Beware of Rogue Cell Phone Charging Stations

Humans have evolved a new body part: the cell phone. One day it will be part of anatomical illustrations of the body in health and medical books probably an appendage on your head. I’m not a Dr. so don’t quote me.

For now, we have to figure out a way to keep this appendage juiced up without being lured into a data-sucking battery-charge station.

There’s even a name for this kind of crime: juice jacking. The kiosk is designed to appear like a legitimate battery charging station, when in fact, it will steal your phone’s data while it’s hooked up.

Worse yet, sometimes the thief will set the station to deposit malware into your phone. The crook will then have access to all the sensitive information and images that you have on the device.

These fraudulent stations are often set up at locations where users would be in a rush and won’t have time to check around for signs of suspicion or even think about the possibility of getting their personal life transferred out of their phone and into the hands of a stranger.

Are these thieves smart or what?

But you can be smarter.

Prevent Juice Jacking

  • Before leaving your house, make sure your phone is fully charged if possible.
  • Buy a second charger that stays with you or in your car at all times, and make a habit of keeping your phone charged while you drive.
  • Of course, there will be times when you’re out and about, and before you realize it, your device has gotten low on power. And it’s time to hunt for a public charging station.
  • Have a cord with you at all times. This will enable you to use a wall socket.
  • Turn off your phone to save batt. But for many people, this will not happen, so don’t just rely only on that tactic.
  • Plug your phone directly into a public socket whenever you can.
  • If you end up using the USB attachment at the station, make a point of viewing the power source. A hidden power source is suspicious.
  • If bringing a cord with you everywhere is too much of a hassle, did you know you can buy a power-only USB cord on which it’s impossible for any data to be transferred?
  • Another option is an external battery pack. This will supply an addition of power to your device.
  • External batteries, like the power-only USB cord, do not have data transfer ability, and thus can be used at any kiosk without the possibility of a data breach.
  • Search “optimize battery settings” iPhone or Android and get to work.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data

Do you have employees who bring mobile phones to work and use those devices on the corporate network? Do they store company data on these “Bring Your Own Devices (BYOD)”?? Does your company have a policy in place for this?

First, the moment a person brings in their personal phone to work, there is a fusion of personal and business tasks that occur. And, equally as bad, company issued devices are used for personal use as much, if not more than the employees own devices. Not sure you believe this? Here are some stats:

A recent survey asked 2,000 office workers about their habit of using their personal mobile devices at work. Here’s what it found:

  • 73% of people admit to downloading personal apps to tablets they got from their company.
  • 62% of people admit to downloading personal apps to mobile phones they got from their company.
  • 45% of people admit to downloading personal apps to notebooks they got from their company.
  • The people who were most likely to do this were in the 25 to 38-year-old age group.
  • 90% of people use their personal mobile devices to conduct business for work.

As you can see, a lot of people are using their mobile devices on the job, and this could not only put your company data at risk, but also the data associated with your clients. Do you have a plan to minimize or even totally prevent how much sensitive company data is wide open to hackers?

Solutions to Keep Sensitive Business Information Safe

Decision makers and business owners should always consider their personal devices as equal to any business device. You definitely don’t want your sensitive company information out there, and this information is often contained on your personal mobile or laptop device. Here are some things that you can do to keep this information safe:

Give Your Staff Information About Phishing Scams

Phishing is a method that cybercriminals use to steal data from companies. Studies show that it is extremely easy for even the smartest employees to fall for these tricks. Here’s how they work: a staff member gets an email with a sense of urgency. Inside the email is a link. The body of the email encourages the reader to click the link. When they do, they are taken to a website that either installs a virus onto the network or tricks the employee into giving out important company information.

Inform Your Staff that the Bad Guys Might Pose as Someone They Know

Even if you tell your staff about phishing, they can still get tricked into clicking an email link. How? Because the bad guys make these emails really convincing. Hackers do their research, and they are often skilled in the principles of influence and the psychology of persuasion. So, they can easily create fake emails that look like they come from your CEO or a vendor, someone your staff trusts. With this in mind, it might be best to create a policy where employees are no longer allowed to click email links. Pick up the phone to confirm that whatever an email is requesting, that the person who sent it is legitimate.

Teach Employees that Freebies aren’t Always Goodies

A lot of hackers use the promise of something free to get clicks. Make sure your staff knows to never click on an email link promising a freebie of any kind.

Don’t Buy Apps from Third-Party Sources

Apps are quite popular, and there are many that can help to boost productivity in a business setting. However, Apple devices that are “jailbroken” or Android devices that are “rooted” are outside of the walled garden of their respective stores and susceptible to malicious viruses. Make sure your employees know that they should never buy an app from a third-party source. Only use the official Apple App Store or the Google Play Store.

Always Protect Devices

It’s also important that you advise your employees to keep their devices protected with a password. These devices are easy to steal since they are so small. If there is no password, there is nothing stopping a bad guy from getting into them and accessing all of the accounts that are currently logged into the device.

Install a Wipe Function on All Mobile Devices Used for Business

You should also require all employees to have a “wipe” function on their phones. Even if they are only doing something simple, like checking their work email on their personal mobile device, it could get into the wrong hands. With the “wipe” function, the entire phone can be cleared remotely. You should also require employees to use the setting that erases the phone after a set number of password attempts.

Require that All Mobile Devices on the Company Network Use Anti-Virus Software

It’s also important, especially in the case of Android devices, that all mobile devices on the network have some type of anti-virus software.

Do Not Allow Any Jailbroken Devices on Your Company’s Network

Jailbroken devices are much more vulnerable to viruses and other malware. So, never allow an employee with a jailbroken phone to connect to your network.

All Employees Should Activate Update Alerts

One of the easiest ways to keep mobile devices safe is to keep them updated. So, make sure that all employees have update alerts enabled, and make sure that they are updating their devices when prompted or automatically.

Teach Employees About the Dangers of Public Wi-Fi

Finally, make sure your staff knows the dangers of using public Wi-Fi. Public Wi-Fi connections are not secure, so when connected, your devices are pretty open. That means, if you are doing things that are sensitive, such as logging into company accounting records, a hacker can easily follow. Instead, urge employees to use a VPN. These services are inexpensive and they encrypt data so hackers can’t access it.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to Avoid Bad Apps

If you think there’s like a million apps out there, that’s not exactly an exaggeration. For sure, there are more than you can imagine, which makes it easy to conceive that many certainly come with security problems.

In fact, out of the top 25 most popular apps, 18 of them bombed on a security test from McAfee Labs recently.

Creators of apps put convenience and allure ahead of security. This is why so many apps don’t have secure connections—creating welcome mats for hackers; they get into your smartphone and get your passwords, usernames and other sensitive information.

Joe Hacker knows all about this pervasive weakness in the app world. You can count on hackers using tool kits to aid in their quest to hack into your mobile device. The tool kit approach is called a man-in-the-middle attack.

The “man” gets your passwords, credit card number, Facebook login information, etc. Once the hacker gets all this information, he could do just about anything, including obtaining a credit line in your name and maxing it out, or altering your Facebook information.

You probably didn’t know that smartphone hacks are becoming increasingly widespread.

bad-apps

So what can you do?

  • Stay current – Know that mobile malware is growing and is transmitted via malicious apps.
  • Do your homework – Research apps, read reviews, and check app ratings before you download.
  • Check your sources – Only download apps from well-known, reputable app stores.
  • Watch the permissions – Check what info each app is accessing on your mobile devices and make sure you are comfortable with that.
  • Protect your phone – Install comprehensive security on your mobile devices to keep them protected from harmful apps.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Can an App really act as a Bodyguard?

In the event of an attack, new smartphone applications can be used to send an alarm to a pre-chosen person. And the potential victims location can then be tracked.

1SDBut is this faster and more secure than a woman whipping out pepper spray and blasting a drunken buffoon who has her cornered in a parking garage at night?

No.

Apps meant for personal security are simply one layer of protection but in no way should be relied upon for personal protection. I mean, come on!!!! IT’S AN APP!!!!!!!

For the iPhone and Android, one such app is called STOP-ATTACK. This can be programmed to call 9-1-1. Once this app is activated it will record video and audio that gets sent to a cloud. This way, you’ll have evidence of who was on top of whom or if someone really did reach into their pocket and pull out a metallic-looking object.

The threatening person won’t even know he’s being recorded. STOP-ATTACK also has an alarm and light that, once triggered, might scare off the perpetrator. It can be activated without actually logging into your phone if your device normally requires a security code. You get all this for $3.99 per year.

Will STOP-ATTACK actually stop an attack? NO. The name is misleading.

Others are out there (e.g., StaySafe, Circle of 6, Panic and Guardly), but the bottom line is that there’s really no reason not to have one—even if you’re a big brute. Women concerned about assault represent one slice of the pie. Muggings over smartphones are getting more common, and often, victims are men.

Like with the can of mace, the potential victim needs to be prepared to handle the smartphone’s security feature very quickly, even slyly, before the perpetrator can grab it—whether he just wants the phone or wants to commit assault. So if the phone is in a woman’s purse while she’s walking around town alone past midnight, it does no good.

Nevertheless, an application like this adds a layer of security to the user. The user needs to insert some human factor into the equation when a threat arises. If a woman senses danger, and she must dig into the deep crevasses of her purse to locate her smartphone…she could have already bolted from danger or leveled a right hook into the would-be assailant’s temple. A trained woman can debilitate an attacker with proper training. But please, DO NOT rely on an app to protect you.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Mobile Apps Failing Security Tests

It’s been said that there are over a million different apps for the smartphone. Well, however many may exist, know that not all of them are passing security tests with flying colors.

6WYou may already be a user of at least several of the 25 most downloaded apps And what’s so special about the top 25? 18 of them flunked a security test that was given by McAfee Labs™ this past January. And they flunked the test four months after their developers had been notified of these vulnerabilities.

App creators’ first priority is to produce the next winning app before their competitors do. Hence, how secure it is doesn’t top the priority list, and that’s why there’s such a pervasive problem with security in the mobile app world.

Because these apps failed to set up secure connections, this opens the door for cybercriminals to snatch your personal information such as credit card numbers and passwords. And this is growing because this weakness in apps is so well known and it’s pretty easy for cybercriminals to purchase toolkits that help them infect smartphones via these vulnerable apps.

The technique is called a “man in the middle” attack. The “man” stands between you and the hacker, seizing your personal information. The “man” may capture your usernames and passwords for social media accounts and so much more—enough to open up a credit card account in your name and then max it out (guess who will get the bills); and enough to commit a lot of damage by manipulating your Facebook account.

So What Can You Do?

Here’s some tips to help you protect yourself from these unsecure apps:

  • Before purchasing an app, get familiar with its security features—read reviews and check what permissions the app is asking access to. You don’t want to end up with an app that accesses way more information about you than necessary for what you want the app for in the first place.
  • Download only from reputable app stores, not third-party vendors. This will reduce your chance of downloading a malicious app.
  • Don’t have your apps set to auto login. Even though it may be a pain when you want to access Facebook, it’s better to be safe than sorry.
  • Make sure you use different passwords for each of your apps. Sorry, I know that’s a hassle, but that’s what you must do. And make sure your password is long and strong.

Here’s to staying safe on our mobile devices.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Mobile Carriers spying on Users

How does my mobile phone know I like tools, electronic gadgets and tarantulas? It keeps showing me ads for these products! Christmas is coming and my kids like bugs, big bugs.

10DHow does it know? It’s called “supercookies”. And they aren’t yummy.

If Verizon is your carrier, that’s why. Verizon uses a “unique identifier token header” for every website the user visits. There are cookies that tag along with the user wherever they go in cyberspace. Advertisers gorge on these cookies because they tell them what products to advertise for each unique person.

You can opt out of Verizon’s program, but this won’t prevent the UIDH (this a Unique Identifier Header) from being stamped on any site you visit and then be visible to a web server.

Even Android’s and iOS’s systems can’t supersede the UIDH system. The UIDH HTTP header is not the same as a typical Internet cookie. This is a lot to digest, it is what it is.

At present, there is no opt-out technology to truly eradicate what some consider spying, and it won’t be around soon, either. And look for AT&T to think possibilities by adopting this UIDH system to track their subscribers’ web journeys.

Though there’s no opt-out-like feature to stop this, there is a way to block it: VPN (virtual private network). Some smartphones have a VPN mode; once activated it will make the user anonymous. I like Hotspot Shield (HSS), which works on Androids and iPhones, easy. And don’t twiddle your thumbs waiting for universal encryption; your toddler will be entering college by then.

If targeted ads (hey, maybe you just love those handbag adverts) don’t phase you, then consider this: Cyber thieves can get ahold of all the sensitive information you have in your phone and learn all sorts of things about you, including any sordid details. Or maybe they just want to steal your identity to drain your bank account. Everyone is being watched by everybody.

Should you worry? That all depends. The Electronic Frontier Foundation is worried. They no likey.

This is where the VPN comes in, especially if you use public Wi-Fi, which is not encrypted. HSS, which is free, will protect your data. There’s also an upgraded version that you pay for; it’s faster. Either version will guard your Internet activities from prying eyes.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Researchers say your Mobile Carrier’s Network isn’t all that Secure

Gee, even the tools that update your smartphone’s operating system over the air have holes that hackers can slip into.

5WIt’s estimated that as many as two billion handsets are vulnerable, and in some instances, security patches haven’t even been released.

The open mobile alliance device management (OMA-DM) protocol is used by around a hundred smartphone companies to release software updates and conduct network administration. And that’s what they say where the problem lies.

A hacker must know the handset’s distinct international mobile station equipment identity (IMEI) number, plus a secret token, to take remote control. It’s not difficult to obtain the IMEI number or the secret token of the company, thanks to lax networks and vulnerable operating system versions.

Researchers discovered they could easily upload code to a phone after following a WAP message from a base station, then proceed like a hacker would.

Another experiment showed that a fake femtocell could be used to get into BlackBerry, Android and some iOS devices by using weak security protocols. Participants turned off their smartphones and set the femtocell to its lowest power setting. The researchers still managed to pick up over 70 handsets.

They found that Android was the most vulnerable, along with BlackBerry. iOS was tougher to crack, but some devices that were run by Sprint were vulnerable.

Another flaw was that devices could be tricked into checking on their OMA-DM servers; the connections had http instead of https.

The researchers reported that most of the manufacturers and carriers had fixed the OMA-DM systems—most, not all.

What are the network threats?

Hackers practically have the cyberworld at their fingertips, able to attack in so many ways, using so many methods, from apps to users, users to users, and various machines to machines. Hackers don’t just want to access data; they want to manipulate it.

4G refers to fourth generation network, succeeding 3G to offer the fastest speed for wireless activity. The protocol for 4G, however, is flawed, allowing for weakening of the protection for phones and their networks.

The hacker would go right for mobile networks to get simpler, wider entry points. Networks for mobile devices, thus, need to be toughened up. If a smartphone is infected, it will be able to target and scan other smartphones within its proximity (since 4G is IP based), all while the carrier has no clue.

The hacker could infiltrate a desired network, access the 4G network, then have a nice, easy launching pad for the crime.

If a hacker uses weak wireless APN connections for his activities, this forces the smartphones in use to rely upon an ongoing network connection. This will make batteries wear out faster. Furthermore, jammed-up signals may lead to denial of service.

One way to protect wireless networks is by using Hotspot Shield to override any insecurities of open free WiFi and to help protect from some of 4Gs failings.

With the fast speed that stands to come with 4G are also weak security levels and lame network structures. Users will not appreciate this price, and mobile operators will need to step quite a bit up on security tactics for keeping hackers out.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

United Airlines Passport Scanning Mobile App: is it safe?

How much easier international travel is for United Airlines fliers: They can now use their iOS or Android device to scan their passports.

PP

If a customer checks in with United’s mobile application for international flights, they can access the passport-scanning feature. One can check in within 24 hours of departure. Fliers will get an option to confirm their stored passport data or to scan their passport.

If a customer chooses the scan, the app will use the smartphone’s camera to capture passport information. United says this is “similar to a mobile banking deposit.” The flier can retrieve the boarding pass after the passport scan is verified.

United says that their passport scanning feature is very time-saving and gives fliers more control.

Since it’s launch, Ive been asked by multiple outlets in regards to its security and the safety of this application, as it pertains to possible data breaches. The company who created the apps backbone is “Jumio” and by all accounts, they seem top notch.

It’s important consumers never blindly download or use any application without doing some due diligence. This is what I found;

Jumio states: “Jumio is PCI Level 1 compliant and regularly conducts security audits, vulnerability scans and penetration tests to ensure compliance with security best practices and standards. To demonstrate PCI compliance a yearly on-site validation assessment by a QSA is carried out. Jumio carries the security controls established to achieve PCI compliance over to PII data which is of comparable sensitivity and has extended the scope of such controls to cover and protect all systems used to transmit/process/store PII data. Doing so, provides Jumio with a coherent and independently tested set of security policies/processes/controls and enables Jumio’s customers to gain confidence that their data – be it credit card or PII – is handled in a secure manner throughout its lifetime.”

This is great. Now let’s hope my airline, Delta, signs on too!

And again, know what you’re getting into with any app because the Wall Street Journal ran a report in 2010 warning people of app developers’ missing transparency. And yes, we’ve come a long way in 4 years but 101 popular applications for iPhone and Android were examined. It turned out that 56 actually transmitted the mobile device’s unique ID to other companies. This was done without the user’s consent or even awareness.

Forty-seven of the apps transmitted the device’s location. Five of the applications sent gender, age and other personal data to outsiders.

This shows how intent that online-tracking companies are at collecting private information on people. Kind of makes you think of that song, “Every Breath You Take,” by the Police, especially the part that goes, “I’ll be watching you.”

Trackers know what apps the user is downloading, how often they’re used and for how long, the whole works. And there’s been no meaningful action taken to curb this. It’s all about money. (Isn’t everything?)

The more “they” know about the user, the more targeted ads will come the user’s way. If they know you love shoes, ads about shoes will pop up. However, all this “transmitted” personal information can also be used for ID theft and other criminal purposes.

Solution:

Be aware. Don’t just blindly downloads and use an application. Do your research, read the terms and conditions and/or terms of service.

The user must weigh the risks and benefits when downloading the next application. In addition, download only from a reputable app store—after you’ve read user reviews and the app’s privacy policy regarding how much personal information it will get into and share.

Other tips include avoiding conducting smartphone transactions over unsecured Wi-Fi connections and keeping the software current in your smartphone: keeping up to date on its operating system, security software and browser.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Using your Mobile to protect you from criminals

The Good:

5WYour mobile phone number is almost as good as your fingerprint: very unique to you, and as a second factor authentication device via text message, acts as access control through which to access certain web sites.

SMS two factor authentication as it’s know is the sending of unique one time pass codes that turns your mobile phone into a recipient of a onetime password or “OTP”. Generally there’s no software to install and it’s just a matter of registering your device with the website. OTPs are sent to smartphones upon entering your username, than a password or after you click a button on the site requesting the SMS OTP

A fraudster trying to infiltrate your account would need not only your password and user name, but would also need to physically have your phone. This is a great layer of security. SMS two factor authentication can be used with site like Facebook, Twitter, your bank, Gmail, Paypal and others.

Web sites link your mobile number with your account for your protection. So next time an online company wants to send you a “code” via your smartphone, don’t get annoyed; feel secure instead, because that’s how the company knows you are you. In fact, companies will likely brand you as a highly suspicious user if you refuse to include your mobile device’s number as part of your registration.

The Bad:

Keep your guard up because fraudsters won’t be stopped from trying to succeed at their plans, however, and they know that the smartphone poses unique vulnerabilities to the user. For instance, people are more likely to click on a malicious e-mail link because the phone’s small screen makes it harder to detect suspicious web site addresses. Criminals are forever trying to get passwords and hack into accounts and wreak havoc. As technology continues to evolve in favor of the honest user, so does the technology of crime.

Your role is to always try to stay one step ahead of the criminals. There are ways you can protect yourself and never let crooks get ahead of you:

  • Never use the same password for more than one account or web site, even though it’s more convenient to have one password for multiple sites. Every app and web site should have a unique password.
  • Every access point you encounter should be safeguarded with a WiFi VPN service such as Hotspot Shield VPN that encrypts your wireless internet and surfing activities. This way, when you peruse cyberspace at hotels, airports and coffee houses, all of your activities are protected from hijackers.
  • Ignore password request e-mails or security alerts, especially on your smartphone, as they are almost always fraudulent.
  • Do you know if your phone (or iPad) is uploading your private data to cyberspace? Find out by installing an app security scanner.
  • Never use third-party apps on your device (or “jailbreak” it). Never let your kids use your phone, either.
  • Your device should be kept up to date with the latest operating system. System updates usually include security enhancements.
  • When installing Android apps, read their security notices. Understand how your sensitive data will be exposed with these apps—before you hit “Okay.”

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

“Predictive Analytics”: Technologies that read your Mind

There’s an app that can practically read your mind via your mobile device. The technology is called predictive analysis, and Google’s Now app is at the forefront. Other apps that utilize predictive analysis include Grokr and Osito: predicting the smartphone user’s next move.

2WHow does this work?

Snippets of information are assembled via an algorithm, leading to a prediction of the user’s next behavior.

An example would be combining snippets of calendar entries with the user’s location data, e-mail information, social network postings and other like information.

The user is then presented with assistance that the app “thinks” is needed. The support-information is called a card. A card might, for example, remind the user about an event whose information was entered previously.

The app will then add directions to the event or show weather conditions at the location—even advise raingear.

Benefits

  • The Now app can “understand” context and filter out irrelevant information, making searchers easier than ever.
  • The Google search engine can now respond to more than just individual keywords and can seemingly grasp the meaning of a search query. This algorithm is called Hummingbird and impacts 90 percent of searches.

An example is that Google can compare items upon request or dig up facts about various things. For example, just type in the name of a famous landmark—once. If you seek trivia, you’ll get answers, but if you then seek directions, Google will know that you want directions to this landmark without you having to type in its name again.

  • Future locations of the user can be predicted (based on locations visited previously), not just the current location.
  • Recently, Google and Microsoft researchers came up with a software, Far Out, that can figure out a user’s routine via GPS tracking. This data is then assembled so that future locations of that user can be predicted.
  • The configuring can even adjust to correlate with the user’s changes in residence or workplace.

As advanced as all of this seems, this is only the start of a new wave of technology that can “think” for us—a big benefit to those whose lives are so hectic that they’ve become absent minded, and for those who simply enjoy the idea of having to do less mental work.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.