16 August 2017
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


Mobile Phone Operating System Insecurity

26 April 2011

As more online retailers introduce mobile ecommerce applications, criminal hackers are taking notice. Existing mobile operating systems are under attack and, like standard PC operating systems, they sometimes fail to provide the necessary security to support a payment application.

Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination.

Mobile phone spyware has been a concern for years. Legitimate software companies sell mobile phone spyware that allows the user to monitor a spouse, kids, or employees. And criminals deploy mobile phone spyware, as well.

Beijing-based mobile security services firm NetQin Technology reports that an application called Xwodi, which allows third parties to eavesdrop on cell phone conversations, has infected more than 150,000 phones in China. Apparently, the malware targets mobiles running the Symbian platform, and monitors phones by silently activating the conference call feature or microphone.

One security company, Trusteer, informed The New York Times, “Mobile users are three times more likely to fall for phishing scams than PC users…because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot.” In the same article, another mobile security firm, Lookout, claimed that in May 2010, 9 out of 100 phones scanned for malware and spyware were infected. That’s up from 4 out of 100 infected phones in December 2009.

Protect yourself by refraining from clicking links in text messages, emails, or unfamiliar webpages displayed on your phone’s browser. Set your mobile phone to lock automatically and unlock only when you enter a PIN. Consider investing in a service that locates a lost phone, locks it, and, if necessary, wipes the data, as well as restoring that data on a new phone. Keep your phone’s operating system updated with the latest patches, and invest in antivirus protection for your phone.


Comments: (3)

Mary Freeman - Simplify IT Limited - London | 27 April, 2011, 13:19

Apple iPhones now come with a remote wipe facility (providing you have subscribed to their Mobile Me service). Here is how: http://www.macworld.com/article/141605/2009/07/remotewipe.html

There is also the capability for administrators to remotely wipe Company 'phones for iPhones and Blackberries. For non-corporate owners, BlackBerry Protect is now available as a downloadable application from their appworld (also has a geo-locate-as-I-left-it-in-the-office and loud-ring-from-where-it-dropped-under-sofa function as well as remote wipe if it has been stolen ... unless you have encrypted it). However Android 'phones need third party security applications, such as the one offered by F-Secure or McAfee WaveSecure.

Remember also to wipe your 'phone, e.g. by reverting to factory settings, if you hand it back in to IT or sell it on eBay... http://www.tuaw.com/2009/08/23/dont-forget-to-wipe-your-iphones-data/
Robert Siciliano - IDTheftSecurity.com - Boston | 27 April, 2011, 13:24

Thanks Mary!

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 27 April, 2011, 17:50

There's another aspect to security, where I believe mobile scores well over PC, although it calls for an application design mindset that leverages the full power of mobile technology instead of treating it merely as a mobile-version of a PC-based application. 

Let me recount my last three mobile "commerce" transactions from three different apps: (1) Check bank balance (2) View stock portfolio (3) Order an additional channel from my satellite TV provider.  

One thing is clear: Each of these transactions works ONLY from a registered mobile phone # (mine), which can emanate ONLY from one handset (mine, again).

Thanks to SIM, "device authentication" is elementary to mobile technology. Judging from my experience it seems possible to incorporate it easily into any mobile app. I doubt if this is the case with PC-based applications. Besides, mobile phones are on all the time and carried almost everywhere, so configuring a mobile app to only work on a single handset is hardly a restriction. This can't be said for PC-based applications. 
