With the rapid development of mobile payment, the security problem of mobile payment is becoming more and more prominent, and the demand of users for mobile payment security management is becoming more and more urgent. Based on this, EnfoDesk Analysys think tank conducted a special study on the current field of mobile payment security, and released the "20 14 Research Report on Mobile Payment Security": in the report, the usage and main problems of users' mobile payment security were investigated:
The survey results show that mobile phone security software has become the most mainstream way for mobile payment users to guard against mobile payment risks, and 9 1. 1% users choose to use third-party mobile phone security software such as Tencent Mobile Manager, which shows that security software is the most popular protection measure and the threshold is low. Among the respondents, only 7.7% chose not to take any protective measures, and only 1.2% chose other ways.
Among the security functions of mobile payment, pilfer date trojan virus killing function is the most mature one with the highest user awareness, with 74% of users saying that they are using it, while the concept of payment insurance is relatively new, with only 37% saying that they are using it. Other users, such as mobile phone anti-theft protection, monitoring and intercepting phishing websites, security code scanning, WIFI network killing, pirated software killing, etc. , accounting for about 50%, the proportion is relatively close.
The frequency and demand of users for the safe use of mobile payment have greatly increased. In the priority ranking of common functions of mobile phone security software, mobile phone acceleration and mobile phone payment security account for the highest proportion, reaching 4 1.65% and 39.4 1% respectively. It can be seen that users' demand and awareness of mobile payment security has been greatly enhanced.
20 14 in the second quarter, Tencent mobile phone housekeeper was ahead of other manufacturers in brand recognition and security function utilization, and became the first choice brand for users' mobile payment security applications.
With the increasing penetration of smart phones and mobile internet into all aspects of people's lives, mobile payment has also shown explosive growth since 20 13. A series of mobile payment products called "XX Bao" have caused a constant upsurge. Alibaba has stepped up the promotion of Alipay wallet, and the number of users of Yu 'ebao has exceeded 30 million in the past four months. WeChat payment has reached tens of millions of users in just a few months through taxis and WeChat red envelopes.
It is becoming more and more common for people to shop, transfer money, repay credit cards, book tickets and recharge their phone bills through mobile phones. Statistics show that in 20 13 years, the scale of China's third-party mobile payment market has exceeded120 billion yuan. The next decade will be the golden decade of mobile payment industry, which has basically become industry knowledge.
While mobile payment brings more convenience, it also faces more and more security risks. According to the analysis of Kingsoft Internet Security Center, from the beginning of 20 13 to February of 20 14, the risk factors such as viruses and trojans related to mobile payment surged by 3 12%, which became a very important reason for threatening the assets of netizens.
First, the scale of China's mobile payment market.
With the rapid growth of mobile Internet users and the maturity of mobile e-commerce related industrial chains, the number of users of online payment and mobile payment has expanded rapidly.
Statistics show that as of 20 13 and 12, the number of users using online payment in China has reached 260 million, and the utilization rate has reached 42. 1%. In 20 13, mobile phone online payment grew faster, with the user scale reaching1250,000 and the utilization rate exceeding 25%, which was 1 1.9 percentage points higher than the end of 20 12.
In terms of payment amount, statistics show that in 20 13, the transaction scale of the third-party internet payment market in China exceeded 5.3 trillion yuan, up 46.8% year-on-year, and the overall market continued to grow at a high speed. In 20 13, the transaction scale of the third-party mobile payment market in China also exceeded120 billion yuan, with a year-on-year growth rate of over 700%.
In the domestic mobile payment market, Alipay wallet, online banking clients of major banks, Lacarra and WeChat payment have formed the first army, accounting for more than 90% of the market share. Among them, Alipay wallet is still far ahead, accounting for about 60% of the market share. Tencent's WeChat payment is ready to go, with the fastest growth, becoming the most powerful competitor to impact Alipay's wallet status.
Recently, Tencent and Alibaba have launched hand-to-hand combat in the field of mobile payment. Through several battles such as Internet wealth management products, Spring Festival red envelopes and mobile phone taxi software, the competition is extremely fierce. From the perspective of the whole mobile payment market, it is these campaigns that have greatly improved netizens' awareness of mobile payment, which is of positive significance to market education and industry structure.
Second, mobile payment security risk analysis
Since the second half of 20 13, with the hot concept of internet finance, more and more netizens have used mobile payment and financial management, followed by malicious attacks on mobile payment tools, and the victims' losses are generally more than before.
Kingsoft Internet Security Center found that malicious attacks mostly take the following forms:
1, mobile phone verification code thief
The characteristics of this virus are: very simple and low-cost virus, low development threshold, mastering some social engineering skills and easy to obtain.
The main function of viruses is to intercept short messages, some intercept all short messages, and only intercept short messages related to verification codes with a little care. Then, the virus forwards the intercepted SMS to the thief by email or SMS. Thieves can use the stolen verification code and personal information such as ID number, secret security information and bank card number obtained from the victim through social engineering to reset Alipay password.
After the thief obtains the login and payment authority, he can immediately transfer the balance, spend money (usually buying game cards and mobile phone recharge cards), quickly pay the current deposit of the associated bank card, and apply for a Taobao loan. The loss of the victim can reach hundreds of thousands of yuan.
2, online shopping refund fishing.
After the normal transaction, the swindler faked the online seller, lied that the transaction failed, and contacted the buyer for a refund. During the chat, send phishing websites to defraud the victim's bank card, ID card and verification code information. After success, the victim's online banking funds will be quickly transferred away through Internet payment tools.
A large number of similar cases have appeared. In addition to buying general goods through the internet, the victim was also fooled. Some customers who booked air tickets were dialed by swindlers before taking off. The swindler used the cancellation or change of the flight as an excuse to trick the victim into getting a refund. During the chat, let the victim transfer money through online banking or ATM.
3. The fake ID card is used to reissue the SIM card of the mobile phone.
By illegally purchasing personal information, forging other people's identity cards, and reissue mobile phone cards in the business halls of some poorly managed telecom operators. The victim's mobile phone SIM card was invalid, but the other SIM card directly fell into the hands of criminals. The subsequent result is exactly the same as that of the captcha thief poisoning. Thieves can easily gain control of victims' funds by resetting their passwords.
4. Apply for a credit card to defraud personal details.
Under the guise of handling a large credit card, the victim is tricked into providing detailed personal information, opening an account with a bank card, and associating the new savings card with the thief's mobile phone number. Thieves quickly used Internet payment tools and mobile payment tools to transfer all the funds in the victim's new savings card.
Third, statistics on the number of viruses related to mobile payment.
Before the popularization of mobile payment platform, Kingsoft Internet Security Center observed that the main attacks on payment were online shopping Trojans and phishing websites. The attacker disguised the online shopping Trojan as a picture file related to goods and sent it to the victim for double-clicking. Once poisoned, online shopping Trojan can take away online banking funds at the moment of payment. Online shopping Trojans are recognized in the industry as trojans with certain technical content, and the development threshold is high.
After the popularity of mobile payment tools, especially in the second half of 20 13, the number of netizens using mobile payment increased rapidly, and many people began to use mobile phones to manage their finances. The wealth contained in mobile phones has attracted the attention of many attackers. At the same time, due to the openness of Android, Android virus is growing rapidly. In Android suspicious files, the virus detection rate is as high as 7%.
Some attackers soon discovered that they can get a lot of wealth by intercepting SMS messages from Android phones. July 20 13, Kingsoft Internet Security Center intercepted the first verification code theft virus, and local media kept reporting cases of inexplicable theft of online banking funds. Many people can't understand that the bank card, U shield and password are all in their own hands, but the money in the bank card is missing.
Kingsoft Internet Security Center has made special statistics on the infection of mobile phone viruses of captcha thieves. Up to now, * * * has intercepted 2959 samples of captcha thief virus, and more than 2800 Android phones of different models are infected with captcha thief virus every day. The victim's loss is hard to estimate.
In addition to mobile phone viruses, users will also be deceived and harassed by various fraudulent short messages. Criminals use mobile phone short messages to send a large number of short messages containing fraudulent contents, directly trick netizens into logging in to fake bank phishing websites to defraud online banking funds, and trick netizens into transferring money through ATM machines or online banking through short messages, telephone calls, etc.
Phishing websites also have a great influence on mobile phone users. According to the statistics of Kingsoft Internet Security Center, fake online shopping phishing websites account for 47% of the total phishing websites. Due to the limitation of mobile phone interface, it is more difficult for users who surf the Internet with mobile phones to distinguish between true and false websites than users who surf the Internet with computers. Once fooled, it is difficult to avoid economic losses by submitting personal information to phishing websites.
With the popularity of various "treasure" financial management tools, various fake investment financial management websites related to it have grown rapidly. The main types are: 1. Small loan processing, 2. Credit card processing. Investment and financial fraud. Among them, investment and wealth management phishing is the type with the highest amount of single fraud, and the amount of single fraud is above 1500 yuan.
Four. Expert advice and solutions
There are two basic conditions for the occurrence of mobile payment security-related cases: one is the disclosure of personal information caused by various reasons; Second, for various reasons, the mobile phone verification code information on which mobile payment depends reaches the hands of criminals.
Only by preventing these two basic conditions from being met at the same time can we prevent the occurrence of cyber crimes. Specific suggestions are as follows:
1, netizens need to be aware of the importance of password management.
Important and key network services (e.g. common email, B2C website account, QQ, Weibo, etc.). You must ensure that the password will not be reused. Reusing passwords is like opening all the doors with one key. As long as any website is hacked, it will endanger the security of all key network services.
Internet users can choose to use password management software to generate complex passwords on their own computers, and then encrypt and store the generated passwords in their local computers. Pay attention to changing important service passwords regularly.
2. Relevant enterprises and units cooperate to protect citizens' personal information.
Enterprises, units and state organs in charge of users' personal information should strengthen the security management of information systems to prevent hackers from invading; Judicial organs strengthen the investigation and punishment of crimes of illegally reselling personal information and crack down on illegal intrusion by hackers according to law;
Security vendors, media, banks and other institutions continue to educate netizens about safety knowledge, so that netizens can gradually develop the habit of consciously protecting personal information.
3. Use security software to intercept the abuse of authority that is common in mobile phone application software and prevent mobile phone software from illegally collecting personal information. The slow development of mobile payment not only occurs in China, but also in many western developed countries. As far as mobile payment is concerned, there are two obvious shortcomings: first, most mobile phones are limited by the capacity of SIM cards, and the information sent is plain code, which makes the security of mobile payment low; Second, the poor immediacy of SMS payment will inevitably lead to the stagnation of capital flow and logistics. In order to make mobile payment reach the ideal fast and safe level, from a technical point of view, at least two problems must be solved. The first is the integration of SIM card and STK card. STK card is a small programming language software, which can be solidified in SIM card. Can send and receive GSM short message data, and play the role of interface between SIM card and short message. At the same time, the SIM card is allowed to run its own application software. Secondly, it is necessary to ensure the timeliness of information transmission through technical means. Mobile payment generally requires strong real-time communication. In some cases, when using SMS, it is often delayed due to storage and other reasons. In addition, the purchase of some items can be realized not by SMS, but by voice, which will lead to the call cost and increase the transaction cost. How to use voice callback and other means, as well as the comprehensive comparison and adoption of S M S, WAP, GPRS and other transmission means, remains to be studied.
Existence trap
"Active disclosure" means that users voluntarily disclose personal sensitive information such as personal bank cards, Alipay accounts and passwords to criminals without realizing the security risks in their accounts. Active exposure is often accompanied by various "fishing traps" carefully designed by criminals. Recently, Baidu Mobile Guardian caught a "serial trap" of mobile payment by "fishing".
In order to obtain the user's mobile phone number, bank account number and bank card password, criminals designed a fraudulent short message of winning the phone bill to trick the user into clicking on the "phishing website" in the short message to redeem the bonus. This short message uses the means of "pseudo base station" and disguises the sending number as the official service number of China Mobile, 10086, which improves the confusion of fraudulent short messages. Once users enter the phishing website, they will be required to fill in personal mobile phone number, bank account number, bank password and other information, and download a "China Mobile Client". This seemingly formal software is actually a new type of mobile phone virus, which can intercept bank verification messages. From then on, criminals can steal assets from users' online banking unnoticed.
In addition, there are criminals who make all kinds of fake online banking and payment applications to trick users into downloading and using them to obtain user information. These means make users inadvertently reveal their personal information, which poses a great threat to the property security of bank accounts.
Stealing privacy quietly, hiding nothing.
In addition to fraudulent SMS messages and new viruses, mobile phone system vulnerabilities and free WiFi will also lead to user information disclosure, threatening the payment security of users. Zhuge Jianwei, a mobile phone security expert and associate researcher at Tsinghua University, said: "You just connected a free WiFi in cafes and bars, brushed the news of the World Cup, opened a normal website and started a regular app, and you may be caught and your mobile phone is controlled."
According to CCTV reports, in fact, criminals can take advantage of the security loopholes in the mobile phone operating system itself, insert malicious attack programs, and then silently read all the user privacy information stored in the mobile phone. This malicious program is usually implanted into the mobile phone when the user connects to the "cottage WiFi" set by criminals or when the user plugs the mobile phone into the computer, and uses the security vulnerability of Android ROOT to obtain the highest authority of the mobile phone. This means that the attacker has gained complete control of the mobile phone. Once the mobile phone is completely taken over, the payment account password will naturally fall into the hands of hackers, and property security cannot be guaranteed.
It is not uncommon to use free WiFi to commit fraud: CCTV reported that Mr. Zhang, a citizen of Nanjing, used public WiFi, which led to the theft of the password of the online banking account. In two days, more than 60,000 yuan in the card was stolen, and most of the money was used to purchase virtual items such as prepaid cards and game cards.
For this trap, Baidu mobile guard experts pointed out that this requires users to improve their security awareness. It is not recommended to turn on the automatic connection function of mobile devices when going out. Don't take the initiative to connect when you see free WiFi. It's best to check with the merchants who provide WiFi, so as not to fall into the trap and give hackers an opportunity. If you surf the Internet, you can use the function of Baidu Mobile Guardian to check the WiFi environment to ensure the security of the Internet environment. It is understood that in order to further ensure the security of users' WiFi, Baidu Mobile Guardian has also accessed 6,800 cafes in dozens of airports and 38 cities across the country to provide users with payment security tips with WiFi usage, further reminding users to pay attention to the security of WiFi.
There are more and more security traps in mobile payment. Baidu Mobile Guard experts further advise users to learn to protect the security of personal information and not to easily fill in and disclose personal sensitive privacy information. If users are still uneasy about the security of mobile payment, they can also start Baidu Mobile Guardian's "100 million yuan guarantee and compensation plan for safe payment". In case of economic losses, you can get a single payment of up to 3,000 yuan from Baidu Mobile Guardian, and the highest annual payment is 654.38+10,000 yuan, which makes the mobile phone consumption process more secure.