Financially motivated hackers have traditionally targeted PCs. However, their attention will increasingly turn to smartphones over the next 12 to 24 months, warns Paul Kocher, president and chief scientist at Cryptography Research, a semiconductor security company based in San Francisco. The reason is twofold.
PC security is getting better, while smartphone security is getting worse due to increasing complexity. Soon, many of us may even be using our smartphones as credit cards, potentially opening a whole new can of worms.
Not all experts are so pessimistic, at least when it comes to mobile banking. The threat is more perception than reality, says David Eads of Kony Solutions, a mobile software platform company in San Mateo, Calif. All of the major banks he works with follow best practices of making consumers whole on losses due to mobile-banking fraud.
All three major smartphone platforms have their pros and cons, according to Mr. Kocher. No phone platform is necessarily safer than the others. Android does a great job of preventing applications from accessing parts of your phone without your knowledge, Apple does a better job than the rest monitoring the App Store, and Blackberry is highly proficient in terms of enterprise level security and encryption.
There are three primary ways in which hackers can easily gain access to your phone’s private information, according to Kocher: Wi-Fi hotspots, malicious free apps, and websites that exploit security loopholes. We’ll discuss each risk below, along with how you can minimize it.
1. Public Wi-Fi
“For less than $100 worth of equipment, a hacker can eavesdrop or spoof a Wi-Fi hotspot,” says Kocher. When this happens, thieves can easily see the login and password information floating between your browser and a website without SSL encryption.
You can tell whether a website is encrypted by looking for a lock icon in the URL field, or for an “https” address instead of an “http” address. Fortunately, most major banks have encrypted login fields. But hackers know that many people use the same password across many websites, such as e-mail, banking, Facebook, and shopping sites, so it pays to be extra careful if you do extensive surfing at Starbucks over the free Wi-Fi.
What you can do:
If you have a choice between connecting via your phone’s 3G or 4G network or over free public Wi-Fi, definitely go with the 3G or 4G network. According to Kocher, it’s much more difficult and expensive to spoof a cellphone network signal than a Wi-Fi hotspot. Also, don’t use the same usernames and passwords for your financial data that you do for e-mail and social networking sites, and think twice before submitting your credit card number or other data over the network.
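The advice above is to look for “https” and the lock icon. A practical refinement, shown here as an added example that is not part of the original article, is that the page you are looking at can be encrypted while the login form on it still posts your password to a plain “http” address. The script below scans a page for forms containing a password field and reports any whose submission target is not https. The page URL and the HTML are constructed for the example.

```python
"""Check whether a page's login forms actually submit over HTTPS.

Added example, not from the original article. It generalizes the
"look for https and the lock" rule: the page itself may be served over
https while a form's action attribute posts the password to http, so the
check looks at where each password field is sent, not just at the page
URL. The sample page URL and HTML below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return absolute action URLs of password forms not submitted over https.

    A relative or empty action is resolved against the page URL, so a
    password form on an http page is flagged even when its action is "".
    """
    scanner = _FormScanner()
    scanner.feed(html)
    insecure = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            insecure.append(target)
    return insecure


# Constructed sample: the page is https, but one form posts credentials to http.
SAMPLE_PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="http://legacy.bank.example/auth" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password form submits without TLS:", url)
```

The search form is ignored because it carries no password field; the first login form resolves to an https address and passes; the second is reported because its action is an explicit http URL. Running the same check against an “http” page URL would also flag the relative form, since it inherits the page’s unencrypted scheme.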
2. Be careful with free apps
Every app written for your smartphone has an “angle.” It is intended to make money for some programmer out there, directly or indirectly. Therefore, you should inherently be cautious of free apps.
These applications must earn the developer a profit somehow, and it’s very difficult to tell what kind of encrypted messages are being sent between the app and the developer’s servers.
Mr. Eads points out that “phishers,” people who try to trick you into giving out your login and password, have attacked the Android marketplace in the past, by releasing fake banking applications that request your login information. However, the Apple store is much more tightly controlled, and requires a copy of a developer’s passport and a notarized form, in the event of information discrepancies.
What you can do:
Be careful when downloading free apps from unfamiliar software vendors. If the app requests access to parts of your phone that don’t make logical sense, get rid of the program immediately. Unless you are downloading from Apple’s App Store, don’t assume a mobile banking app is affiliated with your bank unless you read about it on the bank’s website.
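The rule of thumb above, an app asking for access that makes no sense for what it does, can be checked mechanically. The following is an added example, not from the original article: it reads the permissions declared in an Android app’s manifest and compares them with a policy of what an app in a given category plausibly needs, separately calling out permissions that expose the kind of data a fake banking or phishing app would be after. The policy table and the manifest are constructed for the example; a real review would use the app’s actual AndroidManifest.xml and a policy tuned to the reviewer’s needs.

```python
"""Flag app permissions that don't fit what the app claims to do.

Added example, not from the original article. It implements the
article's rule of thumb: permissions that make no sense for an app's
stated purpose are a warning sign. The EXPECTED table, the HIGH_RISK set
and SAMPLE_MANIFEST below are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Namespace used by the android:name attribute in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed policy: permissions that are plausible for each app category.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},   # LED is driven via the camera API
    "banking": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.CAMERA",               # cheque deposit
        "android.permission.USE_FINGERPRINT",
    },
}

# Permissions that expose data a fraud or phishing app would want.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a manifest XML string."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def suspicious_permissions(manifest_xml, category):
    """Return (unexpected, high_risk): permissions outside the category's
    expected set, and the subset of those that are high-risk."""
    perms = declared_permissions(manifest_xml)
    unexpected = perms - EXPECTED.get(category, set())
    return unexpected, unexpected & HIGH_RISK


# Constructed manifest for a "flashlight" app that also wants SMS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    unexpected, risky = suspicious_permissions(SAMPLE_MANIFEST, "flashlight")
    print("unexpected for a flashlight app:", sorted(unexpected))
    print("high-risk among those:", sorted(risky))
```

For the constructed flashlight manifest, INTERNET, READ_SMS and READ_CONTACTS are all outside the expected set, and the last two are flagged as high-risk because they give an app direct access to messages and the address book, which is exactly what the article advises treating as a reason to remove the app.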
3. Shady websites
Visiting a website with an outdated smartphone browser can leave you exposed to vulnerabilities. Be sure to update your operating system immediately whenever you hear about a patch.
A notable example was the Apple iOS jailbreak vulnerability, which allowed a simple website visit to “jailbreak” an iPhone and take it over. Some advanced iPhone owners use a jailbreak program to get around Apple’s many iPhone restrictions, but having someone else jailbreak your phone without your knowledge is downright dangerous.
Kocher believes that the increasing complexity of smartphones is causing the number of unpredictable vulnerabilities to balloon. Compounding this issue is the fact that you may have to proactively download patches to fix vulnerabilities, rather than getting automatic updates.
Eads is less alarmist. While there are certainly risks to be aware of, he says that the shadowy people who manufacture viruses blow the risk out of proportion to inflate their own importance. The Apple jailbreak vulnerability was scary, but it was revealed by people trying to prove a point, rather than by hackers. Apple quickly patched the problem with an iTunes auto-update.
What you can do:
Take smartphone security updates seriously. Sync your iPhone with iTunes on a regular basis, and keep an eye out for operating system and firmware updates from Google and Blackberry. These updates are often released only after a security flaw has already been exploited on other phones.
How to prepare for the worst
Given the increasing popularity and complexity of smartphones, we may soon see hackers’ efforts shift from the PC to your pocket. However, only time will tell how big a security threat these hackers pose to mobile banking and security. Fortunately, even in the worst-case scenario, liability will be fairly limited. Credit card fraud liability is limited by Regulation EFTA to $50, and mobile banking losses are generally covered by banks. However, a lost PayPal password, banking login, or contact list can still cause problems. Just work to make sure you notice it early.
– Tim Chen is the CEO of NerdWallet, a credit-card search website.