http://www.techweb.com/showArticle.jhtml?articleID=196700872

By Brad Keller & Craig Mathias
January 01, 2007

Yes: The capability to perform mobile financial transactions is outpacing the ability to protect them with adequate security.

I realize I'm taking a somewhat precarious position by speaking out against the ever-expanding move to mobile computing. However, I believe we're seriously facilitating online fraud by failing to address the lack of meaningful security on mobile devices.

First, let's clear the air: I have nothing against mobile access per se. Indeed, I wouldn't be caught dead without my BlackBerry. But as a technology consumer and corporate IT executive, I take issue with ISPs, technology vendors, and device manufacturers that disregard security concerns when developing methods for consumers to access their banking information, for instance.

How many mobile devices routinely come with antivirus or anti-spyware software already installed? Or better yet, how many ISPs or carriers even offer effective security tools? While numerous ISPs tout their ability to protect your computer from a variety of evils - malware, crimeware, viruses, spyware, and the like - how many wireless carriers advertise their ability to protect your mobile device from these same threats?

New Internet-access devices seemingly appear monthly, and I'm not just talking about new E-mail devices and smart phones. Many gaming systems either offer an Internet-access option or plan to include such access as basic functionality in the near future. But how well protected is your PlayStation from keystroke loggers and Trojans?

Consider the following:

* According to Japan's Computer Emergency Readiness Team (CERT), virtually all cell phones in that country have Internet functionality, making them the most heavily targeted devices for phishing scams and malware. So the malevolent capability exists - the criminals just haven't targeted the United States yet.
* SMiShing - SMS-based phishing - infects not only mobile devices, but wired computers as well. Many people routinely forward SMS messages to their PCs because linked Web sites are easier to view. Criminals are aware of this and write their SMS message accordingly. By doing so, they're using SMS to effectively target wired computers.

What do you really know about the wireless network you just logged on to? We don't really know who runs those servers and what kind of security is on them. In Japan, some enterprising employees at a coffee shop installed their own software on the company's servers so they could perform a man-in-the-middle attack and get the online banking credentials of everyone who logged on to their bank accounts while getting their caffeine fix for the day.

Consider the TV commercial that shows a couple of buddies at the coffee shop making a debit-card payment online. See the fellow in the corner with the big smile? He's on a laptop running a wireless hotspot, and in their bank account at the same time - happily transferring money to his own account!

The simple truth is that mobile computing offers little security protection today, and few people understand the risks. For the most part, financial institutions like ours have been left to protect online users from these threats - after all, it's our own customers who are at risk.

A cooperative effort between the banking industry and the companies that develop wireless technologies would do much to address these problems. Working in partnership to identify and mitigate security issues before new technologies are released could very well be the answer to developing a safe and secure mobile society. Let's not worry about just how mobile we are until we all work together to find a way to secure the mobility we have.

---
Brad Keller manages E-commerce risks for a large financial institution. He's testified before Congress on privacy issues on behalf of the banking industry.
-=-

No: Mobile technology is just the latest medium that determined cyberthieves can use to perpetrate fraud.

Hackers, crackers, scammers, spammers, spoofers, and phishers all lurk in the cyberworld. They're a thoroughly reprehensible bunch that deserves a minimum of two weeks in the stocks. But let's face it, fraud in its many forms has been with us throughout history. We always manage to remain a step behind the criminals, and new electronic media only seem to encourage the fundamentally evil misapplication of human intelligence. Wireless is merely the latest medium to offer its capabilities to people who should know better than to take advantage of their fellow human beings.

The question before us is whether wireless in some way represents a unique, new vehicle for wrongdoing, and deserves special treatment of a legislative or other nature as a consequence. The answer to me is: Are you kidding? No way.

The wireless industry was always a target of fraud. Cloning cell-phone handsets was a billion-dollar problem for the industry, but new technologies have taken the sport out of that. There have even been problems with investment scams surrounding bidding on the auctions used to allocate frequencies to particular carriers. But no problem in wireless is as great as the use of these devices and services for good old end-user fraud.

The beauty of wireless from the perpetrator's perspective, of course, is its fundamental location independence. It's a lot tougher to get caught if one is always on the move. Access to cheap prepaid or even stolen - hey, why stop with just one crime? - cell phones simply allows rotten individuals to stay ahead of the law.

While it may be argued that E-commerce providers and wireless networks offer too much access without enough protections, I submit that the bad guys will still stay ahead of the curve.
Wi-Fi networks might ramp up security, and E-commerce services might build in better protections, but those out to steal personal financial data or hack into a network will still find a way.

The ability to pop into your favorite coffee shop and check E-mail or bank balances is as convenient as it is potentially dangerous. Yet no one would advocate banning Starbucks, or cellular-phone networks, or metro-scale Wi-Fi networks, or any other network, wired or wireless, just because the technology can be misused by criminals or employed carelessly by the end users it was created to serve. Matches are great for lighting one's fireplace, but they can also be used for arson. As far as I know, nobody's lobbying Congress to ban matches.

There's an upside and a downside to every technology; wireless is no different. And I'm really left to wonder exactly what we might do if we did want to control wireless. We already have the ability to track cell phones and Wi-Fi devices, with no GPS required. That makes it easy, more or less, to find stolen phones and known criminals foolish enough to identify themselves. But how could we track or otherwise locate someone using Skype on an open (unsecured) Wi-Fi connection?

I don't think too many people would advocate monitoring the Web, wireless or otherwise. Apart from the obvious technical and constitutional issues, we don't have the technology to do so. Besides, it's just too easy to hide one's identity - and maybe that's as it should be.

Few CIOs are worried enough about the potential for fraud to keep workers wired. CIOs know that the perils of mobile technologies are many, but the benefits of a wireless workforce are even greater. The best a CIO can hope for is smart users who follow smart corporate policies.

---
Craig Mathias is a principal at Farpoint Group, an advisory firm that specializes in wireless networking and mobile computing.