
Mobile Security Myths

Mobile computing is the new frontier of personal technology. Whether you are on a phone or tablet, if you have a carrier connection, you are mobile.

Today, most of us can’t live without our mobile devices. We live in an always on, always connected world. While this is convenient in many ways, it also brings about new security risks that many people don’t think about.

For example, most of us know that we need to use security software on our PCs. But how many of us know to use security on our mobile devices? Mobile devices are our most personal computers, yet they open the door to many vulnerabilities that don’t exist on a traditional PC.

Here’s some fact vs. fiction around mobile devices:

Mobile Myth #1: The best way to locate my lost phone is by calling it.

False. While “Call Me Maybe” may be your theme song, and this is sometimes a viable option, it’s much easier to use security software that lets you locate your phone by GPS or make it “scream” so you can find it (this is much louder than your ring tone). You can also display a message on your lost phone if anyone does find it, so you can tell them how to get in touch with you.

Mobile Myth #2: It’s ok to have my apps automatically log in to my accounts if I have my phone protected with a PIN.

False. Even though a PIN is a good start, this is not complete protection. Hackers are often able to guess PIN codes and also have programs to help them quickly figure out your 4-digit combination. Make sure you use a PIN that is not 1111 or 1234 and that you do not set your apps or mobile browser to use the “remember me” function. If your phone falls into the wrong hands, that gives the person easy access to your accounts.

Mobile Myth #3: Phishing is just for PC users.

False. In fact, one study showed that mobile users are 3x more vulnerable to phishing scams than PC users. Hackers can use phishing attempts via email (if you access your email via your phone or tablet) but also via text and social media apps. Also, it is much harder to tell if links are “real” in a mobile browser or email, so you should use mobile security software that warns you if you are going to a malicious site.

These are just a few mobile myths that exist out there. To really test your mobile knowledge, play our Mobile Mythbusters quiz on Facebook, where you can also enter to win great prizes like a Galaxy tablet, Kindle Fire, or a copy of my e-book “99 Things You Wish You Knew Before Your Mobile Device Was Hacked,” all with a 1-year subscription to McAfee Mobile Security.


In addition, share your mobile myths with @McAfeeConsumer using the hashtag #MobileMyths to help debunk mobile security myths and protect yourself and others. Top tweeters will win a copy of McAfee All Access or McAfee Mobile Security.

And if you’re going to be at Mobile World Congress, stop by to visit McAfee and see our product demos. We’re in the Intel booth in Hall 3, Stand C34. You may even get a small gift if you show that you’ve liked McAfee on Facebook or followed us on Twitter when you come see the people in the red shirts!

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Mobile Security: Tips for Using Personal Devices at Work

Businesses in all forms operate under numerous business regulations. Small businesses in fields such as finance or healthcare, or any business where a fine might be imposed if a data breach occurred, need to recognize mobile security as a fundamental layer of your or your company’s information security process.

Smartphones are used by consumers for ecommerce, and they are used for business tasks such as point of sale, to process credit cards or make payments.

A hospital is a perfect example: many nurses have mobile phones, and many more have tablets for work-related purposes. They must be concerned about the Health Insurance Portability and Accountability Act, also known as HIPAA. The rule under HIPAA requires health plans, health care providers, and others subject to HIPAA to notify individuals (patients) of any breaches of their medical data.

Overall, routine patient information is gathered for all hospital patients, such as the patient’s Social Security number, name, address, D.O.B., gender and other data that helps the hospital authenticate the patient’s identity and insurance coverage.

So if you, as an employee of a hospital, use your personal device at work and also use it outside of work, and it gets lost or stolen, then YES, you and the hospital would be in a great deal of hot water.

This is where a BYOD, or Bring Your Own Device, policy comes into play. Cozy up to your IT manager and find out what that mobile security policy states. Sometimes these policies are so restrictive that you may not want to use your own device.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Mobile Security App Surpasses 1 Million Downloads on Google Play

If you told me 10 years ago that mobile phone security was going to be a huge issue I would have told you to put down your cocktail and give me your keys. Back then all we had was feature phones or “dumb phones” and your phone was high tech if it had games on it or you could get pictures via text message.

Of course, today we have smartphones and the actual phone function is just one of many features. Today’s mobile devices are high-powered mini personal computers that have most, if not all, and in many cases more, of the capabilities of a desktop computer.

So I eat crow when I tell you that McAfee Mobile Security was the first mobile security app to combine antivirus, anti-theft, web and app protection and call/text filtering. It also recently surpassed one million downloads on Google Play.

The Android operating system is the most popular target for writers of mobile malware—including text-sending malware, mobile botnets, spyware, and destructive Trojans.  In fact, Android apps can ask for over 100 different types of permissions—and these apps could be invading your privacy and exposing your personal life.

McAfee Mobile Security provides Android smartphone and tablet owners with additional privacy features that help them ensure apps are not accessing their personal information without their knowledge. The app protection feature gives consumers access to an added layer of protection to preserve their privacy and protection against financial fraud, identity theft and viruses. It also checks against a URL reputation database, part of McAfee’s Global Threat Intelligence network, and reports the apps that are associated with and/or may be sending personal data to risky sites, such as adware and spyware networks.

To protect your personal information, finances and privacy from being exposed through apps:

Research apps and their publishers thoroughly and check the ratings before installing.

Purchase apps from a well-known, reputable app store.

Watch for permissions (stay away from installing apps that don’t look right).

Install comprehensive mobile security on your mobile device.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

NFC at the Summer Games Could Be Exploited

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point of sale device at a checkout counter.

Visa is testing out its PayWave NFC contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near-field communication (NFC) along with Visa’s payment app.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

All of this is good and well; however, there are security issues with NFC that still need addressing. McAfee researchers point out a scam called “fuzzing the hardware,” which involves feeding corrupt or damaged data to an app to discover vulnerabilities. Once such a vulnerability is found, the attacker must research and develop an exploit to perform various attacks (e.g. steal credit card info, export the data to the attacker, leak credit card info to any requester). The attacker will then need to find a method to have the victim run the exploit. This entire process costs attackers and criminals time and money, which can be justified in the case of NFC-enabled phones and a multitude of stores with card readers.

McAfee discovered exploitable vulnerabilities on Android and iOS phones. If someone has NFC turned on, an attacker in close proximity can pick up every signal to gather private information or payment information on an athlete’s device. It is almost like pickpocketing, but they don’t even have to touch you.

McAfee researcher Jimmy Shah stated an attacker wishing to target the Samsung Galaxy SIII devices at the summer games can purchase one easily and use the researcher’s data to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases.

Users can protect themselves by obtaining apps from the Google Play Market, Amazon’s Appstore, or their carrier’s app store, avoiding 3rd party stores that may have pirated or maliciously modified software. Reviews from other users are also helpful in determining safer apps.

NFC handsets are set to increase to about 80 million next year. Gartner estimates that 50% of smartphones will have NFC capability by 2015. Pay attention to what’s happening in the world of NFC, mobile payment and mobile security, because before you know it, your wallet will be your mobile phone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Mobile Security Apps and Tips

Nearly three-quarters of Americans have never installed any type of data protection or security software on their mobile devices, leaving themselves completely open to data loss, viruses, and malware. 72% of us, to be exact, have unsecured smartphones, even as they take on an increasingly important role in our digital lives.

Update your OS: The expanding selection of mobile devices results in more complex operating systems and applications, which ultimately increases attack opportunities. One hopes that, as criminal hackers and security researchers expose new vulnerabilities, OS manufacturers will roll out timely updates to fix flaws.

Most OS updates require a USB connection to your Mac or PC and a desktop application that bridges the connection between your device and the manufacturer’s website. Newer OS updates can sometimes be downloaded directly to a phone through a Wi-Fi connection or your carrier’s network.

Update your applications: Just as an operating system can have a security or privacy vulnerability, so can an application. Most applications require functionality updates in order to remain compatible with OS updates. Updating an application should be fairly straightforward. Apps can usually be updated from the phone by accessing the official app store through the carrier’s network. Depending on the size of the download, a Wi-Fi connection may sometimes be necessary.

Lock your mobile device: 4-digit PINs for iPhones, or pattern recognition for Androids, are the current standard security measures. These flimsy defenses need to be updated to a more secure alternative, or at least a longer alphanumeric string, especially for phones used for business purposes.

A very high percentage of owners lock their devices with a short PIN, and may be unaware of the alternatives to this bare minimum, such as a “non-simple” security option on the iPhone. And most PINs are weak as well as short. Five basic combinations (“1234,” “0000,” “1111,” “2580,” or “0852”) make up more than 10% of all PINs.

Install antivirus protection: Just like on a PC, mobile antivirus products should provide real-time protection against viruses, worms, spyware, Trojan horses, and battery-sapping malware. Adequate mobile antivirus protection guards against threats that originate via email, instant messaging, and Internet downloads. It detects data received from multiple entry and exit points, including email, instant message attachments, Internet downloads, SMS, MMS, WiFi, and Bluetooth.
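
Added example, not part of the original post: the five PINs named under “Lock your mobile device” (and the 1111/1234 warning in Mobile Myth #2) fall into three pattern classes, and this Python check refuses a PIN that matches any of them, so it goes beyond the five listed values. The function names and the choice of these three rules are assumptions made for illustration.

```python
# Added example: screening rules for numeric device PINs (hypothetical helper names).

# Phone keypad coordinates (row, column); "2580" and "0852" are its middle column.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def pin_weaknesses(pin):
    """Return the guessable patterns found in a numeric PIN (empty list if none)."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < 2:
        raise ValueError("expected a PIN of at least two digits")
    reasons = []
    # Same digit throughout: "0000", "1111".
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    # Counting up or down by one, wrapping between 9 and 0: "1234", "7890", "4321".
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        reasons.append("sequence")
    # Straight, evenly spaced line across the keypad: "2580", "0852".
    moves = {(KEYPAD[b][0] - KEYPAD[a][0], KEYPAD[b][1] - KEYPAD[a][1])
             for a, b in zip(pin, pin[1:])}
    if len(moves) == 1 and moves != {(0, 0)}:
        reasons.append("keypad line")
    return reasons


def rejected_count(length=4):
    """Count how many PINs of the given length the rules above would refuse."""
    return sum(1 for n in range(10 ** length)
               if pin_weaknesses(str(n).zfill(length)))


if __name__ == "__main__":
    # Constructed sample input: the article's five PINs plus one with no pattern.
    for pin in ("1234", "0000", "1111", "2580", "0852", "7391"):
        print(pin, pin_weaknesses(pin) or "no pattern found")
    print(rejected_count(4), "of 10000 four-digit PINs refused")
```

The rules refuse only 32 of the 10,000 possible four-digit PINs, so screening for them costs almost no keyspace.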

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures