By Vijay Dheap, product manager at IBM Mobile Security Solutions
Mobile handsets once functioned quite simply as portable phones, but they have quickly evolved into primary computing devices, with all the attendant potential security problems that this transformation implies. Providing security for the mobile channel – whether internally for workers or externally for customers – is now as important as the protecting the defunct firewall and company perimeter used to be.
The transformation of the mobile device from a phone into a computer does not end there. Smartphones and tablets are now are consumers’ and bank customers’ favorite books, briefcases, and even wallets. Remember when you used to clutch your briefcase tighter or stuff your hands in your pockets to hold your wallet when walking through a crowd? Well, keeping your mobile device secure is not as simple as maintaining physical ownership of the device, but it something that financial institutions and others have to think about.
We have all learnt to be more vigilant and have grown smarter about practicing safe computing in the PC and Internet era. This is substantiated by the findings of the IBM X-Force 2011 Trend and Risk Report and numerous other surveys, which show a reduction in application security vulnerabilities, code exploits and spam. Customer education and simple internal procedural improvements really do help. Information security is a continual ‘arms race’ however between the hacker/defrauder and the protectors and the mobile arena is just one more battleground to be fought over. Mobility not only reveals old challenges in a new environment, but also exposes new sophisticated threats. Innovation in mobile technologies constantly pushes the boundaries of collaboration and simplifies the movement of data and sometimes money. Generally, security techniques and methods lag behind the introduction of new features and capabilities. Because of this risk and uncertainty, the IBM X-Force security team found that many corporate chief information officers (CIOs) and chief information security officers (CISOs) are adamant in their refusal to allow employees to use personal mobile devices for work, rather than exploring how they can support them. Providing security for external customer is an even greater headache, which requires strong authentication, identity and access controls, perhaps using the geo-location ability of the mobile phone itself.
The most basic threat to our mobile lifestyle comes in the form of malware. Mobile malware has been growing rapidly with some open platforms, such as Google’s Android, being more prone to them than others. The 2011 Mobile Threat Report by Juniper uncovered that mobile malware increased by 155% in 2011 across all platforms – even Apple’s iOS was affected. It is a common misconception that Apple’s trusted iTunes App Store and the long vetting process that it employs for apps prevents malware from infecting iOS devices. While it is true that the process employed by Apple guarantees the integrity of iOS is not compromised by apps, it does not detect vulnerabilities in the apps themselves to malware.
Mobile malware can infect mobile tablets and smartphones via traditional means such as browsers, and mobile specific channels such as SMS and mobile ads. Kaspersky Lab found that nearly 37% of all mobile malware in 2011 was distributed via SMS messages. Malware on the mobile device can not only perform the well-known malicious activities such as key logging and data pilfering but also steal your money. GGTracker in the US and RuFraud in Europe exploited the fact that many networks allow charging user’s phone bills via SMS or calls.
As enterprises become more proactive and users more vigilant to malware threats, the attackers are growing increasingly sophisticated. Trusteer recently identified the emergence of new attacks on one-time-password (OTP) authorisation systems, which are often used by financial institutions. These attacks involve multi-step processes to overcome security measures and cannot be detected by traditional anti-virus solutions. More worryingly, RSA famously had the central database for its OTP scheme hacked last year, and similar ‘going after the source’ attacks have happened this year too.
Additionally, with our lives increasingly accessible via our social networking profiles, enterprising attackers are employing social engineering to exploit our various trust relationships to bypass security infrastructures all together. One approach being employed is to deliver malicious apps that mimic the behavior of legitimate trusted apps, but perform unwanted activities without the user’s knowledge. Another approach is to deliver malicious mobile ads originating from a friend or colleague’s social profile. When clicked these ads secretly download malware. As security comes to the forefront, attackers provide fake security mobile apps to further infect users.
After reading all of this, you might be ready to shut off your smartphone in a lead container and store it in a thick, steel-plated safe. Let me tell you that will not be necessary because you can also use the mobile channel to significantly mitigate the risk of becoming a target. Fraud attacks versus bank customers can quickly be checked with customers using their mobile phone to confirm IDs and transactions, plus you can equip the device with in-built security tools to prevent its infection by malware. Education will obviously need to play a role too, as it has in the ‘static web’. This approach will enable you to quickly detect and recover if an employee’s mobile device or a mobile channel to market is affected.
Viewing mobile security as a system and taking a layered approach is important. Firstly, for device security, make sure the device is password protected. Employ an anti-malware application from a trusted source and provider. Make use of data backup services so in the event that a device is compromised you can wipe and reload the data and apps.
For data, network and access security you rely on a company’s security infrastructure, so double check to verify you are provided with a secure communication channel, protected access to enterprise systems and network detection of threats. Companies can also provide their employees with the ability to centrally manage their mobile devices in the event those mobile devices are compromised (i.e. lost, stolen, or infected). For app security, it is important to employ your best judgment on the sources used to acquire apps and the apps you do acquire. For internal enterprise apps, I recommend that your company establish a secure delivery channel (i.e. enterprise app store) and performs vulnerability testing on those apps to address weaknesses during development and testing cycles. Last but not least, when engaging in social media conversations, be cautious of ads and links even if they appear to be from a trusted source. Teach your customers to be equally wary.
Mobile security will grow in importance but by employing best practices, end users and enterprises can build confidence and safely realise the seemingly limitless personal and business value that mobile devices promise. IT security is always an arms race but with diligence the benefits of the mobile revolution can continue to outweigh the potential problems.