Ever forget your wallet? I do. All the time. If I wasn’t in the security industry, an ability to pay for things with my cell phone (which is never too far from my grasp) would be attractive to me. But LifeLock’s recent move to pull their Mobile Wallet application from the app store and delete customer data simply reinforces my skepticism on the subject of mobile payments.
LifeLock acquired the mobile wallet application, which uses near field communication (NFC) to make payments at brick-and-mortar merchants, through its purchase of Lemon Mobile late last year. There has long been concern over the security of NFC, particularly the possibility of payment data being intercepted in transit. However, the decision to pull the Mobile Wallet was driven by vulnerabilities in the product itself that left it out of compliance with the Payment Card Industry (PCI) security standards.
Unfortunately, understanding what vulnerabilities you are buying along with your software is just as important as understanding the innovative capabilities of that technology. LifeLock, or any company acquiring software, must review the security of the software being purchased in order to ensure that the product is aligned with the enterprise’s security policy. This goes not just for M&A activity, but also for software that is purchased commercially for use within an organization. Writing this requirement for software security into the contract or legal agreements with the software supplier or acquisition target is an obvious way to ensure that security (or the lack thereof) isn’t an afterthought or (as in LifeLock’s case) an embarrassing and costly surprise.
A mobile application that holds customers’ financial information is widely exposed, and a compromise of that application would have a significant impact. Therefore the application should have been classified as critical, and proper security controls put into place to ensure that it was appropriately secure, before it was offered to customers. This risk-based approach to security does not define success as checking a box for a compliance regulation; it defines success as understanding exactly what risk the enterprise is taking on. Software security is not the only aspect of enterprise risk, but the software layer is one of the most exposed and accessible for most enterprises.
Truly understanding risk, rather than focusing narrowly on regulatory requirements, will help enterprises comply with regulations. It will also spur enterprises to create plans that ensure the continued security of customer data, without having to pull applications or products from the shelves.
LifeLock’s proactive removal of the offending mobile app from the marketplace, despite the significant impact on the LOCK stock price, is ultimately a sign that the market is maturing. Rather than quietly working on a patch while customers continued to use the vulnerable application, LifeLock did the right thing: they pulled the app out of production in order to ensure the security of their customers’ data. Even though this action may be related to the company’s 2010 dust-up with the FTC and significant concern over their brand reputation, they are clearly taking the security of their customers’ data seriously. If only they had done their due diligence to begin with, the consequences of being security-minded would not have been so steep.