Think you know everything about mobile e-commerce? Here are the security risks.
Australian retailers have been warned the exponential growth in m-commerce could leave them vulnerable to data breaches.
Protiviti managing director Chris Grant said growing popularity in the local market could come at a cost.
"In 2013 alone, almost 300 billion mobile transactions worth more than $930 billion were processed."
"By 2015, the number of mobile apps developed for smartphones and tablets will outstrip PC based software four times over, pushing transaction volumes to even greater heights.
"And by 2016 more than half of the world’s top 1000 companies will be storing sensitive customer data in the cloud.
"The rapid shift from desktop to mobile internet services and from traditional data centres to the public cloud will open up a whole new world of security vulnerabilities for businesses that are unprepared for the risks."
Grant said the recent data breach suffered by eBay showed cybercriminals are becoming increasingly sophisticated.
The breach resulted in the theft of personal information of 145 million eBay users.
According to Grant, Australian businesses have a poor record in resisting cyber-attacks.
In 2013, Australian companies had data breaches that resulted in the highest average number of compromised records per capita (34,249).
Australia also ranked second, after Germany, on the list of countries most likely to experience a data breach from malicious or criminal attack - the most costly breach category for companies.
These statistics were documented in the Ponemon Institute 2013 Cost of Data Breach Study.
Grant said the critical first step in overcoming this is to understand customer behaviour.
"Companies first need to know how consumers behave when it comes to online security and adopt systems that help protect their customers from themselves.
"It’s well known that consumers tend to let their guard down particularly on social media by readily accepting contact offerings, sharing files or clicking on links from people they don’t personally know – even though these behaviours greatly increase their chances of malware infections, identity theft and the like."
Grant advised a 'defence in depth' strategy to combat e-commerce risks.
"A ‘defence in depth’ approach involves a coordinated use of multiple IT security measures to protect the organisation’s information assets.
"Because the source of a cyber-attack can be unpredictable, you need to be set up so if one security measure is infiltrated there are fall-backs that can continue to hold the fort.
"And to be effective, those integrated measures must protect the business on all essential fronts.
"These include having robust server and application security, which should include a clear policy for when it’s appropriate to use the cloud.
"Also critical are message confidentiality and integrity measures so that communications between transacting parties are private and not able to be tampered with, and authentication and authorisation protocols so that parties are properly identified and authorised to make the relevant transactions.
"Sound audit controls should also be implemented so that breaches or other unauthorised activities can be quickly detected. And lastly, payment processing and settlements need to be secure and compliant with the Payment Card Industry Security Standards which protect against credit card fraud.
"The explosion in mobile e-commerce presents both opportunities and threats for Australian businesses. The companies that succeed will be those that invest adequately in IT security and have a robust, multi-dimensional security strategy to deter the hackers at the gate."
Grant listed the following points as essential components of a ‘Defence in Depth’ e-commerce security strategy:
1. Server and application security: to minimise risk of attacks on the systems that support e-commerce
2. Message confidentiality: to keep communications between transacting parties private
3. Message integrity: to keep communications between transacting parties secure and free from unauthorised interference
4. Authentication: for robust identity validation of transacting parties
5. Authorisation: to ensure the trading parties are authorised to perform certain functions and transactions
6. Audit controls: checking and testing of systems and transaction records for early identification of irregularities
7. Secure payment processing and settlement: to ensure goods and services are paid for and processed securely.