By Arpinder Singh & Mukul Shrivastava
The global security and privacy revolution has catapulted the process of managing, storing and exchanging data to unprecedented levels. According to a GSMA report, over 5 billion people globally are connected to mobile devices right now. App downloads are soaring—2018 was estimated to have over 200 billion downloads as per a Statista Report. Safeguarding and protecting data has become paramount as cybercriminals are constantly on the look-out for means and channels to exploit devices as well as digital and media assets. So how safe are the contents of your mobile phone? And can organisations know if hackers are following every keystroke of company-owned devices?
Mobile hacking – an easy bet?
The mobile threat landscape has certain tell-tale signs that are typically red flags, and should be taken note of immediately.
For instance, are there unfamiliar apps or unrecognisable files in the device? Has the phone been suddenly heating up? Did the user click on links or downloaded attachments from unknown websites? Were any freeware files installed?
The perils of using free Wi-Fi are quite well-known, but many users tend to overlook it. They may also infect the device with malware or spyware by either physically accessing phones, or by the user installing software from unfamiliar third-party stores. Another way is to misdirect unsuspecting users to fake versions of legitimate mobile sites through phishing attacks. In one case, users of several companies were affected by bogus bank mobile apps making their way to the app store.
There may be cases of a SIM swap wherein the hacker clones the original SIM, rendering it invalid, and then misuses the device. Another way is through ‘credential stuffing’, a method of hacking by automated attempts on accounts by using partial login information or compromised usernames and passwords. Mobile advertising brings risks such as click fraud, fake installs, fake user profiles, madware, etc.
Bots can be used to spook a single mobile device to look like several unique devices, thereby generating fraudulent clicks, downloads or installs. Cybercriminals can create a ‘fake’ cell tower emitting an International Mobile Subscriber Identity (IMSI) number with a strong signal, thereby luring users, or trace the device’s location using Signaling System 7 (SS7).
Drawing a robust line of defense
Some of the key ways users or organisations can augment mobile security include ensuring regular testing of the strength of the security system, establishing a multi-factor authentication to verify the user’s identity when logging in or making transactions. For instance, a user may be granted access only after a two-step authentication process.
Organisations can look at using a secure app on mobile devices for official email, calendar and browsing; they may also set up and maintain an online activity log, conducting behavioural analysis. Instituting proactive fraud monitoring solutions can also help identify issues beforehand. But the most important aspect is educatingall stakeholders on the importance of secure authentication practices and the dangers of using old, frequent or simplistic passwords.
Arpinder Singh is partner and head – India and Emerging Markets, Forensic & Integrity Services, EY. Mukul Shrivastava is partner, Forensic & Integrity Services, EY