Hackers are taking notice of our mobile transactions and creating virus and malware that target mobile users specifically. Let’s be honest, we aren’t going to give up on our on-the-go lives any time soon—so what is the best way to protect our data?
The type of data stored on smartphones is becoming increasingly sensitive as we live more of our lives on our mobile devices. Arguably, most heavy smartphone users would be more horrified to lose their mobile device than even their wallet. “Users store all kinds of things on their devices,” says Ayman Mohammed, Practice Head of Security Systems, CNS, “Sensitive data, such as email, calendars, contact information and passwords are saved and stored on smartphones.” Of course, it is not smartphones alone that are made targets.
Far beyond a collection of selfies and SMS conversations, this increased use of mobile devices for things such as financial transactions has opened up a whole new world for would-be hackers. “The growth in the use of mobile devices has created a new target for cyber-criminals to launch attacks that can result in financial loss, reputational damage and data breaches against both individuals and organisations,” explains Paul Wright, Manager of Professional Services and Investigation Team, Middle East, India and Africa, AccessData. To target these devices, criminals are relying not only on malicious coding, but on the behaviour of users as well. Megha Kumar, Research Manager – Software, IDC MEA, points out that in the Middle East, users are quite vulnerable to behavioural attacks, “In the region, social engineering attacks and spam are quite prominent.”
Savvy cyber-criminals know that mobile security is, when compared to traditional PC security, only now being taken seriously by individual users. “One interesting thing I’ve noticed in recently months in the Middle East,” notes Saeed Agha, General Manager, Middle East Palo Alto Networks, “is a shift in attitude toward mobile malware. Years ago, many people seemed to view mobile malware as a construct rather than a real world issue. While acknowledging that is was a concern, other priorities took precedence.”
Today, however, individual users as well as organisations are stepping up their game when it comes to protecting their devices. There is no question that mobile malware is an issue, in the region and globally.
The motivation of cyber-criminals is usually fairly obvious—financial gain. “In addition to photos and contact information, mobile devices are used for online banking, performing financial transaction and private and business voice calls,” echoes Ahmad Enaya, SE Manager, Middle East, Aruba Networks, “Typically this consumer grade equipment has no security turned on by default, and most users do not bother with additional configuration steps to turn on even basic security.” This perfect storm of sensitive information and lack of security can lead to disaster.
Indeed, when speaking on mobile malware, iPhone users may look at their device with a sense of security. Though instances of attack on Apple’s iOS are admittedly far fewer than its counterparts, iPhone users are should not assume they are safe. Apple keeps its users safe from malicious apps by heavily regulating what apps are made available. However, it is these very restrictions that often cause users to jailbreak their devices. “Apple has restrictions that push users to jailbreak their phones,” explains Cherif Slieman, General Manager, Middle East, Infoblox, “If you have not jailbroken your iPhone, removing all the restrictions implemented by Apple, you are very safe from malware. But these restrictions are one of the most frustrating issues for iPhone users and many are jailbreaking to enable them to add apps that Apple doesn’t allow.”
In addition to these behavioural flaws that can compromise iOS, the platform itself has experienced more attacks than ever in the past few years. “According to Juniper Research, mobile malware grew by 155 percent across all platforms-Apple’s iOS, Research In Motion’s BlackBerry and Symbian,” warns Mohammad Ismail, Identity and Access Solution Manager, Middle East & Africa, Gemalto.
Roman Unuchek, Senior Malware Analyst at Kaspersky Lab agrees with Ismail’s concern, pointing out attacks specific to the Apple OS in the recent past, “The myth about Mac OS security was demolished when in 2012 the quantity of created antivirus entries has grown by 30 percent in comparison with 2011, and the notorious Flashback Trojan managed to create the biggest Mac OS botnet which consisted of 700 thousand devices all over the world.”
As Apple’s market share increases, their flaws in their OS are becoming targets, “An iOS 6 security flaw was also found, which could grant complete access to an iPhone or iPad running the iOS platform,” says Tony Zabaneh, Senior Sales Engineer, Trend Micro Middle East.
Ray Kafity, Regional Sales director, Middle East, Turkey and Africa, FireEye, agrees, “FireEye mobile security researchers have found several severe security flaws in the iOS7 architecture which allows malicious app to monitor every screen tap and button press and other events in the background on non-jailbroken iOS7.”
With no operating system safe, it is paramount that users and organisations do all they can to protect their mobile devices. Nicolai Solling, Director of Technology Services, Help AG, explains that the first step is to change user perceptions. “Any user needs to understand today that a smartphone is a computer and when the data on this computer is valuable the device becomes a target. The easiest point of entry is the user, so the user will be the target for social engineering attacks, where cyber criminals will exploit the user’s lack of security know-how.”
Indeed, the first step in cyber-security—be it traditional PC security or mobile security—is education. Users need to learn to recognise phishing sites, the importance of keeping their software up to date, and how to avoid behaviours that will compromise their devices.
Ismail asserts that a little common sense can go a long way to protect sensitive information, “Consumers can respect simple security rules when communicating important personal information using their mobile. They can also make sure that a reliable identification is taking place between them and the network, using strong authentication technology.”
In addition, users should be sure that their devices are running the latest versions of their preferred OS. “For software security, it is important to make sure that the latest OS and patches for your operating system are installed. Moreover, make sure not to download any software from unknown or untrusted sources,” says Enaya.
As for businesses and organisations, education remains key. Businesses need to ensure that employees—whether they are using their own devices for business or corporate provided gear—are educated on the basics of safe mobile behaviour.
In addition, companies providing a BYOD program need to be particularly vigilant. “A successful BYOD program involves a defined segmentation of corporate and personal data applications,” says Wright.
A lack of corporate planning when it comes to BYOD programs can lead to the compromise of the entire company. “The main issue of mobile devices is that they are owned by the employees in most cases, and they contain personal and enterprise applications on the same device. In many cases, they lack the level of security and management of corporate devices, while they might contain critical business or private information,” warns Enaya.
Keeping software updated, avoiding unauthorised software and installing security software are all paramount in keeping mobile devices safe. However, they key to protecting mobile data is user behaviour. Users need to be aware of how they use their devices or the damage could be devastating and almost impossible to fix.
“Cyber-crime has no boundaries, in particular it has no boundaries in relation to jurisdiction. In addition when an incident takes place the amount of data compromised is not always known, and when missing data is retrieved, if the data is not protected or encrypted, there is no assurance that is it has not already been duplicated, stored elsewhere, or forwarded to another,” Paul Wright, Manager of Professional Services and Investigation Team, Middle East, India and Africa, AccessData.