IT AUDIT & SECURITY

Mobile Phones Not Making The Grade When It Comes To Cybersecurity

Michael W. Hammond, Principal, CISA, CRISC, CISSP

8 October 2019

Cybercrime does not begin and end with servers, desktops, and laptops. According to Javelin Strategy & Research, between 2017 and 2018 the number of fraudulent mobile-phone accounts that were opened grew by 78%. This is cause for concern for all organizations, including higher education institutions, which have countless mobile device users regularly accessing their networks both on campus and remotely.

How Can A Hacker Gain Access To A Mobile Device?

A mobile phone can be compromised when it is connected to an unsecured network or when an attacker takes advantage of a network vulnerability. Most mobile phone users save their usernames, passwords and other personal information right on their phones. It is through the use of these saved credentials that a thief can access a user’s bank account information, sign up for credit cards and more.

Also, if a hacker compromises the “right user” (for example, one who works in the registrar’s office and has mobile access to your university’s accounting system), they can gain access to that system virtually undetected by using this employee’s login credentials.

Why Are Mobile Phones So Vulnerable?

One of the reasons mobile phones are so vulnerable is that people do not think about the security of their phone as much as they do about their computer. People will install apps without a second thought. Mobile devices rarely contain comprehensive security measures, and Android mobile operating systems are often not updated as frequently as those on personal computers.

Yet, users routinely store a wide range of sensitive information — including contact information, emails, text messages, passwords and identification numbers — on their phones. Geolocation software can track where phones are at any time, and various apps can record personally identifiable information. Hackers can target a phone and use it to trick its owner, or the owner’s contacts, into revealing confidential information. Or phones can spread viruses to computers — a big problem for universities with “bring your own device” policies.

Are There Any Other Methods That Hackers Use To Gain Network Access?

Attackers often obtain remote access to a mobile device by sending a phishing email that coaxes the recipient into clicking a link that installs malware onto their device.

Apps can be dangerous, too. A user might install an app that turns out to be malicious or a legitimate app with weaknesses an attacker can exploit. A user could unleash such an attack simply by running the app.

What Can Be Done To Protect Your Institution?

First, only allow sensitive data in a sandbox. If possible, use applications that store your data separately from the personal side of the phone. Two-factor authentication is also advisable. This approach adds a layer of authentication by calling the phone or sending a one-time password via text message before allowing the user to log in.
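As an added illustration of that second step (this is not code from the original article or from OCD Tech), the server-side logic that issues a one-time code to the user's registered phone and checks the reply, handling the expiry, single-use and attempt-limit cases a practitioner would expect. The `send_sms` gateway callable and the five-minute, five-attempt policy are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code expires five minutes after issue
MAX_ATTEMPTS = 5         # assumed policy: lock the code after this many wrong guesses


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class SecondFactor:
    """Server-side half of the SMS step: issues a one-time code to a user's
    registered phone number and checks what the user types back."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # assumed gateway: callable(phone_number, message)
        self._now = now             # injectable clock so expiry can be tested
        self._pending: dict[str, PendingCode] = {}

    def issue(self, username: str, phone_number: str) -> None:
        # Fresh random six-digit code per login; any earlier code for this user is discarded.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingCode(code=code, issued_at=self._now())
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> str:
        entry = self._pending.get(username)
        if entry is None or entry.used:
            return "no-code"        # nothing outstanding, or the code was already consumed
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"         # too many guesses: the user must request a new code
        entry.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(entry.code, submitted):
            entry.used = True       # single use: the same code cannot complete a second login
            return "ok"
        return "wrong"
```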

Phone owners should always activate PINs or passwords, and other options such as Touch ID and fingerprint sensors if available. Users should disable Bluetooth and Wi-Fi when not in use and set Bluetooth-enabled devices to be nondiscoverable.

Also, request a freeze with the National Consumer Telecom and Utilities Exchange on the credit information that is used to open a mobile-phone account. This is a credit reporting agency fed by data supplied by phone companies, pay-TV companies, and utility service providers.

Evolving Threats

In only a decade, mobile phones have completely changed our daily lives. Unfortunately, fraud has kept pace with technology. To protect your institution, it is important to be aware of the constantly evolving threats and to partner with IT Audit and Security professionals, like OCD Tech, who can help your institution protect its network from being compromised.