The addiction to smartphones is a slam dunk for hackers who are constantly lurking because the devices are virtually always on and connected with dozens of apps filled with sensitive data.
Hackers find them irresistible since passwords are stored on your phone for your bank, stock trading and gaming apps.
“Mobile devices are often fertile ground for attackers since any given device holds tens or hundreds of mobile applications and account logins, let alone troves of stored, sensitive data,” Michael Isbitski, technical evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security told TheStreet.
Smartphones Are Targets
The amount of time that people spend on their smartphones combined with the number of people working from home increases the odds of a hacker attacking them.
“Most enterprises support some form of BYOD (bring your own device), which brings a consumer-level hack into the realm of an enterprise being compromised,” Bud Broomhead, CEO at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene told TheStreet.
Companies must ensure that their employees are not using personal passwords in their work environment since it can help reduce the possibility of compromise.
“The blurred lines between work life and home life are making it easier for cyber criminals to perform exploits aimed at enterprise systems and data,” he said.
Both consumers and employees are still using passwords that can be easily guessed or hacked, Joni Moore, director of security solutions at Lookout, a San Francisco-based endpoint-to-cloud security company, told TheStreet. The company's recent list of the 20 passwords most commonly found in the leaked account information on the dark web ranges from simple number and letter sequences like “123456” and “Qwerty” to easily typed phrases like “Iloveyou.”
Apps Have Weaker Forms of Authentication
The apps on your phone could be the easiest way for hackers to find an entry because the majority of apps were designed to be easy to use and are not secure enough, Brian Contos, chief security officer of Nashville-based Phosphorus Cybersecurity told TheStreet.
While there are safeguards when the apps are installed such as asking for permission to access your photos, contacts, microphone, video camera and location, the majority of people say yes to everything because “they want ease of use and they want to enjoy all the benefits the app has to offer,” he said.
Behind the scenes of the app is a different story and it could be capturing sensitive information, Contos said.
While the Apple and Google app stores do screen all apps, a few bad ones will always manage to sneak through, Jason Glassberg, co-founder of Casaba Security, a Redmond, Washington-based penetration testing and security services company, told TheStreet.
Legitimate apps also pose risks since it is possible for hackers to compromise them from the app's backend servers. The biggest risk is that the user will be tricked into installing a malicious app, typically from a third-party app store, he said .
There should be less concern for the data on a smartphone and more emphasis for what data the phone unlocks, Sounil Yu, chief information security officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, told TheStreet.
Attackers know that phones have become indispensable in supporting two-factor authentication that guards access to troves of data. Many companies send a text to your phone with a five or six-digit number to be used to verify that you are making a transaction.
The catch is that now they are “frequently targeted through SMS hijacking and enticing malicious apps,” he said. “To better protect the data that your phone unlocks, you should avoid using SMS or phone calls as your second factor and use authenticator apps instead.”
Attackers target mobile apps constantly because they can “pull mobile app binaries from the public app stores and reverse engineer them to understand how the applications work and store data,” Isbitski said.
Mobile app designs “talk” to back-end services over the internet to fetch data, store information, and enable functionality and app developers will sometimes use weaker forms of authentication to enable mobile user experiences, he said.
Your Phone Can Also Be Phished
Cybercriminals are agnostic and can cast a wide phishing net in the hopes that a person will click on a malicious link whether it comes from email or a phone, Moore said. Lookout's mobile phishing maps shows that the phishing encounter rate for the U.S. is 34% for both iOS and Android combined.
The company’s data shows that personal mobile devices encounter more phishing attacks with 46.2% of consumers exposed to mobile phishing versus 15.7% of mobile enterprise users.
Phishing scams often take the form of email or SMS messages impersonating known entities such as the IRS or CDC.
“Social phishing scams can trick consumers into thinking they are donating to a legitimate cause or personal information to win a contest or help a cause,” she said.
Nation-state hackers want access to a target's phone so they can monitor their communications, as well as physical location while stalkers or former partners wants to access the GPS tracking, Glassberg said.
The majority of hackers want to steal your information to take over your financial accounts and generate revenue and will use phishing text messages known as smishing in an effort to trick the user into visiting a fake login page or downloading a fake financial app, he said.
“Phishing is not just limited to email,” he said. “It's now a standard tactic used by criminals across multiple communications channels, including SMS, instant message, social media, Slack and even Zoom. Pretty soon, phishing and other social engineering tactics will find its way into the metaverse.”
Why SIM Swapping Is On the Rise
Hackers are always on the lookout for the next easiest scam to commit and SIM swapping is extremely profitable.
The number of SIM swapping complaints rose to 1,611 with adjusted losses of more than $68 million, according to the FBI Internet Crime Complaint Center. From January 2018 to December 2020, the FBI received 320 complaints with adjusted losses of approximately $12 million.
Criminals target mobile carriers to gain access to victims' bank accounts, even virtual currency accounts in SIM swapping by using social engineering, insider threat or phishing techniques.
After a SIM is swapped, all calls and texts of the victim are diverted to the criminal's device. Now the hacker can send “forgot password” or “account recovery” requests to the victim's email and can send a link or one-time passcode via text to the victim's number, which is now owned by the criminal.
The FBI recommends that people avoid posting information about financial assets, including cryptocurrency on social media websites and forums and do not store passwords or usernames in your apps.
“The user is none the wiser since their device and SIM have never left their possession though they may start seeing errors on their own device over time,” Isbitski said.
Attackers can deceive carrier customer service representatives easily because the answers to challenges frequently used by the reps to identify an individual are now public because of prior security incidents.
“The amount of sensitive data that’s been leaked about individuals over time has become tremendous,” he said.
How Consumers Can Avoid Hackers
Taking control of your apps will help you avoid being the target of a hacker. Start by limiting the number and type of apps that you install since “this is where the greatest threat lies on your phone,” Chris Pierson, CEO of BlackCloak, an Orlando, Florida-based cybersecurity company that specializes in preventing cyber attacks on mobile and personal devices and home networks, told TheStreet.
Android users are at an “even greater risk of malicious apps, but iPhone users are not immune to this either,” he said.
The app stores cannot always catch a malicious app, especially if it performs a legitimate function such as a calculator or ad blocker instead waits until later to update its software to make it malicious, Pierson said.
“Employees should also use mobile device encryption to protect any important data on their phones,” he said. “This can be done in the phone's settings for both Android and iPhone. Mobile antivirus is also a good idea as an extra layer of protection to guard against malicious apps and links.”