Human Behavior – the Achilles Heel in Mobile Security


The continued success of email phishing attempts and social engineering tactics, and the growing efficiency of the emerging breeds of mobile malware all attest to a fact that security professionals have been moaning about for years: Human beings (in this case, mobile device users) are the single most effective tool that cyber-criminals have in compromising security.

In classical Greek mythology, the great hero Achilles was virtually invulnerable save for the portion of his ankle by which his mother held him as a baby while dipping him into the mystic river that gave him his godlike powers. The analogy in our case holds that even the most robust and up-to-date combination of security software, hardware and data protection can be rendered powerless by the single act of a careless user.

Plain Carelessness

There’s no simpler way of permitting a malicious outsider to gain access to the personal and work-related data on a mobile device than allowing someone to get access to the device itself. Loose pockets, open bags, leaving smartphones unattended in a crowded place: all of these are invitations for pickpockets and thieves. And if your device isn’t protected by some form of access control, the thief has just been handed a treasure trove.

Corporate users may have some measure of protection if their company runs an effective mobile device management (MDM) system as part of its BYOD (Bring Your Own Device) policy. Administrators may have standing orders to delete all data from any device that’s reported as lost or stolen. Of course, the onus is on you, the user, to report it in the first place. But especially for private users – and also for security-conscious corporate ones – there are measures you can take to guard against this.

Access control doesn’t have to be restricted to passwords. In fact, these days the consensus in security circles is that it shouldn’t be. If your device has a lock screen mechanism or biometrics (fingerprint scanner, front-facing camera, or microphone), you can use these to set up layers of access protection that are tuned specifically to your physical characteristics.

Not So Simple Mistakes

Regarding passwords, the old problems of easy-to-guess and/or easy-to-retrieve access codes still persist. Personal or family birthdays, pets’ names, and hackneyed combinations of letters or numbers (1234567, anyone?) can be obtained not only from friends and workmates, but also from information provided in your online account and social media profiles. And even network administrators are sometimes guilty of using the default passwords or PIN codes (0000, etc.) that ship with mobile hardware.

There are websites and tools out there for generating the kind of complex passwords demanded by today’s cyber-threat environment – and password management apps for keeping track of them all. But if you choose to share your passwords with family, friends, or colleagues – and even if you reuse the same password(s) across multiple accounts – you’re putting your data at risk.

Setting Up For a Fall

Convenience and the urge to have the latest gadgets may be the foundation for an unsecured mobile architecture. Users wishing to bypass the restrictions laid down by device manufacturers and approved app stores may be tempted to root or “jailbreak” their devices in order to gain the freedom to delete unwanted system files and download apps from third-party download sites.

Though resources like the App Store and Google Play are far from perfect (some estimates suggest that anywhere from 13-17% of apps hosted there are malware in disguise), they’re generally a safer bet than torrent sites and “cracked app” havens – where slipping adware, spyware, and other malicious code into hot downloads of the latest games and utilities is standard practice.

Greed and Need

For cyber-criminals, sometimes a more direct approach can yield results. With the economy still biting, inducements (cash and favors) may be enough to convince corporate or even private users to sell their own or their company’s sensitive or high-value information.

In a security survey conducted this year, 20% of the 1,000 private enterprise workers polled said that they would be willing to sell their passwords (almost half, for less than $1,000) to a third party. Factors such as mortgage payments and the burden of outstanding student loans have been cited as contributing to this.

Extortion and Persuasion

If the carrot doesn’t work, there’s always the stick. Some targeted research into company and social media profiles, hacked emails, and other sources may give cyber-criminals the leverage needed to blackmail a user into stealing or revealing vital documents, corporate data, or intellectual property.

And if research doesn’t yield anything, ransomware is another option. With attack vectors multiplying, the mobile landscape is witnessing an increase in these types of attacks, as well.

Disgrace Under Pressure

Social engineering ploys are being stepped up in the mobile environment, too. Threatening emails and SMS text messages purporting to come from government agencies, law enforcement, financial institutions and utilities (“Your credit card/account/access to whatever will be rescinded in 3 days, unless you…”) are framed in this manner and distributed for a reason.

It’s human nature to respond to threats and pressure like this in a “fight or flight” response. Since everyone knows that you can’t fight the government (or the bank, or the power company) unless you have a lot of money and a really good lawyer, the tendency is for users to fly straight into whatever trap has been laid out for them.

Just Plain Fooled

Recent events have brought fake news and fake advertising into the (so they tell us) real news, with stories and pitches that are sometimes plausible enough to fool even the most hardened skeptic. And it isn’t just social media that’s to blame – though these highly visited platforms are being used as a medium to distribute much of the mayhem.

Malicious advertising, or malvertising, is gaining a foothold in the mobile world, and is also being spread through in-app promotions, text messages and emails that induce users to click through to various scams, malicious downloads, and booby-traps.

Keep your wits about you at all times. It’s your best defense against any content that you can’t block with your browser, anti-spam and app filters.

Undue Diligence

If you’ve scrolled down this far, you should also be of the school of thought that always reads the fine print on contract documents, license agreements, subscriptions, Terms and Conditions, and the permissions demanded by any mobile apps that you install. It’s an essential habit to adopt, as this text often contains barely-concealed references to adware, spyware, personal data collection, and data sharing policies that may come back to haunt you in the weeks or months to come.

Taking the time to read a fair proportion of the user reviews for an app, or the comments of other subscribers to a resource or web portal, is also a good practice.