Some continue to hype “bring your own device” (often just BYOD) as a near-term technology and business goal for global Financial Services enterprises. At its most shrill, the argument amounts to something like ‘we all have a smartphone and it has become the center of our lives…’ In this industry we are all responsible for protecting trillions of dollars of other people’s money, as well as digital information about customers (individuals and companies), partners, and deals, all of which must remain highly secure or the foundation of our business erodes. That responsibility is wildly out of alignment with most BYOD realities. In that context, this blog entry is an offering to help risk management teams educate their Financial Services organizations about some of the risks of using mobile phones for work activities.
Here is some content that may be useful in your security awareness campaign…
Financial Services executives’ “private” communications could be of high value to cyber criminals. So could those of your Finance staff, Help Desk, Reporting Admins, Database Admins, System Admins, and Network Admins. There are a lot of high-value avenues into Financial Services organizations.
Under the title “Hacking Your Phone,” the 60 Minutes team has security professionals demonstrate the following in a 13-minute video:
- An attacker needs only the target’s phone number to track the target’s whereabouts, read their text traffic, and capture the content of phone conversations they place or receive. Turning off “location services” or GPS on the handset does not inhibit this attack, because the location comes from the carrier network’s own record of which cell the phone is attached to, not from the handset. The attack depends upon features of the SS7 (Signalling System #7) network that have been overly permissive and open to abuse for decades. Those SS7 weaknesses appear to remain after all this time because of nation-state pressure to support “lawful interception.”
They demonstrate their assertion in an experiment with U.S. Representative Ted Lieu, a congressman from California.
- Attackers can take control of some or all of your phone once it connects to a hostile WiFi network. Never trust “public” or “convenience” (for example, “hotel”) WiFi. Attackers stand up look-alike networks (sometimes called “spoofing”) and rely on people’s habit of trusting a familiar-sounding name to draw targets in; a phone set to auto-join remembered networks can connect to a look-alike without the user ever choosing it.
They demonstrate this approach by capturing a target’s mobile phone number, account ID, the credit cards associated with that account, and their email.
- Attackers use social engineering to get their software installed on targeted devices. One outcome is that they can then monitor all your activity through the phone’s camera and microphone, with no indication on the screen or LEDs, and the attacker’s software does not appear in any user interface even if you go looking for it.
They demonstrate this approach with the 60 Minutes interviewer’s device.
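The look-alike WiFi point above is one a risk team can turn into a concrete check. As an added example (not code from the post or from the 60 Minutes segment), the script below triages a Wi-Fi scan for the symptoms of a spoofed network: the same name folded into several spellings or homoglyph variants, the same name advertised both with and without encryption, and access points whose MAC vendor prefix (OUI) does not match the venue’s real equipment. The scan records, the `EXPECTED_OUIS` allow-list and the homoglyph table are constructed for the example and are assumptions, not data from the segment.

```python
"""Lookalike / evil-twin SSID triage over a constructed Wi-Fi scan.

Added example for this post, not part of the 60 Minutes segment or the
original text. The scan records below are constructed, not captured.
"""
from collections import defaultdict
import unicodedata

# Constructed scan results: (SSID as broadcast, BSSID, security type).
# Assumption: the hotel's real guest network is WPA2 on an a4:5e:60 OUI.
SCAN = [
    ("Hotel_Guest", "a4:5e:60:11:22:33", "WPA2"),
    ("Hotel_Guest", "a4:5e:60:11:22:34", "WPA2"),
    ("Hotel_Guest", "de:ad:be:ef:00:01", "OPEN"),   # same name, no encryption
    ("Hotel Guest", "de:ad:be:ef:00:02", "OPEN"),   # whitespace variant
    ("HoteI_Guest", "de:ad:be:ef:00:03", "WPA2"),   # capital I in place of l
    ("CoffeeShop",  "00:11:22:33:44:55", "WPA2"),
]

# Hypothetical allow-list: normalized SSID -> OUIs the venue's APs actually use.
EXPECTED_OUIS = {"hotelguest": {"a4:5e:60"}}

# Characters commonly swapped in so a rogue name passes a glance (chosen here).
HOMOGLYPHS = str.maketrans({"I": "l", "|": "l", "1": "l", "0": "o", "5": "s", "3": "e"})


def normalize_ssid(ssid: str) -> str:
    """Collapse case, spacing, punctuation and common homoglyphs so that
    look-alike names fold onto the same key."""
    folded = unicodedata.normalize("NFKC", ssid).translate(HOMOGLYPHS).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def oui(bssid: str) -> str:
    """First three octets of a MAC address, lower-cased (the vendor prefix)."""
    return bssid.lower()[:8]


def triage(scan, expected_ouis=EXPECTED_OUIS):
    """Return (normalized_ssid, finding, detail) tuples for suspicious networks."""
    groups = defaultdict(list)
    for ssid, bssid, security in scan:
        groups[normalize_ssid(ssid)].append((ssid, bssid, security))

    findings = []
    for key, aps in groups.items():
        names = sorted({ssid for ssid, _, _ in aps})
        securities = sorted({sec for _, _, sec in aps})
        if len(names) > 1:
            findings.append((key, "lookalike-names", names))
        if len(securities) > 1:
            findings.append((key, "mixed-security", securities))
        allowed = expected_ouis.get(key)
        if allowed:
            for _, bssid, _ in aps:
                if oui(bssid) not in allowed:
                    findings.append((key, "untrusted-oui", bssid))
    return findings


if __name__ == "__main__":
    for key, finding, detail in triage(SCAN):
        print(f"{key:12} {finding:16} {detail}")
```

Treat the output as triage, not proof: a rogue access point can clone the legitimate BSSID as easily as the name, so a clean OUI check only means the attacker did not bother. The durable control is the one the segment implies, which is to keep work devices off untrusted WiFi altogether.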
Remember, not everyone employed in a Financial Services enterprise understands the risks of performing business activities on mobile devices. Use materials like this video to augment your risk awareness program.
“Hacking Your Phone” aired on April 17, 2016.