Mobile Banking and the Threat of SMS Spam
Thu, Aug 15, 2013 by Andrew Conway
A recent report from Pew claims that 51% of all US adults bank online, and 32% of all US adults use their phone for banking. These numbers are growing all the time. The days of waiting in line for a bank teller are long gone. Now that your mobile phone can even be used to deposit checks, the only use remaining for ATMs is to dispense cash. Even cash is becoming less of a necessity now that we have credit cards for most transactions and bitcoin for buying drugs.
In some countries, mobile banking goes even further, and the phone itself is the payment device. The M-Pesa system, which started in Kenya and Tanzania, is the most developed system of this type, and is now spreading to other countries. (When the Afghan police force started M-Pesa to pay police salaries, they discovered that 10% of the existing policemen did not really exist and corrupt officials had been pocketing the paychecks.) In India, M-Pesa competes with IMPS and mChek to provide a payment system for millions of people who may have phones but not bank accounts or credit cards.
In Richmond, UK, PayPal has a pilot scheme where the customer’s name and picture are displayed on the point-of-sale terminal. The clerk compares the picture with the customer in front of them. If they match, the PayPal account is billed, and the customer receives notification on their phone. How long before enterprising bank hackers are using facial recognition technology to identify look-alike money mules to cash out compromised PayPal accounts? Better think twice about putting your mug shot on Facebook if it is also going to be used to secure your PayPal account.
Mobile banking depends on the fact that we trust our phones. We’ve long since given up emailing our credit card numbers to make a purchase or believing in the Nigerian gold at the end of the rainbow. Text messages are different. We read our text messages right away, and generally believe what they tell us because the vast majority come from real people that we know. That’s why phishing SMS spam is particularly pernicious.
We saw a big ramp-up in this form of spam about a year ago, and for the past six months it has been a major component of SMS spam in the US, being the most common form reported during many recent months. The spammers are obviously making money at this or they would not keep doing it. However, as with most forms of spam, the real costs to the rest of us are far greater than the profits made by the spammer. If we can no longer trust our phones, then we may miss out on the full benefits of mobile technology. We need to replace the notoriously insecure US credit card system with something better. If a new payment system is going to be based on our phones, then we must put an end to them being used as a vector for bank fraud.