When it comes to security issues, smartphone users are a bit delusional in believing the phone is safer than the PC. “If you can access data on your smartphone, so too can hackers,” warned Martin Hack, EVP of NCP engineering.
What can thieves get from your phone? Access to your mobile banking site complete with passwords and PINs; your email at work and at home; passwords and access to your employer’s networks; your social media accounts that contain all the information an identity thief needs (and desperately wants); access to your PC when you sync your phone; and … much, much more.
For example, smartphones are increasingly being used as a second factor of authentication by banks and other businesses. Cybercriminals are aware of this and will increasingly intercept the SMS-based (text) authentication messages that are sent to users’ phones. Typically, during high-risk or high-value transactions, many online businesses will send a one-time PIN (OTP) or a temporary password to the user’s smartphone by SMS text message. Once the user receives the OTP, they type it into the webpage to authenticate the transaction or simply reply to the SMS message. Businesses do this to add an extra layer of security for user account changes and online transactions in case the user’s login credentials or online session have been compromised.
“However, the downfall of this process is that the temporary code is sent in clear text and anybody with access to the phone can read it,” said Roman Yudkin, CTO at Confident Technologies. You don’t even have to lose your phone for this breach to happen. Cybercriminals are adept at redirecting phone numbers and snatching encrypted text messages from public Wi-Fi or personal Bluetooth connections.
Wake up call
It’s time to wake up and smell the sweaty hacker on your phone. Whether you are a CIO charged with securing the enterprise from employee cell phone use or just a guy or gal toting a loaded smartphone, Tim Armstrong, malware researcher at Kaspersky Lab, said there are several universal things that all smartphone users should and should not do:
1. Lock your screen with a PIN code or password. While this seems simple, anything that provides an extra layer of difficulty for an untrustworthy user is beneficial.
2. Install and enable remote services. All major smartphone operating systems (BlackBerry, iOS, Android, Windows Mobile) support some or all of these features. Remote lock, remote wipe, and even GPS location (for finding where your phone went) are available in many cases. This goes hand in hand with No. 3.
3. Back up your data. Do this either through a product that offers this functionality or simply by copying your documents, pictures and info to your computer. This can save you in the event of a lost, stolen, destroyed, or otherwise non-functioning phone.
4. Use encryption where available. Though not offered on every platform, if you can use it, you should. Even in cases where you lock your phone, the data on your device storage can, in some cases, be accessible unless it is encrypted. This includes external memory cards, such as SD cards, installed in the device as well.
5. Use antivirus. The mobile malware landscape is developing more quickly now than ever before, due to increased reliance on smartphones for everyday tasks such as banking, paying bills, and managing finances. As a direct result, malware writers will likely show an ever-increasing interest in gaining access to your money.
1. Don’t jailbreak, root, or otherwise unlock your phone. While this may add some small increase in functionality, it can also completely disable the security architecture of your device.
2. Don’t connect to untrusted Wi-Fi access points. The coffee shop, the airport or other points of connectivity can be compromised or otherwise provide a way for others to access your secure data. Login data or personal information that you provide over these networks can sometimes be accessible to other people either connected to or operating these access points. It is also worth mentioning that many services on current devices will “auto-synchronize” in the background without any user action. The information used to synchronize, or the information you send or receive during the syncing process, could be available to others in this circumstance.
3. Don’t wait to report a problem. Immediately notify your network administrator or other responsible security person if your phone has been lost or stolen. Treat your phone as though it is your wallet. If you have backed up your data, you will recover.
4. Don’t skip updates. Update your operating system, update your apps. Security flaws are found in both operating systems and applications every day. The longer you wait, the longer you risk being exposed.
5. Don’t assume your mobile device is any safer than your computer. It is a fact that viruses and other malware exist for mobile devices. Phishing attacks often still work on mobile browsers. Employ all the safety tactics you’d use on your regular computer. Check the address of the site you’re trying to access, avoid clicking links in email or SMS/text messages, and avoid providing personal data whenever possible, even via SMS/text message.