The biggest risk to security in the mobile channel is the convenience with which users can engage in risky activities such as downloading malicious software and divulging personal details.
Mark Crichton, tech director for fraud and risk solutions at RSA, and Charles McColgan, chief technology officer at TeleSign, delivered that message at the RSA conference during their presentation, "The true cost of fraud and cyber-crime against your mobile channel".
“The more you can do on them and the more convenient you can make it, I will do it,” Crichton told SCMagazineUK.com. “I think that opens us up to all the data, systems, whatever it might be – and that's the biggest risk to security.”
When all a mobile phone could do was send text messages, it wasn't much of a security threat, he added.
Consumers may download a seemingly innocuous app and unknowingly grant that app permissions and access to other features on the phone at the same time, effectively turning the phone against its owner.
“You might download a torch app for your phone but what it's actually doing is every couple of minutes sending a text to a premium rate number or making a call,” Crichton said.
Another phone exploit is to put malware on someone's phone and then wait for a text message from their bank containing a one-time authentication code, a problem that is more prevalent in Europe and Latin America than it is in North America, he said. “The malicious apps are forwarding those messages to fraudsters in real time, never displaying them on the device.”
It's certainly the case that mobile phones increase the opportunity for attack, McColgan told SC. “I always look at security from a surface area perspective and as it gets bigger and bigger, it gets harder to protect.”
A self-confessed gadget person, he said he has networked a lot of devices in his house including entertainment systems and lights but one thing he won't add to the network, even though he could, is the front door locks. “I don't want high school kids as a prank unlocking my house as they drive by,” he said.
McColgan said that in the UK there have been cases of fraudsters calling mobile phone companies to report a stolen phone and then getting the service provider to switch the phone number to another handset. This is then followed up by initiating a transaction with the bank, which believes it has confirmed the transaction with the customer's valid mobile phone.
“Now UK banks are starting to put in SIM swap detection so when you see fast SIM swaps it becomes a fraud signal,” he said.
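As an added illustration of the SIM-swap signal McColgan describes (not code from the presentation or from either company), the decision logic below treats a recent carrier-reported SIM change as a reason not to trust SMS one-time codes for that number. The event feed, the sample numbers and the 24-hour and 7-day windows are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class SimChange:
    """One SIM change reported by the carrier for a subscriber number (MSISDN)."""
    msisdn: str
    changed_at: datetime


# Constructed sample feed: the victim's number was moved to a new SIM
# 40 minutes before a transfer is attempted on 2015-04-22 at 14:45.
SAMPLE_SIM_CHANGES = [
    SimChange("+447700900123", datetime(2015, 4, 20, 9, 30)),
    SimChange("+447700900123", datetime(2015, 4, 22, 14, 5)),
    SimChange("+447700900456", datetime(2014, 11, 2, 8, 0)),   # old, unrelated number
]


def latest_sim_change(events: Iterable[SimChange], msisdn: str,
                      before: datetime) -> Optional[datetime]:
    """Most recent SIM change for msisdn at or before `before`, or None if unknown."""
    times = [e.changed_at for e in events
             if e.msisdn == msisdn and e.changed_at <= before]
    return max(times) if times else None


def otp_delivery_decision(events: Iterable[SimChange], msisdn: str,
                          transaction_at: datetime,
                          block_window: timedelta = timedelta(hours=24),
                          review_window: timedelta = timedelta(days=7)
                          ) -> Tuple[str, Optional[float]]:
    """Decide whether an SMS one-time code may be sent to msisdn for this transaction.

    Returns (decision, hours_since_last_swap). A swap inside block_window means
    the handset holding the number cannot be trusted, so the code must go through
    another channel; a swap inside review_window triggers step-up verification.
    """
    swapped = latest_sim_change(events, msisdn, transaction_at)
    if swapped is None:
        return "send_sms_otp", None
    age = transaction_at - swapped
    hours = age.total_seconds() / 3600
    if age <= block_window:
        return "block_sms_otp_use_alternate_channel", hours
    if age <= review_window:
        return "step_up_verification", hours
    return "send_sms_otp", hours
```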
They agreed that mobile phone manufacturers have done a good job of building biometric security into phones in a way that preserves user privacy. Not only do they encrypt the data but they also store it on the phone, rather than transmitting it to a server, to make it more difficult to intercept.
And they agreed that the two major flavours of mobile phone operating system – iOS and Android – were equally secure in themselves, but that Apple, with its walled-garden approach to app certification, has the advantage over Samsung in protecting the less tech-savvy user.
“If you, as a user, are not knowledgeable about what you are doing then Android is probably less secure than Apple,” Crichton said. “Apple has taken steps to kind of prevent users from making silly decisions.”