Protect yourself from smartphone scams

Posted on October 7, 2013 10:40 am

When it comes to computing devices that contain sensitive information and access the Internet, security and privacy are a major concern. Losing a computing device like a tablet or smartphone is one of the most common problems people face today. Your mobile phone landing in a criminal’s hands is disastrous. Imagine a goldmine of personal, business and work information falling into the wrong hands of crooks and criminals. I always advise that if someone unknown to you asks to borrow your mobile device for a quick phone call, be careful and vigilant, otherwise you can land in trouble. I equate such a move, granting a third party temporary access to a device that holds very sensitive data about you, be it private pictures, emails or text messages to mention but a few, to handing over car keys to a robber. Before granting that request, ask yourself how long it would take to download malware onto your phone. It takes less than the time one needs to make a fake phone call to download it and render your security and privacy irrelevant. On the desktop and laptop, physical access has always meant no security. Physical access to mobile and computing devices no longer requires breaking into brick-and-mortar facilities. It is tough for the IT industry because history has shown that it is just a matter of time before an individual breaks through any physical security measure to access data on a disk.

The solution to this menacing problem is to design systems on the assumption that physical access will be granted to untrusted parties, and not to assume that any physical security layer will stand the test of time. Securing data on disk relates closely to the previous issue, the physical loss of mobile phones. Losing a mobile device becomes a non-issue if the data stored on that device is inaccessible to unauthorized parties. However, most of the information used by mobile applications is stored locally, including password files and authentication tokens, which all need to be protected as well. The ability to store sensitive information locally in a secure manner, while keeping it accessible to the applications that need it to function properly, is an important requirement for secure mobile computing. Strong authentication that uses a combination of letters, numbers, special characters and a space is now the industry standard. But trying to apply the same standard on a mobile keyboard is difficult. The need to uphold strong authentication requirements is imperative, especially if the access is to sensitive data. Enforcing such standards on a mobile keyboard makes even the most paranoid security professional rethink their password strategy. On a mobile phone there is no such thing as logging into the device as a separate user, unlike the case with desktops and laptops. You just enter a four-digit PIN and you are logged into the system. Under such circumstances, if one application is used purely for business purposes and the others for personal use, there is no distinction from one application to the next.

The challenge is that each application may need a different security model so that data from one does not get exposed to the other, and because there is only one user profile, your phone may or may not be able to support the distinction. A safe browsing environment is a must, not an option, when it comes to mobile phone Internet access, and the biggest exposure of a mobile device is the user’s browsing behavior. For example, the lack of screen real estate on a mobile device simply makes a phisher’s life easier. Take the inability of some Android and Windows smartphones to display an entire URL in the mobile browser, and in some cases the inability to view the URL at all: it makes phishing links significantly more effective. Furthermore, the fact that links are followed far more often on mobile devices also makes a scammer’s life a lot easier, and this has been the case in many incidents. Also be wary that the use of social networking sites on mobile devices, combined with the heavy reliance on URL links posted on sites like Google Plus, Facebook, Twitter and others, makes it next to impossible for most users to determine which links are safe and which are not. The mobile browser security model in most smartphones needs to pay special attention to such common but burdensome issues, otherwise consumers will find themselves in trouble. As we have witnessed with the recent revelations by Edward Snowden, a fugitive American security contractor, securing an operating system is no easy task, but it is a task that every mobile software vendor needs to undertake for the sake of the user’s security.

The task is difficult due to all the constraints I have mentioned, but how well the mobile device vendors address security issues will directly translate into a strong user experience. In my software development experience, I have learned that security often correlates with data loss and system downtime. Simply put, if strong security prevents a user from making a phone call on their mobile device, then the user experience will be tremendously weakened. In this third and last article of my mobile security series, I want to dwell on application and app security, and on location privacy and security, more than anything else. Privacy is one of those things that are hard to pin down with users. Most mobile users want privacy, but most of them give it away by using products such as Google Latitude and applications that require someone’s location before downloading. Google Latitude allows a user to control whom they share their location with. Phone owners’ loss of location privacy is a moot point, because most mobile phone users assume their location privacy was lost as soon as they started carrying a mobile device, especially a smartphone. This may or may not be true, but the use of GPS, location software, or simply one’s Twitter, Facebook or Google+ page to alert friends about one’s whereabouts introduces a new level of operating system security issues that has never really been a concern for desktop and most laptop operating systems. The mobile application layer is where users install items if the framework architecture was designed correctly, but device drivers such as Bluetooth and video drivers need full access to the system in order to perform their functions properly. Most users I’ve come across do not download device drivers on a weekly basis, meaning that any device driver that has not been secured properly could be under attack.

A study carried out two years ago by a German university said that many mobile operating systems such as Android have built in a variety of strong protection schemes against system-level access to the operating system, but if third-party drivers provide a method to get around these protection schemes via their potentially insecure code, the device will be exposed to attackers. If a Bluetooth driver allows an attacker to gain system access on a phone, the manufacturer of that phone and the operating system vendor will be assumed guilty by the user, not the vendor of the device driver. Another security issue that must be taken into account is that multifactor authentication, commonly referred to as MFA, is strongly needed on mobile devices. Mobile phones can fall into the hands of any person, and to address this, mobile web applications should be built with a soft multifactor scheme that is authentic and invisible to the user. Soft forms of MFA can be spoofed by attackers who authenticate with a similar browser, from the same source IP range and with the same HTTP headers. When a phisher is able to collect a user’s credentials, the attacker will be able to replay the user’s browser information to the mobile web application and pose as the user despite the MFA. Thick-client mobile apps are the most appropriate way for multifactor authentication on mobile web applications to uniquely identify a mobile device. Most of the mobile web applications I have seen attempt MFA by creating a device signature associated with the user’s mobile phone. The signature is a combination of HTTP headers and properties of the device’s connection. When a user attempts to log in, the device signature is recomputed and compared to the value stored in the mobile web application’s database. If the signature does not match, the user must complete a challenge sequence involving out-of-band confirmation through e-mail, SMS or a phone call.
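The device-signature check described above, written out as an added example (not code from the original post or from any particular web application). It assumes a server-side HMAC key (placeholder value), a chosen set of bound headers and the source /24 range as the "connection property", and it shows both the mismatch that triggers the out-of-band challenge and the replay of captured headers that a soft signature cannot distinguish from the real device.

```python
import hashlib
import hmac

# Placeholder key; a real deployment keeps this in a secret store.
SERVER_KEY = b"placeholder-server-side-hmac-key"
# Headers the application chooses to bind into the device signature.
BOUND_HEADERS = ("User-Agent", "Accept-Language", "Accept-Encoding")

def ip_range(addr):
    """Reduce an IPv4 address to its /24 range, the connection property bound here."""
    return ".".join(addr.split(".")[:3]) + ".0/24"

def device_signature(headers, source_ip):
    """Canonicalise the bound headers plus the IP range and HMAC them."""
    parts = [f"{h.lower()}={headers.get(h, '').strip()}" for h in BOUND_HEADERS]
    parts.append("ip_range=" + ip_range(source_ip))
    msg = "\n".join(parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def login_decision(stored_sig, headers, source_ip):
    """'allow' if the recomputed signature matches the stored one,
    otherwise 'challenge' (out-of-band e-mail, SMS or phone call)."""
    if hmac.compare_digest(stored_sig, device_signature(headers, source_ip)):
        return "allow"
    return "challenge"

# Constructed sample: the enrolment request of a legitimate user.
ENROL_HEADERS = {"User-Agent": "Mozilla/5.0 (Linux; Android 4.3) Mobile",
                 "Accept-Language": "en-US,en;q=0.8",
                 "Accept-Encoding": "gzip, deflate"}
STORED_SIG = device_signature(ENROL_HEADERS, "192.0.2.17")

def demo():
    # Same phone, new address inside the enrolled range: matches.
    same_device = login_decision(STORED_SIG, ENROL_HEADERS, "192.0.2.40")
    # Phished credentials used from a different browser and network: challenge.
    other = login_decision(STORED_SIG,
                           {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
                           "198.51.100.9")
    # Captured headers replayed from within the same range: matches too,
    # which is exactly why a header-only "soft" factor is a weak one.
    replay = login_decision(STORED_SIG, dict(ENROL_HEADERS), "192.0.2.200")
    return same_device, other, replay

if __name__ == "__main__":
    print(demo())
```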
I hope you have learned how to keep your mobile phone safe and secure.

Contador Harrison