The holiday shopping season is upon us, and more buyers will leave their credit cards and cash in pocket and complete their holiday purchases via convenient mobile phones and tablets.

Most mobile payment solutions are very secure — in fact, more secure than the old-fashioned swiping of a credit card at a point-of-sale terminal. But in light of the recent rash of mobile app attacks (including KeyRaider, XcodeGhost and Shuanet) and the new attack vectors that have emerged, we wanted to provide input for organizations that are revisiting their mobile payment security approach in preparation for the holiday shopping rush.

What Threats Should You Be Concerned About?

Mobile payment attack techniques continue to evolve. There are many attack points, but the most critical we see are summarized in the table below:

Of particular importance in most mobile payment apps is cryptography. We highlight cryptography because:

  • In most mobile payment apps, it’s used to encrypt data and ensure secure communications between the mobile app and the back-end server handling the transaction.
  • Many organizations don’t protect their keys or think it is too difficult to protect them. In fact, 80 percent of respondents to a Ponemon Institute survey sponsored by IBM identified broken cryptography as the most difficult risk to minimize.
  • Unfortunately, crypto keys represent a prime target. Cybercriminals use a broad set of tactics to discover keys, including extracting them through memory scraping techniques. With access to an application’s crypto keys and algorithms, attackers hold the keys to the kingdom: they can decrypt data, see how the app’s security measures work, and then circumvent those controls and/or tamper with application logic to steal information.

What Protection Techniques Should You Focus On?

There is no shortage of attack vectors, so the real question is: What are the most important factors to focus on given limited resources and time? We believe that you’ll get the best results by taking an integrated approach that includes:

(Note: With these factors addressed, network protection becomes less important!)

The table below summarizes what you can do to address the most effective techniques being used to compromise mobile payment solutions.

To protect all-important crypto keys in payment apps, we recommend applying white-box cryptography in lieu of standard cryptographic implementations. The best white-box cryptography solutions combine mathematical obfuscation with classic code obfuscation. Together, these forms of obfuscation raise the bar to higher levels for attackers trying to identify keys or algorithm implementations via either static or dynamic analysis. White-box cryptography protects:

  • Static keys, which are embedded in applications when they ship;
  • Dynamic keys, which are generated on the fly at runtime;
  • Sensitive user data.
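As an added illustration (not code from the original post or from any vendor mentioned here), the toy Python below shows the "mathematical obfuscation" idea behind white-box cryptography: each key nibble is folded into a lookup table, and the intermediate value is hidden behind a random bijection that only ever appears folded into the tables. The 4-bit S-box, the two-round toy cipher and the seed are assumptions made for the demo; a 4-bit construction is brute-forceable and shows the principle only, while real products use wide nested encodings plus code obfuscation.

```python
import random

# Toy 4-bit S-box (the PRESENT cipher's S-box), standing in for AES SubBytes.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def toy_cipher(key, nibble):
    """Standard implementation of a two-round toy cipher on one 4-bit value:
    S(S(p ^ k0) ^ k1). Both key nibbles sit in memory as plain values."""
    k0, k1 = key
    return SBOX[SBOX[nibble ^ k0] ^ k1]


def build_whitebox(key, seed):
    """Fold each key nibble into a lookup table (AddRoundKey + SubBytes merged),
    then hide the round-1 output behind a random bijection g that the round-2
    table undoes internally. Neither the key nor g exists on its own."""
    k0, k1 = key
    rng = random.Random(seed)          # seed only so the demo is reproducible
    g = list(range(16))
    rng.shuffle(g)                     # random 4-bit bijection (internal encoding)
    g_inv = [0] * 16
    for x, y in enumerate(g):
        g_inv[y] = x
    t1 = [g[SBOX[x ^ k0]] for x in range(16)]       # T1 = g o S o (xor k0)
    t2 = [SBOX[g_inv[y] ^ k1] for y in range(16)]   # T2 = S o (xor k1) o g^-1
    return t1, t2


def whitebox_encrypt(tables, nibble):
    """Run the cipher purely by table lookups; no key material is referenced."""
    t1, t2 = tables
    return t2[t1[nibble]]


def unencoded_table(k0):
    """What T1 looks like without the encoding g: with S public, the table then
    directly implies k0, which is why the encodings matter."""
    return [SBOX[x ^ k0] for x in range(16)]


def whitebox_matches_plain(key, seed):
    """Check that the table-only implementation agrees with the standard one."""
    tables = build_whitebox(key, seed)
    return all(whitebox_encrypt(tables, p) == toy_cipher(key, p) for p in range(16))
```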

Best Practices for Protecting Mobile Payment Information

Finally, organizations should educate those using their mobile payment apps on some best practices. The risk of your mobile payment solution getting hacked decreases dramatically if users:

  1. Download mobile apps only from official app stores (e.g., Google Play, App Store, etc.).
  2. Ensure that phone settings are set to prevent app downloads from unofficial stores. Users may want to check their mobile phone’s user guide for instructions.
  3. Ensure private data and transactions are secure when using mobile apps by asking banks, retailers and credit card providers if mobile apps have been safeguarded against attacks such as reverse engineering, tampering or malware insertion.
  4. Avoid making mobile payments over public Wi-Fi. If that’s unavoidable — because users spend a lot of time in cafes, hotels, airports, etc. — then they should consider paying for access to a virtual private network that will significantly improve privacy.
  5. Follow their instincts. If something about the payment transaction appears to be suspicious, users should consider making the payment later or by a different means.

If implemented properly, these protection techniques will dramatically decrease the risk that your mobile payment app will be compromised. They could also prevent you from squandering profits from your holiday-related mobile transactions to cover the cost of potential data breaches.
