[ISN] Is Wireless Technology Encouraging Fraud?

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 00:37:06 PST


http://www.techweb.com/showArticle.jhtml?articleID=196700872

By Brad Keller & Craig Mathias
January 01, 2007

Yes: The capability to perform mobile financial transactions is 
outpacing the ability to protect them with adequate security.

I realize I'm taking a somewhat precarious position by speaking out 
against the ever-expanding move to mobile computing. However, I believe 
we're seriously facilitating online fraud by failing to address the lack 
of meaningful security on mobile devices.

First, let's clear the air: I have nothing against mobile access per se. 
Indeed, I wouldn't be caught dead without my BlackBerry. But as a 
technology consumer and corporate IT executive, I take issue with ISPs, 
technology vendors, and device manufacturers that disregard security 
concerns when developing methods for consumers to access their banking 
information, for instance.

How many mobile devices routinely come with antivirus or anti-Spyware 
software already installed? Or better yet, how many ISPs or carriers 
even offer effective security tools? While numerous ISPs tout their 
ability to protect your computer from a variety of evils -- malware, 
crimeware, viruses, spyware, and the like -- how many wireless carriers 
advertise their ability to protect your mobile device from these same 
threats?

New Internet-access devices seemingly appear monthly, and I'm not just 
talking about new E-mail devices and smart phones. Many gaming systems 
either offer an Internet-access option or plan to include such access as 
basic functionality in the near future. But how well protected is your 
PlayStation from keystroke loggers and Trojans? Consider the following:

* According to Japan's Computer Emergency Readiness Team (CERT), 
  virtually all cell phones in that country have Internet functionality, 
  making them the most heavily targeted devices for phishing scams and 
  malware. So the malevolent capability exists -- the criminals just haven't 
  targeted the United States yet.

* SMiShing -- SMS-based phishing -- infects not only mobile devices, but wired 
  computers as well. Many people routinely forward SMS messages to their 
  PCs because linked Web sites are easier to view. Criminals are aware 
  of this and write their SMS message accordingly. By doing so, they're 
  using SMS to effectively target wired computers.

What do you really know about the wireless network you just logged on 
to? We don't really know who runs those servers and what kind of 
security is on them. In Japan, some enterprising employees at a coffee 
shop installed their own software on the company's servers so they could 
perform a man-in-the-middle attack and get the online banking 
credentials of everyone who logged on to their bank accounts while 
getting their caffeine fix for the day.

Consider the TV commercial that shows a couple of buddies at the coffee 
shop making a debit-card payment online. See the fellow in the corner 
with the big smile? He's on a laptop running a wireless hotspot, and in 
their bank account at the same time -- happily transferring money to his own 
account!

The simple truth is that mobile computing offers little security 
protection today, and few people understand the risks. For the most 
part, financial institutions like ours have been left to protect online 
users from these threats -- after all, it's our own customers who are at 
risk.

A cooperative effort between the banking industry and the companies that 
develop wireless technologies would do much to address these problems. 
Working in partnership to identify and mitigate security issues before 
new technologies are released could very well be the answer to 
developing a safe and secure mobile society. Let's not worry about just 
how mobile we are until we all work together to find a way to secure the 
mobility we have.

---

Brad Keller manages E-commerce risks for a large financial institution. 
He's testified before Congress on privacy issues on behalf of the 
banking industry.


-=-


No: Mobile technology is just the latest medium that determined 
cyberthieves can use to perpetrate fraud.

Hackers, crackers, scammers, spammers, spoofers, and phishers all lurk 
in the cyberworld. They're a thoroughly reprehensible bunch that 
deserves a minimum of two weeks in the stocks.

But let's face it, fraud in its many forms has been with us throughout 
history. We always manage to remain a step behind the criminals, and new 
electronic media only seem to encourage the fundamentally evil 
misapplication of human intelligence.

Wireless is merely the latest medium to offer its capabilities to people 
who should know better than to take advantage of their fellow human 
beings. The question before us is whether wireless in some way 
represents a unique, new vehicle for wrongdoing, and deserves special 
treatment of a legislative or other nature as a consequence. The answer 
to me is: Are you kidding? No way.

The wireless industry was always a target of fraud. Cloning cell-phone 
handsets was a billion-dollar problem for the industry, but new 
technologies have taken the sport out of that. There have even been 
problems with investment scams surrounding bidding on the auctions used 
to allocate frequencies to particular carriers.

But no problem in wireless is as great as the use of these devices and 
services for good old end-user fraud. The beauty of wireless from the 
perpetrator's perspective, of course, is its fundamental location 
independence. It's a lot tougher to get caught if one is always on the 
move. Access to cheap prepaid or even stolen -- hey, why stop with just one 
crime? -- cell phones simply allows rotten individuals to stay ahead of the 
law.

While it may be argued that E-commerce providers and wireless networks 
offer too much access without enough protections, I submit that the bad 
guys will still stay ahead of the curve. Wi-Fi networks might ramp up 
security, and E-commerce services might build in better protections, but 
those out to steal personal financial data or hack into a network will 
still find a way.

The ability to pop into your favorite coffee shop and check E-mail or 
bank balances is as convenient as it is potentially dangerous. Yet no 
one would advocate banning Starbucks, or cellular-phone networks, or 
metro-scale Wi-Fi networks, or any other network, wired or wireless, 
just because the technology can be misused by criminals or employed 
carelessly by the end users it was created to serve. Matches are great 
for lighting one's fireplace, but they can also be used for arson. As 
far as I know, nobody's lobbying Congress to ban matches. There's an 
upside and a downside to every technology; wireless is no different.

And I'm really left to wonder exactly what we might do if we did want to 
control wireless. We already have the ability to track cell phones and 
Wi-Fi devices, with no GPS required. That makes it easy, more or less, 
to find stolen phones and known criminals foolish enough to identify 
themselves. But how could we track or otherwise locate someone using 
Skype on an open (unsecured) Wi-Fi connection?

I don't think too many people would advocate monitoring the Web, 
wireless or otherwise. Apart from the obvious technical and 
constitutional issues, we don't have the technology to do so. Besides, 
it's just too easy to hide one's identity -- and maybe that's as it should 
be.

Few CIOs are worried enough about the potential for fraud to keep 
workers wired. CIOs know that the perils of mobile technologies are 
many, but the benefits of a wireless workforce are even greater. The 
best a CIO can hope for is smart users who follow smart corporate 
policies.

---

Craig Mathias is a principal at Farpoint Group, an advisory firm that 
specializes in wireless networking and mobile computing.

