Mobile devices have forced a radical shift in the way human beings deal with their day-to-day activities and how organizations service their customers. Earlier, there was a clear distinction between the Internet, the intranet and the internal corporate network. But today, with miniature yet powerful mobile devices carrying data, sending emails, social networking, banking, gaming, downloading music and videos, the situation is more like scrambled eggs.
In a June 2010 report on Internet trends, Morgan Stanley predicted that by 2012 the number of smartphones shipped would exceed the total number of desktop and notebook PCs. Compact and relatively inexpensive, these devices can be used for many functions, including sending and receiving electronic mail, storing documents, delivering presentations and remotely accessing data.
Even before the advent of smartphones, malicious software and viruses were already a recognized threat to mobile devices. As of 2009, applications allowing users to view and manipulate financial accounts, auction listings, and shopping accounts linked to credit cards are becoming commonplace. Whether they take the form of simple rogue text messages, fictitious billing scams or more malicious attacks using malware installed on the device, the number of attacks is increasing at an alarming rate: mobile malware increased by more than 45% in 2010. With less education about mobile threats and the lack of security on these devices, users seem more inclined to fall victim to them during mobile sessions.
In June 2010, a developer hacked around 400 iTunes accounts. At the end of July, 4.6 million Android users had downloaded a suspicious app that transmits data to a site in China. In the mad haste to market the products and offer increased functionality, neither the mobile devices nor the corresponding software and applications are designed with security as a priority.
As a result, there are increasing problems from applications that upload malware or exploit vulnerabilities in new operating systems, either inadvertently or deliberately. This opens opportunities for cyber criminals to use apps to install a backdoor on such devices and then use it for a range of purposes, such as sending spam or recording keystrokes to steal bank details.
Sophisticated cybercrime groups have emerged as online fraud leaders, deploying malware for phishing, SMiShing and spear-phishing attacks. The execution is what is known as a “man-in-the-browser” attack. The man-in-the-browser (MITB) attack leverages a Trojan Horse (or simply a Trojan): malicious software that is somehow installed, often through various social engineering tactics, and resides concealed on the user's device. It wakes up when the user visits a target site, and functions by capturing and modifying information as it filters communication between the browser's user interface and the Internet. These attacks usually result in a loss of funds for the end-user or business, and a loss of credibility for the victim institutions.
Mobile devices are particularly susceptible to attacks for a number of reasons:
- The distribution of applications to the devices via third-party app stores makes them susceptible to the distribution of malware, and there are no application certification rules.
- Users regularly check email on mobile devices and the current limitations of mobile browsers make it more difficult to identify fraudulent messages and sites. This increases the risk of clicking on or being duped by fraudulent messages. The tendency for quick communication and instant response reinforces the risk.
- There are no restrictions on email forwarding.
- There are no default browser permission rules.
Given the expectation of prompt, unobtrusive communication, creating a culture of mobile security is essential. A few ways to enhance mobile security would be:
- Using effective passwords that are changed regularly.
- Using a powerful AntiVirus and AntiSpyware program and updating it regularly.
- Having backups of all important data and encrypting sensitive data.
- Having an emergency response plan for mobile and wireless security breaches.
- Blending proactive education with appropriate technology that protects network, mobile and wireless connections.
With mobile security turning out to be the elephant in the room, end-user security and strong authentication need to be simple, quick and transparent.