
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Smartphone

Mobile phone users are not concerned with security until there is a breach and then they blame their provider

Crossbeam Systems have released research into mobile phone users’ opinions on security.

The most revealing finding was that compromised security, rather than high monthly fees, would be the biggest reason for UK smartphone users to change mobile network providers.

The independent blind survey of 1,076 UK adult smartphone users and bill payers examined:

  • usage habits
  • the importance of mobile security and data services
  • purchasing considerations
  • what would motivate them to switch providers

A summary of the survey results is below:

  • 75.6% of those surveyed would change mobile providers if their current, operator-supplied smartphone was compromised by hackers, malware or other security failure
  • 79% of the 648 women surveyed stated they would change networks if their smartphone fell victim to a security issue
  • 70% of the 428 men surveyed would also change networks following a security incident
  • 56% of global respondents don’t know if their mobile network provider has measures in place to secure their smartphone
  • 35.7% of respondents were aware that their smartphone contained applications that stored or had access to financial information such as PayPal, retail apps with saved card payment information and mobile banking apps, and that third parties accessing these would be a concern
  • 52.9% would be scared of other people having “Access to my personal information, such as passwords and credit card details”
  • 5.8% said a lack of security would drive them away from their current network provider

If your smartphone was hacked by a criminal whose fault would it be?

  • 37.5% My mobile network provider (Vodafone, O2 etc.)
  • 31.6% Mine
  • 17.9% My smartphone manufacturer (Apple, Samsung, HTC, etc.)
  • 12.9% Other (please specify)

“Smartphone users, like most people, don’t think about the security of their devices until they’ve been hacked. This may be misleading mobile network operators to focus less of their attention on customer security and underestimate the risk it creates,” said Peter Doggart of Crossbeam.

The good news is 53 percent of global respondents expressed a willingness to pay their network provider additional fees to help improve security.


Guidance for merchants on how to securely accept mobile payments the PCI way

This has been coming for a while but finally the PCI SSC has published a fact sheet outlining how merchants can securely accept payments using mobile devices such as smartphones or tablets.

The “At a Glance: Mobile Payment Acceptance Security fact sheet” provides merchants with actionable recommendations on partnering with a Point-to-Point Encryption (P2PE) solution provider to securely accept payments and meet their PCI DSS compliance obligations.

The ability to use smartphones and tablets as point-of-sale terminals to accept payments in place of traditional hardware terminals offers great flexibility. As mobile technology continues to change at a rapid pace, the Council continues to work with the industry to ensure data security remains at the forefront of mobile evolution.

This latest educational resource is the product of the Council’s Mobile Working Group and is the result of valuable input from leading merchants, vendors and organizations actively involved in the mobile payment acceptance industry. The document helps clarify and distill some of the more complex technology and security terminology into straightforward, practical guidance that can help merchants to:

  • Better understand their responsibilities under PCI DSS, and how they translate to mobile payment acceptance
  • Leverage the benefits of the Council’s recently published Point-to-Point Encryption (P2PE) standard and program
  • Choose a mobile payment acceptance solution that complements the merchant’s PCI DSS responsibilities, for example a P2PE solution provider

Using this resource to guide them in how PIN Transaction Security (PTS) and P2PE standards work together, merchants can better understand how to securely use external plug-in devices with smartphones or tablets to accept payment cards by first encrypting and securing the data at the point that the account data is captured. The smartphone or tablet has no ability to decrypt the data, thus simplifying PCI DSS scope for the merchant.
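The scope-reduction argument above rests on one architectural fact: the PTS-approved reader encrypts account data before it reaches the phone, so the merchant’s app never holds a key that could decrypt it. The following toy model is an added illustration of that data flow and is not code from the PCI SSC, from a P2PE solution provider, or from the fact sheet. It assumes a constructed shared secret between reader and processor (real solutions use hardware key management, not a key in memory) and uses an HMAC-SHA256 keystream as a stand-in cipher purely so the example runs with the Python standard library; the card number and amount are constructed sample values.

```python
"""Toy point-to-point encryption (P2PE) flow: reader -> smartphone -> processor.

Added illustration only, not the PCI SSC's or any vendor's code.  The cipher is a
constructed HMAC-SHA256 keystream with an HMAC tag, chosen so the example needs
no third-party libraries; it stands in for the reader's hardware cipher.
"""
import hashlib
import hmac
import json
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) with a counter (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CardReader:
    """Plug-in reader: the only merchant-side component that ever sees the clear PAN."""

    def __init__(self, key: bytes):
        self._key = key  # assumed injected at manufacture; never exported

    def capture(self, pan: str, expiry: str) -> dict:
        nonce = os.urandom(12)
        plaintext = json.dumps({"pan": pan, "exp": expiry}).encode()
        ct = _xor(plaintext, _keystream(self._key, nonce, len(plaintext)))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        # Only a masked PAN leaves the reader in the clear (for the receipt).
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(), "masked_pan": masked}


class Smartphone:
    """Merchant's phone/tablet app: holds no key and can only relay the blob."""

    def __init__(self):
        self.log = []  # everything the app could possibly leak or store

    def forward(self, blob: dict, amount: str) -> dict:
        msg = dict(blob, amount=amount)
        self.log.append(json.dumps(msg))
        return msg


class Processor:
    """P2PE solution provider / processor: verifies integrity, then decrypts."""

    def __init__(self, key: bytes):
        self._key = key

    def decrypt(self, msg: dict) -> dict:
        nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            raise ValueError("integrity check failed: payload altered in transit")
        return json.loads(_xor(ct, _keystream(self._key, nonce, len(ct))))


def run_transaction(pan: str = "4111111111111111", expiry: str = "12/29", amount: str = "12.50") -> dict:
    """Run one constructed sale and report what each party could see."""
    key = secrets.token_bytes(32)  # shared by reader and processor only
    reader, phone, processor = CardReader(key), Smartphone(), Processor(key)
    msg = phone.forward(reader.capture(pan, expiry), amount)
    card = processor.decrypt(msg)
    return {
        "pan_recovered": card["pan"] == pan,
        "pan_visible_to_phone": pan in "".join(phone.log),  # out of scope if False
        "masked": msg["masked_pan"],
    }


def tamper_detected() -> bool:
    """Flip one ciphertext byte on the phone; the processor must refuse to decrypt it."""
    key = secrets.token_bytes(32)
    msg = Smartphone().forward(CardReader(key).capture("4111111111111111", "12/29"), "12.50")
    ct = bytearray(bytes.fromhex(msg["ct"]))
    ct[0] ^= 0x01
    msg["ct"] = bytes(ct).hex()
    try:
        Processor(key).decrypt(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_transaction())      # pan_recovered True, pan_visible_to_phone False
    print(tamper_detected())      # True
```

The point to take from the model is in `run_transaction`: the phone’s log, which is everything a compromised app could exfiltrate, contains the masked PAN and the ciphertext but not the card number, because the key was never on the device. That is the property a merchant should confirm the chosen solution provider actually delivers, rather than assume from the words “encrypted reader”.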

“We know merchants are eager to take advantage of their existing smartphones or tablets to accept payment cards,” said Bob Russo, general manager, PCI Security Standards Council. “And the Council and its stakeholders want to help the market to do this in a secure way. We’re excited about this easy-to-use reference that will help merchants understand how to use the suite of PCI Standards to enable their businesses while still keeping data security top of mind.”

As with all SSC fact sheets, this guidance does not replace or supersede any of the PCI Standards.

The Council continues to work with the payments community to address mobile payment acceptance security and evaluate whether additional requirements are needed in this area. As part of this ongoing initiative, the Council plans to publish best practices for securing mobile transactions later this year.

“The PTS and P2PE standards are being leveraged by mobile solution providers today. With this fact sheet we hope to help merchants understand how these standards work and the options that are available to them for accepting mobile payments in a secure and PCI DSS compliant manner,” said Troy Leach, chief technology officer, PCI SSC.

The link to the At a Glance: Mobile Payment Acceptance Security fact sheet is here.

Serious Disconnect Between Businesses and Mobile Users


McAfee have released their report “Mobility and Security: Dazzling Opportunities, Profound Challenges”.

“Devices are no longer just consumer devices or business devices. They are both,” said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University, the primary author of the report. “Devices are more than extensions of the computing structure, they are extensions of the user. The way users interact with their personal data mirrors the way they want to interact with corporate data.”

Key Report Findings:

  • Reliance on mobile devices is already significant and accelerating rapidly; the emerging mobile environment is both diverse and freewheeling
  • IT is becoming increasingly consumerized as evidenced by the fact that 63 percent of devices on the network are also used for personal activities.
  • Lost and stolen mobile devices are seen as the greatest security concern for IT professionals and end-users – four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data. More than a third of mobile device losses have had a financial impact on the organization and two-thirds of companies that had mobile devices lost/stolen have increased their device security after this loss.
  • Risky behaviors and weak security postures are commonplace – Although the need for mitigating mobile security risks and threats is acknowledged, fewer than half of device users back up their mobile data more frequently than on a weekly basis. Around half of device users keep passwords, pin codes or credit card details on their mobile devices. One in three users keeps sensitive work-related information on their mobile devices.
  • There is a serious disconnect between the policy and reality – 95 percent of organizations have policies in place in regard to mobile devices
  • Mobile devices are being used by much of the workforce, over extended periods of time, for a significant percentage of tasks previously conducted on desktops.
  • On average, employees use mobile devices for work purposes between 2 and 4.5 hours a day. On average, use of laptops was 4.5 hours per day.

Mobile devices are used in a wide range of job functions

  • Business executives using them most – 56%
  • Sales and others in the mobile workforce – 47%

Mobile phone usage

  • Email – 93%
  • Contacts – 77%
  • Web access – 75%
  • Calendaring – 72%

Four different types of mobile devices are used by at least one-third of employees both for professional and personal use:

  • Laptops – 72%
  • Smartphones – 48%
  • Removable media, including USBs – 46%
  • External hard drive – 33%

Almost Half of Users Keep Sensitive Data on Mobile Devices

Share of users storing each kind of data on mobile devices (passwords/PIN codes vs. credit card details):

  • Professional & personal information & data: passwords/PIN codes 23%, credit card details 19%
  • Only professional information & data: passwords/PIN codes 11%, credit card details 7%
  • Only personal information & data: passwords/PIN codes 17%, credit card details 15%
  • I do not use, store or send this information or data using mobile devices: passwords/PIN codes 49%, credit card details 58%

Recommendations for Businesses

  • Mobility is ushering a new computing paradigm into the workplace. With devices eclipsing PCs and virtually every business application being device-ready, mobile computing offers an opportunity to make workers more productive, competitive, and happy. Mobility done right is a major competitive advantage in the workplace.
  • Consumerization of IT is here to stay. Many smart companies are allowing, encouraging, and, in some cases, providing a stipend for, employee-owned technology to work. Businesses need to find ways to enable, secure, and manage employee-owned technology in an optimal way to drive cost savings.
  • Users are changing the way they think about policies. Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role, and the situational context.
  • Data loss and leakage are of utmost concern to individuals and enterprises, and there is no silver bullet. Classify data, even at a high level, and apply data leakage processes and mechanisms in order to protect corporate data while respecting users’ privacy.
  • User awareness about mobile threats is still nascent. Apply security and management paradigms from laptops and desktops to mobile devices. Educate users about the risks and threats through employee agreements and training. “Businesses must find ways to protect corporate data, and call it back when an employee leaves, while ensuring the privacy of the employee,” says David Goldschlag, vice president of Mobility for McAfee. “Employees are no longer lifelong members of the organization, but rather consumers, who often change jobs every few years. When they do, they come with a kit of stuff, but once they leave, they need to give you back the data that belongs to the company. Businesses need a way to facilitate that process while respecting the ‘kit’ that the employee brings to the company.”

Recommendations for Mobile Users

  • You are part of a computing sea of change. With devices eclipsing PCs, and virtually every app device-ready, mobile computing offers you an opportunity to be entertained, informed and connected wherever you are. Use this to your advantage to be more productive on the go.
  • Driven by users’ desire for device choice and employers’ need for cost savings, individuals are increasingly bringing their own devices to work. Take advantage of your employers’ program and use your technology to be more nimble in your work.
  • Familiarize yourself with your employer’s mobile device policy and the intent behind it, and decide whether it fits your needs. If so, accept the policy and move on; if not, use two devices, one for personal use and one for work.
  • Take steps to secure your device. Install anti-theft technology, and back up your data. Configure your device to auto-lock after a period of time. Don’t store data you can’t afford to lose or have others access on an insecure device.
  • Be aware of mobile device threats. In many ways, they are the same as in the online world. You can be hacked, infected, or phished on a mobile device just as easily (and often more easily) as you can online.

The McAfee White Paper can be found here http://www.mcafee.com/us/about/news/2011/q2/20110523-01.aspx


Mobile Device Vulnerabilities at an all time high


A study commissioned by Juniper Networks found that enterprise and consumer mobile devices are being exposed to a record number of security threats.

The study’s key findings include:

  • App Store Anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of Smartphone users are not employing an antivirus solution on their mobile device to scan for malware
  • Wi-Fi Worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
  • The Text Threat: 17 percent of all reported infections were due to SMS Trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
  • Device Loss and Theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
  • Risky Teen Behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device
  • “Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010

“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand.”

“The last 18 months have produced a non-stop barrage of newsworthy threat events, and while most had been aimed at traditional desktop computers, hackers are now setting their sights on mobile devices. Operating system consolidation and the massive and growing installed base of powerful mobile devices is tempting profit-motivated hackers to target these devices,” said Jeff Wilson, principal analyst, Security at Infonetics Research.

“In a recent survey of large businesses, we found that nearly 40 percent considered smartphones the device type posing the largest security threat now. Businesses need security tools that provide comprehensive protection: from the core of the network to the diverse range of endpoints that all IT shops are now forced to manage and secure.”

The study specifically reports the following:

  • 400 percent increase in Android malware since summer 2010
  • 1 in 20 mobile devices was lost or stolen, requiring locate, lock, or wipe commands
  • 20% of all teens admit sending inappropriate or explicit pictures or videos of themselves from a mobile device
  • 61% of Juniper Networks-detected malware infections are from spyware
  • 17% of Juniper Networks-detected mobile malware infections are from SMS Trojans
  • Mobile malware grew 250% from 2009 to 2010
  • 1 in 20 mobile devices is lost or stolen, risking loss of confidential and sensitive data.
  • 83% of teens use mobile technology to stay connected with friends and family.
  • 20% of all teens have been cyberbullied through a mobile device.
  • 20% of teens admit to having sent inappropriate or explicit pictures or videos from their cell phones
  • 39% of teens admit to sending sexually suggestive messages from their device
  • 29% of teens admit that they are sending suggestive messages, or inappropriate and explicit pictures or videos to someone they have never met
  • 44% of teens admit that it is common for suggestive messages that were received to be shared with someone else

The study recommends the following:

For Consumers:

  • Install an on-device anti-malware solution to protect against malicious applications, spyware, infected SD cards, and malware-based attacks on the device
  • Use an on-device personal firewall to protect device interfaces
  • Require robust password protection for device access
  • Implement anti-spam software to protect against unwanted voice and SMS/MMS communications
  • For parents, use device usage monitoring software to oversee and control pre-adult mobile device usage and protect against cyberbullying, cyberstalking, exploitative or inappropriate usage, and other threats

For Enterprises, Government agencies and SMBs:

  • Employ on-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks against the mobile device
  • Use SSL VPN clients to effortlessly protect data in transit and ensure appropriate network authentication and access rights
  • Centralize locate and remote lock, wipe, backup and restore facilities for lost and stolen devices
  • Strongly enforce security policies, such as mandating the use of strong PINs/Passcodes
  • Leverage tools to help monitor device activity for data leakage and inappropriate use
  • Centralize mobile device administration to enforce and report on security policies

For further details, click here


A short history of Android security issues

In its recent study, Juniper Networks uncovered some very interesting facts on the growing risk to Android-based mobile devices.

The timeline for the development of the threats is as follows:

Android Attacks: 2010

  • January 2010: First bank phishing application for Android
  • March 2010: First Android “botnet”
  • July 2010: GPS monitoring embedded in Tap Snake game
  • August 2010: First Android SMS Trojan
  • November 2010: “Angry Birds” proof-of-concept malware demonstrated
  • December 2010: First pirated Android application, Geinimi

Android Attacks: 2011

  • January 2011: ADRD and PJApps available in China
  • March 2011: Myournet/DroidDream, the first Android malware available and distributed through Android Market on a large scale, affects 50,000 users.
  • Google’s solution, the Android Market Security Tool, was also pirated and turned into malware in China.
  • April 2011: Walk-and-Text pirate puts egg on users’ faces.
  • April 2011: Research at IU Bloomington results in “Soundminer” proof-of-concept communications interception application.

Overall there was a 400% increase in Android malware since summer 2010.

In summary, the bad guys have seen the growth of the smartphone market and are turning their skills to the development of tools and attack vectors for the operating systems on them, including Android.


Smartphone users at risk of ID Fraud


Credit reference agency Equifax has recently released its research into the implications of smartphone theft for identity fraud.

The findings of the research are very interesting as they show how cavalier smartphone owners are with their information and identity.

The highlights of the research are below:

  • 94% of consumers fear identity fraud and theft yet many keep too much personal data on mobile devices
  • 54% of second-hand phones contain personal data including texts, emails and even banking details. Identity fraud expert Equifax is urging consumers to think about what personal data they store on their mobile phone and to ensure they delete all data from both the phone and SIM card before recycling or selling it
  • 40% of smartphone users also don’t use the passcode function, leaving them vulnerable to ID fraud. And this jumps when looking at the younger generation that have most embraced the new technologies
  • 62% of 22-25 year olds use their smartphone to regularly check their online banking. Yet despite fears about identity theft, 69% do not use a passcode function on their phone
  • 35% admit to regularly clearing their browsing history after they use online banking. It’s also this generation where there’s probably more chance of them having personal items stolen when out shopping or in bars and clubs, making them the perfect target for fraudsters

Equifax’s Smartphone Security Tips

  • Always use the PIN function on your handset
  • Don’t store reminders of passwords on your phone
  • Think about which accounts you access from your phone – would it be better to wait until you’re at the security of your home?
  • Wipe browser history, especially if reviewing online banking
  • Keep an eye out for malicious software masquerading as apps
  • Keep your smartphone safe at all times
  • Delete all personal information from the phone and the SIM card before recycling or selling your phone

Read the full press release here.


Top 5 Riskiest Places To Use Your Credit Card | B2B News

From B2B News

You can still be a victim of credit card fraud even if you use it with utmost caution. Credit card companies and banks are more and more often putting the onus of catching phony or incorrect credit card charges on the consumer.
The most important thing is to check your billing statement. And there are organizations like Creditcards.com that offer tips on how to keep your cards safe as well. Here, we take a look at 5 of the riskiest places you might use your card, according to Creditcards.com, and what you can do to stay away from dangers.

Non-Bank Owned ATMs

Encryption at these ATMs is often not as good as at bank ATMs. These ATMs also are more likely to be hacked. And in some cases, people have put up devices that look like ATMs but don’t give out cash. Instead, they are just card-skimming devices aimed at stealing your credit card or debit card information.

Flea Markets

Flea market merchants are often transient and can be difficult to locate if there is a problem with charges. It’s especially true for vendors who don’t have online credit card terminals and instead make carbon copies of your credit card.

That doesn’t mean those vendors are necessarily fraudulent, but it makes the transaction less secure. The credit card company might have trouble doing a charge back. If you’re going to the flea market, take cash. It’s also easier to negotiate that way.

Small Shops/Cafes in Foreign Countries

These smaller merchants have a significantly higher percentage of credit card fraud as reported by large banks and credit card companies. Many of these transactions end up being written off by the banks because the merchants simply can’t be located. There’s just a higher chance of fraud when you get outside of the mainstream, so when in doubt, use cash.

Non-Secure Online Checkout

Any safe, reputable e-commerce site is going to have a secure checkout page, like the one shown at left. If that doesn’t appear, it should be a red flag. You can almost be sure it’s not legitimate, and even if it is, you’re opening yourself to that transaction being seen by others.

Purchases on Smart Phones

Purchases on smart phones can also be less than secure. If your smart phone connects to a public wi-fi signal, you’re going to be much less secure. Someone else can potentially see the transaction, or malware can be placed on your device that can potentially transmit your personal information.

Top 5 Riskiest Places To Use Your Credit Card | B2B News.
