Mobile Banking Dangers Denise Butler Rick Hebert & Associates [email protected].
http://usa.kaspersky.com/internet-security-center/infographics/android-threats
The Phone is Personal
• Email
• Places You’ve Been
• Photos of Family & Friends
• Calendar
• Videos
• Passwords
• Facebook
• LinkedIn
• Text Messaging
• Phone Numbers of People known to you
• Favorite Websites
• Games
• Music
• Banking Apps
• Mobile Phones are outselling PCs
• Mobile Phones have all the vulnerabilities of PCs
• Plus Mobile Phones have additional vulnerabilities
• Vulnerabilities are increasing
• Google ties Apple with 700,000 Android apps (October 2012)
https://play.google.com/store/apps/details?id=com.touchtype.swiftkey&feature=top-paid#?t=W251bGwsMSwxLDIwNiwiY29tLnRvdWNodHlwZS5zd2lmdGtleSJd
SWIFTKEY
SwiftKey replaces the touchscreen keyboard on your phone with one that understands how words work together, giving the world’s most accurate autocorrect - and predicting your next word before you press a key.
The keyboard learns as you use it to make corrections and predictions based on the way that you write. It can learn from your Gmail, Facebook, Twitter or blog to make its insights even more personalized. You can also enable up to three languages simultaneously, for true multi-lingual typing.
“mind-reading capabilities”
Permissions
THIS APPLICATION HAS ACCESS TO THE FOLLOWING:
YOUR MESSAGES
• READ YOUR TEXT MESSAGES (SMS OR MMS): Allows the app to read SMS messages stored on your device or SIM card. This allows the app to read all SMS messages, regardless of content or confidentiality.
NETWORK COMMUNICATION
• FULL NETWORK ACCESS: Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
PHONE CALLS
• READ PHONE STATUS AND IDENTITY: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
STORAGE
• MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE: Allows the app to write to the USB storage.
MINECRAFT
THIS APPLICATION HAS ACCESS TO THE FOLLOWING:
NETWORK COMMUNICATION
• FULL NETWORK ACCESS: Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
STORAGE
• MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE: Allows the app to write to the USB storage.
SYSTEM TOOLS
• TEST ACCESS TO PROTECTED STORAGE: Allows the app to test a permission for USB storage that will be available on future devices.
AFFECTS BATTERY
• CONTROL VIBRATION: Allows the app to control the vibrator.
Permissions
YOUR ACCOUNTS
• CREATE ACCOUNTS AND SET PASSWORDS: Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
• ADD OR REMOVE ACCOUNTS: Allows the app to perform operations like adding and removing accounts, and deleting their password.
YOUR LOCATION
• APPROXIMATE LOCATION (NETWORK-BASED): Allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine approximately where you are.
• PRECISE LOCATION (GPS AND NETWORK-BASED): Allows the app to get your precise location using the Global Positioning System (GPS) or network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine where you are, and may consume additional battery power.
NETWORK COMMUNICATION
• FULL NETWORK ACCESS: Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
PHONE CALLS
• DIRECTLY CALL PHONE NUMBERS: Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Note that this doesn't allow the app to call emergency numbers. Malicious apps may cost you money by making calls without your confirmation.
• READ PHONE STATUS AND IDENTITY: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
STORAGE
• MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE: Allows the app to write to the USB storage.
SYSTEM TOOLS
• INSTALL SHORTCUTS: Allows an app to add shortcuts without user intervention.
• READ BATTERY STATISTICS: Allows an application to read the current low-level battery use data. May allow the application to find out detailed information about which apps you use.
YOUR APPLICATIONS INFORMATION
• RETRIEVE RUNNING APPS: Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device.
CAMERA
• TAKE PICTURES AND VIDEOS: Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
OTHER APPLICATION UI
• DRAW OVER OTHER APPS: Allows the app to draw on top of other applications or parts of the user interface. They may interfere with your use of the interface in any application, or change what you think you are seeing in other applications.
MICROPHONE
• RECORD AUDIO: record audio
YOUR SOCIAL INFORMATION
• WRITE CALL LOG: Allows the app to modify your device's call log, including data about incoming and outgoing calls. Malicious apps may use this to erase or modify your call log.
• READ YOUR CONTACTS: Allows the app to read data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.
• MODIFY YOUR CONTACTS: Allows the app to modify the data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific contacts. This permission allows apps to delete contact data.
• READ CALL LOG: Allows the app to read your device's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
NETWORK COMMUNICATION
• FULL NETWORK ACCESS: Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
STORAGE
• MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE: Allows the app to write to the USB storage.
ZEDGE
YOUR SOCIAL INFORMATION
• READ YOUR CONTACTS: Allows the app to read data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.
• MODIFY YOUR CONTACTS: Allows the app to modify the data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific contacts. This permission allows apps to delete contact data.
• READ CALL LOG: Allows the app to read your device's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
• WRITE CALL LOG: Allows the app to modify your device's call log, including data about incoming and outgoing calls. Malicious apps may use this to erase or modify your call log.
NETWORK COMMUNICATION
• VIEW NETWORK CONNECTIONS: Allows the app to view information about network connections such as which networks exist and are connected.
SYSTEM TOOLS
• MODIFY SYSTEM SETTINGS: Allows the app to modify the system's settings data. Malicious apps may corrupt your system's configuration.
• SET PREFERRED APPS: Allows the app to modify your preferred apps. Malicious apps may silently change the apps that are run, spoofing your existing apps to collect private data from you.
• TEST ACCESS TO PROTECTED STORAGE: Allows the app to test a permission for USB storage that will be available on future devices.
YOUR APPLICATIONS INFORMATION
• RUN AT STARTUP: Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.
WALLPAPER
• SET WALLPAPER: Allows the app to set the system wallpaper.
NETWORK COMMUNICATION
• FULL NETWORK ACCESS: Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
PHONE CALLS
• READ PHONE STATUS AND IDENTITY: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
STORAGE
• MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE: Allows the app to write to the USB storage.
NETWORK COMMUNICATION
• VIEW NETWORK CONNECTIONS: Allows the app to view information about network connections such as which networks exist and are connected.
• RECEIVE DATA FROM INTERNET: Allows apps to accept cloud to device messages sent by the app's service. Using this service will incur data usage. Malicious apps could cause excess data usage.
• VIEW WI-FI CONNECTIONS: Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.
SYSTEM TOOLS
• TEST ACCESS TO PROTECTED STORAGE: Allows the app to test a permission for USB storage that will be available on future devices.
AFFECTS BATTERY
• PREVENT DEVICE FROM SLEEPING: Allows the app to prevent the device from going to sleep.
• CONTROL VIBRATION: Allows the app to control the vibrator.
DEFAULT
• CHANGE SCREEN ORIENTATION: Allows the app to change the rotation of the screen at any time. Should never be needed for normal apps.
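The permission lists above are the kind of review the slides ask users to do by hand. As an added example (not part of the presentation), the Python script below does the same check on an app's manifest: it parses a constructed AndroidManifest.xml and flags every permission that maps to one of the sensitive Play Store labels shown on these slides but is not needed for the app's stated purpose. The sample manifest, the "needed" set and the mapping from manifest permission names to Play Store labels are assumptions for illustration.

```python
"""Permission review: flag sensitive manifest permissions an app's purpose does not need.
Added example, not part of the presentation; manifest and mapping are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from manifest permission names to the Play Store labels the slides show.
SENSITIVE = {
    "android.permission.READ_SMS": "read your text messages (SMS or MMS)",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "modify your contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.WRITE_CALL_LOG": "write call log",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS and network-based)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location (network-based)",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.GET_TASKS": "retrieve running apps",
}

# Constructed manifest for a hypothetical wallpaper app (not any real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the <uses-permission> names in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def review(manifest_xml, needed):
    """Map each sensitive permission that is requested but not in `needed` to its label."""
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml)
            if p in SENSITIVE and p not in needed}


if __name__ == "__main__":
    # A wallpaper app needs SET_WALLPAPER; contacts and call-log access deserve a question.
    for name, label in review(SAMPLE_MANIFEST, {"android.permission.SET_WALLPAPER"}).items():
        print("unexpected:", name, "(" + label + ")")
```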
Portability
• Easy to steal
• All information is lost
• Attackers can gain access to any information stored
Apps
• Apps that appear legitimate may be malicious
• Few safety evaluation processes are present for Apps
• Unregulated sources of Apps may encourage bypassing security to make an App run
• Users anxious to use an app are willing to bypass security features by “rooting” or “jailbreaking” the phone
Any software can be exploited
• Eavesdropping (listening in)
• Crashing the phone software
• Attacks can originate from a website
• Services installed on a mobile phone can perform the attack running in the background
Phishing & Vishing & Smishing
• Phishing – email sent to link to a website – same as on a PC
• Vishing – Call the phone and talk the user into revealing passwords and other information
• Smishing – SMS/MMS messages that trick users by falsely soliciting, for example, charitable donations, spamming after a tragedy or other false advertising
Bluesnarfing
• Using Bluetooth to steal your data off your phone
• Word, Excel, email communications
Prevention
o Disable Bluetooth
o Use in hidden mode
How Important is Security?
• Mobile Phones can be added to malicious networks and controlled by an attacker (botnet)
• Software can send device info to attackers for purposes of performing additional attacks
• Viruses can harm the phone and phone apps and any PCs or networks the phone is attached to
Protection
• File encryption
• Remote drive wiping
• Authentication – device passwords
• Encrypt backups
• Anti-virus
• For VPNs – certificate-based authentication
Protection
• Enable the password feature
• Use secure connections and settings for web sites – https, SSL
• Don’t follow email links or text message links if you don’t know where the email came from
• Don’t publish mobile phone numbers on the web
Protection
• Think before you download a file or store information on your phone
• Be wary of all apps; if an app requires you to allow it to have ownership of the phone, don’t use it
• Always know where your phone is
Protection
• Don’t join unknown Wi-Fi networks
• Remove information on your phone before you get rid of the phone
• Check with the manufacturer on how to wipe it clean
Location
• Turn off location tracking for applications that don’t require it
• Understand how the location information will be used before using it
3rd Party Access
Root and Jailbreak
• Don’t use 3rd party software that lets you access portions of the operating system and firmware that you shouldn’t
• Rooting / Jailbreaking might prevent future releases and features from being installed
What to Do if You Lose Your Phone
• Report it to your company
• Contact the mobile phone provider to limit malicious usage
• Report to local police
• Change all passwords, passcodes and other credentials
• Wipe the phone
• Use software that can find your phone with GPS
Sources:
http://news.cnet.com/8301-1035_3-57542502-94/google-ties-apple-with-700000-android-apps/
http://www.us-cert.gov/reading_room/cyber_threats_to_mobile_phones.pdf
Additional Resources
US-CERT Resources
• “Technical Information Paper: Cyber Threats to Mobile Devices” (http://www.us-cert.gov/reading_room/TIP10-105-01.pdf)
• “Protecting Portable Devices: Physical Security” (http://www.us-cert.gov/cas/tips/ST04-017.html)
• “Protecting Portable Devices: Data Security” (http://www.us-cert.gov/cas/tips/ST04-020.html)
• “Securing Wireless Networks” (http://www.us-cert.gov/cas/tips/ST05-003.html)
• “Cybersecurity for Electronic Devices” (http://www.us-cert.gov/cas/tips/ST05-017.html)
• “Defending Cell Phones and PDAs Against Attack” (http://www.us-cert.gov/cas/tips/ST06-007.html)