Top 10 Smartphone Security Tips

By Pam Baker


When it comes to security issues, smartphone users are a bit delusional in believing the phone is safer than the PC. "If you can access data on your smartphone, so too can hackers," warned Martin Hack, EVP of NCP engineering.

What can thieves get from your phone? Access to your mobile banking site, complete with passwords and PINs; your email at work and at home; passwords and access to your employer's networks; your social media accounts, which contain all the info an identity thief needs (and desperately wants); access to your PC when you sync your phone; and ... much, much more.

For example, smartphones are increasingly being used as a second factor of authentication by banks and other businesses. Cybercriminals are aware of this and are increasingly intercepting the SMS (text) authentication messages sent to users' phones. Typically, during a high-risk or high-value transaction, the business sends a one-time password (OTP) or temporary code to the user's smartphone by SMS. The user then types the OTP into the web page to authenticate the transaction, or simply replies to the SMS. Businesses do this to add an extra layer of security around account changes and online transactions in case the user's login credentials or online session have been compromised.

"However, the downfall of this process is that the temporary code is sent in clear text and anybody with access to the phone can read it," said Roman Yudkin, CTO at Confident Technologies. You don't even have to lose your phone for this to happen. Cybercriminals are adept at redirecting phone numbers so that the code arrives on a handset they control, and at snatching unencrypted text messages from public Wi-Fi or personal Bluetooth connections.
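As an added example (not code from the article or from any of the companies quoted in it), the following Python sketches the server side of the SMS code flow just described, with the checks a practitioner would want once it is accepted that the code itself cannot be kept secret from whoever can read the phone: bind the code to the exact transaction, expire it quickly, make it single-use and limit guesses. The banking back end, the payee names and the policy numbers are assumptions; the in-memory store stands in for whatever the real system uses.

```python
"""Server-side handling of an SMS one-time code bound to one transaction.

Added example, not code from the article. The back end, payee names and
policy values are assumed for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120      # assumed policy: the code is valid for two minutes
MAX_ATTEMPTS = 3            # assumed policy: three wrong guesses burn the code


@dataclass
class PendingTransaction:
    txn_id: str
    payee: str
    amount_cents: int
    code: str                 # what gets texted to the user, in clear text
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues and verifies transaction-bound codes; state is kept in memory."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingTransaction] = {}

    def issue(self, payee: str, amount_cents: int) -> PendingTransaction:
        # secrets.randbelow gives an unpredictable six-digit code; zero-pad it.
        code = f"{secrets.randbelow(1_000_000):06d}"
        txn = PendingTransaction(
            txn_id=secrets.token_hex(8),
            payee=payee,
            amount_cents=amount_cents,
            code=code,
            issued_at=self._clock(),
        )
        self._pending[txn.txn_id] = txn
        return txn

    def sms_body(self, txn: PendingTransaction) -> str:
        # Spelling out payee and amount lets the user spot a transfer they did
        # not start; the code itself still travels in clear text.
        return (f"Code {txn.code} confirms paying {txn.payee} "
                f"{txn.amount_cents / 100:.2f}. Not you? Call the bank.")

    def verify(self, txn_id: str, payee: str, amount_cents: int,
               code: str) -> tuple[bool, str]:
        txn = self._pending.get(txn_id)
        if txn is None:
            return False, "unknown transaction"
        if txn.used:
            return False, "code already used"
        if self._clock() - txn.issued_at > CODE_TTL_SECONDS:
            del self._pending[txn_id]
            return False, "code expired"
        if txn.attempts >= MAX_ATTEMPTS:
            del self._pending[txn_id]
            return False, "too many attempts"
        txn.attempts += 1
        # The code authorises only the payee and amount it was issued for.
        if payee != txn.payee or amount_cents != txn.amount_cents:
            return False, "code does not match this transaction"
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(code, txn.code):
            return False, "wrong code"
        txn.used = True
        return True, "approved"


def demo() -> dict:
    """Walk through what an attacker who read the SMS can and cannot do."""
    now = [1_000_000.0]                       # controllable clock for the demo
    svc = OtpService(clock=lambda: now[0])
    txn = svc.issue("Electric Co", 12_050)    # constructed transaction
    intercepted = txn.code                    # what the attacker sees in the SMS
    results = {}
    # Attacker tries to spend the code on a payee of their own choosing.
    results["other_payee"] = svc.verify(txn.txn_id, "Mule Account", 12_050, intercepted)
    # Attacker tries to change the amount.
    results["other_amount"] = svc.verify(txn.txn_id, "Electric Co", 99_999, intercepted)
    # Legitimate user confirms the transfer they actually started.
    results["legit"] = svc.verify(txn.txn_id, "Electric Co", 12_050, txn.code)
    # Replaying the now-used code fails.
    results["replay"] = svc.verify(txn.txn_id, "Electric Co", 12_050, intercepted)
    # A code the attacker sits on for longer than the TTL is dead.
    txn2 = svc.issue("Electric Co", 12_050)
    now[0] += CODE_TTL_SECONDS + 1
    results["stale"] = svc.verify(txn2.txn_id, "Electric Co", 12_050, txn2.code)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13s} -> {outcome}")
```

Run it directly to see the five outcomes. The point is not that this stops interception; the quote above is right that it cannot. It is that an intercepted code then buys the attacker only the transaction the victim already started, for only two minutes, and only once.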

Wake up call

It's time to wake up and smell the sweaty hacker on your phone. Whether you are a CIO charged with securing the enterprise from employee cell phone use or just a guy or gal toting a loaded smartphone, Tim Armstrong, malware researcher at Kaspersky Lab, said there are several universal things that all smartphone users should and should not do:

The Do's:

1. Lock your screen with a PIN code or password. While this seems simple, anything that adds an extra layer of difficulty for an untrustworthy user is beneficial.

2. Install and enable remote services. All major smartphone operating systems (BlackBerry, iOS, Android, Windows Mobile) offer some or all of these features: remote lock, remote wipe, and in many cases GPS location (for finding where your phone went). This goes hand in hand with No. 3.

3. Back up your data. Either through a product that offers this functionality, or simply by copying your documents, pictures and info to your computer. This can save you in the event of a lost, stolen, destroyed, or otherwise non-functioning phone.

4. Use encryption where available. Though not offered on every platform, if you can use it, you should. Even in cases where you lock your phone, the data on your device storage can, in some cases, be accessible unless it is encrypted. This includes external memory cards, such as SD cards, installed in the device as well.

5. Use Antivirus. The mobile malware landscape is developing more quickly now than ever before, due to increased reliance on smartphones for everyday tasks such as banking, paying bills, and managing finances. As a direct result, malware writers will likely show an ever increasing interest in gaining access to your money.

The Don'ts

1. Don't jailbreak, root, or otherwise unlock your phone. While this may add some small increase in functionality, it can also completely disable the security architecture of your device.

2. Don't connect to untrusted Wi-Fi access points. The coffee shop, the airport or other public access points can be compromised, or can otherwise give others a way to reach your data. Login details or personal information you send over these networks can be read by other people connected to, or operating, these access points. It is also worth mentioning that many services on current devices "auto-synchronize" in the background without any user action; the credentials used to synchronize, and the information sent or received during syncing, can be exposed in the same way.

3. Don't wait to report a problem. Immediately notify your network administrator or other responsible security person if your phone has been lost or stolen. Treat your phone as though it is your wallet. If you have backed up your data, you will recover.

4. Don't skip updates. Update your operating system, update your apps. Security flaws are found in both operating systems and applications every day. The longer you wait, the longer you risk being exposed.

5. Don't assume your mobile device is any safer than your computer. It is a fact that viruses and other malware exist for mobile devices. Phishing attacks often still work on mobile browsers. Employ all the safety tactics you'd use on your regular computer: check the address of the site you're trying to access, avoid clicking links in email or SMS/text messages, and avoid providing personal data whenever possible, even via SMS/text message.

8 more security tips just for IT

Okay, so you thought there were just 10 but Khoi Nguyen, group product manager of Mobile Security at Symantec, said IT pros should, at bare minimum, do the following eight more to secure the enterprise from threats coming in via smartphones:

1. Education is essential. Educating employees is the first step in protecting information from malicious attacks. Organizations must help their employees understand what types of threats are out there, and how to prevent them.

2. Focus on protecting information instead of devices. Instead of solely focusing on the devices, companies need to take a step back and look at where their information is being stored and protect those areas accordingly.

3. Encrypt the data on the devices. The information stored on a company's mobile devices is an important asset. Encrypting this data is a must. If the device is lost or stolen, the thief will not be able to read the data, provided the proper encryption technology is loaded on the device.

4. Make sure the security software is up to date. Organizations must treat mobile devices just like they would their PCs and keep security software up to date. This will protect the device from new variants of malware and viruses that threaten a business' critical information.

5. Develop and enforce strong security policies. In addition to encryption and security updates, it is important to enforce password management for managers and employees. Maintaining strong passwords will help protect the data stored in the phone if a device is lost or hacked.

6. Use caution when enabling Bluetooth. A phone's Bluetooth setting is often "On" by default, so it needs to be turned off when not in use, or paired only with known devices such as a headset and left non-discoverable. Otherwise the phone advertises itself to any Bluetooth-enabled device nearby, which could result in malware being loaded onto it.

7. Stress the importance of paying attention. Make sure employees are always striving to be aware of their surroundings when entering passwords or viewing sensitive content to ensure that would-be criminals are not looking over their shoulders.

8. Be wary of free Wi-Fi. Wi-Fi hotspots at airports and cafes can be very convenient, but they can also be a breeding ground for malware. Once again, security education and software are essential to keeping business information safe while employees are accessing wireless networks.
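Most of the tips in both lists above (screen lock, remote wipe, encryption, no jailbreaking, current OS, current antivirus, Bluetooth off) are things an IT team can actually check rather than just recommend. As an added example, not code from the article or from Symantec, the following Python evaluates a device inventory against those tips. It assumes a hypothetical MDM export in which each enrolled device reports the fields below; the policy numbers and the three inventory records are constructed for illustration.

```python
"""Compliance check of a mobile device inventory against the tips above.

Added example, not the article's code. The inventory format, the minimum OS
versions and the signature-age limit are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    platform: str                  # "ios" or "android" in this example
    os_version: str                # as reported by the device, e.g. "4.3.3"
    passcode_set: bool
    storage_encrypted: bool
    jailbroken_or_rooted: bool
    remote_wipe_enrolled: bool
    bluetooth_discoverable: bool
    av_signature_age_days: int     # -1 means no antivirus installed


# Assumed policy values, not figures from the article.
MIN_OS_VERSION = {"ios": (4, 3), "android": (2, 3, 4)}
MAX_SIGNATURE_AGE_DAYS = 7


def parse_version(text: str) -> tuple[int, ...]:
    """'4.3.3' -> (4, 3, 3); a build suffix such as '2.3.4-r1' is dropped.

    Tuples compare element by element, so (4, 3, 3) >= (4, 3) and
    (4, 2, 9) < (4, 3), which is the ordering we want for a minimum version.
    """
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def violations(d: Device) -> list[str]:
    """Return one reason per tip the device fails; an empty list means compliant."""
    found = []
    if not d.passcode_set:
        found.append("no screen lock")
    if not d.remote_wipe_enrolled:
        found.append("remote lock/wipe not enabled")
    if not d.storage_encrypted:
        found.append("device storage not encrypted")
    if d.jailbroken_or_rooted:
        found.append("jailbroken or rooted")
    required = MIN_OS_VERSION.get(d.platform)
    if required is None:
        found.append(f"unsupported platform {d.platform!r}")
    elif parse_version(d.os_version) < required:
        minimum = ".".join(str(n) for n in required)
        found.append(f"OS {d.os_version} below minimum {minimum}")
    if d.av_signature_age_days < 0:
        found.append("no antivirus installed")
    elif d.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        found.append(f"antivirus signatures {d.av_signature_age_days} days old")
    if d.bluetooth_discoverable:
        found.append("Bluetooth left discoverable")
    return found


def report(devices: list[Device]) -> dict[str, list[str]]:
    """Map each non-compliant device name to its list of reasons."""
    result = {}
    for d in devices:
        reasons = violations(d)
        if reasons:
            result[d.name] = reasons
    return result


# Constructed inventory records for illustration; not real devices.
INVENTORY = [
    Device("sales-iphone-01", "ios", "4.3.3", True, True, False, True, False, 2),
    Device("exec-android-02", "android", "2.2.1", True, False, True, True, True, 30),
    Device("field-iphone-03", "ios", "4.2.1", False, True, False, False, False, -1),
]

if __name__ == "__main__":
    for name, reasons in report(INVENTORY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it to see the two non-compliant devices and why. The version comparison is the part people get wrong: comparing "4.10" and "4.9" as strings puts 4.10 first, which is why the check parses each component into an integer before comparing.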

If you want even more intel on the topic, ISACA, a nonprofit, independent association of 95,000 IT security, audit and governance professionals in 160 countries recently published the white paper Securing Mobile Devices as a guide for IT professionals.

"Don't say that you will not support a technology just because of security issues, without weighing business need. And don't think you can roll out a solution and then figure out how you will secure it," advised Mark Lobel, author of the ISACA paper and principal, Advisory Services, at PricewaterhouseCoopers. The bad guys already have your number -- why give them anything else?

A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).