Security on mobile devices is a topic that companies are increasingly studying in greater detail. If you do not have the right system for the protection of these equipment, banking transactions, exchange of information and private data will be vulnerable.
By Víctor Alejandro Galvis González
Mobile devices have become a vital tool for small, medium and large businesses. The fact of being able to send and receive information, pay bills or do banking procedures through smartphones or tablets, makes them advantages that companies and entrepreneurs can hardly ignore.
In fact, according to a recent study by international technology companies IDC and Unisys, in 2012 40.7% of employees use personal devices for their work tasks, 10% more than they did the previous year.
However, due to the increasing popularization of this technology, hackers and computer crimes have also proliferated; According to data from McAfee Inc. and Science Applications International Corporation, 25% of organizations have suffered a merger or acquisition shutdown or delay due to a data breach.
That is why security in devices is an issue that is increasingly important in all institutions. "Currently one of the most common measures to protect electronic transactions, not only on mobile devices but on traditional computers, is the use of a second authentication factor; in addition to the traditional web access password," said Carlos Castillo, a mobile malware researcher at McAfee.
"Generally when a user makes an electronic transaction he is first asked for an access password on the bank's website which allows him to make inquiries about balance and movements. However, when the user wishes to make a payment or a transfer, they are asked for another access credential which may be another password, specific numbers on a coordinate card, a one-time password on a physical token or a special code sent to the mobile device in a text message (SMS)." explained the expert.
The objective of this second authentication factor is to avoid that with only the first password you can consult the account or make electronic transactions.
Even so, the security of a user does not depend only on the protection that can be provided to the device at the time of a transaction, also, the theft of data in email accounts, usually used in these devices, could mean fraud in the medium or long term.
Enrique Navarrete, complete manager of Check Point, said that "currently 78% of companies are not clear about the security strategy for mobile devices and what they usually do is secure the LAN or internal network."
Today, the 7 billion people living in the world use more than 4 billion cell phones, not counting the millions of tablets that circulate and, even so, 32% of users think they do not need security software for their mobile devices.
According to the cybercrime study developed by the Internet Address Registry for Latin America and the Caribbean (Lacnic), phishing or theft of personal data means annual losses of about US $ 93,000 million, and affects some 2,500 banks operating in the region, while thefts from customer accounts add up to another US $ 761 million.
"Companies have to warn that hackers are taking advantage of the vulnerability of mobile ports to introduce malicious code into the company," said Enrique Navarrete, who warned that "what institutions normally do is secure the LAN or the internal network and do not see that a very high percentage of emails or applications can contract the malicious code or vulnerability."
Ways of protection
The use of smartphones or tablets is one of the most significant advances in recent years regarding electronic transactions and their security; as it replaced the traditional magnetic stripe plastic cards which can be easily cloned.
"In general, the idea is for the phone to store card information securely in such a way that when the transaction is to be made, such data is securely transmitted from the phone to a special reader through the use of NFC short-range data transmission technology which is currently beginning to become widespread worldwide, "- explained Carlos Castillo of McAfee.
One of the pioneers in the use of smartphones as digital wallets is Google with its Google Wallet app that works on the Samsung Nexus S device in the United States.
On the other hand, companies such as Check Point, integrate the solution called Mobile Access which works by replicating the security measures of the firewall to mobile devices.
Enrique Navarrete, complete manager of this company, clarifies that this solution "is very effective, since it makes a new security policy and replicates everything you determined about security for each of the users, that is, if I have any type of security policies already defined for me as a user, that same security policy is sent or copied to the mobile device and can already be much safer, since at the end of the road, it is interacting with my network."
"The issue is that many companies do not realize, that is, they are not thinking about that security in mobile devices and believe that with being safe in the LAN network they already have the complete layer," concludes the expert.
The biggest difficulties
Malware, or malicious code, is one of the biggest security threats for mobile devices, especially Android. "Even malicious applications have been found that affect the security of electronic transactions, this is the case of the components for mobile devices of the banking Trojans: ZeuS and Spyeye," explained the researcher Castillo.
These two malware families are common to traditional computers and generally affect Windows users. "However, last year components were found for mobile devices that aim to obtain the second authentication factor of the electronic transaction," the expert said.
The infection develops as follows: the attack begins on the traditional computer (usually Windows) infected with one of these two malware. Once the first password is stolen, the malicious code on the PC displays a fake web page where it asks the user to enter a URL on the mobile device. This address contains the malicious application for Android which deceives the user into believing that it is a security tool but actually monitors the text messages that the user receives in order to obtain the second authentication factor and send it to the attacker. Once you have both credentials it is possible to make transactions without the user's consent.
An evolution of this attack was recently discovered where the malicious application impersonates a bank simulating the generation of the second authentication factor but in reality, as with the other malware, it also forwards the messages to a remote server in order to obtain the second authentication factor. One of the new features of this malware is that the attack can be performed directly on the mobile device because the user is tricked into entering their first key. The other important functionality is that malicious code can be controlled remotely because it can execute commands sent from a server on the internet.
Finally, Google Wallet is a fact that, although it is a great advance in security compared to traditional credit/debit cards, it is not infallible. This was recently demonstrated with the discovery of a vulnerability in the application that allowed to obtain the 4-digit access PIN in a matter of seconds with which you have full access to all the data of the cards stored in the device.
On the subject of navigation, applications, being sending sensitive and confidential information within your own device, also ensures that this information is somehow visualized by the security policy that was established, according to the explanations of the McAfee company.
The specialist Enrique Navarrete, mentioned that "unfortunately through mobile devices is entering an era where practically 44% of the work is on the device, so it becomes one of the most vulnerable tools that we must put a lot of focus on".
We really see that the issue of email with more risks that today we are living access to social networks, we feel that they are the risks that are the most important, that is living today to have access. To your devices, the social network where information is usually being shared.
What happens in case of loss?
The security of the lock of the mobile device depends largely on the user, currently the operating systems for these computers provide different locking and authentication mechanisms (PIN, password, pattern, face) to prevent unauthorized access in case the device is stolen.
Such mechanisms can be configured to reduce the risk of unauthorized access; for example, prevent the pattern or password from being visible when it is being drawn or lock the device automatically when it is idle for a certain amount of time.
In business environments there are usually security policies that require the correct configuration of these measures although many times users do not apply them.
To ensure the correct implementation and application of policies, solutions such as EMM (McAfee Enterprise Mobility Management) allow, among other things, to ensure compliance with security policies on the company's mobile devices.
In addition, it is important to have a copy of the data, contact book, settings, etc. The ideal is that if tomorrow you lose a device the next day you are working on another of the same characteristics without major inconvenience. It is a way to ensure the continuity of a business.
Security is provided by the user
It is essential that the user also takes into account the security protocols to increase the shielding of the equipment, for example lock it with a pin number or passwords, install only applications developed in trusted sources and create data backup.
Likewise, keep the system updated, close sessions of the electronic banking and online shopping websites and disable wi-fi or geolocation and bluetooth services when not in use.
Finally, it is important for the user to avoid sending personal information via email text messages and install a security app on the device.
According to data from these companies, the use of the internet for this type of technology in 2014 will surpass internet browsing from a desktop computer, which could make mobile devices an even more interesting target for scammers and cybercriminals.
By 2016, meanwhile, electronic transactions will reach a value of US $ 31,000 million, so it is critical that consumers know how to buy safely from their mobile devices. McAfee says that by 2015 the number of mobile banking users is expected to reach 500 million worldwide.
Leave your comment