As mobile usage grows and security threats such as rogue applications and infected mobile browsers increase, consumers will need to take more care when they use their handsets to transact, say industry players.
Winston Yeo, marketing director for telecoms at digital security vendor Gemalto, noted that one of the main challenges currently hindering wider adoption of m-commerce is the lack of antivirus software built with mobile handsets in mind, particularly smartphones.
"The lack of antivirus [software] on smartphones is one of the main security threats as malicious software can be used to, for example, sniff out sensitive information from your phone," he added in his e-mail.
In a previous ZDNet Asia report, though, an IDC analyst explained that mobile security tools have been available for several years but adoption remains low because there have been few instances of mobile attacks.
In fact, a 2008 survey from F-Secure revealed that 86 percent of respondents did not have security software installed on their handsets.
But they may be encouraged to do so in future as the number of mobile attacks is expected to grow.
According to McAfee Labs, the bulk of threats will come from rogue applications and browser-based attacks.
Paula Greve, director of Web security research at the security vendor, told ZDNet Asia in an e-mail: "The prevalence of hacks against a smartphone's browser is going to grow based on the number of people using that browser."
The Apple iPhone and iPad, for example, are "leading the way" in mobile computing and this will make their default browsers likely targets of malicious hackers, Greve said.
With that in mind, she applauded Apple's decision to restrict Adobe Systems' Flash technology on these devices.
Apple CEO Steve Jobs had criticized Flash for being proprietary, unstable and insecure. "Flash is the No.1 reason Macs crash," he said in an open letter published in April.
Greve said: "Flash is a rather intrusive as well as cross-platform technology, which means that supporting it opens up significant risk as the malware would also be cross-platform and other mobile devices could be infected, even if they were not specifically targeted."
In an apparent response to Jobs' criticisms, however, Adobe argued that security is "one of the highest priorities" for its Flash player team.
Security by NFC
According to Yeo, though, security risks in technologies that support m-commerce, such as near-field communication (NFC), 3G, wireless and Bluetooth, will be limited as long as the data transmitted via these channels is encrypted.
He underscored the need for mobile handsets used in mobile payments to be "trusted", adding that the "simplest way" to do so is by leveraging the security embedded in the phone's SIM card, or smart card.
"The use of a secure element, such as universal integrated circuit card (UICC) in a phone to store sensitive information like payment credentials, brings significant security," he said. Yeo also pointed out that the UICC, which is the smart card used in GSM networks, for example, has been adopted for "proximity NFC transactions".
Greve, though, noted that NFC has "significant" security issues due to its reliance on the proximity factor to safeguard over-the-air transactions.
"Obvious issues include fake readers, eavesdropping and even people who may invent wacky technology such as a directional antenna," she explained.
iPhones that have been "jailbroken" or reconfigured to run apps not approved by Apple's App Store are particularly at risk as such software may redirect users to iTunes accounts created to steal their personal information, she added.
Asked when mobile security risks will hit mainstream users, Greve said this would depend on the prevalence of mobile devices and use in consumers' daily lives.
"Eventually, as mobile devices become more powerful and full-featured, they will compete with their larger predecessors such as the desktop or laptop," she observed. "At this point, mobile threats will be synonymous and a whole new type of threat will be attacking these devices to infiltrate users' online identities."
Gemalto's Yeo predicted that mobile threats will enter the mainstream market "when multiple cases of fraud using the same attack technique make the news".
"My guess is [this scenario] will probably happen sometime over the next two to three years," he added.
Mobile user remains unfazed
However, one user that ZDNet Asia spoke to illustrated the keen interest and uptake in mobile commerce and payments within the Asia-Pacific region.
Singapore-based June Wong told ZDNet Asia in an online interview that she was "very comfortable" making transactions via her handset.
She attributed this confidence to the mobile token issued by her bank, DBS Bank, which "provides a pin unique to her account".
"This gives me the assurance that no one else will be able to access my account online," Wong said. "It is also so convenient and to be able to perform bank transactions on-the-go, and on-demand, is great."
According to survey findings from research firm Gartner, the Asia-Pacific region is leading the way in mobile payment adoption, with the number of users set to grow from 41.8 million in 2009 to 62.8 million by end-2010. Worldwide, the number of mobile payment users is expected to surpass 108.6 million this year.