With millions of consumers carrying iPhones and Androids in their pockets, smartphones already are targets of cyber attackers. But now employees of Wall Street firms are getting emails and viewing spreadsheets on the go, so corporate data is moving onto the smart devices as well. "It's a very challenging problem," says Chet Wisniewski, senior security adviser at Sophos. Productivity has gone up by virtue of employees working on their smartphones and iPads into the evening and on the weekend, he adds, so IT departments need to find ways to enable a mobile workforce rather than simply say, "No."
Mobile devices are a path into the enterprise, adds Michael Callahan, VP of enterprise security products at HP, which offers a real-time application monitoring solution. "If you have a mobile device and the bank's app is on there, if the app has a vulnerability, the attacker exploits the app," he warns. "Once they have control over the device, they now can gain access to your accounts."
As a result, banks must monitor the applications on the mobile device as well as on the corporate server. "The piece that's sitting on the mobile app is making requests back to an application server at the bank that is processing your requests," Callahan explains. "You have to make sure that those applications are safe and secure."
Another way to protect corporate data on mobile devices is to educate employees to make sure that the built-in security protection mechanisms are not removed from these devices. On Apple devices, IT departments need to instruct employees to avoid "jailbreaking," which removes the security measures built into the devices. "They are there to prevent you from loading apps without going to the approved App Store," explains Wisniewski, who notes that for Android devices the process is called "rooting." "Removing that security mechanism allows you to load things on your phone away from what [the manufacturers] have approved," he says. But, "It does weaken the security."
Recently, financial services firms have begun sending their customers text messages with a secondary authentication code when they wire funds, says Jason Milletary, technical director for malware analysis on the Dell SecureWorks' Counter Threat Unit (CTU) research team. But hackers can place malware on phones to try to access that code, he acknowledges.
Some of the answers to preventing mobile cyber attacks can be found in the mobile devices themselves, argues Ben Knieff, Director of Product Marketing at Nice Actimize. For example, mobile devices can be used as location sensors and many have cameras, "so you can use it as a facial sensor or as a biometric sensor," says Knieff. The latest Android phone actually unlocks your phone based on facial biometrics, he notes. "If you hand the phone to someone else, it stays locked."