Mobile devices have become an integral part of people’s daily lives. On average, Americans check their phones 262 times a day – for business, social media, games, dating, driving navigation, and other activities.
This growing reliance on mobile devices goes hand in hand with the expanding capabilities of smartphones and the rising number of applications. The Google Play Store alone offers 3.48 million apps for Android users, while the Apple App Store offers around 2.22 million. Two decades ago, a cell phone’s uses were limited to texting, calling, taking photos, and simple mobile games. Now, the possibilities are endless.
However, with this rising dependence on smartphones comes a growing number of security threats. Reported mobile phone account takeovers increased by 78.6% from 2017 to 2018. In 2020, Kaspersky detected an average of 360,000 malicious files a day, many of which targeted mobile devices. In the same year, a series of SIM-swapping attacks on high-profile victims in the United States resulted in losses of over USD 100 million in cryptocurrencies.
Mobile threats and scams are becoming more elaborate. This puts organizations at risk, since employees use mobile phones for many business functions. Learning about these threats helps businesses better protect the company, its employees, and its customers. Below are the top security threats to mobile devices and how to prevent them.
Network Spoofing
Network spoofing is when cybercriminals set up a fake access point and pass it off as a legitimate network. They usually give these networks common names such as “Public Wi-Fi” or “Airport Wi-Fi” to lure people into believing they are trustworthy. Once a user connects, the attacker can read the information transmitted across the network.
To avoid the consequences of network spoofing, organizations should recommend that employees use a virtual private network (VPN) whenever they need to connect to a public network. They can also provide employees, especially remote workers, with adequate mobile data plans so they have a secure work connection without using public networks.
Phishing Attack
A phishing attack uses a disguised digital message, such as an email or SMS, to steal user data. The message contains links that redirect the user to a form asking for their username, password, and other information. The primary targets of phishing attacks are login credentials and credit card numbers. The entered information then gives the attackers access to the user’s accounts.
Because mobile users check their messages and emails more often, they are more vulnerable to these attacks. Lookout’s 2020 Mobile Phishing Spotlight Report showed a 37% increase in phishing attacks targeting mobile users worldwide.
Teaching employees how these attacks work and training them in phishing prevention techniques helps keep them from falling for these attacks. Precautions include checking the email address or sender of a digital message, never clicking links from unfamiliar sources, blocking suspicious messages, and reporting them to the IT department.
Since one of the primary targets of phishing attacks is users’ passwords, integrating a passwordless authentication solution like LoginID can eliminate the risk of phishing attacks.
Spyware
Spyware is malicious software designed to infiltrate a device, gather data, and send it back to cybercriminals. It can be deliberately installed on the device to track the user, or downloaded along with a mobile application. Attackers use spyware either to spy on a person or to profit from the stolen data.
Employees can detect spyware on their devices using malware detection apps or antivirus apps with anti-spyware features. Avoiding suspicious email attachments, links, apps, and online pop-ups also helps prevent spyware from being downloaded in the first place.
Mobile Account Takeover
A mobile phone account takeover is an attack in which fraudsters gain control of a user’s mobile account and phone number. Attackers get in through brute force, manipulation, credential stuffing, phishing, or weak passwords.
For example, in a SIM swap attack, the criminal contacts the user’s network service provider and has the phone number assigned to a new SIM card. Once they control the user’s number, they can receive the text messages that are often used for two-factor authentication. Once the account is taken over, the fraudster can use it for nefarious purposes.
Companies can implement passwordless authentication methods on their platforms to protect the network from account takeovers. For example, LoginID’s FIDO2 passwordless authentication service offers strong verification because it incorporates biometric features that are unique to each person. Therefore, even if attackers take over an employee’s mobile number, they cannot take over the employee’s account and infiltrate the organization’s systems, because they lack the necessary biometric credentials.
Out-of-Date Mobile Systems
Installing security updates is important for fixing bugs and keeping devices current with the latest security features. Even minor updates are critical, as they patch holes in the phone’s system that hackers could otherwise use to their advantage.
Reduce the business’s exposure by encouraging employees to always install mobile security updates. Android and iOS users can check their security update level in the settings. Typically, Samsung devices receive updates for four years, while iPhones receive them for 5-6 years.
Poor Phone Security
Kaspersky Lab revealed that 52% of mobile users do not password-protect their phones, and only 22% use anti-theft phone features. People do not realize it, but on average 1,222 phones are stolen every day. Leaving a phone unsecured, in addition to reusing account passwords, exposes mobile users to many risks if their devices are stolen.
To better secure mobile devices, organizations should require employees to activate their phone’s security features. Some devices already support facial and fingerprint recognition to unlock the smartphone, so setting these up gives the phone more robust access security.
Stolen phones should also be reported to the organization so that action can be taken to secure business accounts and information. Installing mobile device management (MDM) tools should be mandatory. Through an MDM tool, the company can remotely encrypt or wipe critical information from an employee’s device if it is stolen.
FIDO2 in Securing Mobile Phone Usage
Mobile phones are now as indispensable as computers for accessing systems and completing work tasks. This is also why more criminals target mobile phones: they have many vulnerabilities, and people use them all the time. Their prominent use in business exposes the organization to many vulnerabilities, since every phone is an access point into its systems.
Fortunately, new ways are also being developed to reduce the risks and threats of mobile phone usage. One game-changer in this effort is the FIDO2 (Fast Identity Online) protocol. FIDO2 aims to eliminate the use of passwords over the internet and remove the weaknesses they create. It is a set of standards that guides developers in building secure passwordless authentication over the internet. With this standard, users no longer need to enter usernames and passwords for mobile identity verification, and as a result user accounts are much harder to hack.
Companies can now integrate FIDO2 into their systems with LoginID’s passwordless authentication solution. With LoginID, organizations can give their mobile users better security and privacy. It is easy to integrate, regulatory-compliant, and cost-effective. Get started for free by creating an account!
References:
https://www.rd.com/article/mobile-security-threats/
https://www.kaspersky.com/resource-center/threats/top-seven-mobile-security-threats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-in-store
https://www.techadvisory.org/2018/12/how-to-protect-your-company-mobile-devices/
https://oxfordcomputertraining.com/glossary/what-is-fido2/