A recent Mobile Security Index published by Verizon suggests cybercriminals are enjoying more success compromising mobile applications and devices than many organizations have come to appreciate.
Based on a survey of 876 professionals responsible for buying, managing and securing mobile and Internet of Things (IoT) devices, the report finds 39% have suffered a cybersecurity compromise, up from 33% a year ago. A total of 43% admit to cutting cybersecurity corners when it comes to mobile computing, mainly because of expediency, convenience, and cost.
Of those that had suffered a compromise, 66% described the impact of that breach as being major, while 36% said it had lasting repercussions for the organization. Nearly a third (29%) said their organization suffered a regulatory penalty as a result of a mobile-related security compromise.
The good news is more organizations are concerned about mobile security. The report finds 87% of respondents said they were concerned that a mobile security breach could have a lasting impact on customer loyalty, while 81% said that a company’s data privacy record will be a key brand differentiator in the future. A total of 43% said they would increase spending on mobile security in the next 12 months.
Most of the attacks aimed at mobile computing devices come in the form of phishing, ransomware and malware attacks. However, the form phishing takes on mobile computing devices is very different from traditional endpoints. For example, the Verizon report notes 85% of attacks seen on mobile devices now take place via mediums other than email. Phishing attacks sent via text messages, for example, are becoming a lot more common.
In addition, cybercriminals are making use of Punycode, a special type of encoding developed to handle non-Latin characters in domain names. It uses combinations of the letters A–Z, the digits 0–9 and the hyphen to represent characters from sets such as Cyrillic (like Б and Д) and Kanji (like 水 and 木). Cybercriminals are deliberately using Punycode in domain names, knowing that many computers won’t have the non-Latin characters available in their default fonts. This means that the Punycode converts back to the closest Latin characters instead. The user can’t tell that anything out of the ordinary is happening, but the URL is not what it seems.
A similar technique employs homoglyphs, which are letters that look very similar and could easily be overlooked by a busy user viewing a small screen.
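A defender-side check for the two tricks described above, as an added example that is not from the Verizon report or the original post: it decodes `xn--` labels with Python's built-in `punycode` codec and flags mixed-script and lookalike names. The watchlist, the small lookalike table and the function names are assumptions made up for the illustration.

```python
import unicodedata

# Constructed watchlist: names the defender wants to protect (assumption).
WATCHLIST = {"example", "copay"}
# Constructed subset of Cyrillic letters that resemble Latin a e o p c x y i s;
# production code would load Unicode's full confusables data instead.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0455", "aeopcxyis")

def script_of(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding 'xn--' Punycode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect_hostname(hostname):
    """Return (decoded hostname, list of reasons it deserves a closer look)."""
    flags, decoded = [], []
    for label in hostname.lower().rstrip(".").split("."):
        try:
            text = decode_label(label)
        except ValueError:  # UnicodeError subclasses ValueError
            flags.append("invalid-punycode")
            text = label
        decoded.append(text)
        if text != label:
            flags.append("punycode")
        scripts = {script_of(c) for c in text if c.isalpha()}
        if len(scripts) > 1:  # note: some legitimate names mix scripts too
            flags.append("mixed-script:" + "+".join(sorted(scripts)))
        skeleton = text.translate(CONFUSABLES)
        if skeleton in WATCHLIST and text != skeleton:
            flags.append("lookalike:" + skeleton)
    return ".".join(decoded), flags

def to_ace(label):
    """Encode a Unicode label to its 'xn--' form (used to build the samples)."""
    return "xn--" + label.encode("punycode").decode("ascii")

if __name__ == "__main__":
    # Constructed samples: plain ASCII, mixed Cyrillic/Latin, all-Cyrillic, Kanji.
    samples = ["example.com", to_ace("\u0435\u0445\u0430mple") + ".com",
               to_ace("\u0441\u043e\u0440\u0430\u0443") + ".net", to_ace("\u6c34\u6728") + ".jp"]
    for host in samples:
        print(host, *inspect_hostname(host))
```

A legitimate internationalized name such as the Kanji sample is reported only as `punycode`, so that flag on its own is informational; the mixed-script and lookalike flags are the ones worth alerting on.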
End users are often under the impression their mobile computing devices are safe, especially if they come from Apple. In practice, cybercriminals are clearly becoming a lot more adept at exploiting unsuspecting end users. That’s troubling because many organizations don’t pay nearly as much attention to mobile security as they do other platforms, even though end users are making use of mobile computing devices a lot more these days than traditional desktops.
Of course, the most important thing for cybersecurity professionals to do is educate employees on the nature of the threat, hopefully before some cybercriminal delivers a much harder lesson.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.