10 Security Best Practices for Mobile Device Owners

Yury Magalif

Follow my advice and take steps to protect your mobile device before you face a problem. Take a few minutes now to join me in understanding the everyday risks.

By Yury Magalif, Practice Manager – End-User Computing (EUC) and Microsoft, CDI

Don’t be alarmed by these statistics. More importantly, don’t become a statistic yourself. I’m sharing a few factoids here to help protect you, as one of the nearly 4.6 billion mobile device users out there (Gartner).

  • Cybercrimes including hacking and theft cost American businesses over $55 million per year (Ponemon Institute)
  • Every month, one in four mobile devices succumbs to some type of cyber threat (Skycure)
  • Last year in the United States alone, over five million smartphones were stolen or lost (Consumer Reports)

Who is responsible for such mayhem? Hackers, of course, and online thieves all over the world.

But who is responsible for protecting your device? You are.

As IT and Networking professionals, we can manage mobile device security around the clock, seven days a week, 365 days a year, but it is you, the mobile device owner or user, who ultimately determines the relative health of your smartphone or tablet and the level of security you want to experience.

To protect your mobile device, follow these recommended best practices:

  1. Lock your device with a passcode: One of the most common ways your identity can be stolen is when your phone is stolen. Lock your device with a password, but do not use common combinations like 1234 or 1111. On Android phones you can establish a swipe security pattern. Always set the device to auto-lock when not in use.
  2. Choose the Right Mobile OS for Your Risk Tolerance: Open source integrations, price, and app selection might guide you toward Android or Windows phones; however, Apple devices running iOS are generally more secure. A recent NBC Cybersecurity News article revealed that Google’s Android operating system has become a primary target for hackers because “app marketplaces for Android tend to be less regulated.” Hackers can more easily deploy malicious apps that can be downloaded by anyone. As an example, the article reported that over 180 different types of ransomware were designed to attack Android devices in 2015. If you’re an Android owner, fear not. Consumers who choose Android can still remain safe by being aware of the vulnerabilities and actively applying the other tips in this article.
  3. Monitor Links and Websites Carefully: Take a moment to monitor the links you tap and the websites you open. Links in emails, tweets, and ads are often how cybercriminals compromise your device. If it looks suspicious, it’s best to delete it, especially if you are not familiar with the source of the link. When in doubt, throw it out.

    If you have Android and your friend has an iOS device, and you both have a link you are not sure about opening, open the link on iOS first. This practice allows you to check out the link while lowering your exposure to risks including malware.

  4. Regularly Update Your Mobile OS: Take advantage of fixes in the latest OS patches and versions of apps. These updates include fixes for known vulnerabilities. (To avoid data plan charges, download these updates when connected to a trusted wireless network.) Every few days, and especially whenever you hear news about a new virus, take the time to check for OS updates or app patches.

    In 2016, an iOS 9.x flaw resulted in a vulnerability for iPhone users where simply receiving a certain image could leave the device susceptible to infection. Apple pushed out a patch. A year ago a similar flaw was detected on Android devices; however, the risk to users was significantly greater, impacting 95 percent of nearly one billion Android devices. An expected 90-day patch was late. Meanwhile, the flaw allowed hacking to the maximum extent possible including gaining complete control of the phone, wiping the device, and even accessing apps or secretly turning on the camera. Don’t ignore those prompts to update!

    At this point you may be asking, “Do I need a separate anti-virus app, especially if I use an Android device?” To answer that question, balance your need for security against how much risk you plan on taking with your device. Do you often use public wireless networks and make poor choices with the links you open? For now, you may not need an anti-virus app; however, some early industry trends are showing more anti-virus apps on the horizon.

  5. Do Not Jailbreak Your Smartphone: Reverse engineering and unauthorized modification of your phone (jailbreaking) leaves your phone vulnerable to malware. Even jailbreaking an iOS device leaves it open to infections. If your cousin already customized your device for you, it’s not too late. Restore the OS through the update process or check with an authorized reseller.
  6. Download Apps from Reliable Sources Only: Similar to the risks you introduce in jailbreaking your phone’s operating system, downloading rogue apps is also not recommended. Recognize that your desire for that custom functionality, that shortcut, or that obscure free version of an original app is going to cost you more later. Do not download apps outside the official app stores for Apple and Google. A trusted manufacturer might be a reliable source, but try to avoid relatively unknown third-party sites.
  7. Turn Off Bluetooth and Wi-Fi When Not in Use: We group these two technologies together, but Bluetooth is significantly more vulnerable and a popular attack vector for hackers, especially when in discovery mode. It is fairly common to see hackers infiltrate smartphones and other wireless devices over Bluetooth. Turn off Bluetooth, especially if you are not connecting to other devices.

    With standard encryption for wireless routers today, Wi-Fi has become more difficult to hack and is more secure than Bluetooth. However, you should also turn it off when not in use. Many users have both Bluetooth and Wi-Fi on at the same time. Balance your need for convenience with security.

  8. Connect to Trusted Wireless Networks Only: Verify that you are connecting to a valid wireless network especially in hotels, restaurants, and other public places. Always ask for and follow the official wireless access policy in place at legitimate business locations.

    Let’s say you are traveling to a trendy café called Four Seasons Coffeehouse and often connect to their free Wi-Fi while you sip your mocha latte. Your device freezes as you realize you connected to Four_5easons instead of Four_Seasons; the hackers used a 5 instead of an S. Or perhaps your mobile device shows that you connected to Wi-Fi at a Ho1iday 1nn last night. You get the idea. Browse the list of available wireless access points carefully because it is possible you are connecting to a network you should not trust. Look for obscure spelling or punctuation errors in the network name.

  9. Limit Hardware Connections: Grandparents want to watch family photos or videos and with a simple USB connection, you can connect your smartphone and transfer files to their home PC near the kitchen. Be careful. You should run an updated anti-virus and anti-malware program on the PC. It could be infected. Or, you could be introducing a virus on their PC. After you allow the shared connection, both the PC and the phone are now more vulnerable.
  10. Set Strong Passwords: Setting passwords that are unique, longer than eight characters, and difficult to guess is one of the most important things you can do to protect your online accounts. Changing passwords regularly and using different passwords for each account goes a long way to protecting your identity. Specifically, using strong passwords for your iCloud or Google account is important. Anyone who has access to your iCloud or Google account can fully control and wipe your phone.

    Anytime it is offered, configure two-factor authentication. To open a website, this security measure requires you to enter a code from a text message that you receive on your phone, from an app like Google Authenticator, or from a physical key (most secure), in addition to your normal password.
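
The look-alike network names in tip 8 (a 5 standing in for an S, a 1 for an l or I) can be caught mechanically. The Python code below is an added example, not part of the original article: it folds commonly swapped characters and compares each visible network name against names you have verified; the substitution table, function names and sample scan are assumptions constructed for illustration.

```python
import unicodedata

# Constructed table: digits/symbols folded to the letter they commonly imitate.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "$": "s", "@": "a", "|": "l"})

def skeleton(ssid):
    """Comparison key: fold case, accents, look-alike characters and separators."""
    text = unicodedata.normalize("NFKD", ssid).casefold()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(LOOKALIKES).replace("i", "l")  # I, l and 1 look alike
    return "".join(ch for ch in text if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, to catch a dropped or extra character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(ssid, verified):
    """Return (status, matched name): 'listed', 'lookalike' or 'unknown'."""
    if ssid in verified:
        return ("listed", ssid)
    key = skeleton(ssid)
    for name in verified:
        ref = skeleton(name)
        # Same key with a different spelling, or one edit away from a long name
        if key == ref or (len(ref) >= 6 and edit_distance(key, ref) <= 1):
            return ("lookalike", name)
    return ("unknown", None)

# Constructed sample data based on the names used in tip 8.
VERIFIED = ["Four_Seasons", "Holiday Inn"]
SCAN = ["Four_Seasons", "Four_5easons", "Ho1iday 1nn", "Four Seasns", "AirportFreeWiFi"]

def scan_report(scan=SCAN, verified=VERIFIED):
    return {ssid: classify(ssid, verified) for ssid in scan}

if __name__ == "__main__":
    for ssid, (status, match) in scan_report().items():
        print(f"{ssid!r:20} {status:10} {match or ''}")
```

A "listed" result only means the name matches your list; anyone can broadcast the same network name, so still confirm the network with staff as tip 8 advises.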

Bonus Content: Mobile Device Security Threats

You made it this far… you deserve some bonus content.

Know the Risks: An additional best practice is to become more aware of the risks. As an educated consumer, learn the risks. As an educated employee or contractor, understand the risks of bringing your mobile device to work locations where you can also be infected or infect your company network. Read your company’s BYOD policy.

You might be thinking you have nothing to hide and nothing to lose by being hacked. Guess again. All of the following scenarios and threats are real and have happened to everyday people like you and me:

  • You connect to a rogue Wi-Fi network access point and hackers phish for your private data.
  • You might not always see a van with no windows, but hacker groups have been known to drive around trying to identify unsecured wireless networks.
  • Your device is taken over by spyware that periodically turns on your camera and microphone and monitors you remotely!
  • Your employer may be monitoring you at any time, especially if they are providing the mobile device.
  • You set up a wireless network and don’t take steps to secure it. You could face criminal or civil legal action if illegal activity transpired and you did not act to prevent it. With easy encryption today, unless you are setting up a public library, do not host public networks without proper security controls.
  • Competitors hack your device to steal patents, formulas, or gain access to trade secrets.
  • Ransomware infects your device and a threat appears. Unless you wire $400 to the cyber criminals, all of your original work, financial data, and photo memories will be destroyed. A crypto virus locks you out of all your own files. The next day, the ransom is $500. You refuse to pay the ransom, cannot unlock your files, and have to start over. Or, you pay the ransom and learn all your files are still wiped out anyway. (Note to self: make a backup in the cloud.)
  • Like millions of people, you feel that because you are not a spy, not a VP of a giant tech firm with trade secrets, and not super wealthy that you are not a target. Some hacker groups still might target you for the following reasons:
    1. They need the practice. They might target anyone, even the most obscure individual you could not imagine as a target, just to develop their hacking capabilities.
    2. They are doing it just for fun to see if they can. A few years ago, a reporter’s Twitter account was taken over by a group that admitted they just wanted to see if they could take over the unique name of the account and then just kept going because they could. He lost personal photos of his own children in the attack.
    3. You fit into their geo-political plans. In January 2010, British, Israeli, German, and Australian identities were used as pawns, their actual passport data reproduced or stolen to conceal the true identities of those responsible for the assassination of an alleged Hamas arms dealer in a Dubai hotel. The international police and media published the photos of what they claimed were actual secret agents involved in the killing, cross-listed with the names of innocent citizens, now wanted for the crime. Local residents and police were in the awkward position of questioning and then apprehending the innocent victims of the grand conspiracy. The media joined the feeding frenzy until their true identities and alibis could exonerate them. One was a repairman, another was a writer, and a third was a physiotherapist. All of them gave statements immediately confirming the identity theft.

Our Exciting Conclusion

If you remember the revelations by Edward Snowden, you might worry that the U.S. government is monitoring you. If the NSA decides to target you for hacking, you have virtually no chance of protection. The NSA has capabilities that vastly exceed any commercial hackers in technology and resources by 3-5 years.

However, while your country’s intelligence service might not care much about you (unless you are in non-democratic countries), as evident from the assassination story above, another country’s secret agency might target you. But breathe easier – the U.S. is in the lead on technology here. The Russians, Chinese, British, and Israelis are very good, but not as advanced as the NSA.

In the end, even hackers themselves must eventually swallow their own bad medicine. Years ago, a small team of hackers committed the largest data breach in history at popular retail chains compromising the credit and debit card information of over 100 million consumers. The hackers coded back doors to gain network access and tested their malware against various antivirus programs to make sure they would not be detected. They also programmed the malware to erase evidence from the hacked networks to avoid forensic detection. International authorities sniffed out their mobile activity and traced their leader’s online identity to apprehend the mastermind who is now serving two 20-year prison terms.

You can read about this cyber crime of the century in The Great Cyberheist by James Verini in the New York Times Magazine (www.nytimes.com/2010/11/14/magazine/14Hacker-t.html).

Yury Magalif, Chief Architect Managed Services Cloud Computing, CDI

Yury Magalif lives and breathes the latest End-User Computing (EUC), Desktop Virtualization (VDI), Cloud, Storage and Data Center technologies. He’s managed teams that have designed and implemented virtual infrastructure for clients ranging from Fortune 500 companies such as Walt Disney and Bank of America, to government entities like the New Jersey Department of Transportation and Columbia University. Yury is a frequent speaker and presenter at industry events, where his lectures are in the top 10 by attendance and score above 90 percent in satisfaction rate. As practice manager, End-User Computing (EUC) and Microsoft, at Computer Design & Integration LLC, Yury holds certificates from Cisco, VMware, Microsoft, EMC, HP and various other manufacturers.