DEALING WITH MOBILE SECURITY THREATS

The types of threats to mobile devices are changing fast, and have accelerated in number and complexity during the pandemic. So what are some of the emerging threats, and how can organisations manage secure communications and guard their systems from such risks?

Mobile phones are no longer seen as devices that let you make voice calls or send messages. Instead they have become indispensable gateways to applications as varied as building access, travel tickets, payments, shopping and banking. They are increasingly used to sign up to financial and government services, often using built-in cameras to verify identity.

The fact that the vast majority of the world’s population carries a mobile phone became particularly important during the pandemic, when consumers relied more heavily than ever on their mobiles to shop, bank and access health services. New apps, such as those for tracking and tracing people likely to have been in contact with those infected with the Covid-19 virus, were only made possible by the ubiquity of mobile phones.

ACCELERATING MOBILE USAGE

The evidence is that users will continue to rely on mobile services now that lockdown has eased in many areas of the world. Deloitte’s Digital Consumer Trends survey, carried out in May 2020, found that 40% of respondents did more online shopping during lockdown and 14% had more remote (phone or video) appointments with health practitioners.

When asked whether they will continue to use mobile phones to access services once social distancing rules ease, 62% said they would use mobile applications more for banking, 50% for shopping and 25% for medical appointments.

This changing behaviour is important for government institutions not just because they too need to consider how to provide applications to deliver services, but also because most people expect to use one device for home and work. It may be a device provided by an organisation, or one owned by the individual, but either way there are risks associated with mobile phones in terms of protecting the organisation’s data.

The accelerating use of mobiles is therefore increasing the risks of data breaches for government organisations, which can be both costly and create reputational damage. It also means that organisations need to consider how to use secure, encrypted applications for work purposes more carefully than ever before.

COMMON RISKS

The very nature of mobile devices, which can operate anywhere, anytime, means they are more open to certain kinds of risk than desktop PCs in the home or office. Phishing attacks, for example, where users are contacted by text message and asked to click on a link or download a new app, have risen significantly in volume. Users are more likely to respond to a text than to an email, and criminals have responded by increasing their activity in this area.

Data leakage and open Wi-Fi are two more risks that mobile phone use can trigger. Data leakage happens in a few different ways, including personal data (which could include network log-on credentials) being stored in insecure systems that can be accessed by hackers.

Open Wi-Fi can cause problems when users are logging into the organisation’s systems over an insecure network, or even a fake hotspot set up deliberately in a location such as an airport lounge or coffee shop. Data can be monitored and stolen from such channels without a user being aware they have been targeted. As well as collecting data from open and insecure channels, criminals implant malicious software (malware) and spyware on mobile phones to harvest data. Malware is often designed to make ‘too good to be true’ offers to users, such as vouchers or free premium content, that never arrive and enable criminals to access personal information.

Spyware enables perpetrators to potentially listen into conversations, take pictures and read texts and emails, as well as track a mobile user’s movements.

Some of the most common risks are associated with actions taken not by criminals, but by users and organisations themselves. Users can lose or mislay phones that provide a route into the organisation’s network, disable the lock screen or fail to update passwords, while their employers neglect to update devices or the software that runs on them.

EMERGING CHALLENGES

Unfortunately, while only a small proportion of users are currently thought to succumb to phishing or malware attacks, such incursions are only going to become more sophisticated in line with ever more powerful technology.

One example is mobile advertising. Mobile ad spending is predicted to hit $156.38 billion by 2023, according to eMarketer, driven by the greater use of mobile devices. As well as introducing a new route for malware attacks, mobile ads can be abused by hackers who generate fraudulent clicks on the regular ads that appear. The software used for this activity runs in the background of the phone, slowing down performance and impacting productivity.

Another example is cryptojacking, where a cryptocurrency miner harnesses the processing power of mobile phones without the owner’s knowledge to mine coins. Again, the aim is to steal the processing resources of corporate or personal mobile phones, which has an impact on how well the devices can work.

Deepfakes and voice cloning technologies are also causing problems, particularly for corporates. This type of attack involves tricking mobile phone users into carrying out actions in response to a voice or face-to-face message which purports to be from a senior colleague and requests that funds be transferred.

While voice cloning has some legitimate and useful applications, the risk is that artificial intelligence software can be used to recreate someone’s voice from online snippets, perhaps a chief executive making a speech. The software can then be used to create a whole new conversation with a target victim just by typing words into a keyboard.

PUTTING AN ACTION PLAN IN PLACE

There are a number of actions that organisations and corporates can take to prevent malicious attacks on the mobile devices that they provide to employees:

  • Keep devices updated, so that they are always running the latest versions of software provided by manufacturers.
  • Create a security policy for mobile users, covering permitted sources for apps, guidance against disabling security features, and usage in insecure public locations.
  • Provide advice and training on how criminals use social engineering to access personal and corporate data, and on how to spot fake information.
  • Consider implementing a centrally controlled mobile security platform that provides true end-to-end encrypted sessions directly between devices to eliminate server attacks, as well as encrypted mobile storage for chat history, phone books and settings.

The convenience and flexibility of mobile phones are undeniable. However, the accelerated use of mobiles can introduce new and significant risks to organisations that fail to protect their data, including costly fines for breaches of sensitive information.

As attacks become increasingly sophisticated and the use of mobiles gets ever more ubiquitous, having a detailed policy and a secure mobile technology platform cannot be left to chance.