February 9, 2010


How the Rise of Smart Phones Could Unleash a Wave of Fraud

(November 25, 2009) The increasing popularity of smart phones, which has given a big lift this year to consumer adoption of mobile banking and payments, has brought with it an ominous new threat of fraud. Last week, the Dutch security firm XS4All reported on a worm that infects iPhones and allows hackers to steal information from them. The worm, or malware, attacks so-called jailbroken phones, or iPhones that users have altered with software that lets the phone run programs not approved or supported by Apple Inc., the popular device’s maker.

That may be only the beginning. A U.S.-based security-software vendor predicts a wave of fraud stemming from a wide range of smart phones, including BlackBerry devices, phones running Google Inc.’s Android operating system, and iPhones. These devices, which are essentially handheld computers that can link to the Internet, began to hit the mass consumer market only two years ago with the arrival of the iPhone. That makes them especially vulnerable compared to PCs. “Phone malware is new,” so there’s no antivirus to ferret it out, says Ori Eisen, founder and chief innovation officer at 41st Parameter Inc., a Scottsdale, Ariz.-based firm whose software helps detect efforts to hack into payment systems.

Smart phones now total 29 million in the U.S., or 12.5% of all handsets in use, according to comScore. That’s helping to drive consumer adoption of mobile banking and payments because smart phones’ built-in computing power and ability to link to the Web, along with their large screens and sophisticated graphics, make them ideally suited for these functions. Banks are reporting that a large fraction of their new customers for mobile banking are iPhone and BlackBerry users.

But that very popularity for payment and banking is also starting to make the devices a target for cyberthieves. The worm discovered by XS4All was aimed at customers using their iPhones to conduct banking with ING Group N.V., the big Netherlands-based financial institution. After taking over the device, the malware sends data from the phone to a server in Lithuania. Financial-services executives should expect more such attacks, says Eisen. “The first shot across the bow happened last week,” he says. And while the worm infects jailbroken phones, there’s no reason to suspect hackers won’t ultimately attack unaltered devices, he says.

Besides the novelty of the malware signatures, a number of factors make smart phones more vulnerable to hacking than other handsets. For example, Eisen says, they are designed to optimize battery life, making it impossible to run antivirus programs at the same time another application is running. “If we’re optimizing for power, security isn’t the first thing that comes to mind,” he notes.

Smart phones can also be hard to identify when they link into a bank or merchant server. Session cookies, the small pieces of data that identify users and devices, tend to disappear when users close the browser, and cookies that depend on Flash won’t work at all because the device doesn’t support that technology. From the point of view of a risk manager, “all you will know is that it’s an iPhone [logging in], but what you won’t get is the cookie,” says Eisen. “It will look like all other iPhones.” Eisen says his company gets around that vulnerability with a device identifier that works with smart phones and doesn’t depend on cookies.

For now, though, he warns that hackers, always looking for easy targets, will likely ramp up their attacks on smart phones. “Currently, it’s the jail-broken phones,” he notes. “It’s the path of least resistance. But I think this [wider fraud] is coming. I could be wrong, but all the evidence points to it.”









Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.