Mobile Malware is Here: Beware!

iPhones, Androids and other smartphones are much more than just a way to call our friends and family and store their phone numbers. Today’s smartphones have become our most personal computer and contain much more than pictures and contacts. They now allow us to access financial data, bank accounts, and medical information from anywhere at any time. And for many people, their mobile device has or is replacing their PC.

With all this convenience and access, comes some risk. Criminal hackers see this as an opportunity for them to access your information and make money. And so as the number of mobile devices has grown, McAfee has seen the amount of mobile malware grow.

The Android platform remains the largest target for both mobile malware and spyware. In fact, we see very few mobile threats that are not directed at Android phones. After a slight decline earlier in the year, Android malware has rebounded and almost doubled this quarter with over 20,000 samples.

The infographic below illustrates some of the ways that cybercriminals use to “infiltrate” your mobile device.

What most of these attacks have in common is that they allow a cybercriminal to take over your mobile device in some way. This is why it is critical to protect your mobile device.

Only buy apps from a well-known reputable app store, such as Google Play

Keep your operating system software updated

Be selective about websites you visit

Avoid clicking links in text messages or emails, especially if they are from people you don’t know

Stay educated on the latest tricks, cons and scams

Use comprehensive mobile security, like McAfee Mobile Security that includes antivirus, anti-theft, and web and app protection or comprehensive device protection like McAfee All Access that protects all your devices including your mobile devices

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Benefits of an Electronic Passport While Traveling

With the U.S. requiring ePassports or Visas from visitors as standard, and the European Union’s push for electronic travel documents, authorities are now requiring citizens to have new, safe ID documents, giving themselves and their citizens the peace of mind they need.

An Electronic Passport is the same as a traditional passport with the addition of a small integrated circuit (or “chip”) embedded in the back cover. The chip stores the same data visually displayed on the data page of the passport; a biometric identifier in the form of a digital image of the passport photograph, which will facilitate the use of face recognition technology at ports-of-entry, the unique chip identification number and a digital signature to protect the stored data from alteration.

The Electronic Passport facilitates travel by allowing automated identity verification, faster immigration inspections and greater border protection and security.

The Electronic Passport is designed to function for the passport’s full validity period under normal use.

The special features of an Electronic Passport are that it securely stores biographical information and digital image that are identical to the information that is visually displayed in the passport. And the contactless chip technology that allows the information stored in an Electronic Passport to be read by special chip readers at a close distance and the digital signature technology that is used to verify the authenticity of the data stored on the chip. This technology is commonly used in credit cards and other secure documents using integrated circuits or chips.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Cyber-Scrooges Set in Motion the 12 Scams of Holidays

The holidays are supposed to be a fun-filled time for celebrating with family and friends, but cybercriminals see this as a time of opportunity. They look to take advantage of us during this time when we’re in the spirit of giving and when we’re scrambling to get our gifts purchased, trees trimmed and donations made.

In a recent study, McAfee found that 70% of Americans plan to shop online during the holiday season and that 24% of us will be doing that shopping via our mobile devices. The scary part is that 88% of us would be willing to trade personal information in order to receive a great offer—something that could cause us to fall into scammers’ traps.

Here are the “12 Scams of the Holidays,” the dozen most dangerous online scams to watch out for this holiday season, revealed today by McAfee.

To make sure your holidays are not stolen by the Grinch, here are some tips on how to protect yourself against scams during the holidays, and year-round:

Stay suspicious—Like mom said, be wary of any offer that sounds too good to be true.

Practice safe surfing—When searching for holiday gifts, use a safe search plug-in such as McAfee SiteAdvisor®.

Practice safe shopping—Make sure you stick to reputable e-commerce sites that have been verified as safe by a trusted third-party, like the McAfee SECURE™ mark. Also look for “https” at the beginning of a site’s web address, which indicates that the site is secured.

Use strong passwords— Make sure your passwords are at least eight characters long and contain a variety of upper and lower case letters, numbers and symbols.

Be careful when clicking—Don’t click on links in messages from people you don’t know, and use a URL expander to know what site you are going to before clicking on a shortened URL.

Use comprehensive computer security—Make sure you have up-to-date security software that includes antivirus, anti-spyware, anti-spam, and anti-phishing protection for all your devices, including your mobile phone and tablet.

Educate yourself—Keep up-to-date on the latest scams and tricks cybercriminals use, so you can learn to recognize scams and avoid potential attacks.

Robert Siciliano is an Online Security Expert for McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Upgrading Your Driver’s License- Why Technology is Needed for Identity

The driver’s license is a document with multiple uses. On the road, it gives its holder the right to drive certain vehicles. Very often, it also serves as an identity document, particularly in countries that do not have a national identity card program.

This is just one more reason why it has to be highly secure. Historically, it has often been not more than a paper-mounted document with little or no security.

Identity is a simple idea that has become a complex problem. It has become complex due to fraud that is  motivated by money, easy credit, and the ease of account takeover. Because identity has yet to be effectively established, anyone can be you.

We have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third party information brokers and the lowly vital statistics agency that works for each state to manage the data. All of these documents can be compromised by a good scanner and inkjet printer. This is not established identity. This is an antiquated treatment of identity and ID delivery systems.

The international ISO/IEC 18013 standard, which came into force in 2009, outlines the framework for migration towards a secure identity document. The standard stipulates the use of visual security elements comparable to those used on other identity cards and passports.

As with all other secure documents the standard proposes the addition of a chip (microprocessor) to extend the range of possibilities offered by the card. There are many benefits to using a smart card for driver’s licenses, security being the most important one.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

1 in 4 Report Being a Victim of Card Fraud

The 2012 Global Card Fraud Survey by ACI Worldwide represents the insights and opinions of more than 5200 card holders from 17 countries and focuses exclusively on the impact to the card holder and their state of mind. Residents of Mexico and the United States reported the highest rate of card fraud experience. Some of the survey’s other key findings include:

  • Financial Institutions are running the risk of losing customers due to fraud, either directly, or through a decreased use of their cards.
  • Consumers report they fear identity theft most and would like to be notified immediately by banks of any potential fraud. They would like to be kept informed of the progress of any fraud disputes.
  • While fearing identity theft consumers are also demonstrating continued risky behaviors such as writing down personal identification numbers (PIN), failing to destroy personal documents and sharing credit card data on electronic devices lacking security software.
  • Consumers also shared their thoughts regarding what types of transactions they trust most and who they most trust in the event of fraud happening.

Financial Institutions have to comply with additional regulations including recommendation from the Federal Financial Institutions Examination Council (FFIEC). That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior and other devices they are associated with) the moment they touch the banking website.

Protect yourself from card fraud by paying attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Cyber Security in This Year’s Election – The Role It Played In 2012

For more than a decade, we have been at risk of cyber war and cyber terror due to political disputes or hacktivists bent on disruption. Our information, financial systems and critical infrastructures are the main targets. In 2012, cyber security became part of our popular culture due to the elections.

The Obama administration made the most significant advances in 2 ways: moving the discussion forward in creating minimum cyber security standards for all those responsible for critical infrastructure and moving forward in creating trusted identities in cyberspace. The National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions a cyber world – the Identity Ecosystem – that improves upon the passwords currently used to log-in online. It would include a vibrant marketplace that allows people to choose among multiple identity providers – both private and public – that would issue trusted credentials that prove identity.

And of course the Democrats and Republicans do not agree on next steps. The Republicans have stated Obama’s plans cost too much and are ineffective. Both candidates disagreed throughout the campaign.

ABC News reports  “The uncomfortable reality of our world today is that bits and bytes can be as threatening as bullets and bombs,” Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, told lawmakers.

Now it is up to this administration to follow through and get citizens properly identified and to properly protect our critical infrastructure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures

Many Die in World of WarCraft Hack

In a war like event thousands of players avatars dropped dead for no apparent reason. Hackers, or players using some form of exploit hacked the game and something went wrong. World of WarCraft is a massive multiplayer online game (MMO)where people from all over the world can ply online.

In a forum post a Community Manager wrote “Earlier today, certain realms were affected by an in-game exploit, resulting in the deaths of player characters and non-player characters in some of the major cities. This exploit has already been hotfixed, so it should not be repeatable. It’s safe to continue playing and adventuring in major cities and elsewhere in Azeroth. As with any exploit, we are taking this disruptive action very seriously and conducting a thorough investigation. If you have information relating to this incident, please email hacks@blizzard.com. We apologize for the inconvenience some of you experienced as a result of this and appreciate your understanding.”

iovation’s ReputationManager 360 is a proven service that helps protect MMOs against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices being used to play and examines their history and reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud, chat abuse, and more.

For years, leading game publishers have prevented game abuse and ensured a safe and fun experience for players with the help of iovation’s device reputation service. These publishers (along with iovation’s network of more than 2,000 fraud analysts from other online businesses) share information, trends, and best practices with iovation and with each other in order to stay one step ahead of cheaters and criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Laptop Theft is a Serious Problem

Almost all of us know someone who has lost or had their mobile device stolen. Thieves are becoming more sophisticated every day. They are after your personal information.

But what about losing your laptop computer?  Petty thieves used to steal a laptop for its quick resale value. But as laptop prices have come down and their computing power goes up, it is the data contained on them where the money is for a criminal.

With readily available IT tools, they can access your hard disk and extract all your personal information. The results can be much more serious than leaving your wallet or purse at the coffee shop. According to the FBI, a laptop is stolen every 53 seconds and 97% of stolen laptops never recovered, so it’s more important than ever for all of us to protect our digital assets.

McAfee is helping protect you with the new release of McAfee Anti-Theft, security software designed for Ultrabooks to protect your property and personal information. This latest product is a collaborative effort with Intel that leverages Intel Anti-Theft Technology to provide device and data protection for consumers in today’s connected world.

This smart security tool combines hardware with software to detect potential theft, help you track your lost or stolen Ultrabook, and lock it down remotely so your personal files stay that way. Once your PC is returned, getting back to normal is as easy as typing in your personal password. And with the provided Intel Anti-Theft stickers, thieves may think twice about stealing a laptop that’s so well protected.

McAfee Anti-Theft is available on Ultrabook devices. It’s just one more way McAfee helps you keep your personal information protected for a more worry-free digital life.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)

Breach Means More Retailer Card Fraud

Over the past 5 years a scam known as electronic funds transfers at the point of sale (EFTPOS ) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services and hackers have figured out how to skim customer cards.

In Australia, Fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted for card skimming.

Officials say the problem is so bad they urged people to change credit and debit card pin numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States a similar card skimming scam was pulled off at the Stop and Shop Supermarket chain.

 

The most recent large card data breach was from Barnes & Noble.   “Barnes & Noble has detected tampering with PIN pad devices used in 63 of its stores. Upon detecting evidence of tampering, which was limited to one compromised PIN pad in each of the affected stores, Barnes & Noble discontinued use of all PIN pads in its nearly 700 stores nationwide. The company also notified federal law enforcement authorities, and has been supporting a federal government investigation into the matter. Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store.  The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases.  This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”

When the use of these stolen credit cards go online, iovation’s ReputationManager 360 helps banks and online merchants avoid fraud losses by detecting high-risk behavior and stopping cybercriminals in their tracks. iovation’s device identification and device reputation technology assesses risk on activities taking place at various points within an online site such as account creation, logging in, updating account information, attempting a purchase, or transferring funds. These checks can be customized and fine-tuned to suit the needs of a particular business, detecting fraudulent and risky behavior in order to identify and block cybercriminals for good.

Consumers must pay close attention to their statements and refute unauthorized charges within 60 days. I recommend going online at least weekly and looking closely at all your charges no matter how small they are.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

What Threats Are Unique To My Mobile Device?

Imagine your body being targeted by 75 million viruses. That is exactly what’s happening to your digital devices and mobile devices are being targeted like never before. Mobile smartphone and tablets are being targeted in record numbers.

Android has become the most popular platform for new malware, and in McAfee’s Second Quarter Threats Report, was targeted exclusively by all new forms of mobile malware. The Symbian OS (for Nokia handsets) remains the platform with the all-time greatest number of viruses, but Android is the main target for hackers now.

With the increase in mobile malware, it’s always a good idea to stay educated on how you could be exposed. And there are some things to be aware of that are unique threats to your mobile device such as:

QR Code Scams
QR code infections are relatively new. A QR scamworks because, as with a shortened URL, the link destination is obscured by the link itself. Once scanned, a QR code may link to a malicious website or download an unwanted application or mobile virus.It’s a good idea to refrain from clicking QR codes from unfamiliar sources. Stick to codes provided by known advertisers or vendors, as these are least likely to be infected.

SMiShing
SMiShing is a version of phishingin which scammers send text messages rather than emails, which appear to have been sent by a legitimate, trusted organization and request that you click on a link or provide credentials in a text message reply. The term is a condensed way of referring to “short message service phishing,” or “SMS phishing.”Once you understand how it works, you are better positioned to recognize SMiShing, and to avoid clicking links within text messages or otherwise responding to such ruses.

Premium SMS fraud
McAfee Labs™ reports one of the simplest ways to generate profit from malware attacks on mobile devices is to place a call or send texts to pay-for premium numbers. If this activity is infrequent (for example, only once a week during the night) and concealed (by erasing the logs and using the hiding capabilities of rootkits), then it may go unnoticed for a long time.The key property to this malware’s popularity is the software’s ability to covertly send messages. In this case, Android is more risky than iOS because in Android permissions are assigned once at installation and cannot be dynamically controlled.

Jailbreaking or Rooting
Jailbreaking is the process of removing the limitations imposed by Apple and associated carriers on devices running the iOS. To ”jailbreak” means to allows the phones owner to gain full root access to the OS and access all its features. Similar to jailbreaking, “rooting” is the term involving the process of removing the limitations on any mobile or tablet running the Android operating system.Jailbroken and rooted phones are much more susceptible to viruses and malware because users can avoid Apple and Google application vetting processes that help ensure users download virus-free apps.

Expect more scams and more scam warnings directed toward your mobile devices going forward. As mobile cybercrime evolves and criminals begin to make some money, they will have the resources to hire crackerjack programmers to do their deeds. The time is now to secure your devices.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)