Mobile Device Security, A Multi-Faceted Approach

Cyber incidents are now the #1 business risk facing corporations, moving to the top of insurer Allianz’s annual list. In this world of high-profile state-sponsored cyber attacks, along with bad actors attempting various forms of cybercrime, enterprises and consumers need to take a multi-faceted approach to device security. The threat vector is higher today on mobile devices than laptops or desktops due to the volume of enterprise and consumer usage on mobile, as well as the speed with which emails are reviewed, links clicked, logins completed, and actions taken on a mobile device. Thus, care should be taken to employ mobile device security to protect against today’s top threats. Let’s shed some light on these threats, as well as potential solutions including mobile threat defense (MTD), zero trust frameworks, and account takeover (ATO) prevention measures.

Rising to top of the list of threats to consumers and enterprises: ATO and business email compromise (BEC). Use of compromised emails and passwords, billions of which are available on the dark web due to the many publicised hacks and breaches over recent years, have made ATO and BEC not only possible, but quite easy and lucrative for bad actors. Per the Financial Crimes Enforcement Network (FinCEN), BEC scams generate around $301 million every month.  For the last three years running, the use of weak or stolen passwords is the #1 hacking technique (not some sophisticated state-sponsored level of hacking as depicted in primetime television), aiding bad actors in taking over accounts containing corporate data, funds, and personally identifiable information (PII).

ATO and BEC are the result of third-party breaches. An analyst at the law firm DLA Piper found that after the General Data Protection Regulation (GDPR) came into effect, the first eight months saw an average of 247 breach notifications per day. Since then, the average has risen to 278 notifications per day. With this massive growth in breaches, enterprises and consumers should employ a proactive protective solution that monitors for stolen credentials in order to safeguard their accounts.

SIM swap attacks have also become a major problem for mobile operators and consumers worldwide (refer to this earlier GSMA blog on SIM swapping). Access to a victim’s password and ownership of their phone number gives criminals a way to bypass multi-factor authentication (MFA) and takeover sensitive accounts. One way to help prevent the effectiveness of a SIM swap attack is through strong password security: utilise credentials that have not been compromised in a breach.

As far as additional solutions available to combat today’s threats, a multitude of mobile threat defense solutions are available to enterprises and consumers, and some are even bundled into mobile device offerings. For example, AT&T (and many other global operators), offers a 3rd-party MTD solution on their devices that helps to scan for malware and prevent phishing attacks. Samsung announced including a 3rd-party MTD solution as part of their Knox security platform; this on-device machine learning engine prevents zero-day attacks. Google also includes Android SafetyNet to assist with MTD in all Android devices. Jeff Bezos may have been able to avoid having his phone (and data!) compromised recently if he utilised a MTD solution on his device.

In addition, many enterprises utilise a zero trust network architecture to protect corporate networks. Consumers should operate the same way, using MFA/2FA (two-factor authentication) to protect one’s financial accounts and other important assets. Note that use of 2FA solutions is on the rise, but some are concerned about the additional hassle that it imposes on consumers (wait for an SMS, enter the code, etc.). In their recent report, Duo Security (acquired by Cisco) cites that those who employ SMS as their second factor could save time by switching to other, more secure authentication methods (push and universal 2nd factor or U2F can save a user 13 or 18 minutes per year over SMS, respectively). Of note, per this report, they cite that email is the most important account to protect.

While securing the physical device is important, now that mobile devices are the preferred method of accessing banking and shopping sites, we need to think about securing the entire mobile experience. While mobile manufacturers don’t control all of the apps used on their devices, we can see a future where policies are put in place to mandate that apps requiring account creation comply with the latest National Institute of Standards and Technology (NIST) guidelines, which restrict weak and commonly used passwords, as well as passwords obtained from previous breach corpuses.

An ATO prevention solution that checks users’ passwords at the point of login against a database of recovered stolen credentials goes a long way to securing the entire mobile experience, especially if it can also screen passwords for NIST compliance. By forcing a password reset or leading the user down a step-up authentication path, account compromises can be avoided.

The GSMA’s Device Security Group (DSG) is actively working with leading mobile operators globally, along with mobile device original equipment manufacturers (OEMs) and other ecosystem players, to be the center of expertise on device security, and combat device security issues.  We hope that those with an interest in addressing mobile device security issues and increasing both consumer and enterprise mobile security (as well as people’s confidence in the use of their mobile devices!), may work to become active in the GSMA DSG.