As mobile internet access continues to surge, consumers are transmitting most of their personal and business information through their mobile devices. The security of their data is increasingly at risk given the growing frequency of cyber attacks, malware, and Trojans. Cyber terrorists, hackers, and identity thieves are constantly seeking new vulnerabilities to facilitate the next generation of criminal methodology, and mobile devices constitute a fresh target. “This is bound to get worse. Phones are a much more attractive platform [than PCs],” says Steven Cohn, senior Linux administrator at Sovrn Holdings. He goes on to explain that as worldwide phone use expands, there is a growing pool of unsophisticated users who fail to take even the most basic security precautions. Furthermore, the exponential number of new features and apps added to mobile devices every day means that countless gateways are open and ripe for hacking. Here are the dimensions of this growing problem:
Why is Mobile Security So Problematic?
Mobile devices represent a unique security challenge for several reasons. As an essential 24-hour-a-day tool, the smartphone or tablet is used in airports, on street corners, in coffee shops, and everywhere else. The growing reliance on mobile phones means that people expect instant access to every transaction, and this leads to poor smartphone “hygiene”.
Quantity and Bandwidth
Data usage on mobile devices has increased by over 50 percent every year for the last three years, and web browsing accounts for a significant share of that increase. Because customers are charged for LTE data accessed through their cellular provider, most people try to connect their phones to free WiFi hotspots when those are available. In areas where only 3G service is available, web browsing via cellular connections may be unreasonably slow. More and more online content is being delivered in video format, demanding so much bandwidth that users have a powerful incentive for accessing it via WiFi – and unsecured WiFi gives rise to a host of risks.
Urgency Leads to Carelessness
Whether a person uses their mobile device for work or personal reasons, there’s often a component of urgency involved when they pick up their phone. They need to find something out or communicate with someone right then, and they will disregard and overlook security warnings. Unsecured public WiFi connections prompt a warning to be shown, providing the option to decline the connection, but 92 percent of users will simply approve the connection even after reading the warning. People depend on their phones and are either willing to gamble that they won’t be hacked or do not know just how unsafe an unsecured connection is. Either way, what truly matters to them is whether they can complete the communication or transaction they need to.
Apps Represent an Entry Point for Hackers
Apps are proliferating, now accounting for an estimated 89 percent of mobile users’ media time, and as users download them it’s not always obvious which ones are unsafe. Even legitimate-looking apps can be hacked to include malware, which can then take over the user’s phone.
In late 2016, the “Gooligan” attack gained entry into the Google accounts on more than a million Android devices by scamming legitimate marketing companies. This sophisticated hack netted its originators over half a million dollars a month by making phones download and open dozens of apps without the users’ knowledge. However, access to Google accounts is potentially much more dangerous, because cyber thieves can reset passwords to financial accounts.
Tiny Screens Obscure Security Risks
Some security problems simply result from the small screen size of mobile devices. Limited screen real estate makes it more difficult for consumers to know when they are engaged in risky online activities, especially if malicious sites are disguised as legitimate ones. Mobile user interfaces are designed with simplicity as the top priority, and as a result, less information is shown in the browser. Awareness of this design constraint can lead to functional workarounds, such as recognizable padlock icons and other obvious safety indicators.
How Browser Settings Can Help Protect Mobile Users
Features and capabilities such as URL filtering, download protection, and do-not-track have truly transformed desktop browsers, whereas on mobile devices the parameters are very different. Users must optimize their browser settings to ensure they are browsing the internet securely, safely, and privately. Ignoring a browser’s security features or failing to heed its recommendations puts people at higher risk for cyber attacks.
One simple action that all users need to take is keeping their mobile operating system and applications up to date. In most cases, the updates require active consent, and a user in a hurry is more likely to ignore the prompt and click “remind me later” several different times, instead of stopping to install the update immediately. Avoiding unsafe links, drive-by downloads and browser exploits are some other ways that educated consumers can ensure mobile security.
HTTP (hypertext transfer protocol) allows for communication between various systems; for example, data transferred from a web server to a web browser. When using just HTTP, user information is not encrypted and can easily be intercepted by a third party. HTTPS (the secure version of HTTP) is the most basic aspect of online safety these days, and without it, all data moved on the web is vulnerable. This is of particular concern on sites where personal and sensitive information is exchanged, such as a page for making a purchase with a credit card, or a login area that requires a username and password.
If a company has not yet migrated their site from HTTP to HTTPS, this should be considered a critical next step. While there is a modest ongoing cost of around $100 per year associated with HTTPS, today’s organizations treat this as a basic requirement for doing business. Furthermore, in addition to building user trust by protecting their information, HTTPS gives businesses a boost in search engine rankings. Making the switch to HTTPS is a one-time change for most business websites, but is complex enough to require the assistance of an experienced developer. One aspect of this change-over involves purchasing and installing an SSL (secure sockets layer) certificate, also referred to as a digital certificate.
A Secure Sockets Layer (SSL) certificate encrypts all information communicated between a web browser and a web server. In order to create this safe connection, it authenticates the identity of the website visited and encrypts the transmitted data. Any business that uses their website to collect, process, store, or display personal or sensitive information should purchase an SSL certificate.
Purchasing an SSL certificate is part of the process of switching a site over to the HTTPS protocol, and the site owner has choices regarding which type of SSL certificate they prefer. Some SSL certificates offer lower-level security, merely verifying domain ownership. These certificates cost less and are available instantly. Extended Validation (EV) SSL certificates take longer to acquire because they require validation of the person and business ordering the certificate. An EV SSL certificate results in a green padlock symbol appearing in the address bar, giving the user confidence that they will be protected against phishing and other types of fraudulent practices.
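The difference between a domain-only certificate and an EV certificate is visible in the certificate's subject fields. The following added example (not from the original article) classifies a parsed certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and reports the days left before expiry. The sample certificates, the `shop.example` name and the fixed clock are constructed, and the "OV" middle tier goes beyond the two types the article names.

```python
import ssl
from datetime import datetime, timezone

# Subject attributes a CA only includes after vetting the business (EV issuance).
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten the nested subject tuples of a getpeercert()-style dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic on subject contents; the certificate policy OID is authoritative."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only control of the domain was verified
    if EV_FIELDS <= fields.keys():
        return "EV"   # person and business behind the order were validated
    return "OV"       # organization named, but without the EV-specific fields

def days_until_expiry(cert, now):
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def audit(cert, now):
    fields = subject_fields(cert)
    return {
        "site": fields.get("commonName"),
        "organization": fields.get("organizationName"),
        "level": validation_level(cert),
        "days_left": days_until_expiry(cert, now),
    }

# Constructed sample certificates (not taken from any real site).
DV_CERT = {"subject": ((("commonName", "shop.example"),),),
           "notAfter": "Mar 31 12:00:00 2030 GMT"}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("serialNumber", "0000000"),),
                (("organizationName", "Example Shop Inc."),),
                (("commonName", "shop.example"),)),
    "notAfter": "Jan 15 00:00:00 2030 GMT",
}
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the example

if __name__ == "__main__":
    for cert in (DV_CERT, EV_CERT):
        print(audit(cert, NOW))
```

A short `days_left` value is worth alerting on, since an expired certificate produces browser errors regardless of its validation level.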
While SSL encryption protects users on any device, it can result in some issues on mobile browsers. For example, even the newest models of Android phones can respond with an unhelpful error message when a user accesses a mobile site protected by SSL encryption. It’s important for companies to be aware of this problem and not let it discourage them from installing security features since the issue is fixable by working with the hosting provider. Furthermore, mobile browsers have limited ways to show if a site is, in fact, using SSL, and certain advanced features may not be overly apparent to a consumer.
Virtual private networks (VPNs) have become a popular option through which organizations allow their people to safely access the internet, especially when working from remote locations. The VPN acts as its own network and encrypts all communications, making them virtually impossible for a third party to hack or steal. Furthermore, it blocks the user’s location from prying eyes and can be proxied through any of a number of different countries.
However, until recently, VPNs were not available for mobile devices. These networks were tied to a particular location, and if a mobile user tried to keep a connection open while they physically moved around, the conventional VPN could not maintain the point of contact. Now, mobile VPNs have been developed that create “tunnels” tied to logical IP addresses instead of physical IP addresses. The technical details for this option can be left to developers, but it’s important for companies to be aware that mobile VPN capability is now offered by a number of providers. These include Nokia, Columbitech, Motorola, Ecotel, and more. Using this protection, users can be sure their connections with the corporate network are secure as they move from one wireless access point to another, or switch from WiFi to cellular data transmission.
“At the end of the day, everything is hackable. What I am surprised about is that people sometimes forget that it’s so easy to hack into these devices,” states intelligence expert Adi Sharabani, co-founder of mobile security company Skycure. And Eric Klein, director of mobile software at VDC Research, adds: “It’s high time developers and IT paid attention to mobile browser security and platform support when deploying mobile web apps.” Just as the vulnerability is increasing, the methods and approaches for protecting information are also becoming more numerous and widespread. Awareness is the only prerequisite; when information safety is part of a company’s digital strategy and is accounted for properly, it’s entirely possible to provide a seamless customer experience that also minimizes the risk of sensitive information being stolen by hackers, identity thieves, and other cybercriminals.