According to Dr. Markus Jakobsson, a noted security expert in the field of phishing and crimeware, mobile phones -- especially smart phones -- pose the next big headache for security professionals. And financial institutions should be particularly concerned about risks to mobile banking.
"Hackers target data that can be turned into cash, and mobile banking services are a prime spot for them to target," says Jakobsson, principal scientist at the Palo Alto Research Center (PARC), a commercial innovation center.
User behavior is part of the challenge. People who won't open a strange attachment to an email on their PC don't take the same precautions with their phones. "People have not connected that phones are computers, and that means they can get infected," Jakobsson says. "Especially since it is a social device, users get things from their friends so much more often on a smart phone."
The other issue is pure security. "Cell phones are a higher risk because they aren't well protected," he says.
At present, the possibility of malware infecting mobile phones is low. "There is no mobile malware to speak of," Jakobsson says. "But once the magnitude of the problem goes up, the traditional measures used to detect malware on Macs and PCs will not be able to handle the load without draining a cell phone's battery."
Worse, he says, the smart phone platform will surpass the regular Windows platform on computers and become the biggest target for hackers within three years. A 2009 projection by Credit Suisse analysts expected the smart phone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 were about 1.2 billion, and worldwide unit sales of all PCs in 2009 were projected to be about 300 million.
These numbers mean that the malware writers will seize the opportunity to target mobile phones, Jakobsson predicts. "Malware writers are just crooked businessmen," he says. "I imagine they are working overtime to create malware for the smart phone platforms."
There are already malicious applications being spread by hackers for the Android and iPhone platforms that try to steal banking credentials from unsuspecting users.
There are currently two kinds of countermeasures that could be used to detect malware on a smartphone. The first is signature-based. "Think of it as a party, and you have a bouncer looking at everyone's IDs before they can get in the party," Jakobsson says. "If their ID shows that they've behaved poorly at a previous party, they won't let them in."
The second is a behavioral detection model that can be compared to looking at what people are doing while they are standing in line to get into a party. "If they are fighting or throwing up, the behavioral detection model will not allow them in."
The drawback to these countermeasures is that both are extremely taxing on a phone's battery, and will drain it if they have to check every attachment coming in, Jakobsson notes.
Software-based attestation has been researched for several years by several teams of computer scientists. Yet all prior software-based attestation methods have proven unsuitable for use on handsets. Solutions designed for embedded devices, for example, do not work on handsets. "The reason is that a malware agent on an embedded device cannot establish a radio connection to an external resource in order to cheat, whereas a malware agent on a handset can do that," he says.
Other solutions require too much computation for handsets and are only practical on powerful computers. "And most of [the potential solutions] have been found to have some security flaw," Jakobsson says.
Experts: Mobile Security 'Meltdown'
Jakobsson isn't alone in warning of the potential dangers of unsecured smart phones.
Dr. Larry Ponemon, head of the Ponemon Institute, a noted privacy and information security research firm, also sees trouble ahead for entities seeking to secure their mobile phones. "Smart phones are computers with the capacity to capture and store significant amounts of information including network connection credentials," Ponemon says. "Our research shows that end-users of smart phones are more susceptible to surreptitious downloads -- including dangerous data stealing malware and botnets."
Also, organizations are finding it difficult to prevent end-users from downloading strange applications -- especially when the device is owned by the end-user. "In short, this is a perfect storm for a security meltdown," Ponemon says.
The kinds of mobile malware being seen today exhibit anomalous or aggressive behavior, says Srinivas Mukkamala, Chief Technology Officer at CAaNES, a private research arm of New Mexico Tech. He sees mobile malware evolving to be more stealthy and intelligent. "It is trying to steal sensitive data that's stored on mobile devices. The 'next generation' mobile malware-infected devices will show no obvious signs of infection, which makes detection harder," Mukkamala says.
"Next gen will be more polymorphic and metamorphic in nature where they will have inbuilt capabilities to change and evolve rapidly to avoid detection (signatures are required to detect every time a variant is created)," he adds. They will also try to hide in the operating systems or bind to system files, making them harder to remove.
Mobile malware is going to become a fact of life, says Tom Wills, Security, Fraud & Compliance Senior Analyst at Javelin Strategy and Research, a security research firm based in San Diego, CA. "We don't yet have the mass consumer uptake that has happened on the online side," he says. "Many banks still don't offer fully functional online banking, yet. All you can do in many cases is find an ATM or check your balance. You often can't move money. The equation changes when you can move money."
Wills agrees that the richest environment for mobile malware is smart phones, because smart phones often use web browsers (i.e. mini online banking), and browsers are more vulnerable to malware than dedicated applications are. While that's a very fast-growing segment of the market, he notes that most Americans are still using older-generation handsets.
The hacksters -- what Wills calls the hackers and fraudsters who commit data theft -- will always follow the path of least resistance, and today that's still the online channel, not mobile. "As soon as it becomes mobile, they'll be all over it," he predicts. He sees this happening within 18-24 months, when mobile banking and payments on smart phones become a mass market service and commonly feature the ability to move money.