Mobile Security: Tips for Using Personal Devices at Work

Businesses of all kinds operate under numerous regulations. Small businesses in finance or healthcare, or any business that could be fined after a data breach, need to recognize mobile security as a fundamental layer of their own and their company’s information security process.

Consumers use smartphones for e-commerce, and businesses use them as point-of-sale devices to process credit cards or make payments.

A hospital is a perfect example: many nurses have mobile phones, and many more have tablets, for work-related purposes. They must be concerned about the Health Insurance Portability and Accountability Act, also known as HIPAA. A rule under HIPAA requires health plans, health care providers, and others subject to HIPAA to notify individuals (patients) of any breaches of their medical data.

Routine information is gathered for all hospital patients, such as the patient’s Social Security number, name, address, date of birth, gender and other data that helps authenticate the patient’s identity and insurance coverage.

So if you, as a hospital employee, use your personal device both at work and outside of work, and it gets lost or stolen, then YES, you and the hospital would be in a great deal of hot water.

This is where a BYOD, or Bring Your Own Device, policy comes into play. Cozy up to your IT manager and find out what that mobile security policy states. Sometimes these policies are so restrictive that you may not want to use your own device.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Mobile Security App Surpasses 1 Million Downloads on Google Play

If you told me 10 years ago that mobile phone security was going to be a huge issue I would have told you to put down your cocktail and give me your keys. Back then all we had was feature phones or “dumb phones” and your phone was high tech if it had games on it or you could get pictures via text message.

Of course, today we have smartphones, and the actual phone function is just one of many features. Today’s mobile devices are high-powered mini personal computers that have most, if not all, of the capabilities of a desktop computer, and many more.

So I eat crow when I tell you that McAfee Mobile Security was the first mobile security app to combine antivirus, anti-theft, web and app protection and call/text filtering. It also recently surpassed one million downloads on Google Play.

The Android operating system is the most popular target for writers of mobile malware—including text-sending malware, mobile botnets, spyware, and destructive Trojans.  In fact, Android apps can ask for over 100 different types of permissions—and these apps could be invading your privacy and exposing your personal life.

McAfee Mobile Security provides Android smartphone and tablet owners with additional privacy features that help them ensure apps are not accessing their personal information without their knowledge. The app protection feature gives consumers access to an added layer of protection to preserve their privacy and protection against financial fraud, identity theft and viruses. It also checks against a URL reputation database, part of McAfee’s Global Threat Intelligence network, and reports the apps that are associated with and/or may be sending personal data to risky sites, such as adware and spyware networks.

To protect your personal information, finances and privacy from being exposed through apps:

Research apps and their publishers thoroughly and check the ratings before installing.

Purchase apps from a well-known, reputable app store.

Watch for permissions (stay away from installing apps that don’t look right).

Install comprehensive mobile security on your mobile device.
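To make the "watch for permissions" tip concrete, here is an added example (not from the original post or from McAfee) that reads an app's decoded manifest and flags permissions tied to the threats named above, such as text-sending malware and spyware. The sample manifest, the package name and the watch list are constructed for illustration; a real APK stores its manifest in binary form and must be decoded to text first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Watch list chosen for this example (an assumption, not an official ranking).
WATCHED = {
    "android.permission.SEND_SMS": "can send texts (text-sending malware)",
    "android.permission.READ_SMS": "can read texts, including one-time codes",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
}
NETWORK = "android.permission.INTERNET"

# Constructed sample: a flashlight app asking for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """List every permission named in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return [n for n in names if n]

def audit(manifest_xml):
    """Flag watched permissions and note whether data could leave the device."""
    perms = requested_permissions(manifest_xml)
    findings = [(p, WATCHED[p]) for p in perms if p in WATCHED]
    # Sensitive access plus network access is the combination to question.
    return {"findings": findings,
            "can_send_data_out": NETWORK in perms and bool(findings)}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm, why in report["findings"]:
        print(f"{perm}: {why}")
    print("sensitive access + network:", report["can_send_data_out"])
```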

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

NFC at the Summer Games Could Be Exploited

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point of sale device at a checkout counter.

Visa is testing its PayWave NFC contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near-field communication (NFC) along with Visa’s payment app.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

All of this is well and good; however, there are security issues with NFC that still need addressing. McAfee researchers point out a technique called “fuzzing the hardware”, which involves feeding corrupt or damaged data to an app to discover vulnerabilities. Once such a vulnerability is found, the attacker must research and develop an exploit to perform various attacks (e.g. steal credit card info, export the data to the attacker, leak credit card info to any requester). The attacker will then need to find a method to have the victim run the exploit. This entire process costs attackers and criminals time and money, which can be justified in the case of NFC-enabled phones and a multitude of stores with card readers.

McAfee discovered exploitable vulnerabilities on Android and iOS phones. If someone has NFC turned on, an attacker in close proximity can pick up every signal to gather private information or payment information on an athlete’s device. It is almost like pickpocketing, but they don’t even have to touch you.

McAfee researcher Jimmy Shah stated that an attacker wishing to target the Samsung Galaxy SIII devices at the summer games can purchase one easily and use the researcher’s data to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases.

Users can protect themselves by obtaining apps from the Google Play Market, Amazon’s Appstore, or their carrier’s app store, avoiding third-party stores that may have pirated or maliciously modified software. Reviews from other users are also helpful in determining safer apps.

NFC handsets are set to increase to about 80 million next year. Gartner estimates that 50% of smartphones will have NFC capability by 2015. Pay attention to what’s happening in the world of NFC, mobile payment and mobile security, because before you know it, your wallet will be your mobile phone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Mobile Security Apps and Tips

Nearly three-quarters of Americans have never installed any type of data protection or security software on their mobile devices, leaving themselves completely open to data loss, viruses, and malware. 72% of us, to be exact, have unsecured smartphones, even as they take on an increasingly important role in our digital lives.

Update your OS: The expanding selection of mobile devices results in more complex operating systems and applications, which ultimately increases attack opportunities. One hopes that, as criminal hackers and security researchers expose new vulnerabilities, OS manufacturers will roll out timely updates to fix flaws.

Most OS updates require a USB connection to your Mac or PC and a desktop application that bridges the connection between your device and the manufacturer’s website. Newer OS updates can sometimes be downloaded directly to a phone through a Wi-Fi connection or your carrier’s network.

Update your applications: Just as an operating system can have a security or privacy vulnerability, so can an application. Most applications require functionality updates in order to remain compatible with OS updates. Updating an application should be fairly straightforward. Apps can usually be updated from the phone by accessing the official app store through the carrier’s network. Depending on the size of the download, a Wi-Fi connection may sometimes be necessary.

Lock your mobile device: 4-digit PINs for iPhones, or pattern recognition for Androids, are the current standard security measures. These flimsy defenses need to be updated to a more secure alternative, or at least a longer alphanumeric string, especially for phones used for business purposes.

A very high percentage of owners lock their devices with a short PIN, and may be unaware of the alternatives to this bare minimum, such as a “non-simple” security option on the iPhone. And most PINs are weak as well as short. Five basic combinations (“1234,” “0000,” “1111,” “2580,” or “0852”) make up more than 10% of all PINs.
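The two paragraphs above, on short PINs and on the five most common ones, can be turned into a passcode check that a BYOD enrollment step might run. This is an added example, not code from the original post; it generalizes the five listed PINs into three pattern rules, and the 30-bit floor is an assumed policy value.

```python
import math
import string

# Phone keypad coordinates (column, row); "0" sits directly under "8".
KEYPAD = {d: (i % 3, i // 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (1, 3)

def pin_pattern(pin):
    """Name the guessable pattern in an all-digit PIN, or return None."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < 2:
        return None
    if len(set(pin)) == 1:
        return "repeated digit"            # 0000, 1111
    pairs = list(zip(pin, pin[1:]))
    if {int(b) - int(a) for a, b in pairs} in ({1}, {-1}):
        return "sequential digits"         # 1234, 4321
    steps = {(KEYPAD[b][0] - KEYPAD[a][0], KEYPAD[b][1] - KEYPAD[a][1])
             for a, b in pairs}
    if len(steps) == 1:
        return "straight keypad line"      # 2580, 0852
    return None

def search_space_bits(code):
    """Upper bound on brute-force work: log2(alphabet_size ** length)."""
    classes = [(string.digits, 10), (string.ascii_lowercase, 26),
               (string.ascii_uppercase, 26), (string.punctuation, 32)]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in code))
    return len(code) * math.log2(alphabet) if alphabet else 0.0

def check_passcode(code, min_bits=30.0):
    """Return (accepted, reason); min_bits is this example's assumed floor."""
    pattern = pin_pattern(code)
    if pattern:
        return False, pattern
    bits = search_space_bits(code)
    if bits < min_bits:
        return False, f"only {bits:.1f} bits of search space"
    return True, f"{bits:.1f} bits of search space"

if __name__ == "__main__":
    # Constructed inputs: the five PINs from the text, a random-looking
    # 4-digit PIN, and a longer alphanumeric passcode.
    for code in ["1234", "0000", "1111", "2580", "0852", "7391", "k7mq92xd"]:
        print(code, check_passcode(code))
```

Even a 4-digit PIN with no visible pattern is rejected here, because 10,000 possibilities is only about 13 bits; the longer alphanumeric string passes.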

Install antivirus protection: Just like on a PC, mobile antivirus products should provide real-time protection against viruses, worms, spyware, Trojan horses, and battery-sapping malware. Adequate mobile antivirus protection guards against threats that originate via email, instant messaging, and Internet downloads. It scans data received from multiple entry and exit points, including email, instant message attachments, Internet downloads, SMS, MMS, WiFi, and Bluetooth.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures