Tuesday, September 6, 2011

Bank on your mobile, but with caution - The Times of India

Three young professionals, while dining out, strike upon an idea to head to Pondicherry during the weekend. One of them takes out the smartphone, logs into IRCTC, checks out availability of train tickets, and goes on to book three tickets to Chennai. They also reserve online a budget hotel accommodation there.

If they were doing it on a PC, they would have perhaps asked themselves if the PC was secure. With smartphones, people aren't yet conscious about the risks involved. The fact is, smartphones, as they become popular, are also becoming vulnerable to cyber-crimes.

A McAfee report released last week says the amount of malware targeted at Android devices increased 76% in the last quarter, to become the most attacked mobile operating system. Cloud security leader Trend Micro has noticed a 14-fold increase in malware targeting Android smartphones in the last six months. Symantec's Internet Security Threat Report released earlier this year noted a 42% increase in mobile vulnerabilities in 2010.

And just as in the use of smartphones, India tops security threats as well. The Symantec report revealed that India ranked second for malicious code globally. Phishing on 21 non-Indian brands was hosted in India in June, and it marked an increase of 17% from May, says the report.

Mobile devices, including tablets, have the same risks that are present on desktops, laptops and netbooks. Few have any good anti-virus or similar safeguards on their mobile phones. "With smartphones of today mimicking PCs in functions and features, PC-based threats are already taking advantage of exploits, botnet functionality, and even rootkit features for stealth on the mobiles," warns Vinoo Thomas, technical product manager, McAfee.

Financial transactions

An emerging trend is the use of smartphones for financial transactions - be it booking movie tickets or checking bank balances or paying bills. A Boston Consulting Group study estimates that mobile phone transactions may reach $250 billion by 2015. Shantanu Ghosh, VP, India Product Operations, Symantec, says it has become extremely simple to pay utility bills, shop, pay fees and premiums and transfer money through an SMS. All you need is a mobile money identity and a PIN.

The number of people in India who have registered for interbank mobile payments is a staggering 10 million. There are 20 banks that support this service, and 15 banks are in the testing stage. Besides, the Reserve Bank has approved routing merchant payments through this service, which initially was restricted to person-to-person transfer.

About 26% of respondents to a study by Informate Research said mobile banking had made their lives easier and 20% were planning to use mobile banking. But 23% of respondents indicated they don't consider mobile banking to be safe.

Common threats

Symantec classifies data loss as the biggest threat to mobile devices. Here the hacker secretly extracts information from the phone. Android.Rootcager steals confidential data like device ID, device serial number, model, carrier information etc. Aurora Feint uploads contacts in an iPhone's address book to the developer's server in an unencrypted form.

Web and network-based attacks are common. Most of them exploit the browser route to implant malware, which then steals data that flows through the browser. When the user visits a malicious website, the phone is infected and data entered into the browser, like passwords and credit card numbers, are compromised. Traditional computer viruses and worms can also infect mobile phones. Ikee worm targets Apple's iOS based devices, and Pjapps enrols infected Android phones in a botnet.

Another frequent method of attack is social engineering. Making use of media like emails, chats, and social networking sites, miscreants establish contact with the user, win their confidence and trick them into clicking on malicious links or opening infected photos and presentations.

In July 2010, Symantec detected that many phishing sites were spoofing social networking brands. Shantanu Ghosh says the sites posted fake offers for free online mobile phone airtime top-ups. The malicious site generated a Java code that the user had to enter on the address bar after logging on to a legitimate social networking site.

"The code in reality performs many malicious activities that ultimately send messages to people in the user's friends list. The code also manipulates users' profiles and replaces the content with messages promoting this offer," says Ghosh.

The Zeus Trojan previously targeted only Windows PCs; now its mobile version -- Zitmo (Zeus in the mobile) -- is doing the rounds. Vinoo Thomas of McAfee says it exploits the modern feature adopted by many banks to send a security code via SMS to the user's mobile. "The spyware can intercept the SMS sent by the bank to the user's infected phone, and forward it to the attacker, who might then be able to even log on to the bank account and perform a transaction," says Thomas.

Another threat that is common is applications. One reason for Android phones to become popular is apps, and that makes them vulnerable as well. Last December, Google had to pull out 50 suspicious-looking apps from the Android market after proving that these used various banks' names without their permission.

Precautions

Securing mobile payments is a complex task that involves businesses, consumers and communication service providers. Shantanu Ghosh says financial institutions and retailers must ensure that the users' identity is authenticated at multiple levels.

"Static passwords and user credentials are vulnerable to theft and misuse. Without a second dynamic factor for authentication, anyone with malicious intent who obtains a user's password can transact using his account," he says. He says that service providers have to put in place stronger network security for safe financial data transfer.

People who use their phones a lot for data transfer have to be careful with their usage pattern. Vinoo Thomas of McAfee suggests, "Use strong passwords, go directly to the website instead of clicking on links, and preferably use apps provided by the bank and ensure that you download them from the bank or a trusted site."

Says Amit Nath, country manager, Trend Micro, "If your phone gets infected, don't panic. Just remove the malicious application and scan your phone with security software. Most importantly, change passwords to your online accounts."

Nish Bhalla, founder of SecurityByte, says apps have become vulnerable since they are developed by people who may not have a good knowledge of security loopholes in the apps they develop. "Therefore, it's very important to train developers in security features," he says.

Source: http://timesofindia.indiatimes.com
