1. Beware of software you install
Many applications require access to your mobile phone camera and photos before installation. Unless you trust the creator of the application, it is safer to avoid installing it, as your device will be vulnerable to external tampering and sensitive data theft. Ensure that the permissions requested match the purpose of the downloaded application. After the application is installed, you may or may not be able to change these permissions.
2. Do not open suspicious URLs
If you receive an invitation to click on a URL to win a prize or holiday within the next 15 minutes, and that little voice in your head is telling you that it seems too good to be true, it probably is. Do not click any links even if they look like they were sent from a friend, and do not be pressured into making quick and potentially unsafe decisions.
3. Do not use modified smartphones or electronic devices
When restrictions imposed by the smartphone or electronic device manufacturer have been removed to allow the installation of unauthorised software (known as “jailbreaking” for iOS and “rooting” for Android), it is possible for your device to be fully controlled externally. Your mobile device can be used for criminal activities, cyber scams or attacks without your knowledge.
4. Avoid using free WiFi networks
When you connect to a hotel’s free WiFi network or to a public WiFi network in a restaurant or shopping mall, always check with the staff what the name of the official free WiFi network is. Cyber attackers sitting close by can introduce fake WiFi access points with a network name very close to the legitimate one, like “C0ffeeshop” instead of “Coffeeshop”. Fake WiFi networks can ask you to provide personal information such as email addresses and passwords.
5. Do not make sensitive transactions using public WiFi networks
Some improperly developed or configured mobile applications can allow cyber attackers on the same WiFi network to sniff and decode personal sensitive data accessed via your mobile device. Even if a secure HTTPS connection is used, some applications may not validate it sufficiently, which can lead to your web traffic being intercepted by a cyber attacker sitting between you and the application’s servers.
6. Set a PIN, face recognition or fingerprint for device unlock
If you haven’t done it yet, set a phone lock. Sometimes cyber attackers do not need to steal your phone to install malicious applications. Three minutes of unattended access to your mobile device is more than enough time to transfer your private information to an external web drive.
7. Do not leave your mobile device with strangers for charging
When you leave your mobile phone to charge at public locations, your data can be transferred to another device without your knowledge. It is better to use a power bank than to hand over your mobile device to unknown people, even if they look friendly.
8. Use an anti-malware solution with a remote wipe function
Installing an anti-malware application on your mobile device will enable you to remotely wipe your personal data from it in the event that it is stolen, once the device is switched on and online again.
Social engineering attacks are when bad actors send fake emails (phishing attacks) or text messages (smishing attacks) to your employees in an effort to trick them into handing over private information like their passwords or downloading malware onto their devices.
Reports by cybersecurity firm Lookout and Verizon show a 37% increase in enterprise mobile phishing attacks and that phishing attacks were the top cause of data breaches globally in 2020.
Phishing Attack Countermeasures
The best defense for phishing and other social engineering attacks is to teach employees how to spot phishing emails and SMS messages that look suspicious and avoid falling prey to them altogether. Reducing the number of people who have access to sensitive data or systems can also help protect your organization against social engineering attacks because it reduces the number of access points attackers have to gain access to critical systems or information.
2. Data Leakage via Malicious Apps
Today, hackers can easily find an unprotected mobile app and use that unprotected app to design larger attacks or steal data, digital wallets, backend details, and other juicy bits directly from the app.
For example, when your employees visit Google Play or the App Store to download apps that look innocent enough, the apps ask for a list of permissions before people are allowed to download them. These permissions generally require some kind of access to files or folders on the mobile device, and most people just glance at the list of permissions and agree without reviewing them in great detail.
However, this lack of scrutiny can leave devices and enterprises vulnerable. Even if the app works the way it’s supposed to, it still has the potential to mine corporate data and send it to a third party, like a competitor, and expose sensitive product or business information.
How to Protect Against Data Leakage
The best way to protect your organization against data leakage through malicious or unsecured applications is by using mobile application management (MAM) tools. These tools allow IT admins to manage corporate apps (wipe or control access permissions) on their employees’ devices without disrupting employees’ personal apps or data.
3. Unsecured Public WiFi
Public WiFi networks are generally less secure than private networks because there’s no way to know who set the network up, how (or if) it’s secured with encryption, or who is currently accessing it or monitoring it. And as more companies offer remote work options, the public WiFi networks your employees use to access your servers (e.g., from coffee shops or cafes) could present a risk to your organization.
For example, cybercriminals often set up WiFi networks that look authentic but are actually a front to capture data that passes through their system (a “man in the middle” attack). Here’s what that looks like:
If this seems far-fetched, it isn’t. Creating fake WiFi hotspots in public spaces with network names that look completely legit is incredibly simple, and people are very willing to connect, as shown by experiments run at the Democratic and Republican conventions in 2016 and by an experiment run by a researcher in 2019 from Magic.
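Both the “C0ffeeshop” tip above and this section describe hostile access points whose names imitate a legitimate one. The following Python is an added example, not code from the original page, that applies the defensive check an organisation could build into a WiFi hygiene tool: compare scanned SSIDs against an allowlist after folding case, whitespace and common look-alike characters, and flag near-misses. The allowlist, the scan results and the homoglyph table are constructed for this example.

```python
import unicodedata

# Common visual look-alike substitutions seen in spoofed network names
# (constructed table for this example, not exhaustive).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "|": "l", "!": "i",
})


def normalize_ssid(ssid: str) -> str:
    """Fold case, strip accents/whitespace and map look-alike glyphs so that
    'C0ffeeshop' and 'Coffeeshop' compare equal."""
    folded = unicodedata.normalize("NFKD", ssid).encode("ascii", "ignore").decode()
    return "".join(folded.lower().split()).translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats like
    'Coffeshop' that homoglyph folding alone would miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_ssids(official: list[str], scanned: list[str]) -> dict[str, str]:
    """Label each scanned SSID 'official', 'lookalike' (treat as hostile) or 'other'."""
    official_norm = {normalize_ssid(s): s for s in official}
    result = {}
    for ssid in scanned:
        if ssid in official:
            result[ssid] = "official"
            continue
        n = normalize_ssid(ssid)
        if n in official_norm or any(edit_distance(n, o) <= 1 for o in official_norm):
            result[ssid] = "lookalike"
        else:
            result[ssid] = "other"
    return result


if __name__ == "__main__":
    # Constructed scan results for the example: one real network, three imitations.
    OFFICIAL = ["Coffeeshop"]
    SCANNED = ["Coffeeshop", "C0ffeeshop", "COFFEESHOP ", "Coffeshop", "HotelGuest"]
    for name, label in classify_ssids(OFFICIAL, SCANNED).items():
        print(f"{name!r:18} {label}")
```

A “lookalike” verdict is a reason to refuse the connection and ask staff which network is real; an “other” verdict only means the name is not an imitation, not that the network is trustworthy.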
How to Reduce Risks Posed By Unsecured Public WiFi
The best way for you to protect your organization against threats over public WiFi networks is by requiring employees to use a VPN to access company systems or files. This will ensure that their session stays private and secure, even if they use a public network to access your systems.
4. End-to-End Encryption Gaps
An encryption gap is like a water pipe with a hole in it. While the point where the water enters (your users’ mobile devices) and the point where the water exits the pipe (your systems) might be secure, the hole in the middle lets bad actors access the water flow in between.
Unencrypted public WiFi networks are one of the most common examples of an encryption gap (and it’s why they’re a huge risk to organizations). Since the network isn’t secured, it leaves an opening in the connection for cybercriminals to access the information your employees are sharing between their devices and your systems.
However, WiFi networks aren’t the only thing that poses a threat—any application or service that’s unencrypted could potentially provide cybercriminals with access to sensitive company information. For example, any unencrypted mobile messaging apps your employees use to discuss work information could present an access point for a bad actor.
Solution: Ensure Everything is Encrypted
For any sensitive work information, end-to-end encryption is a must. This includes ensuring any service providers you work with encrypt their services to prevent unauthorized access, as well as ensuring your users’ devices and your systems are encrypted as well.
5. Internet of Things (IoT) Devices
The types of mobile devices that access your organization’s systems are branching out from mobile phones and tablets to include wearable tech (like the Apple Watch) and physical devices (like Google Home or Alexa). And since many of the latest IoT mobile devices have IP addresses, it means bad actors can use them to gain access to your organizations’ network over the internet if those devices are connected to your systems.
How to Combat Shadow IoT Threats
Mobile device management (MDM) tools can help you combat shadow IoT threats, as well as identity and access management (IAM) tools like Auth0. However, IoT/Machine-to-Machine (M2M) security is still in a bit of a “wild west” phase at the moment. So it’s up to each organization to put the appropriate technical and policy regulations in place to ensure their systems are secure.
Spyware is used to survey or collect data and is most commonly installed on a mobile device when users click on a malicious advertisement (“malvertisement”) or through scams that trick users into downloading it unintentionally.
Whether your employees have an iOS or Android device, their devices are targets ripe for data mining with spyware—which could include your private corporate data if that device is connected to your systems.
How to Protect Against Spyware
Dedicated mobile security apps (like Google’s Play Protect) can help your employees detect and eliminate spyware that might be installed on their devices and be used to access company data. Ensuring your employees keep their device operating systems (and applications) up to date also helps ensure that their devices and your data are protected against the latest spyware threats.
7. Poor Password Habits
A 2020 study by Balbix found that 99% of the people surveyed reused their passwords between work accounts or between work and personal accounts. Unfortunately, the passwords that employees are reusing are often weak as well.
For example, a 2019 study by Google found that 59% of the people they surveyed used a name or a birthday in their password, and 24% admitted to using a password like one of these below:
These bad password habits present a threat to organizations whose employees use their personal devices to access company systems. Since both personal and work accounts are accessible from the same device with the same password, it simplifies the work a bad actor has to do in order to breach your systems.
However, these behaviors also provide opportunities for credential-based brute force cyberattacks like credential stuffing or password spraying because cybercriminals can use weak or stolen credentials to access sensitive data through company mobile apps.
How to Reduce or Eliminate Mobile Password Threats
The NIST Password Guidelines are widely regarded as the international standard for password best practices. Following these guidelines—and insisting your employees do the same—will help protect you against threats from weak or stolen passwords. Password managers can simplify the work required for your employees to follow these guidelines.
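As an added example (not from the original page), the Python below implements the screening NIST SP 800-63B describes for user-chosen memorized secrets: a minimum length, acceptance of long passphrases, a check against a list of common or breached passwords, rejection of context-specific words such as the username or service name, and rejection of repeated or sequential runs, with no composition rules. The denylist here is a constructed stand-in for a real breached-password corpus.

```python
import re

# Constructed stand-in for a breached/common-password corpus; a real deployment
# would load a large list such as a Have I Been Pwned export.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

MIN_LENGTH = 8    # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # NIST requires that at least 64 characters be accepted


def _has_sequential_run(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive characters that ascend or descend
    by one (e.g. 'abcd', '4321') or the same character repeated `run` times."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted).
    Only screening is applied; no character-class rules and no forced rotation,
    in line with NIST SP 800-63B section 5.1.1.2."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    # Strip digits and punctuation so 'Password123!' still matches 'password'
    stem = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or (stem and stem in COMMON_PASSWORDS):
        problems.append("appears in the common/breached password list")
    for word in (username, service):
        if word and len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    if _has_sequential_run(password):
        problems.append("contains a repeated or sequential run of characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first three are the kind of weak choices the
    # surveys above describe, the last is a passphrase that passes screening.
    for candidate in ("Password123!", "alice2024rocks", "abcd1234", "correct horse battery"):
        verdict = check_password(candidate, username="alice", service="Acme")
        print(f"{candidate!r:25} {'OK' if not verdict else '; '.join(verdict)}")
```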
Requiring your employees to use more than one authentication factor (multi-factor authentication or MFA) to access mobile company applications will also help reduce the risk that a bad actor could gain access to your systems since they’d need to verify their identity with additional authentication factors in order to log in.
Finally, implementing passwordless authentication will help you eliminate password risks altogether. For example, in the event that a mobile device is stolen or accessed illegally, requiring a facial scan as a primary (or secondary) authentication factor could still prevent unauthorized access.
8. Lost or Stolen Mobile Devices
Lost and stolen devices aren’t a new threat for organizations. But with more people working remotely in public places like cafes or coffee shops and accessing your systems with a wider range of devices, lost and stolen devices pose a growing risk to your organization.
How to Protect Against Lost or Stolen Device Threats
First and foremost, you’ll want to ensure employees know what steps to take if they lose their device. Since most devices come with remote access to delete or transfer information, that should include asking employees to make sure those services are activated.
Mobile device management (MDM) tools can also help you secure, encrypt, or wipe sensitive company information from a device that’s lost or stolen, so long as those tools were installed before the device went missing.
9. Out of Date Operating Systems
Like other data security initiatives, mobile security requires continuous work to find and patch vulnerabilities that bad actors use to gain unauthorized access to your systems and data.
Companies like Apple and Google address a lot of these vulnerabilities with operating system updates. For example, in 2016, Apple realized it had three zero-day vulnerabilities that left its devices open for spyware attacks and released a patch to protect users against these vulnerabilities.
However, these patches only protect your organization if your employees keep their devices up to date at all times. And according to Verizon’s Mobile Security Index Report, operating system updates on 79% of the mobile devices used by enterprises are left in the hands of employees.
How To Keep Mobile Operating Systems Up To Date
Google and Apple both allow organizations to push updates to managed Android and iOS devices. Third-party MDM tools (for example, Jamf) often provide this functionality as well.
IAM Tools Can Help Secure Company Mobile Applications
Identity and Access Management (IAM) tools can help organizations secure the apps and data that users access from their mobile devices, including:
Restricting which devices and users can access enterprise applications and data, as well as which parts of those applications they’re allowed to access.
We encounter countless messages and calls from unknown contacts on a daily basis. It is best to ignore those messages and calls, especially if they contain a suspicious link or come from a suspicious number.
Always check for the country code when receiving a call from an unknown number. The country code for India is 91.
Beware of the selfie camera
Always keep the selfie camera setting turned off. You can always switch it on once you are sure the call is from a known person.
Avoid unknown groups
We are all added to an unknown WhatsApp group once in a while. It is best to leave the group as soon as possible to avoid a potential security breach.
The options in the privacy settings allow users to make their profile completely private. Users can choose to make their profile picture, status and last seen visible to everyone, to contacts only or to nobody. It is best to choose the ‘contacts only’ option.
You love your Android phone and you love to go to the Play Store and download exciting new apps. You have also been through the Crazy Birds obsession and the Candy Crush mania. But do you know that your Android phone is not secured against the smartest of breaches: mobile app hackers? Before we go ahead and explain the intensity of this threat to mobile apps, especially Android apps, let’s have a look at the facts and figures, reported by Arxan, regarding mobile app hacks:
97% of top 100 paid Android apps have been hacked.
87% of top 100 paid iOS apps have been hacked.
80% of popular free Android apps have been hacked.
75% of the popular free iOS apps have been hacked.
These facts and figures are horrifying. What we once considered a safe way of computing, exchanging information and thoughts and communicating with others has turned out to be thoroughly vulnerable to security threats like mobile app breaches. Our intention is not to frighten you, but reality is harsh. The oh so glorious Google Android OS is not safe. What if we told you that an app on your Android phone is likely to be a fake, produced by some smart cybercriminals? After Google decided to transform the Android Market into Google Play, such criminals have had great fun producing fake apps. If even Google Play is compromised, what do you expect from the Android apps on your phone?
What to do? One option might be to live in a layman’s Utopia and believe that malware and hacking are only for computers, and that your smartphone is immune. Another option, and a smart one, is to consider a security plan against mobile app hacking.
When we talk about the security of apps on your mobile phone, specifically an Android phone, security can be provided at three different levels. One layer of protection is at the device level; it varies from device to device, and the approach focuses on the device, not the operating system, let alone the vulnerable apps. Another layer of security is at the operating system level. This may vary from iOS to Android, but again the vulnerability of apps is not fully addressed by this type of security doctrine. A whole new level of security is at the application level.
There are different types of apps on a mobile phone. We are not distinguishing them by their function, e.g. fun, games, entertainment or communication, but by the different designs of the apps. The more important apps are the custom apps present on every Android phone. Just imagine if someone successfully infiltrated your Gmail app: your personal correspondence and financial communication would be at the mercy of a vicious stranger.
You need maximum security, and that can only be ensured with the help of a reliable tool to provide security on the application level. This type of security ensures that you get strong protection against app hacking attempts and keep your financial and personal details safe.
Enjoy using certain custom and downloaded apps on your Android phone all you want, but bear in mind the importance of maximum app security.
Just about everyone these days has a cell phone, and it has become intrinsically linked to our identity. Identity thieves are always searching for new ways to get your information and use it for identity theft or fraud.
The most significant danger of handing out your mobile device number is that it could fall into the hands of a cybercriminal who can use it to steal information from your cell phone. With so much information available in public records and sold on the dark web from data breaches, your cell phone number could link you to a lot of other personal or sensitive information like logins, usernames, passwords, and more.
A lot of apps are linked to your cell phone number as well. Using two-factor authentication is great and keeps things safer, but if your phone number is compromised, then hackers have the keys to the kingdom. Some SMS systems are insecure and hackable. Therefore, someone could potentially get that special code that an app texts to you, log into your account and change the password before you even realize what is going on. It’s crucial to use end-to-end encrypted SMS platforms for all your communications.
SIM swapping is another danger, where criminals use a SIM card they control to take over your phone number and carrier account. This type of danger is very real and scary and usually involves social engineering to trick the phone company representative. By having your cell number, a scammer could trick caller ID systems and get into your financial accounts, or call financial institutions that use your phone number to identify you.
Once the scammer convinces your carrier to port out your number, you may never get it back. Scam porting is a big problem for phone owners.
Can Someone Steal My Phone Number?
Yes. Your phone number is out there on the web in various locations. Scammers can use a stolen cell phone number to receive your two-factor authentication codes and gain access to your texts, apps, and other online accounts, and they can hijack your cell phone number through SIM swapping. This is how it occurs:
First, they buy a burner phone and pop a new SIM card into it. They then call your wireless phone carrier and pretend to be you. If the hacker has enough information to convince the person, they may transfer your service and phone number to that blank SIM card and the new burner phone. Now your phone number has been stolen, and you aren’t even aware of it. All your texts, phone calls, and 2FA codes will now go to the hacker’s phone instead of yours. If you have access to bank accounts and other apps tied to your phone number, they will now have access to that stuff as well. Many location-based systems will think it’s you just by the scammer calling from your phone number. If hackers get this far, they can then change all your passwords and lock you out of your own accounts. Very scary stuff.
How Do Scammers Get Your Phone Number?
One of the most common ways scammers get your phone number is through the many data breaches and treasure troves of raw data found and sold on the dark web.
Another way is by picking through your trash and grabbing an old bill with your phone number on it.
Using a people search site, someone could glean a whole lot of information on cell phone numbers, such as any criminal records, past addresses, social media accounts, arrests, warrants, court cases, relatives’ information, and more.
How Much Info Can You Get From a Cell Phone Number?
It’s actually quite shocking how much information you can get from just a cell phone number. The list begins with your name and possibly address. Some other things might be:
What Steps to Take if Scammers are Using Your Phone Number
The best way to avoid this cybersecurity disaster is to prevent it from ever happening. However, if you suddenly find that scammers are using your phone number to commit fraud or scam others, you should take these immediate steps:
Contact your wireless service provider and report the abuse. Ask them to put a secondary password on your account so no one can take it over without the password.
Let your friends and family know that your number is being used in this way.
Stop giving your phone number out online and to anyone who requests it.
Stay clear of websites and apps that link to your phone.
Turn on two-factor authentication for all your accounts.
Get a phone number through Google Voice which is not linked to anything else.
Never click on links in texts or email. Malware is often linked to text messages or email.