Smartphone Security: Tips for protecting your PII on mobile devices
In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."
Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:
Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
User identification and passwords (to emails, social networks, etc.).
Mobile applications that record PII.
Geolocation data about the smartphone user.
Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.
So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.
Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
Financial malware attacks.
We can use these risks (listed from high to lower risk) along side the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.
Here are various measures that can help reduce the risks associated with mobile devices:
Encrypt mobile devices.
Regularly update mobile devices' applications and operating systems.
Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
Also avoid using a password that you've used for another account (a Yahoo! or Google email account, for example). Change your passwords (to access your phone and your various accounts) after a trip, especially if you used it in high-risk areas such as public hotspots in hotels, coffee shops and airports.
Here are a few more steps to better protect smartphones:
Consider deactivating smartphone functionalities such as Siri on iPhone, "Ok Google" on Android or Cortana on Windows Phone as they could be used to gain PII or control over your phone or computer.
Activate an immediate automatic lock of your smartphone screen when you're not using it.
Deactivate any smartphone features that display messages on a locked screen.
Don't ignore error messages about the validity of certificates, for example, when you try connecting to a Wi-Fi hotspot. You should always ensure that the website you're visiting or the hotspot you're connecting to is legitimate. They could be malicious Wi-Fi connections pretending to be legitimate hotspots. Hackers can plan and deliver these attacks at a relatively low cost.
Staying diligent helps decrease risk
Smartphone antivirus protection applications can provide a false sense of security because their effectiveness varies greatly. Thus, you have to be responsible to ensure the safety of your professional and personal smartphones and possibly those your organization supplies to its employees.
The lists in this article aren't exhaustive, but they illustrate some of the measures you can take to reduce the risks. I've found that organizations must train all employees — including high-level employees who have access to sensitive company information — in smartphone security. Your organization can conduct online training in social engineering, smartphone specificities, malware and passwords.
Smartphone instructions often are outdated. Stay current about security risks and remedies because smartphone attack schemes are always evolving. You can do this by checking specialized websites and blogs or by doing a simple web search.
When managing mobile devices for the entire organization, consider evaluating a mobile device management application (MDM) such as MobileIron, Good, AirWatch or Citrix to help ensure that organizations are applying adequate security policies across all mobile devices. For example, an MDM can help assure that smartphones are encrypted and the professional and private data stored on them is segregated.
CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)
Protect PII in all its forms because you know that fraudsters will gladly take it any way they can get it.
Nikola Blagojevic, CFE, CISA, is an audit director at the Cour des Comptes in Geneva, Switzerland. His email address is: email@example.com.