Every week at HackSurfer we speak to various experts in the areas of cybercrime and cybersecurity. One thing that comes up in every single conversation, no matter the industry, is mobile. How is it used? Is BYOD safe for business, or is it only a convenience? Where’s the future going to take the technology?
Perhaps no one has summed up the mobile problem better than Nathan McNeill, co-founder and chief strategy officer for Bomgar: “That can be not a problem, or that can be a big problem.”
It’s interesting to see what’s going on in the minds of the people deep in the trenches of cybersecurity. Here are some of their responses.
Mobile as an Identity Vehicle
– Mike Byrnes, product manager at Entrust
“It’s a big trend where mobile is becoming more and more trusted as an identity vehicle, if I could use that term. I bet you, I mean who knows what is going to happen, but I bet you down the road within three, four, five, six years you will be using your mobile phone to get into your home, to start your car. You’ve heard of mobile payments, right, about using your mobile phone to pay for coffee at Starbucks? It’s really all the same concept. It’s using your mobile phone as your digital identity, whether to log into a computer, pay for a coffee, start your car, access a building, mobile becomes your central identity vehicle that’s secured and very convenient because you always have it with you.”
Mobile Email Threat
– Ken Takahashi, general manager of anti-phishing solutions at Return Path
“Emails often look different over mobile devices when you read them, so it might not look as weird to get an email confirmation or something from a brand that looks a little off, just because it always looks a little off over mobile. I think that’s a huge threat for email. But also in terms of mobile is the rise of not just phishing or voice-based phishing or SMS phishing, but there are rogue apps out there all the time. And many of our clients who work in cyber-intelligence, who are concerned about email, are also concerned about rogue apps that are out there, and that’s tough because there are just so many apps that are being pushed out at a relatively quick speed.”
Not Everything Needs to Be Connected
– Dan Ford, chief security officer at Fixmo
“Some data should not be able to be accessed outside your brick-and-mortar enterprise. The example that people typically bring up is the Coca-Cola recipe. Should that ever really be accessed outside of the brick-and-mortar headquarters at Coca-Cola? I would say probably not.”
Building a Comprehensive Profile
– Julian Evans, a mobile security specialist working with NQ Mobile
“It’s very, very specialized. It’s very, very well-funded in the underground economy, this type of action and activity. You don’t hear about it that much because it’s still – how can I put it – it’s still developing within mobile. Within mobile, one of the attack areas is obviously the information we store on our phones. … In most instances cybercriminals, fraudsters and countries are looking for information, and they’re then looking to build profiles around that information. So they may be able to get a mobile number. They may well be able to get parts of an address or a zip code, but they’ll be looking to complete a profile, otherwise what’s referred to as a mark. … It’s all about building a more comprehensive picture for that individual which will inevitably lead to one thing – fraud.”
Wrong Impressions About Security
“Most people are under the impression that mobile is more secure for the wrong reasons. Mobile is more secure, but it’s, in my opinion, only temporarily. … The more and more widespread a platform, an operating system, becomes, the more lucrative it becomes in terms of it’s now worthwhile to develop proprietary or adapt existing malware that you have to its operating system, and therefore they’ll get infected.
“And I think that one of the conflicts of us using a mobile device as our second-factor authentication device – that’s really become the best practice over the last year, so if I want to deliver you a one-time password I send an SMS to your mobile device. I’m sending you an SMS to your mobile device not because the mobile device is more secure, but because it’s what’s known as an out-of-band authentication method. I’m using a different channel of communication than the main channel on which my password’s provided. The PC’s the main channel.
“The mobile or the SMS is going to a different channel. If the mobile, if your tablet, if your mobile device becomes your primary channel for communicating with your accounts, with your bank, that’s where you input your password, it will be just as insecure sending you one-time passwords and using that as an authentication device as your PC. It will just become the main medium with which you communicate. You’ll have to find other methods to deliver a secure password.”