NetSafe Smartphone Security Report 2014

Transcription

1 NetSafe Smartphone Security Report 2014 Smartphone Security Report 2014

2 Mobile internet use is soaring in New Zealand with latest figures from December 2013 suggesting 64% of Kiwis aged between 15 and 65 now own a smartphone 1. At the start of this year, Yahoo! Chief Executive Marissa Mayer suggested that 2014 will mark a tipping point in our adoption of technology: By the end of this year we will have more mobile users and more mobile traffic than we have PC traffic. Visitor traffic to NetSafe websites reflects this trend with mobile and tablet use growing. As more New Zealanders have begun using smartphones, NetSafe has revisited a research project from 2011 that looked at the use of and security awareness around mobile technology and has discovered some promising trends. Smartphone use in New Zealand In 2011, it was estimated that 7-10% of New Zealanders owned a smartphone three years on and that figure has soared with almost two out of three people carrying around a small but powerful computer in their pocket every day. NetSafe surveyed 207 smartphone owners for with almost one in 5 (19%) stating that their employer provided the device. This figure has fallen from 32% in 2011 suggesting more New Zealanders are taking advantage of steadily falling prices for consumer electronics and snapping up handsets that allow them to stay connected to their online lives 24/7. In terms of market share, analysis of our 2014 survey respondents shows the following ownership breakdown: Apple iphone 59% Android (all manufacturers) 35% Windows Phone 3% BlackBerry 1% Other 2% Whilst the survey size is small (and this device ownership split may not reflect the wider community) it still allows analysis of behavioral trends and provides a snapshot of Kiwi mobile use. NetSafe defines a smartphone for the purposes of the survey as a mobile offering internet connectivity and services beyond the ability of an older feature phone. 1 Frost & Sullivan New Zealand Mobile Device Usage will- have- 90- smartphone- and- 78- tablet- ownership- by htm 2 Survey methodology: NetSafe published an online survey for 2014 and received responses from Survey methodology: NetSafe published an online survey for 2014 and received responses from 207 anonymous individuals who identified that they use a smartphone to access online services. Respondents were asked a variety of questions around device use and loss, technical capability and awareness and use of security functionality including handset locking and mobile anti- virus products. The 2014 survey asked 23 questions including country of residence and age and replicated the majority of questions first asked in April The mean age of respondents was 38 with 190 stating that they lived in New Zealand.

3 NetSafe Smartphone Security Report 2014 More Kiwis banking and transacting on mobiles 62% of New Zealand residents who responded to the survey used their smartphone to bank online with dedicated banking apps five times more popular than using a website. 64% of people had completed a purchase using their smartphone - buying from websites, winning online auctions, purchasing in- app credits or add- ons or paying for music or other digital downloads.

4 Smartphone security challenges The most significant risk for smartphone owners is the physical loss of their device. With just over one in four Kiwis who responded to the survey admitting to having lost a mobile phone, security of the handset and the contacts, data and apps within remains a key concern for individuals and for businesses that provide employees with an expensive device to enable them to work on the move. 28.5% Yes No 71.5% Figure 1: Have you ever lost a mobile phone? (NZ residents) The small size of most smartphones makes them easy to lose and the resale value of stolen handsets means they are also attractive for opportunistic thieves. A new phrase, Apple picking the targeting of Apple devices by thieves has been coined by US police 3 and around percent of thefts in major American cities involve mobile phones 4. The average smartphone owner inputs a vast amount of personal and/or business data into their device and losing your phone can open up unwanted access to friends and family, your social networks, work or personal accounts and potentially give access to confidential business systems. Lock up your life The easiest way to mitigate the impact of losing your smartphone is to use a lockscreen to prevent causal access to your phone and the data within. 3 Apple picking: how the iphone became an object worth killing for - picking- stolen- iphones_n_ html 4 FCC announces new initiatives to combat massive smartphone and data theft A1.pdf

5 In 2011, only 66% of Kiwis reported that they used a pin number or swipe pattern to keep their device secure. In 2014 that number had risen to almost 9 out of 10 smartphone owners with manufacturers and app developers introducing a range of options that includes longer passwords, facial recognition and even biometric measures such as fingerprint scanning to secure devices: 0.5% 8.0% PIN number 10.6% 10.1% 13.3% 57.4% Fingerprint or other biometric option None of the above, the phone is not locked Swipe pattern Password Facial recognition Figure 2: Do you need a PIN number, swipe pattern, password or other log on feature to access and use the phone? The rapid adoption of BYOD in the workplace has also been accompanied with increased knowledge of the need to protect devices and how they are used. Where an employer provided the mobile, respondents suggested that almost three quarters of businesses (71%) now have policies and procedures in place to advise staff on the use and security of their smartphone. The picture was vastly different in 2011 with only 38% of respondents receiving such guidance. Mobile malware and protecting your device Anti- virus software has been the keystone of any computer security strategy for a long time in the world of desktop computing. Mobile malware has been touted as the next big cyber threat for several years and in 2011 only 13% of Kiwi smartphone owners were using anti- virus software on their device. In 2014, this figure had risen to 25% of survey respondents, with more than half of Android owners where the malware threat is perceived to be most serious suggesting they were using security software on their phone as an additional line of defence. When asked if their smartphone had shown signs of a computer virus style infection with data or apps being lost, premium rate texts being sent without

6 permission or slow internet access or excessive data use, almost 4% of Kiwis suggested they had experienced this issue. NetSafe has only received one report to date of mobile malware affecting an older Android- powered smartphone where the handset was reset to factory settings via a browser- based exploit. A recent report from UK media regulator Ofcom suggested that 2% of British adults they surveyed had experienced a virus, Trojan or malware on their phone 5. Looking at New Zealand responses, NetSafe found that the majority of issues reported concerned free games or intrusive advertising suggesting that mobile malware has yet to be a significant issue locally. Media coverage in May of Koler ransomware targeting Android devices 6 suggests threats continue to emerge. However, the end user must normally agree to install a rogue app or APK before the handset is affected. Increasing awareness of smartphone challenges is essential to ensure owners are proactive in protecting their own devices. Tools and technology can help Smartphone manufacturers and software companies alike have recognised the risk of a mobile device being lost or stolen and have responded by offering easy ways to track, lock or wipe handsets remotely. Apple s Find My iphone service and Google s equivalent Android Device Manager make it easy for consumers to find lost smartphones or tablets. Popular security software suites can also be installed to deliver similar functionality. Enterprise device management options are available to businesses that also allow a corporate owner to prevent the installation of unauthorised apps or restrict device functionality. In 2011, 53% of survey respondents were able to use this technology to remotely lock or wipe their phone with a large number of people unaware this ability existed. Three years on, 65% of people confirmed they had this facility to protect their smartphone. Almost three quarters of Kiwis stated that they could find their device using an online system and one in three had actually used this technology in the past with two individuals calling for police assistance to recover a phone once located. 5 Ofcom Adults Media Use and Attitudes Report data- research/other/research- publications/adults/adults- media- lit- 14/ 6 Police Locker land on Android Devices - locker- available- for- your.html

7 NetSafe Smartphone Security Report 2014 Smartphones contain valuable data 75% of New Zealand residents who responded to the survey believed there was nothing sensitive stored on their smartphone. 8% of smartphone owners stated that they kept account passwords or other important information in plain text on their phone.

8 Data security and backing up When asked if they stored important information or passwords on their smartphone, three quarters of respondents believed there was nothing sensitive on their device. Given the ability of many apps and in- built phone components to track location, record calls or access contact lists or text messages, this figure indicates a surprising level of naiveté among users. Many smartphone owners may not fully comprehend the volume of data stored on their phone as they message friends and family, conduct transactions, surf the web or travel around with a device that could function as a tracking beacon. Almost one in ten owners (8%) stated that they kept account passwords or other important information in plain text on their phone. At the other end of the spectrum, almost a fifth said they were using a password manager tool to handle login information and store passwords securely. The unintentional disclosure of data stored on a smartphone was highlighted by the European Union Agency for Network and Information Security (ENISA) as a high risk in their 2010 Smartphone Security Report. 7 Individuals and business owners should think carefully about the volume of information stored on a mobile device and use built- in security features or additional security options to protect their device in the event of loss or theft. 62% of survey respondents stated that they routinely backed up their smartphone, a process that differs across manufacturers and operating systems. Yes, I backup my full phone 40.2% 51.3% Yes, I backup my SIM card / contacts No 8.5% Figure 3: Do you backup your phone to another computer or copy contacts from your SIM card? 7 Smartphones: Information security risks, opportunities and recommendations for users - and- trust/risks- and- data- breaches/smartphones- information- security- risks- opportunities- and- recommendations- for- users

9 Network security on the move Despite mobile data costs falling in New Zealand, many smartphone owners continue to make use of opportunities to save money and connect to free or open Wi- Fi networks when travelling. In 2011, 57% of Kiwis used free Wi- Fi hotspots. Three years later, 62% of survey respondents were using Wi- Fi connections but only 15% of those doing so also used a VPN connection to provide additional security to encrypt their activities online. One individual commented: I rely on my own data plan as do not trust free Wi- Fi NetSafe has continued to highlight the potential risks of so- called evil twin attacks where Wi- Fi networks are set- up to intercept internet activity. ENISA considers these Network Spoofing Attacks as medium risk but the potential is there for financial transactions to be recorded and the Banking Ombudsman issued a warning in February about sending sensitive information in s over free Wi- Fi after a New Zealand couple lost a six- figure sum. The future of mobile payments The ubiquity of mobile internet access now offered by smartphones allows anyone to perform a range of tasks on the move. Financial transactions are made easy by mobile network operators billing account customers directly and the banking sector has seized upon the app ecosystem as a way to offer their retail and business customers the ability to take payments on the spot. Near Field Communication (NFC), ibeacon and other technologies are presented as a way to turn the mobile phone into a consumer wallet with the potential for one device to store identification information, hold proprietary credits or to pay for items in- store. Three years ago, NetSafe asked if survey respondents were keen to see this type of technology rolled out more widely and 55% supported mobile payments. In 2014, 6% of Kiwis had already used NFC enabled payments but concerns about security meant that only 40% of those asked were now keen to use this technology for themselves. As convergence and mobility become key drivers for internet use, more may need to be done to reassure smartphone owners that device security or application security frameworks are effective at preventing financial losses or that policies are in place to support consumers who find themselves out of pocket for any reason. Patching and updating smartphones 8 Using unsecured public Wi- Fi risky business -

10 Keeping your operating system and software up to date has been a consistent message for desktop computer users for a long time. This discipline is also needed for smartphones. Whilst Apple, Microsoft s Windows Phone and Google s Android platforms take a different approach to their operating systems, patching regimes and app deployment processes, the end user still retains some control over keeping their smartphone up to date. When compared with ios- powered iphones, Android is normally associated with devices across the full price spectrum and this has allowed some manufacturers to sell smartphones and tablets that run on older versions of the operating system. When asked what operating system their smartphone was powered by, the majority of Apple owners were using ios version 7 (93%). Apple s managed ecosystem actively encourages owners to update their devices regularly and there have been several security patches deployed for ios 7 as more attention has been paid to Apple security vulnerabilities over recent months. Android owners can find their upgrade path complicated by network operator or manufacturer customisations and this was reflected in responses given by survey respondents. Only 20% of Kiwi- owned Android devices were powered by the latest OS, version 4.4 named KitKat. In 2011, 12% of survey respondents stated that their smartphone was jailbroken - where they had modified the original operating system or 'unlocked' the phone. This figure declined substantially in 2014 with only 5% of Kiwis confirming they were using a jailbroken handset. App security and user best practice The app economy is booming and official and unofficial app stores can provide a myriad of options for the bored or productive smartphone owner alike. Almost all survey respondents had downloaded apps to their device but almost a quarter admitted to not checking what permissions they required and what data the app could access on the phone. Malicious apps have been an issue for all the major smartphone manufacturers with media coverage regularly highlighting the risk associated with fake or cloned apps designed to part owners from their money, snoop on phone data or potentially run up large bills via text or data usage. A recent example of this would be the discovery that screensaver apps have been used to build a botnet secretly mining bitcoins for the developers 9. Smartphone owners should take the time to read store reviews and check for reported bugs before installing new games or services on their device. Only downloading from 9 BadLepricon malware caught stealth- mining bitcoin in Android apps - malware- bitcoin- mining- android- apps

11 official app stores can minimise risk. Owners also need to be aware of what system permissions and data on the phone each application requests access to. Figure 4: Protect Your Privacy on Your Mobile Device - Some high profile security vendors have seen fake copies of their anti- virus products listed for purchase in app stores so owners need to be alert to mis- spellings or poor grammar. Installing apps from unofficial sources on Android can also put you at increased risk as can sideloading APK files. An example of this would be smartphone owners browsing porn websites who have been enticed into downloading and installing a video player to watch adult content which subsequently acts as the delivery method for ransomware 10. Smartphone owners undertaking online banking on their device should also be alert to apps masquerading as official offerings although to date banking Trojans designed to intercept financial transactions have been an issue mainly affecting countries outside of New Zealand 11 : 10 Your Android phone viewed illegal porn. To unlock it, pay a $300 fine android- phone- viewed- illegal- porn- to- unlock- it- pay- a fine/ 11 Mobile banking threats around the world in Q Kaspersky Lab -

12 Figure 5: Mobile banking threats around the world in Q (Kaspersky Lab) The ability to send targeted spam and phishing s to mobile devices continues to be an issue for owners and employers. 95% of survey respondents stated that they could read and reply to work or personal s on their smartphone. Smishing or phishing messages have been shown to be three times more effective at harvesting login information on mobiles 12 as small screen sizes can prevent owners from recognizing visual clues that are more obvious on desktop computers. It can also be harder to confirm the full URL of a destination site or check the details of a secure certificate before entering login information. Device owners should avoid responding to spam text messages or clicking on the links they include to strange looking website URLs. A message sent to a smartphone can often trigger a notification that may reinforce the sense of urgency to respond or take action. 12 Phishing, smishing and how a casual click can deliver a nasty surprise - smishing- and- how- a- casual- click- can- deliver- a- nasty- surprise/

13 Smartphone Security Challenges ENISA 14 No. Title Risk Description 1 Data leakage resulting from device loss or theft 2 Unintentional disclosure of data 3 Attacks on decommissioned smartphones High High High The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it. The smartphone user unintentionally discloses data on the smartphone. The smartphone is decommissioned improperly allowing an attacker access to the data on the device. 4 Phishing attacks Medium An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, ) messages that seem genuine. 5 Spyware attacks Medium The smartphone has spyware installed, allowing an attacker to access or infer personal data. Spyware covers untargeted collection of personal information as opposed to targeted surveillance. 6 Network Spoofing Attacks Medium An attacker deploys a rogue network access point (Wi- Fi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing. 7 Surveillance attacks Medium An attacker keeps a specific user under surveillance through the target user s smartphone. 8 Diallerware attacks Medium An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers. 9 Financial malware attacks Medium The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions. 10 Network congestion Low Network resource overload due to smartphone usage leading to network unavailability for the end- user. 14 The top ten information security risks for smartphone users - and- CIIP/critical- applications/smartphone- security- 1/top- ten- risks

14 Smartphone Security Challenges - Summary Figure 6: Our 2011 report identified a range of challenges connected to the loss of a handset or an attacker gaining access to the apps or data on the device The image above was originally created in 2011 to highlight potential risks to smartphone owners. The New Zealand Law Society produced an updated version for the October 2013 edition of their Law Talk magazine 13, which can be freely accessed online. Risks can be summarised as follows: 1. Physical loss Losing your phone can provide access to your device and data, especially if the handset is not protected by a lockscreen. Losses can include your contacts and other stored information, the cost of any texts sent or data used. If financial information or app logins are stored on the phone (and do not require further authentication by the re- entry of a password or PIN) an attacker or thief may be able to access bank accounts or accounting information. Reputational harm can also be caused if the handset is used to send spam or scam s to friends or business contacts, message social networks 13 NZ Law Talk, Issue archives/issue- 830

15 or to impersonate the original owner. 2. Malware Smartphone owners should patch operating systems and apps to avoid emerging mobile malware threats and consider installing anti- virus software. Fake or cloned apps can harvest data or incur network costs if premium rate texts are sent without permission. Apps which leak data should be considered a privacy risk. Sideloading copies of popular apps from unofficial marketplaces or installing APK files to watch adult videos are examples of current malicious threats. 3. Phishing and smishing Smishing involves sending spam text messages designed to direct owners to malware websites or imposter banking sites that record login information for later use. Smartphone owners may be less conditioned to receiving mobile spam. They can also find it hard to detect the visual clues that are more obvious in standard phishing attacks due to the small size of the screen and an inability to review a linked URL. 4. Wi- Fi network spoofing Open hotspots are a popular way to save on mobile internet costs. Connecting to a free Wi- Fi network can allow full use of all smartphone functionality but unencrypted connections or network access points set up to record internet traffic can allow cyber criminals to record login information. Financial transactions should only be undertaken on a secure network. Owners can boost their security by using a VPN service to encrypt data. 5. Privacy concerns Location services on smartphones can add a new dimension to local search tools or aid online marketers looking to monitor customer behavior. GPS tagging can assist with storing photo location data and has transformed the navigation market. Device owners should examine just how much location data they share with online services and what information the apps they choose to install can pass back to their developers.

16 Smartphone Security Advice 1. Lock your smartphone Use a pin, password, complex swipe or other option to restrict access to your phone should it be lost or stolen. Whilst there may still be ways for persistent attackers to gain access to your device, taking steps to prevent casual use is essential and helps secure the contents of your phone especially your photos and contacts - from prying eyes. Check settings to enable automatic screen locking after several minutes of non- use. 2. Investigate security software that lets you find, lock, wipe or disable your phone Many popular smartphones come with easy options to help you locate your device, flash up a message on screen to anyone finding it or to activate a loud noise to aid recovery or deter a thief. This may be part of the operating system or available as a stand alone app or bundled with an anti- virus security suite. 3. Consider installing anti- virus software Smartphone operating systems are constantly being improved with steps taken to patch security holes as they are made public. Although the majority of malware or malicious software remains focused on desktop computers, 99% of mobile malware is targeted at Android devices 15 and an anti- virus package is another line in your defence. New computer security threats are being developed every day and mobile malware continues to be highlighted as an emerging risk. 4. Keep your operating system up to date How easy this task is depends on your chosen device but NetSafe encourages smartphone owners to actively apply operating system updates when made available. Newer versions of software tend to more secure and your smartphone is a powerful computer that also needs protecting. 5. Be cautious about what apps you install Stick with the official marketplaces to avoid installing malicious software and be cautious about what permissions are requested during the installation process. Does that free game really need to be able to read or send text messages or access your camera? Many mobile malware threats are developed and most active in Russia, Kazakhstan, Belarus, and Ukraine but security companies have reported malware being detected in more than 50 countries to date. 15 Data suggests Android malware threat greatly overhyped - suggests- Android- malware- threat- greatly- overhyped

17 6. Jailbreak at your own risk There may be some benefits to trying out a new operating system for your smartphone but dumping the manufacturer s system can also expose you to increased risk. Make sure you fully understand what the process involves and any additional security features that may be required to avoid malware threats. 7. Backup your device and the data stored on it Imagine the downside to losing your phone and with it your full list of contacts or photos from a recent trip. Try to keep a clean device by routinely removing data that doesn t need to be kept on your phone just in case you lose it or someone gets access to your collection of risky selfies. 8. Consider the risks of using free Wi- Fi The potential for having your s, banking transactions or purchases intercepted may seem small but NetSafe would still encourage smartphone owners to stick with trusted data connections or your home Wi- Fi for sensitive activities. Investigate Virtual Private Network (VPN) security apps if you really need to connect to open hotspots. 9. Don t click on links or open attachments you weren t expecting Text spam continues to be an issue for mobile owners so avoid responding to lottery or competition messages or clicking on links they include to strange looking websites. You can forward spam texts to 7726 where the Department of Internal Affairs monitors spam arriving from around the world. If you can read your personal or business s on your phone, be alert to standard phishing messages that are often more successful at sucking in victims due to the small screen size and the sense of urgency they can create by triggering a notification. 10. Be wary of sharing your smartphone with others Kids love to play games and a loaded smartphone can be a handy babysitting option for bored children in a restaurant or social setting. Be aware though that it doesn t take much for someone borrowing your phone to accidentally post a rogue tweet to a work social media account or to send an SMS or to your business contacts. Investigate ways to lock down what apps or functions can be used or simply keep the device for work use only. 11. Be alert to your smartphone behaving oddly Check your bills regularly to see if text messages especially to premium rate or overseas numbers are being sent without you noticing. Similarly, high data usage may signify a problem with your phone or an app you have installed. If the battery is draining rapidly this could be a sign that other apps or processes are operating in the background so check to see what is running on the device.

18 12. Securely erase personal information before reselling or recycling If you re thinking of selling or recycling your smartphone before upgrading, think carefully about the data stored on the phone and delete all apps and related data before wiping or securely erasing personal information. iphone owners can use Apple s factory reset to perform this task, Android and Windows Phone owners can use similar options or install Blancco Mobile Edition on a PC to thoroughly delete data.

19 I ve lost my phone what do I do now? It pays to take preventative steps to protect your phone should you lose it or have it stolen installing software or activating the manufacturer s service may let you track, lock or wipe the data in the future. It s also worth recording the unique IMEI number of the handset, which can often be found on the original packaging, under the battery or via the operating system settings. Keep a note of this number and consider storing it alongside other electronic assets you own on the NZ Police website at Contact your mobile network operator Once you know your phone is missing, contact your telecoms company for help and advice and consider the new mobile handset blacklisting option. 2degrees or- stolen- phone Telecom Vodafone phones/lost- or- stolen/ Mobile Handset Blacklisting If you lose your handset and don t want someone else using it on an NZ mobile network, you can have the handset blacklisted or IMEI blocked. To blacklist or un- blacklist your device contact your network provider using the details above. To check the status of an IMEI number you can use the Telecommunications Forum checker tool online at If you re considering buying a used handset it may be worth checking that the phone hasn t been blocked on New Zealand networks before you part with your cash. Report the lost or stolen phone to NZ Police Making a police report may help you recover your phone and may also be required if you want to make an insurance claim. You can find the details for your local police station in the phone book or on the website.