Mobile Devices: Convenient and Useful, but Present Special Risks

Who doesn’t have a smartphone? We conduct business from them, run our homes, shop, bank and track our health from them. How many have given up landline phones and only use their mobile phones? There is no question, they pervade our lives and have access to or carry data critical to our livelihoods and lives. The concerning aspect of all this is that smartphones are rarely considered as needing to be kept secure. Granted, there are those who have implemented secure passphrases to access the device, but how many more use a simple PIN or worse, nothing? As an employer, do you allow your employees to use their phones for business purposes? If so, what steps have you taken to ensure that your business will not be exposed to undue risk?

Just today in a single publication were headlines for new Android and Apple/iOS vulnerabilities. Reputable vendors tend to work very hard at mitigating identified risks with patches as quickly as possible, but the onus lies with users to install them. Users, however, tend to ignore updates while also engaging in risky behaviors–making devices and the data they access more likely to be compromised by malware. By nature of their small size, viewing web pages and email on a smartphone or even tablet, obscures details that on a computer would make a user suspect and avoid interaction. With the advent of smishing (phishing by SMS) and vishing (phishing by phone calls), cell phones again present elevated risk. The number displayed on an incoming call or text message cannot be trusted. Faking numbers is very easy to do. Responding to questions on a call from someone of uncertain identity or clicking a link in an SMS which may be crafted to take you to a compromised page, can give cybercriminals information they need to carry out a compromise of the device, user and/or business.

Apps, many installed by the carrier, are developed so quickly for functionality with little regard for security. They often include unnecessary permissions to access aspects of the phone and its data for marketing purposes at a minimum. These apps are easily compromised by malware to “leak” data. Apps in the respective Apple or Google stores are vetted to some degree, but there are regular stories of malicious apps found on both platforms and subsequently removed from the stores after they’ve already been installed on devices. These apps might function as Trojans, installing more malware or they may harvest and deliver confidential information to cybercriminals–information like credentials used by other apps or in web browsers. Think email accounts, banking and shopping apps, maybe custom work apps.

Users are focused on accomplishing tasks, not on being secure–unless they are regularly reminded of the necessity of security. Consider implementing security awareness training. Short, frequent emails and videos keep users aware of risks they, or you, may not otherwise see and give practical tips on recognizing and avoiding them. Besides failing to install security updates and installing insecure apps, users often do not limit app permissions manually, will often use public wifi, and may leave their phones physically vulnerable to theft. There are some simple, no-cost steps that can be taken to secure mobile devices and the Federal Communications Commission has put an interactive tool and a pdf checklist on their website.

For all those accounts used for business, banking, shopping, controlling your security cameras, thermostats and all those other IoT functions, make sure credentials are strong and unique to begin with. Enable MFA (Multi-Factor Authentication) wherever possible. A call or text to your mobile phone may be the simplest, but apps designed for the purpose can be harder to compromise. The Microsoft Authenticator App and the Google Authenticator App are available for both iOS and Android in their respective stores. Both are easy to use, but be sure to keep track of credentials used to set up the app and follow vendor instructions when transferring to a new device. The Microsoft Authenticator App is more user-friendly in that it makes backup and transfer simpler. It also allows users to give each account setup within the app a friendly name whereas the Google Authenticator App takes a default name from the site. Bank sites especially often transition logins to external sites that don’t have the bank’s name in them, so looking at 20 different accounts can make it difficult to find the right one. Additionally, the Microsoft Authenticator App allows entries to be manually arranged, so the more frequently needed can be moved to the top of the list.

The way these apps work is that you install them on your phone or tablet. Then, whether from your computer (easiest when setting up the authenticator) or other device, you setup MFA for your bank account as an example. Login to your bank account and in the account security settings, look for options to set up MFA. There is likely to be an option to set up an app. Load your app on the phone and choose to add an account. You will be prompted to either scan a barcode on the website you’re setting up (this is why doing this bit from a computer is easier) or type in a code given on the screen. The app then creates an account and presents another short code that you type in back on the website to confirm the link. Now, the next time you login to that site, you will be prompted to enter the confirmation code, so you go to your phone or tablet, open the app, find the account in the list and type in the code from the device to the account. These codes change every sixty seconds, making it more difficult to compromise them. You can further secure these codes by making sure that your device is encrypted and protected with a complex password containing a mixture of numbers, upper and lower-case characters. Once set up, logging into accounts from browser pages on your phone will also prompt for codes which are easy enough to either commit to short-term memory or copy and paste from one app to the other.

The auth apps generally are not useful for authenticating within other apps such as banking, shopping or IoT device management. Instead, as the user, you need to make sure those apps are hard to access by anyone other than you. How? Encrypt your device if it is not by default–the option is usually in settings somewhere, typically in the security section. Next, make sure you have a complex password to access the device and set the screen to lock after a minute of inactivity–or better yet, get in the habit of manually locking it when you put it down. Speaking of putting it down, don’t leave it laying around in public. Log out of your apps when you’re not actively looking at them and don’t use them over public wifi. Another useful step to take is set accounts to alert you to any activity from login to changes to transactions. You can always dismiss an alert if it was your own activity, in the case of nefarious activity, you will be alerted before too much damage can be done.

Install malware protection which automatically updates and scans. Some trustworthy names are Lookout, F-Secure, Trend Micro, Bitdefender, and Malwarebytes. Each has their own mix of tools. Enabling VPN features can give you more security and privacy, but understand that all VPNs are not created equal and are only as privacy and security focused as the company that makes them. Make sure that if your device is lost or stolen, you can login to a management account to possibly locate it, or wipe it. Set the screen lock to wipe the device after several failed login attempts. Before getting rid of an old device, be sure to wipe the data and remove any external memory cards.

So, we’ve covered some ways to make the device more secure, but what about using it more securely? As previously noted, when viewing email and web pages on the phone, a lot of visual cues to malfeasance are not present. Let’s say you get an email that looks legit, but something seems off. It would be best to either wait to check it out from your computer where you can inspect the sending address and hover over links to see the URL they are taking you to, or if the sender is known to you, give them a call or send a separate email (not a reply) to validate the message you are inspecting. When in doubt, skip over it until you can review it from the computer. Unless you are very sure of links in a message or browser, again, put off navigating to them until you can do so from your computer. Consider installing a Mozilla browser. Mozilla Firefox is aimed at privacy and security. Since trackers comprise a major portion of suspect websites, some of the worst will be blocked.

If you’ve given anyone your cell number, then you’ve likely gotten smishing text messages. Just like email phishing, they can be full of the typical typos and grammatical errors, or, more likely, they look legitimate: like notices from your bank, shipping notices on your orders, etc. The common feature to smishing texts is that they lure you into a response to click on a link to call someone or visit a website. All are scams. Just like “unsubscribing” is no longer advised for spam emails, replying “stop” to a smish only validates your number. Calling numbers provided or clicking on links to verify your account are aimed at compromising your account credentials and/or infecting your device with malware. The sending number on these smishing messages are often spoofed, just like those calls you get with caller ID indicating they’re in your city but then you can tell if you pick up are being made out of some huge boiler room–probably off shore so our laws don’t apply. There is an excellent article on smishing with some very clear examples on the hashedout blog by The SSL Store. If you don’t recognize the sender of the message, delete it. If it appears there may be a problem with your bank, a recent order or anything else, check it out by logging into your account by another means: a web browser on your device or computer or a secured app not linked to the message.

Increasingly, scammers are resorting back to phone calls to extract lesser-known details from individuals and companies. They often start with a bit of research into public information: websites, social media, news stories. Then they spoof their number to look like it’s local to you–maybe it’s even your own number! When they call, they know just enough to sound like a legitimate vendor or potential customer, but then start asking questions which help them to fill in gaps in their knowledge with more confidential information. These calls increasingly are utilizing AI (artificial intelligence) to either engage you or manipulate your responses. This then allows a future, more targeted phishing attack referred to as spear phishing. These kinds of attacks can result in serious data breaches and identity theft. Just as with phishing emails, if you get a suspect call and happen to answer, simply hang up once you suspect anything. Be careful with initial engagement, try to not answer questions. The less you say, the better!

Technology definitely makes our lives better by simplifying tasks, allowing more ready access to resources and being easy to transport. We’ve come a long way from the days of the telegraph. However, what makes it all so wonderful makes it just as wonderful to those looking to make illicit wealth. Scammers and hackers make good money. These are not often individuals with a side hustle. Instead, these are fully functioning businesses. Where there is a will, there will always be a way, so set your will to be informed and watchful.