Saturday, July 23, 2011

Don't bank on your phone: Too easily hacked

Alex Fidgen of MWR InfoSecurity, one of the biggest cybercrime-busting outfits in Britain, came out with a very scary statement this week.

Its normal line of business is to legally hack into computers to test and improve a company's security. More recently MWR has turned its attention to smartphones and found that it can crack open every new handset it sees.

"The mobile phone industry is not fit for purpose, especially for financial transactions," says Fidgen. "The evidence is irrefutable. You cannot be assured of security with modern smartphones. As soon as the handset is compromised, then any data is up for grabs."

Fidgen says the fault lies with the handset manufacturers rather than the network providers or banks. In the race to bring new phones and new features to the market, many have left security low on the agenda.

Yet modern smartphones are in effect PCs with phones attached and, particularly when they are used in public Wi-Fi hotspots, they can become fatally compromised.

Trojans can enter a smartphone in many devious ways. All you have to do is click on a link or attachment that contains the virus, and within seconds it can secretly seize control of the phone. That link might be a tinyurl in Twitter. The attachment could be a vCard, the standard format for sending a business card to a phone.

Or it could be that you are accessing a website in a cafe. At Wi-Fi hotspots, fraudsters create bogus gateways, known as "evil twins", to which the latest mobile phones will automatically connect.

As the Guardian revealed in April, once a connection is established, all the information passing through the gateway can be read directly or decrypted, allowing fraudsters to harvest user names, passwords and messages.

Until now, these attacks have been rare, but experts say that's just because smartphones are still taking off. "We're walking into a minefield," says Fidgen, who has been warning about the risks of mobile banking for several months, "but nobody's bloody listening."
