Archive for the ‘Mobile Security’ Category

By Ondrej Krehel,

There are more than 200 million iPhones and iPads out there in consumer land. Most of them are connected to a Mac or PC via iTunes, Apple’s popular music player and file sync program.

Every time the phone or tablet is connected, by USB, to the host computer, iTunes can automatically sync your selected music, documents, photos and contacts. There’s no prompt when you download Lady Gaga’s new album and add it to a playlist that’s on your phone. The music simply shows up on your device after a short background sync.

But what about when you use multiple computers for multiple devices? What about those pesky wires? This is what Apple’s trying to work around with its recently announced iCloud service.


By Ondrej Krehel,

As our smartphones have become our wallets and personal computers, holding everything from banking to social network information, they’ve become targets for hackers, scammers and criminals. Our phones hold a treasure trove of data—and the bad guys know it.

A screen lock is no longer enough.

Dream Droid, a botnet-type of malware program, recently . It got its name because the malware activated at night, affecting users while they were asleep. Originally it was thought that 21 apps were infected, but an independent security firm found an additional 30 apps. Google flipped its famous kill switch—a scary, but seemingly necessary, piece of code that accesses phones without users’ permission and deletes the offending software. About 260,000 Android users were hit. The phone’s IMEI identifier numbers were stolen, but no other personal user information was breached.



There’s a lot of hullabaloo right now about turning your smartphone into a wallet. Phone companies and major banks hope that someday people will reach for their phone instead of their credit card or cash to buy coffee, gas and household items (especially since processing a bunch of ones and zeroes is much cheaper than handling loose bills).

Internet giant Google is in on the action, having recently . The idea behind the mobile payment plan is to build a system where consumers can buy stuff and receive coupons and loyalty rewards all with their Sprint smartphone.


Watch out, PayPal. Three of the nation’s largest banks announced Wednesday they’ve joined together to offer instant, person-to-person payment. The new venture, called clearXchange, is already offered in Arizona by Wells Fargo, JP Morgan Chase and Bank of America. It will be available nationwide within a year.

“We’re adding one more piece to the menu of bank customers, which already includes branches, ATMs, Internet banking, mobile banking, and now person to person payment,” says Tom Kelly, a spokesman for Chase.

The new system is intended to be simpler to use than PayPal, which does not offer checking accounts, and thus requires people to fund their PayPal account by withdrawing money from accounts at other financial institutions. With clearXchange, the transaction is intended to be smoother, as long as both parties to a transaction have a bank account with one of the three participating banks.



Most popular smartphone apps have no privacy policy to tell consumers how their personal data will be collected, stored and reused, according to a recent study by the Future of Privacy Forum. In a review of the top 30 applications across iPhones, Androids and Blackberries, 22 failed to provide a privacy policy on the company’s web site or the app itself.

While a written privacy policy does not guarantee consumer privacy won’t be violated, “posting a privacy policy is the essential first step for companies to take to be accountable for their practices of collecting and using online data,”

By Ondrej Krehel, Identity Theft 911

You pull up to the gas station and wave a tiny magic wand. The pump starts automatically and, without a card swipe or a stroll inside to pay the attendant, your linked credit card is tapped for that full tank of fuel. It’s a familiar situation for any ExxonMobil customer with a .

Now imagine that the Speedpass works for all purchases, from groceries to movie tickets. And rather than a tiny wand dangling from your key chain, the magic is embedded in your credit card itself.

This is the direction all the major credit companies are moving. RFID, or Radio Frequency Identification, could make the magnetic-stripe swipe on the back of today’s credit card as dated as the typewriter. But is it secure?

RFIDs or RF tags are basically one-way, read-only radio transmitters. They’re always on and when placed near a receiver they send the information needed to, say, complete a purchase. The concern is whether this information can be intercepted, stolen by just simply , or hijacked and then used to commit fraud or an identity theft scam.


By Ondrej Krehel, Identity Theft 911

is a regular morning stop for consumer tech news and I can’t stop thinking about its recent posts on the .

It all started when Google from the Android Market, the app store for the Google smartphone OS. It later came out that there were 56 malicious apps affecting at least 260,000 users. The apps were up to all kinds of no good, including uploading phone information to third parties and setting up backdoors so new software can be remotely installed.

Then Google flipped the kill switch.

This company-installed backdoor—Apple and Microsoft phones have them, too—allowed Google to remotely access its users’ phones and delete the offending apps. It went one step further by installing a new security patch. Think of it as an auto-update and auto-delete, over which you have no control.


By Ondrej Krehel

There’s a host of articles online about and to secure your smartphone. And for good reason: The risks have never been higher. Potential threats range from simply losing a device loaded with your personal and sensitive information to sophisticated unauthorized dialing, SMS scams (smishing) and data leakage scams.

There are several mobile security applications, such as , for all major smartphone platforms. They’re well worth exploring. Yet there are two simple things you can do—one low-tech, one hi-tech—to up your security game.

Get out the pen and paper, or your word processor. Seriously. Make a physical list of everything on your smartphone—all the accounts and documents (or types of documents) it can access. Big corporations call this data classification. If you log into Gmail and Facebook and Twitter, write the names of those sites down. Online banking? Shopping? Put down the names of your banks and credit cards. In the event the phone is lost or stolen, this list will be a lifesaver. You’ll have a clear guide to all the passwords you need to change and a list of the documents that may be at risk.


With that list stored in a safe place, you might want to take one extra step and delete all the login names and passwords stored in your phone. Yes, you’ll have to type your Facebook login and password every time you access it on your phone, but that extra four seconds could save hours of headache if the phone is compromised. If you can’t remember all your passwords, install , which stores them in an encrypted database.

The hi-tech solution is for a worst-case scenario: remote data wipe. This amounts to logging into a website that sends a signal remotely to your lost or stolen phone to erase its internal memory. Lookout, linked above, offers this option for free for Android, BlackBerry and Windows-based phones. Apple offers the service through , but at the steep rate of $99 a year. Of course even this security layer has a weakness: The new “owner” of your phone can just pull the battery.

Is all this worth the trouble? Consider the list of accounts and documents stored on your phone. What would it cost to restore them, or, even worse, what would the consequences be if a hacker or identity thief took them over?

Ondrej Krehel, Chief Information Security Officer,

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
