Smartphones - more mobile, more vulnerable

By Matt Greenop

Herald online·

9 Feb, 2011 01:58 AM5 mins to read

A 'smishing' message offering US$500,000 from the USA Mobile Lottery. The email address is a Windows Live account in China. Dubious? Photo / Supplied

Smartphones are now totally ingrained in many of our lifestyles, but come with more risk than most realise, according to security specialist RSA.

Checking email, web surfing, online banking or shopping, even updating the ol' Facebook - jobs that once required sitting down at a computer - can now be done from almost anywhere, depending on your network provider.

But as we take our entire lives on the road, many of us forget that a number of the risks associated with PCs are just as applicable to our beloved smarphones.

The devices do just about anything that can be done on a computer, which makes them targets to legions of cyber criminals.

RSA's anti-fraud command centre put mobile malware - software designed to invade and exploit cellphones - right at the top of its annual report on cybercrime threats to watch this year.

It singled out mobile application downloads, which IDC says will double to 25 billion this year.

"As the industry looks to remove barriers to make it as cheap and easy as possible for application developers to meet the demand of mobile users, the proliferation of malware targeted at these applications and devices is inevitable," RSA's report said.

RSA believes that the crossover of consumer devices - like iPhones - into enterprise offers a very real threat to companies. Whether employees are provided with devices, or use their own in a work environment, there is potential to open up a backdoor for malware to sneak into corporate systems.

Banking is one area that, for obvious reasons, attracts the scum of the cyber world.

"Many banks use out-of-band phone calls or SMS authentication as an extra security measure to validate high-risk transactions," said the RSA threat report. "To circumvent these extra layers of security cybercriminals have already developed tools to work around them."

RSA research says that for US$25 a cybercriminal can order a telephony denial-of-service attack. This 'floods' a consumer's mobile device with call requests, rendering it unavailable for incoming calls or text messages and stopping a bank checking a transaction.

It has also found that SMS forward services are available to criminals, whereby the one-time SMS passcode sent to a user's phone is intercepted and forwarded directly to the cybercriminal's phone instead.

A fairly recent move by the cyber underworld uses one of the tried-and-true methods of trapping unwary internet users - phishing.

This is a simple concept, whereby botnets - large groups of computers already infected by malware - are used to fire out huge volumes of spam. Popular - and surprisingly effective - methods include spoofed bank or credit union emails demanding users enter their details including passwords for some official reason or another.

We've all seen this type of nasty junkmail, and other spam types advertising everything from penis enlargement pills, Viagra and 'genuine' Rolexes on the cheap, to ever-hopeful Nigerian money scams - just enter your credit card number and watch your bank account disappear.

Most of us laugh at these obviously dodgy emails that trickle through - but the horrendous truth is that people, lots of people, click these links.

Phishing has been given a smartphone makeover for 2011 - and is now known as Smishing, or SMS phishing.

"Smishing is a growing problem for all banking segments including credit unions, regional banks and large nationwide banks," said the RSA reports.

"Large nationwide banks have been the hardest hit by smishing as cybercriminals can distribute their SMS spam to a wider base of mobile users who are more than likely to have some form of financial account at one of these institutions.

Smishing has now become more successful than its well-established desktop computer cousin, partially because while there are spam-filtering systems in place with internet service providers, and again on individual machines, no well-developed mechanism exists for weeding out suspect text messages.

"Success rates are higher with a smishing attack compared to a standard phishing attack as consumers are not conditioned to receiving spam on their mobile phone, so are more likely to believe the communication is legitimate."

Smartphone precautions

Apps - if you are unsure of the origin of an application, don't install it. When downloading from an online store, read user reviews and ratings.

SMS - text messages from your bank are unlikely to require a password. If you receive an official-sounding SMS requesting your personal information, ring the institution concerned and check that it's legit.

Passwords - while remembering the huge number of passwords our lives require is a hassle, it pays to use different ones for different sites. If your information is compromised through no fault of your own, it's better to restrain the potential damage as much as possible, rather than giving access to every password-protected website you use.

Stupidity - don't be embarrassed about reporting suspicious activity, even if you're wrong, your data will still be safe. And remember, cleverer people than yourself have fallen victim to these scams.