Your Mobile - Our Weapon of Choice

Dial-a-botnet
Written by Ben Chai (SecurityVibes.com)
Published on Tuesday 21 July 2009

Botnets, malware, data leakage, mobile interception, identity theft - you name it - your mobile is susceptible to it and it's in the middle of your organisation.

Of late there have been several innovations involving the mobile phone to help build a securer enterprise. For example, in May 2009 SC Magazine reported how Ericsson IPX had developed mobile phone technology that can locate a person and determine whether a credit card transaction is fraudulent, and several security vendors have developed two-factor authentication products that use the mobile phone as a token component.

However, hardly a month goes by without further news of different attack vectors on the mobile phone. In fact, the GTISC 2009 Emerging Cyber Threat Report predicted the rise and the type of attack vectors on corporate mobile phones for this year. In the report, Dave Amster, Vice President of Security Investigations for Equifax, is quoted on the security challenges presented by mobile computing:

“More and more financial transactions will take place over mobile devices. Consumers are ordering credit reports from their Blackberrys, which puts valuable information at risk. The challenge for businesses and banks is going to be maintaining secure mobile applications and ease of use at the same time.”

This year alone, we’ve seen malware attacks that can do all types of damage, such as locking up your phone whilst making outgoing calls to premium rate numbers. This week the press carried the first reported piece of malware that turns people’s mobiles into part of a large botnet army.

In addition to being an attack vector for cyber criminals and a source of income from diallers to premium rate numbers, the mobile is also a potential threat to the corporate network as a cause of malware infection. Once a user has plugged their mobile into the corporate network, they have effectively bypassed all firewall defences and any layered anti-virus defences, opening up the business to potential downtime risk.

The story gets worse. In March 2009, a major news story broke based on the research of Credant Technologies, a company that specialises in endpoint security. According to their research, 80% of users store information on their mobiles that could easily be used for identity theft. The report showed that:

  • 16% have their bank account details saved on their mobile phones
  • 24% store their PIN numbers and passwords
  • 11% keep social security and inland revenue details
  • 10% store credit card information

The risk was not limited to identity theft; corporate data was exposed too. The research also found that:

  • 99% of people use their phones for some sort of business use – even though 26% have been instructed by their employer not to do so
  • 35% receive and send business emails
  • 77% keep business names and addresses
  • 30% use them as a business diary
  • 17% download corporate information, such as documents and spreadsheets
  • 23% store customer information

Great statistics, but the killer finding was that 40% fail to protect their devices with a password. In one report this translated to 4.2 million UK mobile phone users, extrapolated from figures obtained from the Department for Transport. To put it differently, there is a 40% risk that your organisation will be compromised by ID theft or data leakage/IP theft due to a mobile phone, when you consider that potentially four out of ten employees are not password-protecting their mobiles.

This still isn’t the end of the story. Stored data isn't the only information at risk. Many mobile phones are subject to sophisticated eavesdropping and denial-of-service attack vectors, which again makes it incumbent on employees to be careful when using their mobiles for confidential conversations.

Summary
A famous quote from Professor Laurence Peter, best known for the Peter Principle, goes:
"History repeats itself because nobody listens."

If mobile phone vendors applied the lessons learnt from the history of the PC, we would have securer communications. Until then, organisations must assess the risk of all mobile communications and take appropriate steps to secure each of the attack vectors before the real pain begins. To end with another quote from Professor Laurence Peter:

"In spite of warnings, nothing much happens until the status quo becomes more painful than change."

References
SV Podcast: How Hackers Eavesdrop on Mobile Phones
SV Podcast: Mobile Two Factor Authentication in the Cloud
New Scientist: Sexy Space - First Zombie Cellphone Network
Wall Street Journal: Exxon CEO's Secure Mobile Calls
F-Secure Site: The Curse of Silence SMS Attack
Georgia Tech Information Security Centre - Major Attacks on Smartphones Prediction
SC Magazine: Mobile Technology to Reduce Fraud
BBC Website: Mobile Users at risk from data theft
