Security Issues vs User Awareness in Mobile Devices a Survey

Others

9 pages
39 views

Please download to get full document.

View again

of 9
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Share
Description
Mobile devices help modern man stay connected. Mobile phones come handy to serve this purpose; they use a radio link available in a geographical area, to make and receive telephonic calls, without compromising on the mobility. In the most recent years, the mobile phones are not just meant for making calls; they are used for many more purposes. Their penetration rate has increased drastically with a wide range of applications coming into the market every day. The latest ones, the Smart phones, serve an increasing number of activities besides storing sensitive data. This has made the mobile phones a prime target for attacks. The users lose all the important data besides losing a handsome amount with the loss of mobile phones; even messaging has become highly insecure. Hence this paper intends to discuss the results of a survey made online on the possible attacks on mobile devices. The paper also throws light on the case studies of a variety of attacks that have been registered in the world of mobile phones.
Transcript
  International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME  217   SECURITY ISSUES VS USER AWARENESS IN MOBILE DEVICES: ASURVEY Khaja Mizbahuddin Quadry, Research scholar,JNTUK, Kakinada, A.P, India Dr. Mohammed Misbahuddin , Senior Technical Officer, C-DAC, Electronic city, Bangalore Dr.A.Govardhan, Professor of CSE Dept and Director of Evaluation,JNTU, Hyderabad, A.P., India ABSTRACT Mobile devices help modern man stay connected. Mobile phones come handy to serve thispurpose; they use a radio link available in a geographical area, to make and receive telephonic calls,without compromising on the mobility. In the most recent years, the mobile phones are not just meantfor making calls; they are used for many more purposes. Their penetration rate has increaseddrastically with a wide range of applications coming into the market every day. The latest ones, theSmart phones, serve an increasing number of activities besides storing sensitive data. This has madethe mobile phones a prime target for attacks. The users lose all the important data besides losing ahandsome amount with the loss of mobile phones; even messaging has become highly insecure.Hence this paper intends to discuss the results of a survey made online on the possible attacks onmobile devices. The paper also throws light on the case studies of a variety of attacks that have beenregistered in the world of mobile phones. Keywords: Security issues, Vulnerabilities, attacks, malware 1.   INTRODUCTION Mobile phones, [1] otherwise called the cell phones, facilitate making and receivingtelephonic calls through a radio link available in a geographical area, while being mobile. The cellularnetwork provided by a mobile phone service provider in any area allows the cell phone access to thepublic telephone network. In addition to telephony, text messaging, mailing, internet access, short   INTERNATIONAL JOURNAL OF ADVANCED RESEARCH INENGINEERING AND TECHNOLOGY (IJARET) ISSN 0976 - 6480 (Print)   ISSN 0976 - 6499 (Online)Volume 4, Issue 3, April 2013, pp. 217-225   © IAEME: www.iaeme.com/ijaret.asp   Journal Impact Factor (2013): 5.8376 (Calculated by GISI) www.jifactor.com     IJARET © I A E M E  International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME  218   range wireless communications (I.R, Bluetooth) business applications, gaming and photography arealso possible by these modern mobile phones.. Hence, every common man in the modern times finds atrustworthy companion in the form of these mobile phones. They serve as a means to stay connectedwith family and friends, carry on business transactions, make emergency calls, etc. Records show thatrural consumers, earning less than $1000 yearly, make the fastest growing cell phone subscribersworld-wide. The expansion of Indian cell phone industry presents a sharp contrast when compared tothe other industries. The present day Smart phones are supported with more general computingcapabilities. The cell phone industry registered a boost in December 2008. More than 10million newsubscribers were reported in comparison to the 8 million in 2007. The overall subscription in the cellphone industry grew by 48% in 2008 with 34 million customers. The past twenty years, from 1990 to2010, recorded a growth in the worldwide mobile phone subscriptions, from 12.4 million to over 4.6billion; it penetrated and reached the bottom level of the economic pyramid in the developingeconomies. An exponential increase in the numbers of users has been recorded ever since the mobilephones were first made available. The end of 2009 saw over 50 mobile operators with 10 millionsubscribers each and another over 150 mobile operators with at least one million subscribers. The year2010, has recorded 4.6billion mobile phone subscribers on the whole, a number that is expected togrow more rapidly in the years to come... 2.1 VULNERABILITIES and Security of Mobile Devices With the wide spread use of Mobile phones for a wide range of applications, their security is amatter of serious concern. Mobile phones are nowadays considered to be the very handyauthentication medium by many websites [3] and by most of the online businesses. They send an SMSbased authentication code for ensuring authentication online; often in clear text involving no codes.As these mobile phones run the risk of being stolen, the fraudster can easily read the text or forward itto another number. This allows a cyber criminal authenticate fraudulently. Vulnerability, [2] thoughnot so common a factor with the desktops, is very serious in case of mobile devices given to theirsmall size and portability; thus being easily stolen or lost. The report presented at Georgia Tech CyberSecurity Summit 2011, the Emerging Cyber Threats 2011 talks about the rise of vulnerabilities in caseof mobile browsers. The security experts say that the device constraints and tension between usabilityand security make it difficult to debug issues. As the mobile browsers never get updated as traditionalweb browsers do, and the users continue using the same operating system and the mobile browser as itwas on the date of manufacture, the attackers gain a big advantage. Attackers leverage a logic flaw inthe mobile network standards and force mobile phones to send premium rate SMS messagespreventing them from receiving messages for long periods of time. Major actions like checking creditor voice mail, calling emergency numbers or customer support and even performing mobile bankingare performed by these malicious applications, while typically they figure themselves as menu orapplication bearing the operators’ name. A majority of cell phones don’t notify for the SIM Toolkitmessages; some others wakeup from their sleep mode, but neither they indicate the receipt of anyneither message nor do they show any message in the inbox. However, when automated error reportsare sent, the users of some branded phones get notified for the message being sent but can’t really seeany message. Only the Nokia devices ask for confirmation to send SIM toolkit response. But thisoption, asking for confirming the SIM service actions, is off by default on the phones configured bythe operators. The most recent devices like iphones and the Windows mobile 6.x devices notify themessage being sent but offer no way to stop it. However the sender can request for a reply via SMSeither directly to the sender’s number or to the operator’s message center. The online bankingapplications through mobile browsers are also vulnerable to the phishing websites that invite the bank customers to enter their passwords or other credentials.  International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME  219   3 CASE STUDIES We discuss some of the mobile phone attacks reported. 3.1   C ASE S TUDY :   Z EUS T ROJAN A TTACKS B ANK ' S 2-F ACTOR A UTHENTICATION   Zeus [4], a type of banking Trojan, has been reported to target the mobile phones when theusers try to get their handsets upgraded to the two-factor authentication facility. The F-secureantivirus provider researchers informed that the Zeus MitMo attack appears to be similar to thereported in Spain. In both the cases the malware attempted to steal the mTANs (mobile transactionauthentication numbers) used by a majority of European banks an enhanced authentication service totheir online customers. In this case the financial institutions provide a one-time password throughSMS, which in the secondary stage needs pass codes to login to online accounts. The Zeus Mitmo[5]creates a fraudulent field on the web page prompting the users to provide their cell phone numbersand the type of handset they use. As there is no change in the URL or any changes in the header orfooter that hints about the untrusted security panel. The users provide the information thinking thatthey are enhancing their security, least knowing that the notification is fraudulent. Thus activated, theapp then monitors your SMS messages and sends the mTANS to the Zeus operator, making it possibleto gain access to your bank account as it has got your user name, password and mTAN; combinationthat would clear your account of cash. 3.2   Case study: Spy Eye banking Trojan: now with SMS hijacking capability Another banking Trojan, the Spy Eye[7] has the capability to reroute the SMSes carrying the one-time passwords sent to victims' cell phones. This feature enables the Trojan to bypass all theprotections adopted by the financial institutions. In yet another case, the Spy Eye tried to redirect andtrick the victims to reassigning the cell phone number that they have registered with the banks toreceive one-time passwords. The fraudulent pages injected into the online banking sessions make afalse claim that the users have been assigned a unique telephone number and that they would receive aspecial SIM card in the mail shortly. Thus injected, Spy Eye allows the fraudsters to receive all theSMS transaction verification codes for the hijacked account via their own telephone network.   In thisway they divert funds using the SMS confirmation system from the customer's account withoutacknowledgement or triggering any fraud detection alarms. How the attack works: The malware first gains the access to the login information logs into theaccount without being detected by the bank or the consumer. With the help of social engineering heobtains the confirmation code srcinally used to activate the consumer's mobile phone number withthe bank. To do this the malware injects a page that is assumed by the consumer that it is from thebank. It says that as a requirement for the new security system unique telephone numbers are beingissued to the customers and that they will receive a special SIM card in the mail. The customers areprompted to reregister with the bank using the srcinal confirmation code into the relevant field; of course, the Black Hats are ready to capture it. On getting the code the fraudsters claim for a change inthe old phone number with the new one which will be their own number. As soon as this is done, theydivert the funds, without alerting the customer or the bank about the fraud. These unauthorizedwithdrawals or expenditures are noticed only when the customer logs in to his account. This is enoughto demonstrate that all out-of-band authentication systems, including SMS-based solutions, are notfool-proof. As the banks have started verifying the transactions and subjecting them to various frauddetection systems, the fraudsters are using a combination of MITB (man in the browser injection)technology and social engineering to buy themselves more time. Once a computer has been identifiedto be infected with Spy Eye, such attacks can be checked with endpoint security that blocks MITBtechniques. Only a layered approach to security can solve the issue otherwise even the mostsophisticated OOBA schemes would fail.  International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME  220   3.21 First Spy Eye Attack on Android Mobile Platform Spy Eye [8] is fast spreading in the mobile market, making the Android mobile platform theirtarget. Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, Spy Eyeintroduced their own hybrid desktop-mobile attacks (dubbed SPITMO). On the Zeus’ tracks. Trojan: SymbOS/Spitmo The SPITMO Trojan injects fraudulent fields for the user’s mobile phone number and the IMEI of thephone into the bank's webpage, thus directing the user to provide them . The Trojan needs to link up with thedeveloper certificate in order to get installed on the user’s phone. But as the developer’s certificate is tied to theIMEI of the user’s mobile phone, the malware authors request the IMEI along with the phone number on thebank's website. On receiving the new IMEIs, they request an updated certificate with the IMEIs of all thevictims in order to sign in and create a new installer. The delay in getting the new certificate from the developerexplains why the Spy Eye injected message states it can take up to three days for the certificate to be delivered. The cumbersome cycle which is used to circumvent Symbian's signing in requirement makes theTrojan take up to three days to complete an attack. ã   Ask the user for their device's IMEI ã   Generate an appropriate certificate ã   Release an updated installer Trojan:DriodOS/Spitmo The fraudsters find it unreasonable to wait for three days just to steal a couple of SMSs. The AndroidOS provides a much more intuitive and modern approach to succeed getting desired treasure. Figure3has a pictorial overview of how MitMo evolved. The figure shows clearly that before 2011Blackberry and symbian were affected by Zeus Trojan, but after April 2011 the Spy Eye Android,Blackberry and Symbian. Figure.3 MITMO EVOLUTI(www.pcworld.com/.../  spyeye _ trojan _ targets _ online _ banking _ securit  The Trustee reached the following analysis from a Spy Eye compromised machine on July 24th: Stage 1: MITB – web injects module (you know the drill...)When a compromised mobile is used for transacting with the targeted bank, a messageprompts a new security measure, supposedly being enforced by the bank, which is mandatory inorder to use its online banking service thereafter. It seems to be an Android application, fully safe andprotecting the phone’s SMS messages from being intercepted (there’s irony for you…) and guards theuser against any fraud.
Advertisement
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks