The mobile phone, its (lack of) security, and the future
Over the last few days there have been at least three major security reports:
- the IBM X-Force 2010 Trend and Risk Report (IBM)
- The Holistic Portfolio: Decision Making in the Mobile Ecosystem (TNS)
- Underground Economies (McAfee/SAIC)
All three are worth reading – but I’m going to cherry-pick from them in order to justify my own preconceptions about the future of mobile security. But first I must ask you to accept a personal observation: the majority of mobile phone users do not recognise a need for security, and currently have little or no security.
We’ll start with the future direction of threat suggested by McAfee/SAIC:
The targets for the underground economy have shifted significantly in the last couple of years. While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.
We don’t really know how long this has been going on, but it came to the fore in early 2010 with Google’s revelation of what became known as Operation Aurora and the advanced persistent threat (APT). IBM concurs with this view: “The single most common threat vector used over the past few years as observed by ERS [IBM’s Emergency Response Services] is spear phishing where an object contains a link to a web page that contains malware.” Spear phishing is the targeting of an individual or small group of people for a specific purpose – such as the theft of intellectual property.
How is this relevant to the mobile market? Well, it isn’t; at least, not yet. However, the IBM report documents the increase in mobile vulnerabilities, with two graphs showing how matters have escalated over the last year.
Nevertheless, IBM says these figures should be seen in context. It points out that
First, most of what is considered best practice around securing mobile devices is still not nearly as well defined as it is in the corresponding personal computing space. Second, the underlying platforms themselves are substantially untested and likely contain years of vulnerability discovery ahead of them.
And it further comments that
We aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today, because mobile devices likely do not represent the same kind of financial opportunity that desktop machines do for the sort of individuals who create large Internet botnets. As e-commerce involving mobile phones increases in the future, it may bring with it a greater financial motivation to target phones, and an associated increase in malware attacks. However, mobile devices do represent opportunities for sophisticated, targeted attackers today.
Our conclusion so far, then, is that mobile phones are not yet heavily targeted; but that the potential already exists.
Let’s now apply IBM’s comments to the threats defined by McAfee/SAIC: stolen credit cards (that is, mass identity theft typically delivered as malware and phishing spam via botnets); and intellectual property theft via spear phishing. Neither of these appears to be happening to any great extent in the mobile market; but IBM points to the increasing use of mobile e-commerce as a spur for the former, while the potential for the latter already exists. This is where we turn to the TNS survey, which shows, in particular, that mobile banking (including the e-wallet) and social networking are the main drivers behind the future use of mobile phones.
Mobile banking and mobile payments will mean an increasing likelihood of account details and passwords being stored on mobile phones. That will attract the criminals seeking to steal credit card details. Social networks are an ideal source of the personal information that can be used for the individual social engineering that lies at the heart of spear phishing. And that will attract the criminals seeking to penetrate corporate networks in order to steal intellectual property. An increasing use of mobile phones for social networking is a given; the only question is how quickly, and to what extent, banking and payments will migrate to the mobile platform. Well, one technology (not new, but only now taking off) that has the potential to change things very quickly is near field communications (NFC).
NFC is already in use, although not yet widespread in phones, in Barclaycard’s contactless payments. “This allows people who have a Barclaycard to swipe their card across a payment terminal (if the retailer has an appropriate terminal, such as at Prêt a Manger), without entering a PIN for purchases of up to £15,” explained Amali de Alwis, a senior research consultant at TNS. “It is a similar line of technology that will be incorporated into mobile phones to allow people to make payments using their mobile instead of a card.” In other words, the migration of bank cards onto mobile phones is technologically easy via NFC, and already well in hand (as seen by Barclaycard’s presentation at the Barcelona Mobile World Congress last year).
“According to recent press, Apple are looking to incorporate this technology into their i-Phones, and additionally Google have teamed up with Citigroup and MasterCard to facilitate these types of services on Google Android phones – buzz is saying within the coming year,” continued Amali.
“From our Mobile Life study we also have consumers telling us directly that there is a demand for these types of services to be available, and that consumers are already willing to consider the use of their mobiles as an e-wallet/payment device (and in some cases, such as with the use of M-Pesa in Kenya, are already doing so), and we see growth potential here not only as a device for paying for goods in store, but also for services such as bill payments.”
If we put all of these elements together we have a new platform that is not yet fully exploited by the bad guys, but one that offers a mass target that will increasingly hold financial details ripe for identity theft, and personal details ripe for socially engineered intellectual property theft – and yet it remains a platform where security is hardly considered by the user. Unless the security industry and/or the phone manufacturers can rapidly explain the need for, and implement, adequate security, that is one hell of a window of opportunity for the bad guys over the next few years. My suspicion is that IBM’s current observation that “we aren’t seeing a lot of widespread attack activity targeting these vulnerabilities today” will change dramatically, and very quickly.