When data threats go mobile

Thanks to today’s impressively powerful processing, mobile phones are being used in business more than ever before.

Whether employees are working from company-issued phones or have been granted high-level access from personal devices, smartphones are now starting to take the place of desktops. But they don’t offer nearly the same level of control or inbuilt security.

Mobile device security threats are on the rise and evolving in scope. To protect both devices and data, everyone in an organisation must understand the associated risks.

Richard Menear (left) of Burning Tree, a Hampshire-based company that specialises in high-level information security consulting, takes a look at six of the most common threats.

Lost or stolen devices: An unattended device can be a major security risk — especially if it doesn’t have full data encryption and a strong password or biometric security to guard it. If the device isn’t properly protected and gets into the wrong hands, it’s easy for criminals to gain access to a whole load of data. However, hackers don’t need to physically have the phone in their hand to be able to exploit it…

Poor password hygiene: It doesn’t matter how many times we say it; we still frequently see poor password practices across companies of all sizes. This becomes especially problematic when staff are carrying around mobile phones that contain both company accounts and personal sign-ins.

When people want to sign in quickly to various apps, sites and services, they’ll often use the same password for everything. Even if just one employee types a company account password into a prompt on a random site, this could pose a considerable risk to the organisation. What’s more, studies have shown employees frequently share their passwords with co-workers across personal and work accounts accessed via their mobile devices.

Out-of-date devices: Unlike desktops, smartphones and other smaller connected devices generally don’t come with the same guarantees of timely and ongoing software updates, posing a real risk to enterprise security. Android manufacturers, in particular, have been famously ineffective at keeping products up to date.

And even if frequent updates are available for an employee’s device, there’s no guarantee they’ll be installed. Many people will repeatedly hit “remind me later”, but they must update their devices regularly to benefit from the latest security fixes and features.
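The two device-level points above (an unattended phone without encryption or a passcode, and a phone left on an old OS release) are exactly what a mobile device management (MDM) compliance policy is meant to catch. The following is an added illustration, not Burning Tree's tooling or any vendor's API: a small compliance evaluator run over a constructed device inventory. The record fields, the minimum OS versions and the 30-day "not seen" threshold used to flag a possibly lost or stolen device are all assumptions chosen to mirror the threats described in the article.

```python
"""Hypothetical MDM-style compliance check over a constructed device inventory.

Added example only; record fields and policy thresholds are assumptions,
not a real MDM product's schema or defaults.
"""
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    device_id: str
    platform: str        # "ios" or "android" (assumed labels)
    os_version: str      # dotted version string as reported by the device
    encrypted: bool      # full-device encryption enabled
    passcode_set: bool   # a passcode or biometric unlock is configured
    last_checkin: date   # last time the device reported in to management

# Assumed policy: oldest OS release the organisation still accepts per platform.
MIN_OS = {"ios": (16, 0), "android": (13, 0)}
# Assumed policy: a device silent for longer than this is treated as possibly lost.
MAX_CHECKIN_DAYS = 30

def parse_version(version: str) -> tuple:
    """Turn '13.0.1' into (13, 0, 1); non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def evaluate(dev: Device, today: date) -> list:
    """Return a list of policy findings for one device; empty means compliant."""
    findings = []
    if not dev.encrypted:
        findings.append("no full-device encryption")
    if not dev.passcode_set:
        findings.append("no passcode")
    minimum = MIN_OS.get(dev.platform)
    if minimum is None:
        findings.append(f"unknown platform {dev.platform}")
    else:
        # Pad to (major, minor) so '13' compares equal to '13.0', not below it.
        major_minor = (parse_version(dev.os_version) + (0, 0))[:2]
        if major_minor < minimum:
            findings.append(
                f"OS {dev.os_version} below minimum {minimum[0]}.{minimum[1]}"
            )
    silent_days = (today - dev.last_checkin).days
    if silent_days > MAX_CHECKIN_DAYS:
        findings.append(f"not seen for {silent_days} days (possibly lost or stolen)")
    return findings

def report(devices: list, today: date) -> dict:
    """Map device_id -> findings for every device that fails at least one check."""
    result = {}
    for dev in devices:
        findings = evaluate(dev, today)
        if findings:
            result[dev.device_id] = findings
    return result

# Constructed sample inventory and reference date for the demonstration.
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("phone-001", "ios", "17.2", True, True, date(2024, 5, 30)),
    Device("phone-002", "android", "11.0", True, False, date(2024, 5, 28)),
    Device("phone-003", "ios", "16.5", False, True, date(2024, 4, 1)),
]

if __name__ == "__main__":
    for device_id, findings in report(SAMPLE_DEVICES, TODAY).items():
        print(device_id)
        for finding in findings:
            print(f"  - {finding}")
```

In a real deployment the inventory would come from the MDM's own API and the findings would feed an access decision (for example, blocking a non-compliant device from company mail until it is updated), which is the usual way to turn "remind me later" into a deadline.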

Unsecured Wi-Fi: Unless employees have a substantial data allowance, chances are they’ll be seeking out public Wi-Fi whenever they’re away from home or the office. However, one of the sneakiest ways hackers take advantage of the vulnerabilities of mobile devices is through unsecured wireless networks.

Although free public Wi-Fi in places like coffee shops and airports might seem reputable, it could be a trap set up to lure users onto the network. In some cases, users will need to create an “account”, complete with a password, to access the network.

SMS fraud: Most people are familiar with the term ‘phishing’ — a way for hackers to extract sensitive personal and corporate data through seemingly legitimate emails. On mobile devices, users might also receive a text message from a sender pretending to be someone they know.

The sender will exchange texts with the recipient and then ask them to send personal information such as passwords or bank details. Alternatively, they might ask the user to call a number; when the user calls, data is then easily extracted from the phone.

SMS fraud can also take many other forms. Spam messages might direct a recipient to a web link asking them to enter their details. Grey routes and SIM farms allow businesses to send bulk messages to customers through unsecured delivery methods that could expose sensitive information to cyber criminals. Fraudsters can also infiltrate someone’s text messages and steal their data if they connect to a network in a foreign country — known as “roaming”.

SIM swap fraud is similar to but more complicated than phishing, as it exploits two-factor authentication. Hackers will “port” the user’s phone number to another SIM and intercept any passwords and personal information sent via SMS. One Watchdog viewer found this out the hard way when hackers stole more than £5,000 from his bank account by hijacking his mobile phone account through an SMS message and using it to authenticate transactions.

If there is no security software in use on the mobile device, neither the employee nor the company may even be aware of the breach. Therefore, it is crucial to educate employees on the importance of not taking calls from or replying to messages from unknown numbers.

Fake apps: Perhaps one of the most significant risks associated with the use of phones is mobile applications. Often, employees will download apps they believe to be from legitimate companies — but in reality, they will be fake applications containing malware.

Mobile apps regularly cause unintentional data leakage, too, when employees give them sweeping permissions without checking security. Free applications found in official app stores will typically perform as advertised but also send personal (and even corporate) data to a remote server — where it is then mined by advertisers or, potentially, cyber criminals.

For more information: Burning Tree