Last year, a survey conducted as part of the “World Password Day” campaign made a number of alarming discoveries. The most alarming of them was that 10% of the people surveyed actually used ‘password’ or ‘qwerty’ as their passwords. Surprisingly, this isn’t an uncommon occurrence – other statistics reveal that even basic security hygiene is rare among most people, with 52% of users using the same password for different services. However, you probably stick to a stringent set of security rules, so you should be safe from such threats, right? Think again.
In the world of information security, things are changing faster than you can say “I’ve been hacked”. Digital services, and the cloud computing platforms they run on, have gone mobile in recent years through devices like laptops, smartphones and even wearables. The threats have followed them and adapted accordingly, so you need to be on your toes. The first step to fighting the new, evolved threats is knowing about them. To help you with that, we’ve highlighted some of the most significant emergent threats in the mobile security landscape.
Mobile malware and trojans
It has been a long time since malware moved its focus to mobile devices. Trend Micro Mobile App Reputation Service sourced 214,323 unique samples of mobile banking trojans in 2018 - almost twice as many as in 2017. FakeSpy and XLoader were two particularly prolific malware families doing the rounds. While the former replaces authentic banking apps with malicious versions, the latter spreads itself through SMiShing (SMS phishing) and DNS hijacking, which means overwriting the router’s Domain Name System (DNS) settings to divert internet traffic to attacker-specified domains. Behaviour like keylogging and deleting users’ contact lists is also quite common in mobile malware. The usual end goal is to gain access to the user’s confidential accounts, especially banking applications, and cause them financial harm that cannot be easily reversed. Some malware can also create fake card verification pages. To protect yourself from such an approach, make yourself aware of the official verification pages from your bank.
For instance, here’s how Axis Bank uses Verified by Visa (VBV), MasterCard SecureCode and RuPay PaySecure so that you can safely use Axis Bank cards online. Additionally, note that the Axis Mobile application is officially available only on the Play Store and App Store, and will always have ‘Axis Bank Ltd.’ listed as the developer.
Although they sound relatively less scary, adware and cryptominers also fall under malware. Instead of your identity and credentials, they intend to misuse your device for their own benefit. Essentially, adware works by sneaking a couple of unwanted installation packages onto a mobile device, usually as an undetected part of an app installation. This package, in turn, throws up ads at the user almost incessantly, generating revenue for the adware developer. The situation can quickly get worse if one such package manages to install additional packages, turning the phone into an ad-zombie that doesn’t allow you to do anything before you close a sea of ads. To prevent this from happening to you, always download apps from the official app store, where you can also check the reviews section for other users who might have faced such issues.
Multiple sources have reported a near five-fold growth in cryptomining malware in the last year. There could be several factors behind this. For instance, mobile devices are being fitted with increasingly powerful GPUs, making them more useful for cryptomining. Combined with the fact that these devices are ubiquitous, this makes mobile devices highly lucrative targets for cryptomining malware. One good way to detect cryptominers is to keep track of CPU/GPU usage on your smartphone, and generally to be aware of unusual slowdowns.
Dangers of the third party
The thriving app ecosystem today owes its existence to third-party developers and applications. Here, third party means any developer other than the manufacturer of the smartphone or its operating system. Due to their ubiquity, we are also quite used to sharing our banking information with them. For instance, you might have saved a frequently used card’s details on the cab aggregator app that you use for commuting daily. However, the trust you place in third-party developers might let you down occasionally. Last year, a famous travel company leaked credit card details due to a third-party vulnerability they had missed, among numerous other similar examples. While any attempt to misuse the card is hampered by the requirement of a secret code for every single transaction, that is not an infallible security measure: a CVV can be obtained through methods like keylogging and social engineering.
A good way to avoid the risk involved is to always use two-factor authentication, so that you’re notified of all transactions – benign or fraudulent. Using methods like UPI through trusted apps like Axis Pay is also a good way to mitigate the risk. Speaking of third parties, it is also good practice to stay away from third-party app stores. These stores might be attractive to developers because of the less stringent rules they impose. However, the same reason makes them more likely to carry malware.
Every popular social engineering technique is more effective on mobile platforms. According to reports, a staggering 91% of cybercrime starts with an email. Studies also indicate that mobile users are more likely to fall prey to social engineering attacks for multiple reasons. The always-on nature of smartphone usage, along with the way most mobile email apps are designed, makes mobile users the first responders to most phishing emails. For instance, if an email app only shows the name of the sender and not the email address, it is difficult to identify a fraudulent source. Another vector that is unique to mobile phones is social engineering via calls. People may pose as banking officials and ask you for information like your CVV, PIN or OTP. Never disclose such information verbally over a call. Additionally, when you’re on IVR during a call, make sure the PIN you’re entering isn’t visible to anyone. Other practices to follow during a phone banking call can be found here.
Gone are the days when WiFi was only available in your home or your office. Today, not just establishments like restaurants but even public places like bus stops, railway stations and shopping malls offer their own free internet over WiFi networks. While the threat of public WiFi networks is nothing new, it does pose greater risk today due to the extent of damage it can cause. A malicious WiFi network can pose as genuine and snoop on your data. Unencrypted WiFi, even though not harmful by itself, can allow a man-in-the-middle attack on your information. The cost of accessing personal and professional information over public WiFi still far outweighs its benefits. Among other rules, a good practice is to check for HTTPS encryption, which you can do by looking for the ‘https://’ prefix to the URL, or the padlock icon at the beginning of the URL. Pro-tip: clicking on the padlock icon allows you to check the security certificate of the website. For Axis Bank, the certificate should be issued to ‘www.axisbank.com’.
There are numerous reasons behind users rooting an Android device. Rooting refers to gaining ‘root privileges’ on Android, giving the user a much greater degree of control over their own device. It could be done to get rid of unwanted pre-installed apps, or to unlock certain features that were inaccessible earlier. It is this customisability that makes Android appealing to users, but at the same time, it also puts them at risk. For starters, modified (rooted) versions of Android don’t automatically receive security updates from Google. These devices can download and install apps that haven’t been checked by Google and can have unchecked access to your data. They also forsake some built-in security measures to fully utilise the rooted functionality. It is not advisable to use a rooted device, especially if you intend to use apps that handle sensitive data, such as mobile banking apps.
While most reports of fingerprint scanners being beaten by 3D-printed or AI-powered fingerprints can be safely dismissed as outliers, they do betray a trend. It is not impossible to dupe a fingerprint scanner when it comes to gaining access to your device. Even a sufficiently high-resolution photograph of your hand can be used to create a replica of your fingerprint. Early face scanners that skip depth sensing can still be beaten using photographs. While an average person may not be a target of this approach, it is nonetheless a risk factor that needs to be monitored. PINs and passwords remain the most robust ways of accessing protected devices and services. If you want to be extra safe, always rely on those as your last line
Disclaimer: This article has been authored by Siddharth Parwatay, a Mumbai based independent tech-journalist, editor, and content-creator. Axis Bank doesn't influence any views of the author in any way. Axis Bank and/or the author shall not be responsible for any direct / indirect loss or liability incurred by the reader for taking any financial decisions based on the contents and information. Please consult your financial advisor before making any financial decision.