
Smartphones: Protect your phone from these hackers' traps

Smartphones are increasingly the target of hackers looking for financial data. Here's how to protect yourself and your favorite piece of mobile technology.

Rupak De Chowdhuri/Reuters/File
A customer holds a BlackBerry handset inside a mobile technology shop in Kolkata, India, Aug. 12, 2010. At the time, India threatened to temporarily shut down BlackBerry services if security concerns were not addressed. The security of smartphones is a rising concern as hackers probe for vulnerabilities.

Financially motivated hackers have traditionally targeted PCs. However, their attention will increasingly turn to smartphones over the next 12 to 24 months, warns Paul Kocher, president and chief scientist at Cryptography Research, a semiconductor security company based in San Francisco. The reason is twofold.

PC security is getting better, while smartphone security is getting worse due to increasing complexity. Soon, many of us may even be using our , potentially opening a whole new can of worms.

Not all experts are so pessimistic, at least when it comes to mobile banking. The threat is more perception than reality, says David Eads of Kony Solutions, a mobile software platform company in San Mateo, Calif. All of the major banks he works with follow best practices of making consumers whole on losses due to mobile-banking fraud.

All three major smartphone platforms have their pros and cons, according to Mr. Kocher. No phone platform is necessarily safer than the others. Android does a great job of preventing applications from accessing parts of your phone without your knowledge, Apple does a better job than the rest at monitoring the App Store, and BlackBerry is highly proficient in terms of enterprise-level security and encryption.

There are three primary ways in which cyber hackers can easily gain access to your phone’s private information, according to Kocher. These include Wi-Fi hotspots, malicious free apps, and websites that exploit security loopholes. We’ll discuss each risk below, along with how you can minimize it.

1. Public Wi-Fi

“For less than $100 worth of equipment, a hacker can eavesdrop or spoof a Wi-Fi hotspot,” says Kocher. When this happens, thieves can easily see the login and password information floating between your browser and a website without SSL encryption.

You can tell that a website is encrypted if there is a lock logo in the URL field or if the website has an “https” address instead of an “http” address. Fortunately, most major banks have encrypted login fields. But hackers know that many people use the same password across many websites, such as e-mail, banking, Facebook, and shopping sites, so it pays to be extra careful if you do extensive surfing at Starbucks over the free Wi-Fi.

What you can do:

If you have a choice between connecting via your phone’s 3G or 4G network or over free public Wi-Fi, definitely go with the 3G or 4G network. According to Kocher, it’s much more difficult and expensive to spoof a cellphone network signal than a Wi-Fi hotspot. Also, don’t use the same usernames and passwords for your financial data that you do for e-mail and social networking sites, and think twice before submitting your number or other data over the network.

2. Be careful with free apps

Every app written for your smartphone has an “angle.” It is intended to make money directly or indirectly in some manner, for some programmer out there. Therefore, you should inherently be cautious of free apps.

These applications must earn the developer a profit somehow, and it’s very difficult to tell what kind of encrypted messages are being sent between the app and the developer’s servers.

Mr. Eads points out that “phishers,” people who try to trick you into giving out your login and password, have attacked the Android marketplace in the past, by releasing fake banking applications that request your login information. However, the Apple store is much more tightly controlled, and requires a copy of a developer’s passport and a notarized form, in the event of information discrepancies.

What you can do:

Be careful when downloading free apps from unfamiliar software vendors. If the app requests access to parts of your phone that don’t make logical sense, get rid of the program immediately. Unless you are downloading from Apple’s App Store, don’t assume a mobile banking app is affiliated with your bank unless you read about it on the bank’s website.

3. Shady websites

Visiting a website with an outdated smartphone browser can leave you exposed to vulnerabilities. Be sure to update your operating system immediately whenever you hear about a patch.

A notable example was the , which allowed a simple website visit to “jailbreak” an iPhone and take it over. Some advanced iPhone owners use a jailbreak program to get around Apple’s many iPhone restrictions, but having someone else jailbreak your phone without your knowledge is downright dangerous.

Kocher believes that the increasing complexity of smartphones is causing the number of unpredictable vulnerabilities to balloon. Compounding this issue is the fact that you may have to proactively download patches to fix vulnerabilities, rather than getting automatic updates.

Eads is less alarmist. While there are certainly risks to be aware of, he says that the shadowy people who manufacture viruses blow the risk out of proportion to inflate their own importance. The Apple jailbreak vulnerability was scary, but it was revealed by people trying to prove a point, rather than by hackers. Apple quickly patched the problem with an iTunes auto-update.

What you can do:

Take smartphone security updates seriously. Sync your iPhone with iTunes on a regular basis, and keep an eye out for operating system and firmware updates from Google and BlackBerry. These updates are often released after a security flaw has already started being used to attack other phones.

How to prepare for the worst

Given the increasing popularity and complexity of smartphones, we may soon see hackers’ efforts shift from the PC to your pocket. However, only time will tell how big of a security threat these hackers pose to mobile banking and security. Fortunately, even in the worst-case scenario, liability will be fairly limited. liability is limited by to $50, and mobile banking losses are generally covered by banks. However, a lost PayPal password, banking login, or contact list can still cause problems. Just work to make sure you notice it early.

Tim Chen is the CEO of NerdWallet, a credit-card search website.
