Tuesday, February 2, 2010

Best Practices for Securing Mobile

New Phishing Schemes Target Mobile Customers with Bogus Apps

There are some best practices that cell phone users should keep in mind when using their phone, whether for business or for personal use.

Make No Assumptions - Never assume that voice calls are confidential (like fax or email), especially when calling internationally, where some countries' phone operators have no encryption security in place at all. Check your signal: calls on 3G are more secure than calls on 2G, but phones often fall back to 2G when 3G is unavailable.

Ensure Physical Security - Keep your phone safe and do not leave it lying around. Skilled attackers can take just a few moments to install a malicious program, compromise the security of the SIM card or install a special battery with a bug in it, all of which can later be used to help intercept calls.

Protect PINs - Use and protect your phone and voicemail PINs in the same way as your bankcard PIN. Never leave confidential messages in voicemails or send confidential texts. Texts in particular are easy to read on the phone and mobile phone voicemails can often be accessed from any phone with the PIN.

Be Mindful of Malware - Be vigilant to prevent malicious software on your phone. Be wary of texts, system messages or events on your phone that you did not ask for, initiate or expect. Turn off Bluetooth if you are not using it.

Take Precautions - Consider installing antivirus/antimalware software. If you strongly suspect your calls are being listened to, turn off the phone when you don't need it and remove the battery as an extreme precaution. Also, to secure your sensitive calls, use voice call encryption software on your phone that works worldwide and is as easy to use as making a normal phone call.

Financial institutions are no different from any other organization when it comes to protecting valuable phone calls, and this kind of call interception could also extend to calls made to the institution by customers inquiring about their accounts. Imagine a high-value customer calls in to transfer or wire funds, and the call is intercepted.

Who would be responsible for the theft of that customer's money if a hacker got an account number, password or PIN?

"The responsibility angle is very important, as theft of voice call data is not explicitly covered by regulatory, compliance or best practices that already exist for 'data' (which means non-voice data)."
