Ltd. "At that given moment, I can take that information, put it somewhere else … and start using it. This whole notion of security goes out the window."
The question then becomes, with all the best security measures available today – tokenization, end-to-end encryption, multifactor authentication – how does one separate the good from the bad apps on our mobile devices without impacting user experience?
In the past, computer network servers relied on hypervisors to protect connected devices. A hypervisor is a layer that resides between the hardware and the kernel, the central input/output function within the computer operating system. "You can essentially have multiple virtual machines that are running on top of that hypervisor," Nadler said, adding that this type of layer is also referred to as Type 1 virtualization.
However, attempts to apply hypervisor technology to mobile devices have met with little success. "It just doesn't scale well and the performance is pretty lousy," Nadler noted. "We're approaching it differently." The objective is to create "a minimal footprint visor layer that resides within the kernel."
According to Nadler, a visor layer creates an impenetrable wall between virtual mobile instances (VMIs). Such instances might include payments, gaming and social network activities. Payment information can be stored in one VMI, and games and other apps can be stored separately. In essence, the visor prevents malware in one VMI from infecting another VMI, and malware doesn't recognize other VMIs residing on the same mobile device.
"What we really care about when it comes to mobility and mobile virtualization is the ability to completely isolate one operating system from the other," Nadler said. "You can customize each one of these VMIs independently."
Nadler pointed out that others have attempted to protect data in mobile environments by creating something called a container or sandbox, which is an environment within an environment. However, if one environment is compromised, the entire container is compromised, whereas with a virtual OS, if one virtual OS is compromised, the other is not necessarily affected.
Many businesses are realizing that as workers increasingly use their personal devices for both professional and personal applications, visor and other security protocols are an essential component for protecting sensitive company data. This applies to all sectors, including healthcare providers, financial institutions and educational organizations.
While no data security system is infallible, mobile security defenses will continue to evolve as consumer usage picks up. Cellrox is working with original equipment manufacturers, the payments industry and business enterprises to embed the virtualization layer to protect all participants in the mobile movement.
As part of its effort to educate the public and heighten mobile security, Cellrox recently introduced a free edition of its ThinVisor solution. "We made a freemium version available for those who have a Google Nexus 5 or Nexus 7," Nadler said. "They can go to our website [www.cellrox.com] and download a version that will allow them to run two VMIs on their physical device, and it's good for the lifetime of the device."
Education can serve as a catalyst to remove inertia. Creating stronger demand for more effective data security in the payments industry will inevitably improve the situation.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.