According to a recent report from McAfee**, the primary motivation for mobile attacks is financial gain with more targeted attacks on account holders of large multi-national and regional banks, more virtual bank robberies and more targeted surveillance can be expected. The increase in the use of IoT devices was also seen as adding to the risk.
So, what are the most common types of attack and what can be done to protect both the mobile phone user and a company from becoming a victim?
Public wi-fi networks
Firstly, mobile users should be particularly careful using public wi-fi networks. Whilst most are legitimate they are not secure. An unsecured wi-fi network doesn’t require you to enter a password or login credentials to use the network. These “open” networks also involve un-encrypted connections, leaving users at great risk. Using password protected wi-fi connections help to keep unwanted third parties from carrying out man-in-the middle attacks between the user’s device and the intended destination. Fake wi-fi networks are often set up by hackers in coffee shops or shopping malls, tricking users to the legitimacy of the site and providing users with free wi-fi in exchange for information which can lead to the hacker gaining access to email addresses and passwords. As users often have common passwords for different applications, this can provide access to other more lucrative applications and information. Yet the use of a VPN can provide protection by encrypting your internet connection ensuring that your privacy and security is maintained at all times. However, the best security is simply not to connect to the company network and sensitive information on unsecured public wi-fi.
Fradulent emails
Phishing remains a threat to mobile users, particularly as their devices are always on. This means that they are more likely to see and succumb to a fraudulent email that demands some immediate action. Many attackers still rely on malicious e-mail attachments to infect devices. The simple rule is not to open attachments and click on links from unknown sources. The same applies to downloading apps. It is highly recommended only to install apps from trusted sources, check on what permissions are being requested particularly when it comes to free or ad supported apps. If something sounds too good to be true, it’s probably a scam. Gift scams with fake promotions can lure you to websites that subsequently infect your device.
Mobile operating system updates
Updates to your mobile phone’s operating system are often released and it’s important to ensure that these are installed. Often, these are updated to secure a weakness that has been exposed by a hacker. Of course, users and companies can help protect themselves by installing antivirus protection on their devices. Many of them do much more than run automatic scans, and they’ll actively try to prevent malicious web pages and files from being opened or downloaded in the first place. Another useful feature is “in app- locking where your device will ask for a PIN before opening certain apps. Some also have anti-theft features allowing you to remotely lock or wipe an Android device if it goes missing, track its whereabouts and even take a picture of the thief. Setting an automatic lock and using a strong password to open your device is also recommended and features such as fingerprint scanning and facial recognition are also now more widely available and add to the security.
Human error
Probably the most common reason for security breaches is simply down to human error. This is particularly the case with mobile phones where work and life often becomes merged. Whilst using your mobile phone at work is often an easy option, employees need to appreciate the need to adhere to the company’s security policy and that an IT department needs to protect company assets. Of course, most employee lapses aren’t deliberate, they are more often simple mistakes such as posting a company file to a public cloud storage platform, forwarding an e-mail to the wrong recipient or losing the device. Humans are often the weakest link. Data loss prevention tools are intended to prevent inadvertent or malicious loss of sensitive company information by identifying content, tracking activity and potentially blocking sensitive data from being moved.
Bring your own device
BYOD has become increasingly popular but it also requires extra diligence and controls. When employees bring their mobile phone into the workplace, information about that device is unknown. The risk of malware infiltration and exposing the company to the risk of data loss or leakage increases. By default, corporate provisioned devices will have security controls in place. To be effective, BYOD users will require access to the corporate network both in and out of the workplace. A basic level of controlling access to the company network is essential. Indeed, most companies will be required to have a degree of management over the devices to track their usage.
*Ericsson as reported by Tech Crunch
** McAfee Mobile Threat Report Q1 2018
Sources & Acknowledgements: Symantec, McAfee, Computer Weekly, TechRadar, Kaspersky