Most of the advanced mobile phones people carry today are smartphones, which are effectively personal computers (PCs). As a result, the vulnerabilities of smartphones make many people targets for attackers. According to a report released earlier this year, smartphones outsold PCs for the first time, and attackers are now taking advantage of this growing market by reusing old techniques. One example was this year's Valentine's Day attack, in which attackers distributed a mobile picture-sharing application that sent premium-rate SMS messages from users' phones without notifying them. One study reported a 42 percent increase in new mobile operating system vulnerabilities from 2009 to 2010. The number and sophistication of mobile attacks around the world are increasing day by day; however, countermeasures have been slow in coming.
All modern handheld devices, whether smartphones or personal digital assistants (PDAs), provide mobile access to email, Internet browsing, GPS navigation, and many other applications. But smartphone security does not match that of traditional computers. Features such as firewalls, antivirus, and encryption are generally not available on these phones, and mobile phone operating systems are not kept as up to date as those on personal computers. Mobile social networking applications lack the detailed privacy controls of their PC counterparts. Most smartphone users do not notice these security flaws. Many users have various important security software and systems loaded onto their phones, and they feel that accessing the Internet through their phone is as safe as using a computer.
Mobile phones are becoming increasingly attractive targets for attack. More people use smartphones for a variety of personal activities, including storing sensitive data such as email, calendars, contact information, and passwords. Mobile applications such as Facebook and Twitter accumulate valuable personal data. The automation of mobile commerce is further promoting mobile biometric identification, which allows users to conduct various transactions over wireless networks, such as purchasing goods and applications, redeeming coupons and tickets, banking, processing payments at points of sale, and even paying at the cash register.
Typical Attacks Leverage Portability And Similarity To PCs
Mobile phones now share most of the vulnerabilities of PCs, and characteristics such as portability, ease of use, and ease of modification make them vulnerable to many attacks.
1. Perhaps the simplest example is portability, which makes mobile phones and PDAs easy to steal. A person who loses a mobile phone may lose all kinds of data stored on it, from personal identifiers to financial and corporate data. Worse, given time, sophisticated attackers are able to circumvent most security features of a mobile device and gain access to the information inside.
2. Many malicious apps are offered as seemingly legitimate software applications. Some mobile operating systems allow anyone to develop apps, and some mobile service providers offer third-party applications with little or no assessment of their security. Other sources not affiliated with mobile service providers may also offer unregulated apps that access locked capabilities of these phones. Some users root or jailbreak their devices to download these apps and bypass their operating system's lockout features.
3. Even legitimate smartphone software can be exploited. Mobile phone software is no different from PC software: the software and network services associated with mobile phones have their own vulnerabilities. For years, attackers have exploited mobile phone software to listen in on conversations, crash the phone software, and carry out many other attacks. An attack can be triggered by a user action, such as clicking on a maliciously crafted web link that exploits a vulnerability in a web browser. However, a user may also be passively exposed simply because the device has a vulnerable application or network service running in the background.
4. Phishing attacks, now seen across the entire world, use electronic communications to trick unsuspecting users into installing malicious software or revealing sensitive information. Email phishing is nothing new on PCs, and it is just as dangerous on email-enabled mobile phones. Mobile phone users are also at risk of phishing voice calls, known as vishing, and phishing SMS/MMS messages, known as smishing. These attacks target feature phones as well as smartphones, sometimes with the aim of tricking users into making fraudulent charges against their phone bills. Phishers step up their activity immediately after a current event, making their communications look like news stories or solicitations for donations. Spammers adopted the same method after the March 2011 earthquake and tsunami in Japan.
Consequences Of A Mobile Attack Can Be Severe
Almost all users can agree that mobile phone security is less important than PC security, but this does not reduce the risk of mobile attacks. Malicious software can make the phone part of a network of devices operated by an attacker (known as a botnet). It can send information about the device to attackers and carry out other harmful commands. Viruses can also spread from mobile devices to the PCs they connect to.
In earlier times, losing a mobile phone meant losing only contact details, call history, a few SMS messages, and maybe a few photos. More recently, losing a smartphone means losing the financial information stored by banking and payment apps, along with the usernames and passwords used to access apps and online services. If a phone is stolen, attackers can use this information in different ways to access the owner's bank account, credit card, and debit card details.
The attacker can also steal, disclose, or sell the personal information taken from the device, such as user information, contact information, and GPS location.
Additionally, even if the victim gets the device back, he or she may still receive spam emails or SMS/MMS messages and may now be targeted for other phishing schemes.
Some personal and business services add an authentication barrier by calling the user's mobile phone or sending an additional password over SMS before allowing access to the site. An attacker who holds the device has closed that gap: if the device also has the owner's username and password for the service, the attacker can log in and gain full access to it.
Take Steps To Protect Your Mobile Device
1. Although smartphones now come with many features that were previously exclusive to PCs, mobile security measures are neither as sophisticated nor as comprehensive as those on PCs. This means that much of mobile phone security depends on the user making smart and careful decisions. Even the most careful user can become a victim of a mobile phone attack, but following best practices for mobile phone use reduces the likelihood or impact of most incidents.
2. When buying a mobile phone, check its security features. Ask the service provider whether the device offers features such as file encryption, the ability for the provider to remotely locate and erase the device, remote removal of known malicious apps, and password-protected access to the device. If you back up your phone data to a computer, select the option to encrypt the backup. Also, if you plan to use the device for VPN access, as some users do on work networks, ask the service provider whether the device supports certificate-based authentication.
3. Secure your device. Many smartphones have a password feature that locks the device until the correct PIN/password is entered. Make sure it’s enabled and choose a password that is appropriately complex. Make sure you also have encryption, remote wipe, and anti-virus software enabled, if available.
4. Set up secure connections for web accounts. Accounts on some websites can be set to use a secure, encrypted connection (look for HTTPS or SSL in the account options pages). Enabling this feature deters attackers who spy on web sessions. Most of the popular mail and social networking sites provide this feature.
5. Never click on links in suspicious emails or text messages, as those links may take you to malicious sites. Limit exposure of your mobile phone number: consider very carefully before adding your mobile phone number to a public website. Attackers can use software to extract mobile numbers from the Internet and later use them to carry out attacks.
6. Consider very carefully the details that will be stored on the device. Remember that given enough time, sophistication, and access to the device, an attacker can obtain everything stored on it.
7. Be selective in choosing and installing apps. Do a little research on an app before installing it, and find out which permissions it requires. If those permissions go well beyond what you would expect for that kind of app, do not install it, as it is probably a Trojan, that is, malicious code disguised as something attractive.
8. Do your best to maintain physical control of the device, especially in public or semi-public places. Portability makes mobile phones very easy to lose and most importantly to steal.
9. Turn off any interfaces you don't use, such as Bluetooth, infrared, or Wi-Fi. Attackers can find ways to compromise a device through software that uses these interfaces.
10. Set Bluetooth devices to non-discoverable. In discoverable mode, your Bluetooth-enabled devices are visible to other nearby devices, which may alert an attacker or infected device to target you. In non-discoverable mode, your Bluetooth-enabled devices are invisible to other unauthenticated devices.
11. Resist the urge to use unknown Wi-Fi services and public hotspots. Attackers can set up fake Wi-Fi hotspots to attack mobile phones without anyone's knowledge, and they sometimes scan public Wi-Fi hotspots to find vulnerable devices. Also, enable encryption on your home Wi-Fi network.
12. Delete all information on the device before destroying it. Check the device manufacturer's website for information about securely erasing data. Your mobile phone provider may also have useful information about securely erasing your device.
13. Beware of misleading social network applications. Most of these apps expose your personal information to the wrong people without your knowledge. Additionally, some apps, such as those that track location, may disclose your location to unauthorized persons.
14. Do not root or jailbreak the device. Most third-party device firmware is used to unlock locked features of the device, and it may contain viruses or be weak in security. Changing the firmware may also void the device's eligibility for future upgrades provided by the operating system vendor, including most security updates and other feature upgrades.
Take Immediate Action If Your Mobile Phone Or PDA Is Stolen
1. Notify your organization and your mobile service provider immediately of the theft or loss. If the phone or PDA was provided by your organization and is used to access confidential information, notify your organization immediately. If the phone or PDA is a personal device, report the loss to your phone service provider as soon as possible to prevent anyone from using the device to make unauthorized calls and to limit fraudulent charges.
2. Report theft or loss to the police station or local authorities. Depending on the circumstances, it may be appropriate to notify essential personnel and/or local police.
3. Change account credentials. If you accessed remote resources, such as a corporate network or social networking sites, through your phone or PDA, revoke all credentials stored on the stolen device. This may mean contacting your IT department to revoke issued certificates or logging into websites to change your password.
4. Wipe the phone if necessary. Some mobile service providers offer remote wiping, allowing you or your provider to remotely erase all data on the phone.