From using phones with no internet access to having smartphones to unlock your smart cars, we have come a very long way. With little or no security defense and access to valuable organizational information, smart devices are becoming the new favorite target of attackers.
On the occasion of International Women’s Day 2023, three female cyber experts from the GS Lab|GAVS Security Team had come together to have a deep dive discussion on this topic.
“With the advancement and increased proliferation of technology, there has also been an increase in cyberattacks. Phone-based security attacks have been a common news item these days. Threat actors are constantly trying to steal data; with low security and having multiple attack vectors, smartphones are an easy target”, said Bhavani Damodaran, Technical Manager, Information Security.
From a Security Operations point of view, Mythili V, Sr. Engineer, commented that the number of Vishing/Smishing related attacks is on the rise. “We are experiencing a huge number of attacks targeting smartphone users where Vishing/Smishing is one of them.
Smishing is a type of phishing scam, where a hacker sends a SMS which seems legitimate with an urgency in the message. This creates panic among the users, so they react/respond to the message almost immediately.
Most of us would panic if we saw a message that goes like “We have detected suspicious activity on your bank account, hence we have blocked your account, to unblock please click on the below link” or “Priority!! Your account has been compromised. Please click this link to reset your password.”
We would immediately act on the message by clicking the link present within assuming it is from a legit source. This is where the hacker wins by making us click a malicious link and thereby gaining access to our sensitive information.”
The link might redirect us to another website, or it may download malware which enable the hackers to steal the personal information like DOB, Names, Contacts credit card and bank account information, location history, contact list, photos, and more for their benefits.
Most of the data collected through these attacks are sold in the dark web.
According to a latest report by Nord VPN, Stolen data of around 5 million internet users globally is being sold online of which 600,000 is that of Indians. Making India the most affected country.
Also, one more type of mobile based attack is Vishing – the scammers call the victim using pre-recorded voice message, pretending to be a legitimate source, and seeking personal information from the answers the victim gives.
Though many of us are aware of what is Phishing, user awareness on Smishing and Vishing needs to be increased. Making the user understand that they should keep calm while handling these calls and messages and be informed not to give any sensitive personal information. We should be careful while clicking on links from unknown sources.
Madhumitha K, Engineer, Access Management mentioned that “With very less or poorly managed access protection, the hackers could easily gain access to our mobile devices. Use of two-factor authentication like strong passwords/codes along with biometrics can ensure that even if our phone gets lost or stolen, we would be still able to protect our precious data within.
Also downloads of malicious apps or accessing malicious websites could open entry ways for bad actors to get in. These days, with a click of a link malware gets downloaded in the background without the user’s knowledge. The user should be well informed and access only trusted sites or download apps from the App Store and provide only the required permission to these apps.”
She also added that we could escape from these attacks by
- using cellular data over public Wi-Fi,
- enabling strong authentication for banking and company-related apps
- Not accessing untrusted websites or clicking on pop-ups
- avoiding accepting all cookies
- updating OS & apps regularly
People are constantly downloading applications and software and often the most sought out ones are the free apps – these apps often are not secured and trustworthy. It gives way for the cyber criminals to find loopholes to exploit and enter the targets phone.
“Many organizations are having their business data accessed through mobile devices. The number of smart phones as an organization’s endpoint has increased in the recent days. Organizations are constantly seeking newer security measures to manage and monitor the mobile devices.
Mobile device management (MDM) policies are being implemented to enforce stronger security controls such as DLP, encryption, password policies and remote wipe capabilities. Once the device is reported missing or hacked the organization has an option to wipe all the data from remote.
Training users on security best practices also play a vital role in helping users stay safe” said Bhavani Damodaran, Technical Manager, Information Security
Reference
Author
Bhavani Damodaran
Bhavani has held numerous positions of responsibility in the areas of Information Security such as risk management, IT controls, audits and compliance. Her expertise involves in handling IT risks, security control framework designing and assessing digital tools. She is an avid traveller and passionate about driving.
Author
Mythili V
Mythili has worked in field of System Administration and Security Management specialized in the field of Antivirus and is currently part of the internal security operations team.
Author
Madhumitha K
