As the number, power and flexibility of mobile devices have increased, so has their use for shopping. In 2008, a Nielsen survey found that 9 million people in the United States “have used their mobile phone to pay for goods or services,” and many more expect to do so soon. In a 2009 survey by Deloitte, 45 percent of respondents said they would use their mobile phone to research prices, and 25 percent said they would use their phone to make purchases.
Consumers will use mobile devices to research and make purchases as long as they feel safe. Without consumer confidence, people will hesitate to expose their interests — and, more importantly, financial information such as credit card numbers and PayPal account information — where attackers can get it. Thus far, confidence in the security of purchasing using mobile devices seems to be growing.
How accurate is that perception? How safe is shopping from mobile devices? The answer: pretty safe, if you take some precautions and are careful.
Good Phishing Spots
Shopping using a mobile device is similar to shopping from a desktop computer, but with two important differences. The first is the size of the device. Mobile devices such as cellphones have considerably less memory and storage than computers. The second is their mobility. Desktops generally stay in a single location that is considered “safe.” Mobile devices, on the other hand, travel with their owner, and consequently are often in “hostile” territory. They can easily be misplaced or stolen, much more so than desktop computers. So there are additional, and different, risks.
The screen on a mobile device is very small, so the software on the mobile device often abbreviates Web addresses, shows only part of the address, or shows the address in very tiny print. In any of these cases, consumers may think they are giving data (such as credit card numbers) to reputable vendors — but in reality, they could be giving it to scammers.
Here’s an example. A phishing attack occurs when someone tries to trick you into going to what you think is your bank’s sign-in Web page. You then log in, using your account name and password. The phishing site now has this information, and the owners of that site can now access your accounts at the bank’s actual Web site.
If the full address of the Web page is visible, you might notice that the address of the Web site you went to was “http://www.mybank.phishing.example” and not the bank’s real Web site, “http://www.mybank.example.” (Obviously, neither of these URLs is associated with a real bank or phishing site.) If there is not enough room to show the full address, it might be shown as “http://www.myban … ple”, and from that, you cannot tell whether the address is that of the real bank site or an impersonator.
Advice: Check whether the site you are going to is actually the one you intended to go to.
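As an added illustration (not part of the original article), the following Python mimics the address truncation described above and shows the check a careful user, or a client-side tool acting for one, would perform: recover the full host name and compare its registrable domain against the one you expect, rather than trusting what fits on the screen. The two addresses are the article’s own fictitious examples; the truncation widths and the “last two labels” domain rule are simplifying assumptions made for this example.

```python
from urllib.parse import urlparse

# Constructed example addresses taken from the article; neither is a real site.
REAL_BANK = "http://www.mybank.example"
LOOKALIKE = "http://www.mybank.phishing.example"


def truncate_display(url: str, head: int = 16, tail: int = 3) -> str:
    """Mimic a small screen that keeps only the start and end of an address.

    The head/tail widths are assumptions chosen to reproduce the article's
    "http://www.myban … ple" rendering; real browsers use their own rules.
    """
    if len(url) <= head + tail + 3:
        return url
    return f"{url[:head]} … {url[-tail:]}"


def hostname(url: str) -> str:
    """Return the lower-cased host of a URL, without scheme, path or port."""
    parsed = urlparse(url)
    if not parsed.hostname:
        raise ValueError(f"no host in {url!r}")
    return parsed.hostname


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    Deliberate simplification (assumption): it ignores multi-label public
    suffixes such as co.uk, for which a real implementation consults the
    Public Suffix List. For the article's ".example" hosts it is exact.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the URL's registrable domain is exactly the expected one.

    A naive substring test ("mybank" in url) would accept the look-alike;
    comparing the registrable domain does not.
    """
    return registrable_domain(hostname(url)) == expected_domain.lower()


if __name__ == "__main__":
    for url in (REAL_BANK, LOOKALIKE):
        print(f"{truncate_display(url)!r:28} host={hostname(url):32} "
              f"domain={registrable_domain(hostname(url)):20} "
              f"trusted={is_expected_site(url, 'mybank.example')}")
```

Run stand-alone, the script prints the identical truncated display for both addresses, then the full host and registrable domain that distinguish them. The lesson is the one the article makes: the part of the address that identifies the owner is the registrable domain near the end of the host name, which is exactly what a shortened display is most likely to hide.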
Similarly, be sure that you know what you are buying. The Web page may not be completely visible; you may need to scroll around to see everything. Also, some vendors provide different Web pages to mobile devices than they do to desktop computers. While not strictly a security issue, this can save grief and unwanted expense when using mobile devices.
Along the lines of protecting your information, be careful of what you use your mobile device to send, even to Web sites you trust. (This is good advice for shopping over the Internet in general.) There are two reasons for this:
- Even trusted vendors get attacked and have customer information stolen. Numerous reports of large-scale thefts of credit card numbers and other personal information have been in the news recently. This can happen for many reasons — for example, due to security lapses or to untrustworthy people, or even by accident. So, when you purchase something, do so in such a way that your liability is limited if someone steals the data you send to the vendor.
- Your browser and the vendor’s Web server exchange sensitive information (like payment information) by using a special protocol to protect the data. Unfortunately, a researcher has found flaws that would allow an astute attacker to compromise this connection. While experts are still discussing how serious this problem is, it remains a threat to protecting your information.
Fortunately, there’s an easy way to limit your liability: Use your credit card. The Federal Trade Commission says that “if the loss involves your credit card number, but not the card itself, you have no liability for unauthorized use.” The rules for ATM and debit cards are somewhat different; check with your bank about them.
Also, if a thief does steal your payment information, you will need to render that information useless. So use something you can easily cancel or change so the thief cannot use the stolen data.
Advice: When purchasing something using a mobile device, use a payment method that minimizes your liability and is easy to render useless if the information is stolen.
It’s tempting to store data in your mobile device so you can easily use it. Frequent flyer numbers, credit card numbers, phone numbers, account names and passwords are examples of what people store. The problem with mobile devices is they travel with their owners. So, someone can forget a cellphone at a restaurant, for example, or it could fall out of someone’s pocket or handbag on the subway or in a taxi. The finder then has access to all the information on the device.
The solution is to assume that the mobile device might be stolen. What data would you not want a criminal to see? Either remove that data from the mobile device or get an application that will keep the data encrypted except when you are using it. (These are often called “wallets” or “password wallets.”) That way, if you accidentally misplace your mobile device — or worse, a thief steals it — you have protected your information.
Advice: Think like a thief. Figure out what information on your mobile device you don’t want anyone to see, and either delete it or encrypt it. If you do the latter, remember to choose a good password!
Everyone needs to balance the convenience of mobile shopping against the risks of purchasing errors or data theft. Given the proliferation of smartphones, mobile commerce will undoubtedly continue to grow. Shopping using mobile devices can be reasonably safe if you take proper precautions — so let’s be careful out there!
Matt Bishop is a member of IEEE and a computer science professor at the University of California at Davis.