The Life and Crimes of a Carder
By: Amy L. Wees
University of Maryland University College
April 6, 2012
The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year. The most lucrative example of the carding network came from a website called CarderPlanet. Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career. Though CarderPlanet was taken down and many arrests were made, similar sites and forums are still in existence and flourishing across the Internet. To learn more about the way carding works and why it is so appealing to criminals, one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals. This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.
Keywords: Carders, Identity Theft, Credit Card Fraud, Cyber-crime
The Life and Crimes of a Carder
The words of a fictitious Internet advertisement boast “Don’t miss it! There is a limited time only sale on stolen identifications, debit and credit cards including pins and CVVs, counterfeiting equipment, bank account information and PayPal accounts! Get dumps of U.S. accounts for as little as 20 dollars! Learn how to make your own credit cards with our specialized equipment. It has never been easier to get your hands on all of this FREE money!! Fine print: Membership required, website can be relocated at any time and cannot be held liable for unlawful transactions. All transactions are risky and success is not guaranteed.”
Unfortunately the above advertisement illustrates a scenario that is very real. The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year. Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career. Though these criminals can make a lot of easy money and mask their identities behind online codenames to avoid capture, there are many separate roles played in this crime ring and different motivations for involvement. This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.
The most lucrative example of the carding network came from a website called CarderPlanet. CarderPlanet was launched in 2003 and was quickly known in the underground community as the place to go to learn the secrets of the carder trade and how to make money from stolen credit cards and identities. Forum topics on the site covered everything from beginners’ instructions, sales or trades of credit cards, identity theft information and sales, programming, hacking and carder software, how to maintain anonymity and security, and employers offering carding jobs (Munns, 2010). The site had fake contact information for an address in Ho Chi Minh City, Vietnam and an administrator who went by the alias “Script”. “Script” was so bold he even created several online advertisements boasting of CarderPlanet’s success. One of the flashy advertisements makes the following statements in capital letters: “NEED RELIABLE PARTER? CARDERPLANET! WORLD-CLASS CARDERS; GENIUS OF PROCESSING SECURITY; PROFESSIONALS OF PAYMENT SYSTEMS; WE GIVE YOU THE KNOWLEDGE; PROFITABLE STRATEGIES, CARDERPLANET TACTICS AND TUTORIALS; CARDERPLANET IS INEVITABLE” (F-Secure, 2008).
The site was easy to find for Internet browsers and Federal Bureau of Investigation (FBI) investigators attempting to hunt down cyber criminals. Authorities gained a lot of leads from posts on the site which could be linked to open cases, but only names of aliases and little in regards to location or actual identities of criminals could be found. Interpol soon was involved, and with the cooperation of multi-national law enforcement agencies, arrests were made and the site brought down (Munns, 2010). In a 2010 FBI press release after the arrest of one of CarderPlanet’s founders Vladislav Anatolievich Horohorin, U.S. Secret Service Assistant Director for Investigations Michael Merritt stated:
“The network created by the founders of CarderPlanet, including Vladislav Horohorin, remains one of the most sophisticated organizations of online financial criminals in the world; this network has been repeatedly linked to nearly every major intrusion of financial information reported to the international law enforcement community” (U.S. Department of Justice, 2010).
Though CarderPlanet was taken down and many arrests were made, similar sites and forums are still in existence and flourishing across the Internet. To learn more about the way carding works and why it is so appealing to criminals, one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals.
Threat Profiles and Scenarios
According to University of Maryland University College (2010), a threat profile has five elements: asset – an item of value, whether data or physical property; actor – the person causing damage; motive – the reason for the action; access – the means of obtaining the item; and outcome – the eventual result of the action (p. 9). For the purpose of this paper, threat profiles will be given based on observed and reported scenarios of carders.
Scenario 1: Data Breach via Wardriving
In 2010, eleven cybercriminals were charged with conspiracy, computer intrusion, fraud, identity theft and various other crimes after stealing forty million credit and debit card numbers via wardriving. The criminals tapped into the wireless networks using laptops while parked in front of various retailers including Sports Authority, TJ Maxx, Barnes & Noble, Marshalls and Office Max. After they gained access to the network, packet sniffers were installed to capture account numbers as cash registers processed purchases (U.S. Department of Justice, 2010).
The asset in this case is the credit and debit card numbers. There were 11 separate actors, most with the motive of financial gain as account numbers were sold over the internet or imprinted on magnetic strips of counterfeit cards and used to withdraw thousands of dollars (DOJ, 2008). Ukrainian Maksym Yastremski was a well-known online seller of stolen cards and supposedly gained eleven million dollars from his crimes. U.S. citizen Albert Gonzalez was also caught while simultaneously acting as a Secret Service informant on a separate operation (Poulsen, 2008). Gonzalez’s motive may have been to lessen his previous sentence by working as an informant but also to use this position as a cover up to participate in other crimes for financial gain. He may have been addicted to this crime if even after being caught he could not stop. The outcome of this crime was severe financial losses to several major retailers. The cost of the intrusion to TJ Maxx alone was reported to be over 130 million dollars (Poulsen, 2008).
How could these wardriving attacks have been prevented? Data on a wireless network is transmitted via radio instead of over a wire, leaving it highly vulnerable to interception. The first step in protection is to keep all essential data on a more secured wired network and not connect a device loaded with critical data to an unsecured wireless network. Next, defaults on routers should be changed from factory settings and the Service Set Identifier (SSID) should not be broadcast. When setting passwords, ensure they are complex enough to deter a password cracker. Third, Media Access Control (MAC) address filtering and Dynamic Host Configuration Protocol (DHCP) can be used to limit the number of workstations or devices allowed to access the network. Last and most importantly, ensure the information sent over the wireless network is encrypted. The best encryption standard is Wi-Fi Protected Access (WPA) 2 and is included in the latest router configurations. Information should also be protected at the source using anti-virus programs, personal firewalls, and wireless network firewalls. For businesses that may need even more protection, virtual private networks (VPN) can be used to ensure the person connecting to the network enters via a secure gateway (Comodo, 2006).
Scenario 2: Skimming
In 2011, carders were arrested in several states after installing skimming devices over the existing card slots on the entryway doors used for access to automatic teller machines (ATMs). Additionally, carders installed pinhole cameras pointed at the ATM number pad (KTLA News, 2012). The skimming device captured the account numbers on customers’ debit cards, and carders later used these numbers in combination with the PINs from captured videos to create counterfeit cards used for purchases and cash withdrawals (Kitten, ATM Skimmer Sentenced to Jail, 2011).
The asset in this scenario is the account data and PINs. In this case there were three actors believed to be linked to a larger crime ring, as several separate arrests were made for similar crimes in New York. Gabriella Graham pleaded guilty to acting as a lookout for other members of her team while they installed cameras and skimming machines at eleven banks in Connecticut, Massachusetts and Rhode Island. She also admitted to creating and using counterfeit debit cards. At first glance Graham’s motive appears to be financial gain, though she was labeled as a mule by authorities and offered a lower sentence in exchange for her testimony against accomplices. This suggests she may have been pressured into involvement by others. The skimming attacks cost banks and customers over $335,000 (Kitten, ATM Skimmer Sentenced to Jail, 2011).
Julie McNelley, a fraud analyst for Aite Group, states “ATM skimming has helped push debit-related fraud losses to the top of the card-fraud list; debit losses now outpace credit card fraud” (Kitten, Skimmers Busted by Fraud Detection, 2011). Customers and banks need to know how to protect themselves from skimming. Customers need to keep an eye on their account statements, look for irregular charges and report them to the bank immediately. Credit cards offer fraud protection, but debit cards are held to a $50 limit by the FDIC’s consumer protection rule. Therefore, if a customer’s bank account is drained due to theft or fraud, the bank does not have to refund the money unless a full investigation is completed to determine there was no fault of the customer (Sullivan, 2004). Some banks use fraud detection software that limits the amount of cash that can be withdrawn on a daily basis and looks for irregular customer spending habits such as large dollar amounts outside of the immediate area.
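The two checks attributed above to bank fraud-detection software, a daily cash-withdrawal cap and a flag for large amounts spent far from the customer's usual area, can be sketched as follows. This is an added Python example, not code from the original paper or from any bank's product; the limits, the 100 km radius, the field names and the sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed policy values for illustration; real limits are set per bank and account.
DAILY_CASH_LIMIT = 500.00   # maximum ATM cash per account per calendar day
HOME_RADIUS_KM = 100.0      # what counts as the customer's "immediate area"
LARGE_AMOUNT = 300.00       # amount treated as suspicious when far from home


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    when: datetime
    kind: str       # "ATM" (cash withdrawal) or "POS" (purchase)
    amount: float
    lat: float
    lon: float


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def review(txns, home):
    """Return {txn_id: [reasons]} for transactions that break either rule.

    home maps account -> (lat, lon) of the customer's usual area.
    """
    alerts = defaultdict(list)
    cash_today = defaultdict(float)   # (account, date) -> approved ATM total
    for t in sorted(txns, key=lambda t: t.when):
        # Rule 1: cumulative daily cash cap. A skimmed card is typically drained
        # in repeated withdrawals, so the running total matters, not one amount.
        if t.kind == "ATM":
            key = (t.account, t.when.date())
            if cash_today[key] + t.amount > DAILY_CASH_LIMIT:
                alerts[t.txn_id].append("daily cash limit exceeded")
            else:
                cash_today[key] += t.amount   # only approved cash counts
        # Rule 2: large amount outside the customer's usual area.
        home_lat, home_lon = home[t.account]
        dist = km_between(home_lat, home_lon, t.lat, t.lon)
        if t.amount >= LARGE_AMOUNT and dist > HOME_RADIUS_KM:
            alerts[t.txn_id].append(f"large amount {dist:.0f} km from home")
    return dict(alerts)


# Constructed sample data: one customer based in Hartford, CT.
HOME = {"ACCT-1": (41.76, -72.67)}
SAMPLE_TXNS = [
    Txn("T1", "ACCT-1", datetime(2012, 3, 1, 9, 0), "ATM", 200.0, 41.76, -72.67),
    Txn("T2", "ACCT-1", datetime(2012, 3, 1, 12, 0), "ATM", 200.0, 41.76, -72.67),
    Txn("T3", "ACCT-1", datetime(2012, 3, 1, 15, 0), "ATM", 200.0, 41.76, -72.67),
    Txn("T4", "ACCT-1", datetime(2012, 3, 1, 18, 0), "POS", 45.0, 41.31, -72.92),
    Txn("T5", "ACCT-1", datetime(2012, 3, 2, 10, 0), "POS", 900.0, 25.76, -80.19),
    Txn("T6", "ACCT-1", datetime(2012, 3, 2, 10, 30), "ATM", 400.0, 25.76, -80.19),
]

if __name__ == "__main__":
    for txn_id, reasons in review(SAMPLE_TXNS, HOME).items():
        print(txn_id, "->", "; ".join(reasons))
```

T3 is held because it would take the day's cash total past the cap, while T5 and T6 are flagged for size and distance even though T6 alone is under the daily limit.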
Customers should also pay attention to ATM card slots or credit card swiping machines that look out of the ordinary. If it appears as if something is attached to the original machine, do not use it and report suspicion to the vendor (Rogak, 2012). Skimmers have also been found on cashiers and wait staff at restaurants, so customers should pay at the register when possible and not leave their card with staff for long periods of time (such as for a bar tab). Retailers should mount security cameras over all areas in the store where transactions are processed to deter employees from theft or fraud (Crane, 2008).
Scenario 3: Phishing
In December 2011, the United Kingdom’s e-crime unit caught six cybercriminals running a phishing scam targeted at college students across the U.K. The criminals sent e-mails to students at various schools asking them to update the login details to their student loans. Some students followed the e-mail link to an official-looking website and provided enough personal information for criminals to gain access to the students’ bank accounts (Kovacs, 2011).
The asset was the student loan accounts and the bank accounts. The actors, whose names were not released, were four men and two women, many in their mid-20s and one aged 49. Police found computers and storage media used to access the stolen information (Neal, 2011). The motive was financial gain, as amounts of up to 5,000 pounds were withdrawn at one time, adding up to over 1 million pounds stolen. The U.K. charged the suspects with “conspiracy to defraud, money laundering and other offences under the Computer Misuse Act” (Ashford, 2011). The outcome to the victimized students and banks is unknown.
Consumer awareness is key when it comes to preventing phishing attacks, as the number of phishing e-mails sent and the differences in subjects are substantial. Consumers need to know what is commonplace in many phishing e-mails and web addresses so they are able to recognize the scams in their inboxes. The Anti-Phishing Working Group (APWG) offers consumer advice and recommendations; a brief summary is given:
- Do not respond to e-mails with requests for personal financial information; banks and other businesses will not ask for this information via e-mail
- Avoid clicking on links in an e-mail. Type the known web address in the address bar instead
- When purchasing items online, use trusted retailers and ensure the site address begins with https:// and the padlock icon is shown
- Install a web browser toolbar that will provide alerts when browsing known fraudulent websites
- Report phishing e-mails to the company being spoofed, the Federal Trade Commission or the Internet Crime Complaint Center of the FBI (Anti-Phishing Working Group, 2012).
Scenario 4: The Middle Man
The U.S. Secret Service reports they have arrested “one of its five most wanted cybercriminals in the world” (Metzger, 2010). “BadB” was an online credit card trafficker who was one of the founders of CarderPlanet.com and later opened another site named badb.biz. “BadB” sold credit card dumps to Secret Service agents on one of his sites and collected money for the sale through a Russian hosted site called Webmoney. The sale led to his eventual identification and arrest in Nice, France (U.S. Department of Justice, 2010).
The asset in this scenario is the credit card dumps, which are large amounts of electronic copies of the magnetic stripes of stolen credit card numbers offered for sale in bulk in online forums (CreditCards.com, 2012). The actor is Vladislav Horohorin, a.k.a. “BadB”, who bought and sold stolen credit card data online in web forums that he reportedly scrupulously participated in by posting chat rules against swearing and warnings of devious users. On his own site, badb.biz he advertised his services with animated cartoons showing Russian political gain by stealing from the U.S. and carders receiving medals for their work. Horohorin’s motive is more than just financial. Being a founder of CarderPlanet and watching fellow carders go to prison did not derail him. He continued on as a leader in the carder crime ring and did not make any attempts to cover his tracks, making noise with his bold cartoon advertisements, his website, and his avid participation on other popular carding sites (Metzger, 2010). His actions show political motivations as he was determined to show Russian carders as heroes and U.S. citizens as easy targets who deserve to be criminalized. Horohorin also showed that his crimes were motivated by his ego. He wanted to see how much he could get away with. It was obvious he thought he was untouchable. The outcome of Horohorin’s crimes was his arrest. He is charged with access device fraud and aggravated identity theft with a total maximum sentence of up to 12 years in prison and fines of up to $500,000 (U.S. D.O.J., 2010).
Although authorities have cracked down on carders, the problem remains almost too large to conquer. There is no sign carders are slowing down in their crimes. The credit card and banking industry must find better ways to combat the simplistic ways in which account data can be compromised. Europe, Japan and various other areas around the globe have moved to a new standard using credit cards embedded with a computer chip instead of a magnetic strip. The new cards also require the user to enter a PIN to verify their identity at the time of purchase (Tulipan, 2012). The use of this card prevents skimmers from being used to steal credit card data and is a step in the right direction toward more secure credit and debit cards. Another option would be to utilize biometric systems either instead of cards or to verify the identity of the owner of a card in lieu of a PIN.
History has shown us that regulating information shared on the Internet is nearly impossible. Regulating users of the Internet is also exceedingly tough as many of the sites in which hackers and cybercriminals converge are quickly moved from one location or host to another or utilize dynamic internet protocol addresses. Law enforcement has come together on a global scale to bring cybercriminals to justice, but there are many more criminals to arrest than there are cyber-crime teams to dedicate to their capture. Another solution posed by journalist Misha Glenny while speaking for Technology Entertainment Design (TED) talks is to hire the hackers to design security solutions instead of jailing them. Glenny studied some of the most notorious cybercriminals and noted that nearly all of them learned their skills in their teens before their moral compass had developed, demonstrated advanced skills in science and math, and lacked social skills. He also noted that countries like Russia and China are recruiting these hackers before and after they get into crime and utilizing them to develop their cyber-offensive capabilities (Glenny, 2011). Glenny ends his presentation with an interesting point; he says “We need to find ways of offering guidance to these young people, because they are a remarkable breed. And if we rely, as we do at the moment, solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame” (Glenny, 2011).
Identity theft and credit card fraud are a serious global problem. Criminals have various motivations for committing these crimes as carding does not require any advanced hacking skills, it is fairly easy to hide securely behind an Internet address and alias, and there is money to be made. Victims must report crimes and suspicious activity to law enforcement and consumer protection agencies and also stay informed on the latest security threats and prevention strategies.
References
Anti-Phishing Working Group. (2012). Consumer Advice: How to Avoid Phishing Scams. Retrieved from APWG: http://www.antiphishing.org/consumer_recs.html
Ashford, W. (2011, December 9). UK police arrest six in £1m phishing scam. Retrieved from Computer Weekly: http://www.computerweekly.com/news/2240112250/UK-police-arrest-6-for-1m-phishing-scam
Comodo. (2006, October 11). Wardriving: What is it, how common is it, and how to protect against it. Retrieved from Comodo: http://forums.comodo.com/general-security-questions-and-comments/wardriving-what-is-it-how-common-is-it-and-how-to-protect-against-it-t3199.0.html;msg23829#msg23829
Crane, A. (2008, September 9). 5 steps to avoid ID theft at the register. Retrieved from CreditCards.com: http://www.creditcards.com/credit-card-news/merchant-data-security-identity-theft-tips-1275.php
CreditCards.com. (2012, April 6). Credit Card Glossary: Terms and Definitions. Retrieved from CreditCards.com: http://www.creditcards.com/glossary/term-dump.php
Department of Justice. (2008, August 5). Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers. Retrieved from Department of Justice: http://www.justice.gov/opa/pr/2008/August/08-ag-689.html
F-Secure. (2008, March 14). Digging the Archives for Case CarderPlanet. Retrieved from F-Secure.com: http://www.f-secure.com/weblog/archives/00001403.html
Glenny, M. (2011, July). Hire the Hackers. (M. Glenny, Performer) TED, Edinburgh, U.K.
Kitten, T. (2011, December 28). ATM Skimmer Sentenced to Jail. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/articles.php?art_id=4362
Kitten, T. (2011, November 22). Skimmers Busted by Fraud Detection. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/articles.php?art_id=4262
Kovacs, E. (2011, December 10). Six Phishers Arrested for Scamming UK Students. Retrieved from Softpedia: http://news.softpedia.com/news/Six-Phishers-Arrested-For-Scamming-UK-Students-239744.shtml
KTLA News. (2012, February 7). 2 Arrested for Installing Skimming Device at Chase Bank. Retrieved from KTLA News: http://www.ktla.com/news/landing/ktla-skimming-device-chase-bank,0,1600909.story
Metzger, T. (2010, August 12). Alleged cybercriminal, cartoonist arrested in France. Retrieved from Creditcards.com: http://www.creditcards.com/credit-card-news/carderplanet-badb-data-thief-cybercriminal-arrested-1282.php
Munns, D. (2010, August 12). The secret history of CarderPlanet.com and Dmitry Ivanovich Golubov. Retrieved from CreditCards.com: http://blogs.creditcards.com/2008/05/secret-history-of-carderplanet.php
Neal, D. (2011, December 9). Arrests made for student phishing scam. Retrieved from The Inquirer: http://www.theinquirer.net/inquirer/news/2131361/arrests-student-phishing-scam
Poulsen, K. (2008, August 5). Feds Charge 11 in Breaches at TJ Maxx, OfficeMax, DSW, Others. Retrieved from Wired: http://blog.wired.com/27bstroke6/2008/08/11-charged-in-m.html
Rogak, L. (2012, April 6). 10 things you should know about identity theft. Retrieved from CreditCards.com: http://www.creditcards.com/credit-card-news/help/10-things-you-should-know-about-identity-theft-6000.php
Sullivan, B. (2004, February 18). ID theft victims face tough bank fights. Retrieved from MSNBC: http://www.msnbc.msn.com/id/4264051/ns/business-online_banking/t/id-theft-victims-face-tough-bank-fights/#.T3kvBdm-2So
Tulipan, M. (2012). European Credit Card Standard Leaves Americans Stranded. Retrieved from The Savvy Explorer: http://www.thesavvyexplorer.com/index.php/life-and-style-mainmenu-31/36-tips/689-european-credit-card-standard-leaves-americans-stranded
U.S. Department of Justice. (2010, August 11). Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data. Retrieved from Federal Bureau of Investigation: http://www.fbi.gov/atlanta/press-releases/2010/at081110.htm
University of Maryland University College. (2010). Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology. Module 7. UMUC.
Vulnerabilities and Threats of Mobile Computing
By: Amy Wees
CSEC620 Section 9082
University of Maryland University College
TechTarget defines mobile computing or nomadic computing as “the use of portable computing devices (such as laptop and handheld computers) in conjunction with mobile communications technologies to enable users to access the Internet and data on their home or work computers from anywhere in the world” (TechTarget.com, 2012).
Mobile computing is a part of everyday life for many people. Devices that offer the ability to connect to the Internet on-the-go are vast. Some common examples are smartphones, laptops, tablets, Global Positioning System (GPS) devices, music players, handheld video games, wireless home appliances and e-readers (O’Dell, 2010). A study conducted by Morgan Stanley in 2010 “predicts that the mobile web will be bigger than the desktop web by 2015” (O’Dell, 2010). This is mostly due to the development of smaller, more affordable devices with better data coverage and connection speeds. Mobile e-commerce is also increasing along with the use of social networks over e-mail use (O’Dell, 2010).
Mobile computing is prevalent for businesses and consumers because of its many advantages. Businesses can communicate with employees and customers in and out of the office, and employees can update their work and human resource requirements in online portals. People can search for, communicate with, and navigate to businesses on-the-go. Productivity and leisure time are also increased as people can send and receive e-mails, update their social status, conduct research, or watch a movie all while waiting at the airport or standing in line at the coffee shop (Shukla, 2011). “We are entering the era when the mobile employee has become the typical employee rather than the exception. One recent survey found that 81% of global executives use a mobile device, and analyst firm IDC estimates that there will be 1 billion mobile workers by 2011, including nearly 75% of the US workforce.”
Although mobile devices offer ways to be productive without an Internet connection, such as by tracking appointments and reminders, creating documents and taking notes, capturing photos or videos, and listening to music, an Internet connection offers the ability to access and share information at any time from almost anywhere. Many software applications used for productivity and leisure are also limited or unusable without an Internet connection. Some examples are Microsoft Office’s templates, e-mail applications which require Internet access to download new mail or send mail, music and video streaming software such as Apple’s iTunes which requires online access to download new content, and anti-virus programs such as Norton that download important updates from online repositories.
Mobile computing devices connect to the Internet in a variety of ways such as wirelessly using a Wi-Fi card and a wireless internet connection or hotspot, through a mobile broadband connection such as third generation (3G) or fourth generation (4G) wireless connections provided by a cellular network, or by tethering using a cellphone as a modem (Pinola, 2012).
Vulnerabilities and Associated Threats of Mobile Computing
The benefits of mobile computing also come with various cybersecurity threats and vulnerabilities. The vulnerabilities of mobile computing can be associated with the device’s hardware, the Bluetooth or wireless internet connections, or mobile applications, data, and information transfer. Threats associated with vulnerabilities are rated on a scale of low, medium, and high based on the likelihood of the threat versus the impact to the user (Bosworth, Kabay, & Whyne, 2009). Threats will be listed from highest to lowest threat rating, and strategies to decrease the probability of or mitigate the threat will also be noted.
1. High Threats (Likelihood and Impact to User are High)
Theft or Loss
The chance of loss or theft of a device is high. Some devices are small and easy to lose, and because of their portability even larger laptops can be left behind. Theft of devices is also a concern as there is a large market willing to buy and “most devices are stolen for their cash value and not their information value” (Barcelo, 2011). The vulnerability with theft or loss is the loss of proprietary or personal data. A study done by the Ponemon Institute found that “55 percent of consumers are aware that they may be putting their employers’ confidential business information at risk when using their smartphone for both business and personal use. The survey also found that 52 percent of those who are aware of the risk say that it has happened” (NZ Business, 2011).
Employers need to consider this risk when drafting security policies to ensure the rules on the use or prohibition of personal devices for company purposes are spelled out. Hardware and software of the device should be known to the employer and employees should be required to follow minimal secure practices on their devices before accessing company websites or e-mail (NZ Business, 2011). The Information Systems Control Journal notes “The biggest decision a corporation needs to make with respect to mobile device deployment is the cost of support based on graduated levels of security. If the total cost of the device and the risk it generates does not surpass the business benefit, corporate management should ‘just say no’” (Milligan & Hutcheson, 2008).
It is difficult to prevent theft or loss of devices, but the loss of data can be minimized by encrypting data on the device, requiring a password, biometrics, or an access key to use and configuring the device to erase data after a number of failed logon attempts. The cost of these mitigations is minimal since most operating systems offer password protection and biometric systems are also relatively inexpensive (Milligan & Hutcheson, 2008). Another option is to install software that allows remote wipe of the data such as Lojack for laptops and Sophos for smartphones (Barcelo, 2011). Users may not want to take the extra steps in logging on to their devices but the pay off is rewarding if the device is lost or stolen.
Malware and Phishing Attacks
The threat of malware includes viruses, Trojans, worms, spyware and other types of malicious software that can severely degrade or destroy a computer system’s operations. Most malware is targeted at laptops but threats against mobile phones have also recently been discovered. The danger of mobile devices infected with malware is that they can infect other computers when connecting to a network at work or home. The “mobile blind spot” is a large threat for businesses that allow their employees to use corporate devices and travel for weeks exposed to malware without updating anti-virus software and then returning and connecting to the business’ network (Friedman & Hoffman, 2008).
Phishing attacks are an additional concern for users on the go. The risk of malware can be reduced by using updated anti-virus and anti-spyware software, but phishing tricks users into giving up personal information, log-on information or downloading a file that could be a virus simply by sending an e-mail or displaying a website that appears to be from a reputable company but is really a cybercriminal looking for an easy target. Phishing attacks have gotten so sophisticated they are often hard for even the experienced computer user to distinguish. “In May 2011, Trend Micro discovered a vulnerability in Hotmail that could compromise a user’s account just by previewing an e-mail. The malicious messages, specially crafted for individual targets, triggered a script that could steal e-mail messages and contact information and forward new messages to another account” (Newman, 2011). Although some phishing attacks may be hard to recognize, the best prevention strategies are to read e-mail carefully to ensure it is from a reputable source, look for grammatical errors and avoid opening attachments unless their receipt is expected (Newman, 2011).
2. Medium Threats (Likelihood and Impact to User are Medium)
Wireless Internet Connections
Unlike wired devices within the work center which are often behind firewalls and physical security defenses, mobile devices connect to corporate networks and the Internet directly without the protection of firewalls. Wireless networks controlled by business are much more protected and controlled than the wireless hotspots mobile workers are connecting to which may have little or no security, leaving devices vulnerable to interception or spoofing (Friedman & Hoffman, 2008).
Unsecured WiFi connections such as those at the local Starbucks coffee shop are an open invitation for snoopers and can even allow an attacker to take over a user’s browsing session. A hotspot attack called sidejacking uses automated tools to take over unsecured websites. One such tool developed by Mozilla as a Firefox browser plug-in is called “Firesheep.” “Firesheep automates session hijacking attacks over unsecured Wi-Fi networks by analyzing traffic between a Wi-Fi router and a person’s laptop or smartphone using a packet sniffer” (Westervelt, Top 5 mobile phone security threats in 2012, 2011).
Users can reduce the risks of hotspots and wireless networks by deactivating the feature that automatically searches for and connects to wireless networks on their device, and by connecting to secure wireless connections whenever possible. “Developers such as Google offer encryption support for browsers using open connections and IBM has created a Secure Open Wireless Standard that uses a digital certificate to secure the hotspot and ensure the Service Set Identifier (SSID) is legitimate (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”
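Sidejacking of the kind Firesheep automates depends on session cookies crossing the hotspot unencrypted. The following added example (not from the original paper or its sources) audits HTTP response headers for session cookies that would travel in the clear; the URLs, cookie names, sample responses and the `SESSION_HINTS` heuristic are all constructed assumptions.

```python
# Name fragments that suggest a session cookie (assumed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token")

# Constructed sample responses: (URL, [(header name, header value), ...]).
SAMPLES = [
    ("http://shop.example/login",
     [("Set-Cookie", "sessionid=abc123; Path=/")]),
    ("https://mail.example/",
     [("Set-Cookie", "SID=xyz; Path=/; HttpOnly"),
      ("Set-Cookie", "theme=dark")]),
    ("https://bank.example/",
     [("Set-Cookie", "auth_token=q1; Secure; HttpOnly; SameSite=Lax"),
      ("Strict-Transport-Security", "max-age=31536000")]),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes dict)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return (cookie, problem) pairs a hotspot sniffer could benefit from."""
    findings = []
    https = url.lower().startswith("https://")
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # not a session cookie by our heuristic
        if not https:
            findings.append((name, "sent over plain HTTP"))
        elif "secure" not in attrs:
            # Without Secure, the browser also sends it on any http:// request.
            findings.append((name, "missing Secure attribute"))
    hsts = any(f.lower() == "strict-transport-security" for f, _ in headers)
    if https and not hsts:
        findings.append(("(site)", "no HSTS header"))
    return findings

def audit_all(samples):
    return {url: audit_response(url, headers) for url, headers in samples}

if __name__ == "__main__":
    for url, problems in audit_all(SAMPLES).items():
        print(url, problems or "ok")
```

A site that passes this audit sets its session cookies only over HTTPS and marks them `Secure`, so a packet sniffer on the same open hotspot has no cleartext cookie to capture.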
Bluetooth technology allows laptops, phones and other devices to wirelessly transfer data between devices, connect to technologies such as keyboards and other peripherals, and stream audio and video. Mobile devices with Bluetooth activated and set to discoverable are vulnerable to bluesnarfing attacks. Bluesnarfing uses a Bluetooth connection to steal data such as contacts, calendars, e-mails and text messages, often without the user’s knowledge. “Bluesnarfing requires software such as “SpyBuddy,” which is easy to install software that can monitor a device’s text messages, phone calls, and GPS and is totally undetectable (Bluejacking Tools, 2012).”
With the number of uses for Bluetooth technology today, it is important for mobile users to realize the security threats to Bluetooth, to pair with known devices only, and to turn Bluetooth off when not in use.
- 3. Low Threats (Likelihood and Impact to User are Low)
Mobile Phone Applications
Although applications submitted to Apple and Android markets are evaluated prior to being added to the marketplace, recent events leave reason to believe the security of applications is not the number one priority (Westervelt, 2011). In June of 2010, Apple banned a Vietnamese developer from the iTunes store after his electronic books application reportedly charged 400 users for books they did not purchase. Experts believe the developer launched the attack to boost his ratings in the iTunes store, as he was able to move from position 50 to 21 in a matter of weeks. In response, Apple implemented a new policy that requires users to enter credit card data more often (Computer Weekly, 2010). One month later a reported 4.6 million Android users downloaded a wallpaper application that was collecting data such as the users’ phone number and transmitting information to China (Warwick, 2010). Security firm Lookout studied the application and reported that although the application was suspicious, there was no proof that the activity and data transmission were malicious. Lookout’s Chief Technology Officer Kevin Mahaffey spoke on mobile application security at a BlackHat conference: “Apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones (Warwick, 2010).”
A study by Veracode Inc. found a hard-coded cryptographic key in 40 percent of Android mobile applications. Veracode discovered that these keys assign the same password to multiple users, allowing anyone, namely an attacker, to easily discover the keys and publish them in public forums (Westervelt, 2011). Chris Wysopal, Chief Technology Officer of Veracode, stated, “If someone loses their phone and an attacker gets access to that application, the attacker could basically get access to all the data that everyone in the organization can access (Westervelt, 2011).”
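A hard-coded key of the kind described above can be caught in review before an application ships. The following added example (not code from Veracode or from the original paper) scans Java source for three common patterns; the rule set, the sample class and every value in it are constructed assumptions, and the heuristics will miss keys that are obfuscated or assembled at run time.

```python
import re

# Heuristic rules (assumed for this example), checked in order; first hit wins.
RULES = [
    ("SecretKeySpec built from a string literal",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"')),
    ("secret-named field assigned a literal",
     re.compile(r'\b\w*(?:key|secret|passw(?:or)?d|token)\w*\s*=\s*"[^"]{8,}"',
                re.I)),
    ("string literal converted to key bytes",
     re.compile(r'"[^"]{8,}"\s*\.getBytes\(')),
]

# Constructed Java source, as it might look in an app under review.
SAMPLE_JAVA = '''\
public class Vault {
    private static final String API_KEY = "9f2b7c1e44d0a8b35e6f";
    private static final String GREETING = "hello";
    byte[] k = "s3cr3tP@ssw0rd16".getBytes();
    SecretKeySpec spec = new SecretKeySpec(k, "AES");
    SecretKeySpec bad = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
    SecretKeySpec ok = new SecretKeySpec(store.getKey("app", null).getEncoded(), "AES");
}
'''

def scan_java(source):
    """Return (line number, rule name) for each line that embeds key material."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # ignore single-line comments
        for rule_name, pattern in RULES:
            if pattern.search(line):
                # Report only the location, never the secret value itself.
                findings.append((line_no, rule_name))
                break
    return findings

if __name__ == "__main__":
    for line_no, rule_name in scan_java(SAMPLE_JAVA):
        print(f"line {line_no}: {rule_name}")
```

The last line of the sample class shows the shape the scanner accepts: the key is fetched from a per-device key store at run time rather than compiled into every copy of the application.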
Mitigation of application vulnerabilities is easier said than done, as the resources and infrastructures for creating applications are still very immature. Some suggestions for improvement in software are code signing, which allows users to verify an application’s source; sandboxing, which separates an application from other processes; and permission notifications, which warn users of an application attempting to access their data (Westervelt, 2011). It will be up to the application police, such as Google for Android and Apple for iTunes, to raise the standard for security requirements in mobile applications, and up to users to review an application before downloading it.
People and businesses today have found ways to use mobile technology to their advantage by working and communicating from anywhere at any time. Although the advantages of mobile computing come with cybersecurity risks, the right training, information, and policies can reduce these risks and allow for continued productivity in the mobile world. As devices and technologies improve, cybercrime will also evolve. Technology professionals and businesses must keep security at the forefront of development and implementation in order to keep customers and proprietary information safe.
Barcelo, Y. (2011, September). Mobile Insecurity. CA Magazine, pp. 36-38.
Bluejacking Tools. (2012). Mobile Phone Spy. Retrieved from Bluejacking Tools: http://www.bluejackingtools.com/bluesnarf-mobile-spy/mobile-phone-spy/
Bosworth, S., Kabay, M., & Whyne, E. (2009). Physical Threats to the Information Infrastructure. In F. Platt, Computer Security Handbook. New York: John Wiley & Sons Inc.
Computer Weekly. (2010, July 12). iTunes hack could affect thousands, say experts. Retrieved from Computer Weekly: http://www.computerweekly.com/news/1280093237/iTunes-hack-could-affect-thousands-say-experts
Friedman, J., & Hoffman, D. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 159-180.
Milligan, P. M., & Hutcheson, D. (2008). Business Risks and Security Assessment for Mobile Devices. Information Systems Control Journal, 1-5.
Newman, J. (2011, June 3). 4 Security Tips Spurred by Recent Phishing Attacks. Retrieved from PC World: http://www.pcworld.com/article/229361/4_security_tips_spurred_by_recent_phishing_attacks_on_gmail_hotmail_and_yahoo.html
NZ Business. (2011, September). Are mobile devices compromising your business security? NZ Business, p. 60.
O’Dell, J. (2010, April 13). New Study Shows the Mobile Web Will Rule by 2015. Retrieved from Mashable: http://mashable.com/2010/04/13/mobile-web-stats
Pinola, M. (2012). Mobile Internet Access Comparison. Retrieved from About.com Mobile Office Technology: Pros and cons of different Internet-on-the-Go options: http://mobileoffice.about.com/od/wifimobileconnectivity/a/wireless-internet-comparison.htm
Shukla, I. (2011, September 21). Advantages of Mobile Computing. Retrieved from Buzzle.com: http://www.buzzle.com/articles/advantages-of-mobile-computing.html
TechTarget.com. (2012). Search Mobile Computing. Retrieved from Techtarget.com: http://searchmobilecomputing.techtarget.com
Warwick, A. (2010, July 30). Millions downloaded suspicious Android wallpaper. Retrieved from Computer Weekly: http://www.computerweekly.com/news/1280093401/Millions-download-suspicious-Android-wallpaper
Westervelt, R. (2011, December 8). Android app security: Study finds mobile developers creating flawed Android apps. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/news/2240112235/Android-app-security-Study-finds-mobile-developers-creating-flawed-Android-apps
Westervelt, R. (2011, December 9). Top 5 mobile phone security threats in 2012. Retrieved from Search Security: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012