Smart Phones: The Next Cyber Crime Frontier
By John Jaser, Internet Services Manager

A few years ago, a colleague showed me an idea for a movie thriller where computer hackers take control of a neighborhood’s PCs, smart phones, thermostats, toasters, cars, even pacemakers to extort money from helpless residents. Today, my colleague’s movie idea could be playing in any neighborhood in the United States.

He’s not looking for royalties. As a matter of fact, we both wish the idea remained a matinee fantasy, not an emerging cyber crime reality.

Apple’s acclaimed iPhone was hacked within hours of its initial release in June, 2007. Fast forward to June, 2010, and we see Apple still battling iPhone security issues. A new release of the iPhone mobile operating system closed 65 vulnerabilities. More security measures were required to prevent consumer account breaches in Apple’s online iTunes store. An ongoing problem with iPhone ‘data leaks’ is still unsolved.

The iPhone’s popular cousin, ‘Droid’ by Google and Motorola, reportedly has similar security issues. Back in December, 2009, we heard reports of criminals gaining control of other users’ Android 2.0 or Android 2.0.1 version phones.

Apparently, the criminals are lacing free smart phone applications with their own code to attack users’ phones. The users download the free applications and get a lot more than they bargained for. It’s an old infection technique honed from PC days, but smart phones raise the risks to an entirely different level.

You see, every smart phone has ‘gadgets’, such as a camera, microphone and geo-location service (GPS). When infected, the smart phone’s gadgets can be controlled by criminals who can literally track the user’s location, such as when the user enters a sensitive facility. The criminals can then activate the smart phone’s camera and microphone, giving them eyes and ears where the user wants them least.

Couple this type of exploit with a growing smart phone ‘botnet’ (thousands of hacked smart phones operating under the control of criminals) and we are looking at a thriller beyond Hollywood proportions. More ominously, the code to do this has been published on the web for other criminals to review, refine and reuse.

Apparently, the criminals have wasted little time. In January, 2010, Google removed nearly 50 applications from its Android Market in response to concerns that they might be malicious. The applications offered access to bank accounts at JPMorgan Chase, HSBC, and ING. At least one of the applications was infected with an exploit designed to steal the user’s bank login credentials.

This has not stopped Bank of America, TD Bank and USAA from forging ahead with their own Android-friendly mobile applications. Chase Bank recently added remote deposit capture and peer-to-peer (P2P) payments to its iPhone application. I can’t imagine that other banks won’t follow suit, with early adopter customers not far behind.

Certainly, we are heading into a ‘Gold Rush’ for killer smart phone banking apps, and just as certainly, the criminals are watching every move with cunning, guile and greed. After our experiences with phishing, botnets and other debilitating attacks on the Internet banking channel, we should be smarter about preventing criminal activity on smart phones.

Smart phones are essentially online laptop computers equipped with GPS and hundreds of third-party applications. Banks need to regard smart phones as untrusted platforms since they don’t know what the user has installed or subverted, intentionally or not.

All of this screams ‘opportunity’ to the security application community, and sure enough, solutions such as Lookout have already attracted one million users, according to the technology weblog TechCrunch. Norton, Kaspersky, Trend Micro and F-Secure are now peddling their smart phone security solutions as well.

The challenge for banks is to ensure that their mobile banking customers have installed and are using security solutions on their smart phones. Applications do exist for this purpose, and banks would do well to deny transactions from customers who aren’t protected.

Marketing might howl and customers might threaten, but banks should remind them that criminally controlled smart phones are not in their best interest, except, of course, in a movie theater on the big silver screen.