How Safe is Your Mobile?
Anindya Roy
Saturday, July 05, 2008
You're under attack. With call and SMS spoofing and spam, mobile
viruses...even SIM cloning. What's more, these threats don't require rocket
science to learn, making most mobile phones out there extremely vulnerable. We
give you a detailed report on these threats, along with advice on how to protect
yourself against them. Plus we take you through some of the hottest mobility
trends.
While they started as the wireless version of the good old landline, mobile
phone usage today is no longer restricted to making calls. They are our music
player, camera, video player and Web browser, all rolled into one. More
seriously, they provide access to bank statements and credit cards, act as your
password valet, and are overall a sign of your social identity.
Mobile phones contain GSM and CDMA modems for mobile Net access, act as
handheld devices for SFA (Sales Force Automation), and so on. Enterprises
extensively use mobile communications for business benefit. Just look around to
see the many different uses of mobile communication.
Enterprises use mobile devices for quick polls and surveys, not to mention the
traditional and push mail that has changed the way mobile executives
communicate. Today you have access to unified clients that provide access to
IMs, VoIP servers, Skype, etc. from a single interface. In short, mobile
communication has become the epicenter of our communication today.
And now the flip side
It's good to see so many good things happening in the world of mobility. But
did you know how much of your confidential data, along with all that
functionality, is exposed to unscrupulous elements? Many people carry their
ATM/credit card PIN numbers on their mobiles, unencrypted or encrypted. Many
people also link their phones with their bank, demat and insurance accounts.
They store crucial contact details, SMSes, chat logs, etc. So just imagine if
your phone becomes vulnerable and somebody manages to access this data. You
wouldn't even want to imagine the impact!
Believe it or not, but with the growing popularity and increase in the number
of mobile phones, the number of threats that they're prone to has also
increased. What's even more worrying is that these threats are not very
difficult to perform. We did a thorough study of these threats and in this
story, we will take you through the most common ones that mobile networks are
prone to. But don't worry. We won't leave you dangling with nightmarish thoughts
in your mind. Besides telling you about the threats, we've talked about ways to
combat them towards the end of this article.
SMS Spoofing
All of you would be receiving plenty of promotional SMSes that either don't show
the phone number or come with only a name, but no phone number. These are
essentially called anonymous or masked SMSes. By the same technique one can even
send SMSes with someone else's number, and the technique is known as SMS
spoofing.
Unfortunately, you don't need to be a tech expert to spoof SMSes. Even a novice
can do it. There are websites on the Internet (both free and paid) that let you
send spoofed SMSes. Besides websites, there is also software that can do the
same.
We'll not get into the details of which software and how to do SMS spoofing,
because that's not our intent. We just want to highlight the gravity of the
threat. For instance, just count the number of times your phone number is used
for authentication over the mobile network.
For example, for a balance enquiry or for recharging a DTH account, most of the
time you would have registered with your phone number and now access the
service through an SMS.
If someone spoofs your phone number for sending SMSes, then that person can
easily pretend to be you and do all account related enquiries with the spoofed
number.
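The weakness described above, seen from the service side, as an added example
that is not part of the original article. The class names, the RECHARGE command
and the phone number are constructed for illustration; the sketch assumes a
spoofer can forge the sender field but cannot read messages delivered to the
real handset.

```python
import hmac
import secrets
import time

def parse(text):
    p = text.split()  # amount from "RECHARGE <n>", None for anything else
    return int(p[1]) if len(p) == 2 and p[0] == "RECHARGE" and p[1].isdecimal() else None

class NaiveService:
    """Weak: acts on the sender field alone, which a spoofer controls."""
    def __init__(self, accounts):
        self.accounts = accounts

    def handle(self, sender, text):
        amount = parse(text)
        if sender in self.accounts and amount is not None:
            self.accounts[sender] += amount
            return "Recharged"
        return "Rejected"

class ConfirmingService:
    """Acts only when a one-time code sent to the registered handset is echoed back."""
    def __init__(self, accounts, ttl=120, clock=time.time):
        self.accounts, self.ttl, self.clock = accounts, ttl, clock
        self.pending = {}  # number -> (code, expiry, amount)
        self.outbox = []   # (recipient, text) the network delivers to the real phone

    def handle(self, sender, text):
        if sender not in self.accounts:
            return "Rejected"
        amount = parse(text)
        if amount is not None:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[sender] = (code, self.clock() + self.ttl, amount)
            self.outbox.append((sender, f"Reply {code} to confirm"))
            return "Code sent"
        code, expiry, amount = self.pending.pop(sender, ("", 0, 0))  # one try per code
        if code and self.clock() <= expiry and hmac.compare_digest(text.strip().encode(), code.encode()):
            self.accounts[sender] += amount
            return "Recharged"
        return "Rejected"

def demo():
    """Constructed scenario: the same forged sender field hits both services."""
    victim = "+910000000001"  # constructed number
    naive, safe = NaiveService({victim: 0}), ConfirmingService({victim: 0})
    naive.handle(victim, "RECHARGE 500")  # forged sender: accepted outright
    safe.handle(victim, "RECHARGE 500")   # forged sender: only staged
    safe.handle(victim, "000000x")        # blind guess fails and burns the code
    return naive.accounts[victim], safe.accounts[victim]
```

The confirmation code travels only to the registered number, so a forged
request changes nothing unless the real subscriber echoes the code back.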
Call spoofing
VoIP is becoming increasingly popular amongst most organizations. The good news
is that today you can easily download an Open Source IP PBX from the Internet
and configure it as a VoIP gateway on your network and start enjoying the
benefits of VoIP. Add an FXO card to that and you can even make local calls with
it over IP. While it feels good to have so much power, remember that the same
power can also be misused, and one of the methods is called call spoofing. For
instance, you could get a call from somebody posing as a representative of your
bank and asking you for some confidential information. If you're not careful,
then you might reveal this information to the caller and become a victim of call
spoofing.
There are sites on the Internet which can be used by
anybody to do SMS Spoofing.
Call spoofing is similar to SMS spoofing but more difficult to perform.
Essentially, a VoIP gateway with an FXO card is used to initiate a call and the
VoIP server can be configured to change the caller ID to a desired value.
This attack is pretty much similar to forged mails, but the scary part here
is that you don't have a spam filter that would let you distinguish a forged
call from others. Plus, the level of awareness about mail scams is higher than
that of call spoofing. That's why people don't take it seriously and hence the
possibility of a successful scam attack is higher.
The way to protect yourself against call spoofs is to remember that no bank
or financial institution is going to ask you for confidential information over
the phone. Even if they do, you should not give it to them.
Spamming voice and text
This is another common threat. All of us receive unwanted calls and SMSes
selling credit cards or free ringtones, etc. Every day I receive about 60% spam
SMSes. For calls, this percentage is lower but still hovers around 20 to 30%.
These are more of a nuisance than a security threat, just like the spam you get
in your mail. But you never know when things will change for the worse. Today, a
lot of the spam mail that arrives also contains viruses and spyware. You might
just start getting such malware over SMS in the future. The worst part about
this vulnerability is the lack of a good spam filter for mobiles. There are a
couple of anti-spam solutions available, but they mostly have to be configured
manually. This means you have to manually create the lists of blacklisted and
whitelisted phone numbers. However, this is not 100% efficient.
Websites like this are accessible to everyone,
meaning it's dangerous to leave Bluetooth enabled on your phone in public.