Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

If You Build It, They Will Still Come. They Just Won’t Be Able to Hack Your Cell Phone.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Cybercriminals are classic entrepreneurs who, seeing a growing market, jump in and exploit it. In 2012, that growing market is cell phones. And with the crush to get smarter and smarter ones, cybercrooks have found smarter and smarter ways to hack them. Which means cell phone owners had better get smarter and smarter defenses.

To find out how to build a wall between cyberthieves and cell phones, reporter Kate Murphy contacted Chuck Bokath, an engineer at Atlanta’s Georgia Tech Research Institute.

According to her article in The New York Times, “Mr. Bokath can hack into your cell phone just by dialing the number. He can remotely listen to your calls, read your text messages, snap pictures with your phone’s camera and track your movements around town — not to mention access the password to your online bank account.” Bokath says hacking into a cell phone is “trivial.” By trivial, we assume he means easy. Maybe that’s because instructions on hacking are available online. (Note: If you decide to check out whether hacking instructions are really online, make sure the website and link are safe or you’ll end up hacked yourself. Of course, if you’re planning on taking up a career in cybercrime hacking, please feel free to ignore this advice.)

Current estimates by experts say that more than a million phones have already been hacked. With more and more financial and personal information stored on cell phones, it’s either get protected or get two tin cans and a very long string.

Following are some hacker traps and how to avoid them.

The man-in-the-middle attack (MitM). That’s when a cybercriminal hacks into a phone’s operating system and reroutes data to a third party before sending it on to its destination. “[T]he hacker can listen to your calls, read your text messages, follow your Internet browsing activity and keystrokes and pinpoint your geographical location. A sophisticated perpetrator of a MitM attack can even instruct your phone to transmit audio and video when your phone is turned off so intimate encounters and sensitive business negotiations essentially become broadcast news.”

How does the cybercriminal get into the operating system in the first place? “[A] common ruse …is to send the target a text message that claims to be from his or her cell service provider asking for permission to ‘reprovision’ or otherwise reconfigure the phone’s settings due to a network outage or other problem.”

Countering the MitM. Countering the attack can be a matter of just plain old common sense. If you have even the slightest doubt about a request or question a link, call your carrier to see if the message is bogus.

To bump up security another notch, use a prepaid SIM (subscriber identity module) card. SIMs are supported by AT&T and T-Mobile. (Note, they are not supported by Verizon or Sprint.) Then, after the line of credit is used up, throw away the card. “A SIM card digitally identifies the cell phone’s user, not only to the cell phone provider but also to hackers. It can take several months for the cell phone registry to associate you with a new SIM. So regularly changing the SIM card, even if you have a contract, will make you harder to target.”

The app with the added “bonus” feature – malware. With a phone app for just about every occasion, you might expect there’d be phone apps for hackers to upload malware and download stolen data. And there are — many. But even some legitimate apps are so poorly designed that hackers are able to exploit their security weaknesses and leave malware on a cell.

Countering the malware threat. “Roman Schlegel, a computer scientist at City University of Hong Kong who specializes in mobile security threats, advise[s], ‘Only buy apps from a well-known vendor like Google or Apple, not some lonely developer.’”

Schlegel also advises actually reading an app’s “permissions” before downloading. Yeah, it’s easy to be lazy or dismiss permissions as boilerplate. Don’t. Apps asking for permission to make phone calls, connect to the Internet or reveal the user’s identity and location are apt to be bad news — unless you’re a cyberthief.

“The Google Android Market, Microsoft Windows Phone Marketplace, Research in Motion BlackBerry App World and Appstore for Android on all disclose the permissions of apps they sell. The Apple iTunes App Store does not, because Apple says it vets all the apps in its store.”

Additionally, security experts say it’s a good idea to avoid free or unofficial versions of apps like Angry Birds or Fruit Ninja, because malware is often hidden in their code.

Some of the following is a “well duh,” but repeating it can’t hurt unless you’re bored easily. Okay: “Clues that you might have already been infected include delayed receipt of e-mails and texts, sluggish performance while surfing the Internet and shorter battery life. Also look for unexplained charges on your cell phone bill.”

So, what happens if you discover your phone has been hacked? Well, to instantly stop the flow of information to the hacker, just yank out the battery. However, if you’re mechanically challenged and aren’t sure how to remove the battery, simply take your phone and place it under your auto’s right front tire. Then, making certain the road is clear, put your car in drive. (The same procedure works equally well with cars with a stick shift.)

Anyway… As a general rule, it’s safer to use a 3G network than public Wi-Fi, where it’s easier for hackers to get a shot at your data.

Now, if you’ve taken all the precautions previously mentioned but still feel vulnerable…and you have a spare $3,000 lying around, you might want to look into General Dynamics’ Sectéra Edge. Commissioned by the Department of Defense, this phone is super secure. Currently, it’s only available to U.S. government agents and the military. Sorry we got your hopes up. But were you really going to spend three grand on a smartphone?

ThreatMetrix™ offers a complete package of online protection including secure browsing technology that protects smart phones and other devices against malware and stops MitB attacks.

Most recently ThreatMetrix announced TrustDefender™ Mobile, a new mobile software development kit (SDK) that helps identify fraudulent transactions originating from mobile applications.

“The PC era is in its sunset years and unfortunately smartphones have more limited form factors that make remote device verification difficult,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “The iPhone blocks third-party cookies by default and when Apple released iOS 5, gone was the ability to globally identify a device based on its UDID. TrustDefender Mobile ensures that trusted user device identification and reputation is tightly integrated into a single platform for reducing risk across all web transactions and applications. This additional anonymous machine-level intelligence helps identify suspicious activities, such as when a criminal jailbreaks an iPhone in order to wipe the device’s identity.

“TrustDefender Mobile is introduced during a time when the mobile channel is becoming a hotbed for fraudsters. Enterprise security organizations are still grappling with the increase in the number of unmanaged endpoint devices that are not owned and supported by internal IT. Since many companies are allowing employees to use their own personal mobile device today, confidential company information passes over an unprotected device. There are also personal transactions made on the same device used for work, which if not fully protected, can lead to hacked company information and infiltration,” added Faulkner.
