Contents
Executive summary
Introduction
The smartphone explosion
Malware for mobiles
Mobile shopping made safe
Executive summary
Consumers are using their mobile devices anywhere, any time and, increasingly, for online banking and shopping. While
mobile transactions are convenient, there are a growing number of threats to such sensitive data passed over a mobile
network.
Mobile vulnerabilities increased by 93 percent in 2011 [1], and there has been a rise in threats aimed at the Android operating
system [2]. Hackers are targeting consumers and businesses with methods such as data collection, tracking and sending
content. The consequence of security breaches is a loss of consumer confidence and trust, which results in lost business.
However, with a secure mobile strategy that includes SSL certificates, organisations can protect their customers, providing
safe online shopping services and giving their customers confidence that their sensitive data is protected.
This white paper looks at recent research from Symantec to highlight the importance and ubiquity of mobile and the
impact it is having on business. It will touch on the browser-based types of mobile malware threats, and then focus on why
businesses must take responsibility for mobile security and protecting sensitive data, using SSL as part of a secure mobile
security strategy.
Introduction
Shopping online has been commonplace for 10 years or more, but only recently has mobile shopping, or m-commerce,
gained in popular use, driven by the explosion in the number of smartphones in people's pockets and handbags. As well as a
growth in the numbers of devices, this has resulted in an explosion of mobile data [3].
However, the growth of platforms such as Android has been accompanied by a growth in malware that takes advantage of
the way that the mobile market has coalesced around a small handful of operating systems [4].
The result has been a rise in security breaches, which can result in a loss of trust in mobile devices and in making
transactions online. When people cannot be sure about the identity and security of the mobile shopping sites to which they
connect, they will stop using them.
In order to build and maintain customer confidence in your mobile shopping sites, your business will benefit from a security
solution that can help protect sensitive data and alert you to potential hacks and attacks. Trusted solutions such as SSL
encryption and real-time malware scans can add to an all-round security package.
Businesses large and small are seeing damages as mobility-related security issues increase. Source: Symantec State of Mobility Survey EMEA, 2012.
Their security concerns are justified. Businesses large and small are seeing damages as mobility-related security issues
increase. They have suffered a variety of losses, measured by lost productivity, direct financial expenses, and loss of
data. Within the last 12 months, the average cost of these losses was $247,000 globally, but $259,000 in EMEA [7]. Large
enterprises and small businesses are largely experiencing the same kinds of loss, but to a very different degree -- globally,
small businesses averaged $126,000 of loss, while enterprises averaged $429,000 [8].
Nearly one-third (30 percent) of all IT leaders report their company has experienced a security threat as a result of personal
mobile devices accessing company data [9].
premium rate SMS messages.
Source: Symantec Internet Security Threat Report, 2011
Mobile devices are also vulnerable to the kinds of browser-based attacks found in
desktop machines. One example is malvertisements: pop-up windows that
look like advertisements, especially those warning of the possibility of the device being infected and inviting users to click
on them. If a user is alarmed enough to click on this so-called scareware, the site to which they are directed may attempt to
infect their machine or extract money from the user for removing non-existent threats from their device [15].
Another example is drive-by downloads. These applications download unwanted and malicious code after being granted
permission by the user to install an application, sometimes without checking its permissions thoroughly, or after a user has
clicked on an ad or a malicious browser link.
Loss of confidence and trust
The nature of mobile devices amplifies the danger of such malware. A smartphone is an intimate part of an individual's life;
it stores all kinds of personal, private information, making it an attractive target. At the same time, people routinely allow
apps to track their locations and activities, often without fully checking their functionality [16]. This behaviour can open the
door to infection, such as drive-by downloads.
Service               Moderate confidence (%)   Little to no confidence (%)
Online banking        51                        16
Healthcare services   44                        20
Online shopping       60                        18
Business email        45                        13
Social networking     36                        39
becomes infected with malicious software. Malicious code can be hidden in the source code of your website and can be
difficult to detect without line-by-line analysis. It also can result in your site being blacklisted or excluded by search engines.
This protection should be deployed in addition to traditional anti-malware software, which focuses on the client device. Most
scanning solutions are designed to protect employees from downloading or installing malware rather than protecting the
company's website from distributing malware. Symantec's Web site malware scanning service, also included with its SSL
Certificates, will inspect your mobile shopping site on a daily basis, providing a list of infected pages and notification of the
code causing the problem, so that you can then apply a suitable remedy to the site.
Conclusion
With an all-round approach to Web site security, especially shopping sites, your business can establish and maintain online
trust while keeping the hackers away. Worldwide mobile spending online is due to top $171.5 billion in 2012 [20], up 61.9
percent over 2011, so maintaining your online reputation is of paramount importance. By using a complementary service set
such as SSL encryption, vulnerability assessment and malware scanning, you can detect, identify, alert and defend against
potential problems, protecting your customers and your reputation.
The additional levels of reassurance and trust that such a service set creates will allow visitors to your mobile shopping
website to click with confidence, which in turn can help increase conversions and improve your business results.
More information
Visit our website
www.verisign.co.uk
To speak with a product specialist
Call 0800 032 2101 or +44 (0) 208 6000 740
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and
organisations secure and manage their information-driven world. Our software and services protect against more risks at
more points, more completely and efficiently, enabling confidence wherever information is used or stored.
Symantec (UK) Limited
350 Brook Drive, Green Park
Reading, Berkshire
RG2 6UH, United Kingdom
2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton Secured, and the Norton Secured Logo, are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in
the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.