Cybercrime on Mobile & Wireless devices

[Unit 2-

Cybercrime Mobile & Wireless devices: Security challenges posted by mobile devices, cryptographic
Security for mobile devices, Attacks on mobile/cell phones, Theft, Virus, Hacking. Bluetooth;
Different viruses on laptop [8L]

Introduction

In this modern era, the rising importance of electronic gadgets (i.e., mobile hand-held devices) – which
became an integral part of business, providing connectivity with the Internet outside the office – brings
many challenges to secure these devices from being a victim of cybercrime.

mobile phones has grown

from limited user communities to widespread desktop replacement and broad deployment.

By the end of 2008 around 1.5 billion individuals around the world had the Internet access.

growing proportion of those

mobile devices enabled for the Internet access.

y of managing these devices outside the walls of the office is something that the nformation
technology (IT) departments in the organizations need to address.

-in to wireless-on-the-move, and smart hand-

held devices such as PDAs have become networked, converging with mobile phones.

have converged
into a new category of mobile phone device: the Smartphone.

Smartphones combine the best aspects of mobile and wireless technologies and blend them into a useful
business tool.

company provided PDAs

(as the case may be) for the Smartphones, many users may bring these devices from home and use them in
the office.

increase the demands on

the IT function to secure the device, data and connection to the network, keeping control of the corporate
assets, while at the same time supporting mobile user productivity.

clearly, these technological developments present a new set of security challenges to the global
organizations.

Proliferation (Growth) of Mobile and Wireless Devices

 the buyers have a
choice between high-end PDAs with integrated wireless modems and small phones with wireless Web-
browsing capabilities.

-held mobile device provides enough computing power to run small applications, play
games and music, and make voice calls.

device‖ includes many products. We first provide a clear distinction among the key
terms: mobile computing, wireless computing and hand-held devices.

of mobile computing and the various types of devices.

Mobile computing

Mobile computing is ―taking a computer and all necessary files and software out into the field.‖ Many types
of mobile computers have been introduced since 1990s.

They are as follows:

1. Portable computer: It is a general-purpose computer that can be easily moved from one place to
another, but cannot be used while in transit, usually because it requires some ―setting-up‖ and an AC power
source.

2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has features of a touch
screen with a stylus and handwriting recognition software. Tablets may not be best suited for applications
requiring a physical keyboard for typing, but are otherwise capable of carrying out most tasks that an
ordinary laptop would be able to perform.

3. Internet tablet: It is the Internet appliance in tablet form. Unlike a Tablet PC, the Internet tablet does not
have much computing power and its applications suite is limited. Also it cannot replace a general-purpose
computer. The Internet tablets typically feature an MP3 and video player, a Web browser, a chat application
and a picture viewer.

4. Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with limited functionality.
It is intended to supplement and synchronize with a desktop computer, giving access to contacts, address
book, notes, E-Mail and other features.

5. Ultramobile PC: It is a full-featured, PDA-sized computer running a general-purpose operating system

(OS).

6. Smartphone: It is a PDA with integrated cell phone functionality. Current Smartphones have a wide
range of features and installable applications.

7. Carputer: It is a computing device installed in an automobile. It operates as a wireless computer, sound

system, global positioning system (GPS) and DVD player. It also contains word processing software and is
Bluetooth compatible.

8. Fly Fusion Pentop computer: It is a computing device with the size and shape of a pen. It functions as a
writing utensil, MP3 player, language translator, digital storage device and calculator.
Wireless computing

(such as a PDA)
and a data source (such as an agency database server) without a physical connection.

nologies are mobile. For example, lasers are used in wireless data
transfer between buildings, but cannot be used in mobile communications at this time.

desktop that is, not tethered. As

more personal devices find their way into the enterprise, corporations are realizing cyber security threats that
come along with the benefits achieved with mobile solutions.

act, it may not require

communication among devices at all.

mobile without being

wireless.

-helds are defined as hand-held or pocket-sized devices that connect to a wireless or cellular
network, and can have software installed on them; this includes networked PDAs and Smartphones.

Trends in Mobility

promises greater variety in

applications and have highly improved usability as well as speedier networking. Wirel―iPhone‖ from Apple
and Google-led ―Android‖ phones are the best examples of this trend and there are plenty of other
developments that point in this direction.

technology is rapidly gaining popularity and the attackers (hackers and crackers) are
among its biggest fans.

Seriousness of cyber
security issues in the mobile computing domain.

ess and mobile devices

Popular types of attacks against 3G mobile networks are as follows:

1. Malwares, viruses and worms: Although many users are still in the transient process of switching from
2G, 2.5G to 3G, it is a growing need to educate the community people and provide awareness of such threats
that exist while using mobile devices. Here are few examples of malware(s) specific to mobile devices
:
• Skull Trojan: It targets Series 60 phones equipped with the Symbian mobile OS.

• Cabir Worm: It is the first dedicated mobile-phone worm; infects phones running on Symbian OS and
scans other mobile devices to send a copy of itself to the first vulnerable phone it finds through Bluetooth
Wireless technology. The worst thing about this worm is that the source code for the Cabir-H and Cabir-I
viruses is available online.

• Mosquito Trojan: It affects the Series 60 Smart phones and is a cracked version of―Mosquitos‖ mobile
phone game.

• Brador Trojan: It affects the Windows CE OS by creating a svchost.exe file in the Windows start-up
folder which allows full control of the device. This executable file is conductive to traditional worm
propagation vector such as E-Mail file attachments

• Lasco Worm: It was released first in 2005 to target PDAs and mobile phones running the Symbian OS.
Lasco is based on Cabir’s source code and replicates over Bluetooth connection. Unavailable to the intended
users. Virus attacks can be used to damage the system to make the system unavailable.

3. Overbilling attack: Overbilling involves an attacker hijacking a subscriber’s IP address and then using it
(i.e., the connection) to initiate downloads that are not ―Free downloads‖ or simply use it for his/her own
purposes. In either case, the legitimate user is charged for the activity which the user did not conduct.

4. Spoofed policy development process (PDP): These types of attacks exploit the vulnerabilities in the
GTP [General Packet Radio Service (GPRS) Tunnelling Protocol].
5. Signaling-level attacks: The Session Initiation Protocol (SIP) is a signalling protocol used in IP
multimedia subsystem (IMS) networks to provide Voice Over Internet Protocol (VoIP) services. There are
several vulnerabilities with SIP-based VoIP systems.

Credit Card Frauds in Mobile and Wireless Computing Era

– mobile commerce (M-

Commerce) and mobile banking (M-Banking).

e now becoming commonplace given the ever- increasing power and the ever-
reducing prices of the mobile hand-held devices, factors that result in easy availability of these gadgets to
almost anyone.

Mobile credit card transactions are now very common; new technologies combine low cost mobile phone
technologies with the capabilities of a point-of-sale (POS) terminal.

anywhere anytime computing.

mode of working for white collar

workers.

process
transactions from mobile locations quickly, efficiently and professionally.

ses that operate mainly in a mobile environment.

cards.

Credit card companies, normally, do a good job of helping consumers resolve identity(ID) theft problems
once they occur. But they could reduce ID fraud even more if they give consumers better tools to monitor
their accounts and limit high-risk transactions
1. Merchant sends a transaction to bank;
2. The bank transmits the request to the authorized cardholder[not short message service (SMS)];
3. The cardholder approves or rejects (password protected);
4. The bank/merchant is notified;
5. The credit card transaction is completed.

(Box 3.2). Tips to Prevent Credit Card Frauds

era, however, we would

like to include these tips to prevent credit card frauds caused due to individual ignorance about a few known
facts.

Do’s

1. Put your signature on the card immediately upon its receipt.

2. Make the photocopy of both the sides of your card and preserve it at a safe place to remember the card
number, expiration date in case of loss of card.

3. Change the default personal identification number (PIN) received from the bank beforedoing any
transaction.
4. Always carry the details about contact numbers of your bank in case of loss of your card.
5. Carry your cards in a separate pouch/card holder than your wallet.

6. Keep an eye on your card during the transaction, and ensure to get it back immediately.
7. Preserve all the receipts to compare with credit card invoice.
8. Reconcile your monthly invoice/statement with your receipts.
9. Report immediately any discrepancy observed in the monthly invoice/statement.
10. Destroy all the receipts after reconciling it with the monthly invoice/statement.
11. Inform your bank in advance, about any change in your contact details such as home address, cell phone
number and E-Mail address.
12. Ensure the legitimacy of the website before providing any of your card details.
13. Report the loss of the card immediately in your bank and at the police station, if necessary.

Dont’s

1. Store your card number and PINs in your cell.

2. Lend your cards to anyone.
3. Leave cards or transaction receipts lying around.
4. Sign a blank receipt (if the transaction details are not legible, ask for another receipt to ensure the amount
instead of trusting the seller).
5. Write your card number/PIN on a postcard or the outside of an envelope.
6. Give out immediately your account number over the phone (unless you are calling to a company/ to your
bank).
7. Destroy credit card receipts by simply dropping into garbage box/dustbin.

Security Challenges Posed by Mobile Devices

in challenges to cyber security:

o first, on the hand-held devices, information is being taken outside the physically controlled environment
and
o second remote access back to the protected environment is being granted.

to these cyber security challenges are important in

devising appropriate security operating procedure.

1. at the device level called ―microchallenges‖ and

2. at the organizational level called ―macrochallenges.‖

-known technical challenges in mobile security are: managing the registry settings and
configurations, authentication service security, cryptography security, Lightweight Directory Access
Protocol (LDAP) security, remote access server (RAS) security, media player control security, networking
application program interface (API) security, etc.

Registry Settings for Mobile Devices

le:

o Microsoft ActiveSync is meant for synchronization with Windows-powered personal

computers (PCs) and Microsoft Outlook.

o ActiveSync acts as the gateway between Windows-powered PC and Windows mobile-powered device,
enabling the transfer of applications such as Outlook information, Microsoft Office documents, pictures,
music, videos and applications from a user’s desktop to his/her device.

o In addition to synchronizing with a PC, ActiveSync can synchronize directly with the Microsoft exchange
server so that the users can keep their E-Mails, calendar, notes and contacts updated wirelessly when they
are away from their PCs.
o In this context, registry setting becomes an important issue given the ease with which various
applications allow a free flow of information.

One of the most

prevalent areas where this attention to security is applicable is within ―group policy.‖ Group policy is one of
the core operations that are performed by Windows Active Directory. (Run command box, type
GPEDIT.MSC command to initiate the Local Group Policy Editor)

Wireless and mobile devices have become ubiquitous in today’s society, and with this increased usage
comes the potential for security threats. Wireless and mobile device attacks are a growing concern for
individuals, businesses, and governments.
Below are some of the most common types of Wireless and Mobile Device Attacks

What is cyber-crime in mobile and wireless devices?

A cyber-crime is a criminal act in which someone targets a computer or a network of devices in order
to gain illegal rights, steal data from them, frauds etc. This type of crime is carried out using technology
which primarily takes place online.

What are examples of mobile and wireless devices?

Cordless phones are wireless devices, as are TV remote controls, radios, and GPS systems. Other
wireless devices include phones, tablets, Bluetooth mice and keyboards, wireless routers, and most devices
that don't use wires to transmit information

Security Threats of Smartphones

You might be surprised by the hidden security threats lurking inside your trusty mobile device.

Our smartphones are always an arm’s length away, but how many of us are wise to the risks of using them?
Mobile security threats are on the rise: Mobile devices now account for more than 60 percent of digital
fraud, from phishing attacks to stolen passwords. Using our phones for sensitive business such as banking
makes security even more essential. ―The more you depend on your phone for everyday tasks, the more it
will impact you if your device is compromised,‖ says Randy Pargman, senior director for Binary Defense, a
cybersecurity company. That’s also one of the reasons you should never store certain things on your
smartphone.

Luckily, you can still use your phone safely by staying informed and taking precautions. To that end, we
rounded up this year’s biggest threats to smartphone security, as well as some expert tips that will help you
protect yourself, your phone, and your info.

Data leaks

Before installing a new app on your smartphone, you might want to read the fine print. Nearly every
smartphone app collects data from your phone, according to Pargman. That info could include your name,
date of birth, credit card and bank account information, location history, contact list, photos, and more. ―It’s
a little scary when you realize just how much of your activity is collected on servers maintained by the app
developers,‖ Pargman says. If those servers are hacked or if a technical error leaves them vulnerable, all of
that data can be stolen and used by criminals for fraud. Pargman suggests adjusting the security controls on
your device to limit the data collected by each app and thinking twice before downloading any new app that
requests a lot of permissions. FYI, if these apps are on your phone, someone may be spying on you.
Open WiFi

Connecting to open WiFi networks that do not require a password or use encryption is convenient when
you’re in a pinch. But doing so could allow anyone nearby to easily spy on all of your online activity,
Pargman says. Even worse, a cybercriminal can create a phony WiFi hotspot in order to trick users to
connect to it and steal their data. For example, instead of going to your bank’s website, the WiFi network
could direct you to a page that looks just like it and swipe your password when you try to log in. ―The safest
approach is to only connect to WiFi access points that you know and trust,‖ Pargman says. ―Don’t just
connect to anything you find.‖ If you really have no choice, make sure you never do these things when using
public Wi-Fi.

Phishing attacks

Cybercriminals often use email, text messages, and even voice calls to fool their targets into giving up a
password, clicking on a link to download malware, or confirming a transaction—a practice known as
phishing. ―Phishing remains one of the most often-used and successful tricks that cybercriminals use to
compromise victims,‖ Pargman says of this mobile security threat. To avoid falling for a phishing scam,
always verify who is contacting you for your personal information. For example, Pargman recommends
telling the caller claiming to be your bank that you’ll call back using the bank’s official phone number. You
should also delete these texts immediately because they are likely scams.

Spyware

Beware of apps that promise to monitor the activity of your loved ones and children—in reality, they
are spyware that is ―designed to allow extremely invasive digital surveillance through a smartphone,‖
Pargman says. Abusers can use these apps to read texts and emails, track the phone’s location, secretly listen
to nearby conversations, and take pictures, among other activities. Even less insidious apps can still collect
data about what you do on your smartphone, Pargman says. While making your phone impossible to
track can be hard, it’s still quite possible to do it to a certain extent to ensure safety. He suggests avoiding
apps that request a lot of permissions or any permission having to do with accessibility. ―Those permissions
give apps the ability to read the text in other apps or control other apps—that’s a lot of power that can be
abused,‖ he explains. Watch out for these red flags someone is spying on your computer, too.

Malicious apps

If you think an app is too good to be true, it probably is, according to Pargman. He calls this the Trojan
Horse trick: An app may appear to be beneficial—offering free access to something that should cost
money—but it actually contains a virus. ―People who take the bait and install these malicious apps are often
surprised to find that instead of the promised free material they were hoping for, their entire smartphone is
locked, or their data is stolen, and they are faced with threats,‖ Pargman says. Other times, the virus might
secretly transfer money to the attacker’s accounts through the phone’s online banking app. ―The best cure
for these malicious apps is prevention,‖ notes Pargman. Steer clear of apps that promise free access to
premium content, aren’t listed in well-known app stores, and don’t have a history of reviews. These are
the apps security experts would never have on their phone.

Apps with weak security

Without strong security standards, many smartphone apps can make your information vulnerable to
malicious actors. App developers might use weak encryption algorithms that are easy to hack, or
unintentionally share digital ―tokens‖ that allow hackers to impersonate real people online. Unfortunately,
there is ―very little that the average person can do to know which apps don’t do a good job with security,‖
according to Pargman. A good guideline is to be smart about the data you want to entrust to each app, he
says. While you may feel comfortable allowing an app to save your email address, you should be more
cautious about giving an app permission to access your contacts or store sensitive information such as your
Social Security Number or date of birth. You can check out these mobile security apps to help protect your
information.

Poor password security

More than half of Americans reuse passwords across multiple accounts, a 2019 Google/Harris poll found.
Those passwords are catnip for cybercriminals, who can gain access to hundreds of accounts by purchasing
massive lists of hacked and leaked passwords on the dark web. To protect your accounts from hackers,
Pargman suggests setting up multi-factor authentication, as well as using a password manager app to
generate and store unique passwords for every account. ―That way, you don’t need to use your pet’s name as
your only form of protection to keep your money where it belongs and out of the pockets of thieves,‖ he
says. As you secure your accounts, avoid the password mistakes hackers hope you make.

Out-of-date devices

When was the last time you updated your phone? It may be key to protecting your device against malware
and other cyberattacks. Phones that are too old to receive security updates should be replaced, according to
Pargman. ―Even if it seems to still run, there’s risk in using an old phone that hasn’t received the latest
security updates,‖ he says. You can find out how long your device will be updated by checking the ―end of
life‖ or ―end of support‖ date on the manufacturer’s website. Samsung updates devices for up to four years,
Apple provides regular updates for iPhones for about five to six years, and Google supports its Pixel line of
phones for at least three years. FYI, that’s not the only warning sign it’s time for a new cell phone.

Identity theft

Reports of identity theft have sharply increased in the past few years, with millions of cases detected since
March 2020 alone. Recently, thieves have used stolen identities to open new mobile phone accounts, or
hijack an existing account and upgrade phones or add phone lines. Victims may receive large bills from their
carrier or charges from accounts with other carriers that identity thieves opened without the victims’
knowledge. Secure your mobile phone account by creating a password or PIN with your carrier, which will
be required to make any changes to your account in the future. Hackers can also do these scary things with
your cellphone number.

How to safeguard your device

In addition to taking specific precautions for each of the mobile security threats listed above, Pargman
recommends downloading anti-virus programs for your smartphone. Apps like Norton Security and
Antivirus, McAfee Mobile Security, and Kaspersky Antivirus and Security can help to spot malicious apps
if they have been installed. You should also make sure to keep your smartphone’s operating system
(Android or iOS) up to date at all times, he says. Here are more tips to protect your phone from viruses.

Mobile Ransomware - How to Protect Your Business

Hackers and cybercriminals are constantly evolving – trying new tactics, ditching the ones that no longer
work, and emphasizing the ones that are getting the best results. And in 2020, ransomware is the most
lucrative option they have available at their disposal. But it might not be the type of ransomware you
typically think of.
Cryptographic Security for Mobile Devices

Cryptographically Generated Addresses (CGA) is Internet Protocol version 6 (IPv6) that addresses up to
64 address bits that are generated by hashing owner’s public-key address.

and to sign
messages sent from the address without a public-key infrastructure (PKI) or other security infrastructure.

PKI provides many benefits for users to secure their financial transactions initiated from
mobile devices.

-based authentication can be used to protect IP-layer signalling protocols including neighbour
discovery (as in context-aware mobile computing applications) and mobility protocols.

Palms (devices
that can be held in one’s palm) are one of the most common hand-held devices used in mobile computing.

Cryptographic security controls are deployed on these devices.

Cryptographic Provider Manager (CPM) in Palm OS5 is a system wide suite of

cryptographic services for securing data and resources on a palm-powered device.

these capabilities,
allowing the encryption of only selected data or of all data and resources on the device.

LDAP (Lightweight Directory Access Protocol) Security for Hand-Held Mobile Computing Devices.

and other resources

such as files and devices on the network (i.e., on the public Internet or on the organization’s Intranet).

Attacker Launches blended attack over rogue ad hocnetwork (802.11,

bluetooth, infrared) amount of code) version of Directory Access Protocol (DAP) because it does not
include security features in its initial version.

RAS (Remote Access Server) Security for Mobile Devices

business sensitive data that

may reside on the employees’ mobile devices.

cyber security, mobile devices are sensitive. Figure below organizations sensitive data can
happen through mobile hand-held devices carried by employees.
In addition to being vulnerable to unauthorized access on their own, mobile devices alsoprovide a route into
the systems with which they connect.

impersonating or masquerading)to these systems,

a would-be cracker is then able to steal data or compromise corporate systems in other ways.

port scanning.

IP address of connected computer.

A domain is a collection of sites that are related in some sense.

its Transmission Control

Protocol (TCP)/User Datagram Protocol (UDP) stack to see what communication ports are unprotected by
firewalls.

File Transfer Protocol (FTP) transmissions are typically assigned to port 21.

n trap unauthorized incomingdata packets and

prevent a mobile device from revealing its existence and ID.
personal firewall on a pocket PC or Smartphone device can be an effective protectivescreen against this
form of attack for the users connecting through a direct Internet or RAS connection.

Media Player Control Security

the potential
security attacks on their mobile devices through the ―music gateways.‖

are many examples to show how a media player can turn out to be a source of
threat to information held on mobile devices.
 hat a series of flaws in itsWindows Media
Player could allow a malicious hacker to hijack people’s computer systems and perform a variety of actions.

could take over a

computer system and perform any task the computer’s owner is allowedto do, such as opening files or
accessing certain parts of a network.

Networking API Security for Mobile Computing Applications

-Commerce) and its further off -shoot into MCommerce,
online payments are becoming a common phenomenon with the payment gateways accessed remotely and
possibly wirelessly.

Web services and their use in mobile computing applications, the API
becomes an important consideration.

enable software and

hardware developers to write single applications

ring a range of embedded and consumer

products, including those running OSs such as Linux, Symbian, Microsoft Windows CE and Microsoft
Windows Mobile (the last three are the most commonly usedOSs for mobile devices).

se provide the ability to significantly improve cybersecurity of a

wide range of consumer as well as mobile devices. Providing a common software framework, APIs will
become an important enabler of new and higher value services.

Attacks on Mobile/Cell Phones

Mobile Phone Theft

transformed
from being a luxury to a bare necessity.

n in India use public transport, major locationswhere theft occurs

are bus stops, railway stations and traffic signals.

number of false
claims.

her mobile phone, more than anything ―Contact List‖ and Personally Identifiable
Information (PII)‖, that really matter, are lost

often attacked by
viruses; however, criminals made this thought as false statement.
being the
increasing usage of cell phones and availability of Internet using cell phones.
 ng demand for Wi-Fi zones in the metropolitans and extensive usage of cell
phones in the youths with lack of awareness/knowledge about the vulnerabilities of the technology.

1.Enough target terminals: Enough terminals or more devices to attack.

2. Enough functionality: The expanded functionality ie. office functionality and applications also increases
the probability of malware.

3. Enough connectivity: Smartphones offer multiple communication options, such as SMS, MMS,
synchronization, Bluetooth, infrared (IR) and WLAN connections.

The International Mobile Equipment Identity (IMEI)

-digit
number and can be obtained by entering *#06# from the keypad.
therefore can be used to stop
a stolen phone from accessing the network in that country.
service provider and instruct them
to ―lock‖ the phone using its IMEI number.
untry, even if a SIM is changed.

about your cell phone such as manufacturer, model type and country of approval of a handset.

Mobile Viruses

is similar to a computer virus that targets mobile phone data or applications/software

installed in it.
-of-concept nowadays.
bile viruses have been identified.
mobile devices can
act as vectors to enter the computer network.
cols – Bluetooth and MMS.
–30 m, through Bluetooth activated phones
the infected
mobile phone’s address book.
How to Protect from Mobile Malwares Attacks

Following are some tips to protect mobile from mobile malware attacks:

1. Download or accept programs and content (including ring tones, games, video clips andphotos) only from
a trusted source.
2. If a mobile is equipped with Bluetooth, turn it OFF or set it to non-discoverable mode when it is not in use
and/or not required to use.
3. If a mobile is equipped with beam (i.e., IR), allow it to receive incoming beams, only from the trusted
source.
4. Download and install antivirus software for mobile devices.

Mishing

Mishing is a combination of mobile and Phishing.

-Commerce is fast becoming a part of everyday life. If you use your mobile phone forpurchasing
goods/services and for banking, you could be more vulnerable to a Mishingscam.
Vishing or message (SMS) known as Smishing.
r organization and willclaim a need for
your personal details.
they need this
information from you.

Vishing

neering over the telephone system,most often using

features facilitated by VoIP, to gain access to personal and financialinformation from the public for the
purpose of financial reward.

– voice and Phishing.

usually used to steal credit card numbers or other related data used in ID theft
schemes from individuals.

1. ID theft; 2. purchasing luxury goods and services; 3. transferring money/funds;

4. monitoring the victims’ bank accounts; 5. making applications for loans and credit cards.

depends upon
information gathered by a criminal and criminal’s will to reach a particularaudience.

1. Internet E-Mail:
2. Mobile text messaging:
3. Voicemail:
4. Direct phone call:
Following are the steps detailing on how direct phone call works:

• The criminal gathers cell/mobile phone numbers located and steals mobile phone numbers after accessing
cellular company.
• The criminal often uses a dialer to call phone numbers of people from a specific region, and that to from
the gathered list of phone numbers.
• When the victim answers the call, an automated recorded message is played to alert the victim that his/her
credit card has had fraudulent activity and/or his/her bank account has had unusual activity.

The message instructs the victim to call one phone number immediately.

The same phone number is often displayed in the spoofed caller ID, under the name of the financial
company the criminal is pretending to represent.

• When the victim calls on the provided number, he/she is given automated instructions to enter his/her
credit card number or bank account details with the help of phone keypad.

• Once the victim enters these details, the criminal (i.e., visher) has the necessary information to make
fraudulent use of the card or to access the account.

• Such calls are often used to gain additional details such as date of birth, credit cardexpiration date, etc.

Some of the examples of vished calls, when victim calls on the provided number after
receiving phished E-Mail and/or after listening voicemail, are as follows:

1. Automated message: Thank you for calling (name of local bank). Your business isimportant to us. To
help you reach the correct representative and answer your query fully,please press the appropriate number
on your handset after listening to options.• Press 1 if you need to check your banking details and live
balance.
• Press 2 if you wish to transfer funds.
• Press 3 to unlock your online profile.
• Press 0 for any other query.

2. Regardless of what the victim enters (i.e., presses the key), the automated system promptshim to
authenticate himself: ―The security of each customer is important to us. To proceedfurther, we require that
you authenticate your ID before proceeding. Please type your bankaccount number, followed by the pound
key.‖

3. The victim enters his/her bank account number and hears the next prompt: “Thank you.Now please type
your date of birth, followed by the pound key. For example 01 January 1950
press 01011950.‖

4. The caller enters his/her date of birth and again receives a prompt from the automatedsystem: “Thank
you. Now please type your PIN, followed by the pound key.‖

5. The caller enters his PIN and hears one last prompt from the system: “Thank you.We will now transfer
you to the appropriate representative.‖ At this stage, the phone call getsdisconnected, and the victim thinks
there was something wrong with the telephone line; orvisher may redirect the victim to the real customer
service line, and the victim will not beable to know at all that his authentication was appropriated by the
visher.

How to Protect from Vishing Attacks

Following are some tips to protect oneself from Vishing attacks:

1. Be suspicious about all unknown callers.
2. Do not trust caller ID. It does not guarantee whether the call is really coming from that number, that is,
from the individual and/or company – caller ID Spoofing is easy.
3. Be aware and ask questions, in case someone is asking for your personal or financialinformation.
4. Call them back. If someone is asking you for your personal or financial information, tellthem that you will
call them back immediately to verify if the company is legitimate or not.In case someone is calling from a
bank and/or credit card company, call them back using anumber displayed on invoice and/or displayed on
website.
5. Report incidents: Report Vishing calls to the nearest cyberpolice cell with the number andname that
appeared on the caller ID as well as the time of day and the information talkedabout or heard in a recorded
message.

Smishing

to Phishing.
SMS PhISHING.‖
gathering under
cybercrime.
reveal his/her PI.

provide a phone number to force the victim to call or provide a website URL to force the victim to access
the URL, wherein, the victim gets connected with bogus website (i.e., duplicate but fake site created by the
criminal) and submitshis/her PI.

ng.

How to Protect from Smishing Attacks

Following are some tips to protect oneself from Smishing attacks:

1. Do not answer a text message that you have received asking for your PI. Even if the message seems to be
received from your best friend, do not respond, because he/she may not be the one who has actually sent it.

2. Avoid calling any phone numbers, as mentioned in the received message, to cancel a membership and/or
confirming a transaction which you have not initiated but mentioned in the message. Always call on the
numbers displayed on the invoice and/or appearing in the bank statements/passbook.

3. Never click on a hot link received through message on your Smartphone or PDA. Hotlinks are links
that you can click, which will take you directly to the Internet sites.Smishing messages may have hot links,
wherein you click on the link and download Spyware to your phone without knowing. Once this software
has been downloaded, criminals can easily steal any information that is available on your cell phone and
have access to everything that you do on your cell phone.

Hacking Bluetooth
short distances (i.e., using short length radio waves) between fixed and/or mobile device.

-range wireless communication service/technology that uses the 2.4- GHz frequency
range for its transmission/communication.

– Bluetooth 1.0 has a maximum transfer speed of 1 Mbps (megabit per second)
compared with 3 Mbps by Bluetooth 2.0.

to connect‖ to any other Bluetooth-based device within range.

rward, and it also makes easier to identify the target for

attackers.

Bluetooth hacking tools] on a laptop and then installs a Bluetooth

antenna.
talled on laptop constantly scans the
nearby surroundings of the hacker for active Bluetooth connections.

Once the software tool used by the attacker finds and connects to a vulnerable Bluetooth enabled cell phone,
it can do things like download address book information, photos,calendars, SIM card details, make long-
distance phone calls using the hacked device, bug phone calls and much more.

Table 3.1 | Bluetooth hacking tools

1. BlueScanner: This tool enables to search for Bluetooth enable device and will try toextract as much
information as possible for each newly discovered device afterconnecting it with the target.

2. BlueSniff: This is a GUI-based utility for fi nding discoverable and hidden Bluetooth enabled devices.
3. BlueBugger: The buggers exploit the vulnerability of the device and access the images, phonebook,
messages and other personal information.

4. Bluesnarfer: If a Bluetooth of a device is switched ON, then Bluesnarfing makes it possible to connect to
the phone without alerting the owner and to gain access to restricted portions of the stored data.

5. BlueDiving: Bluediving is testing Bluetooth penetration.

It implements attacks like Bluebug and BlueSnarf.Bluejacking, Bluesnarfing, Bluebugging and Car
Whisperer are common attacks that have emerged as Bluetooth-specific security issues.

1. Bluejacking: It means Bluetooth + Jacking where Jacking is short name for hijack – act oftaking
over something. Bluejacking is sending unsolicited messages over Bluetooth toBluetooth-enabled
devices such as mobile phones, PDAs or computers (within 10-m radius),Bluejacking is harmless, as
bluejacked users generally do not understand what has happenedand hence they may think that their
phone is malfunctioning.

2. Bluesnarfing: It is the unauthorized access from a wireless device through a Bluetooth connection
between cell phones, PDAs and computers. This enables the attacker to access a calendar, contact
list, SMS and E-Mails as well as enables attackers to copy pictures and private videos.\

3. Bluebugging: It allows attackers to remotely access a user’s phone and use its features without user’s
attention.
4. Car Whisperer: It is a piece of software that allows attackers to send audio to and receive audio from a
Bluetooth-enabled car stereo.

Among the four above-mentioned attacks, Bluesnarfing is claimed to be much more serious than
Bluejacking.

These vulnerabilities are an inevitable result of technological innovation, and device manufacturers’
continuously research and release firmware upgrades to address new challenges/problems as they arise.

Mobile Devices: Security Implications for Organizations

Managing Diversity and Proliferation of Hand-Held Devices

Cyber security is always a primary concern to Most organizations

he long-term significance of keeping track of who owns what kind of
mobile devices.

organization networks.

and, at the very

least, should be deactivated and cleansed.

Unconventional/Stealth Storage Devices

(also called zip drive, memory sticks) used

by employees are the key factors for cyber-attacks.

in new shapes and

sizes –storage devices available nowadays are difficult to detect and have become a prime challenge for
organizational security.

viruses, worms and Trojans get into the organization network, but can also destroy
valuable data in the organization network.

unattended
computer and will be able to download confidential data or upload harmful viruses.

software are not

alerted.
ccess to plug and play
devices (for more details, visit http://www.devicelock.com/).

The features of the software allows system administrator to:

1. Monitor which users or groups can access USB Ports, Wi-Fi and Bluetooth adapters, CD read-only
memories (CD-ROMs) and other removable devices.
2. Control the access to devices depending on the time of the day and day of the week.

3. Create the white list of USB devices which allows you to authorize only specific devices that will not be
locked regardless of any other settings.

4. Set devices in read-only mode.

5. Protect disks from accidental or intentional formatting.

Threats through Lost and Stolen Devices

cyber security.
en mobile hand-held devices are lost while people are on the move.

laptops, 1,300 PDAs

and over 62,000 mobile phones were left in London in cabs in the year 2001 over the last 6-month period.
increased sales and usage of
mobile devices.
cyber security threat under this scenario is scary; owing to a general lack of security in mobile
devices, it is often not the value of the hand-held device that is important but rather the content that, if lost
or stolen, can put a company at a serious risk of sabotage, exploitation or damage to its professional
integrity, as most of the times the mobile hand-held devices are provided by the organization.

have potentially very little

security, making them a weak link and a major headache for security administrators.

Protecting Data on Lost Devices

cyber security needs to protect the data when device is lost :

1. data that are persistently stored on the device and

2. always running applications.

mobile device:

1. encrypting sensitive data and

2. encrypting the entire file system.

Organizational Measures for Handling Mobile

Encrypting Organizational Databases

technology, access to these data is

possible through mobiles.

Rijndael
(pronounced rain-dahl or Rhine-doll), a block encryption algorithm, chosen as the new Advanced
Encryption Standard (AES) for block ciphers by the National Institute of Standards and Technology
(NIST).
-Dimensional
Space Rotation (MDSR) algorithm developed by Casio.The term ―strong encryption‖ is used here to
describe these technologies in contrast to the simple encryption.

Strong encryption means that it is much harder to break, but it also has a significant impact on
performance.

Including Mobile Devices in Security Strategy

cyber security threats that come

through inappropriate access to organizational data from mobile device–user employees.

the machine a
special message.
-powered processors that will support 128-bitencryption.

1. Implement strong asset management, virus checking, loss prevention and other controls for mobile
systems that will prohibit unauthorized access and the entry of corrupted data.
2. Investigate alternatives that allow a secure access to the company information through a firewall, such as
mobile VPNs.
3. Develop a system of more frequent and thorough security audits for mobile devices.
4. Incorporate security awareness into your mobile training and support programs so that everyone
understands just how important an issue security is within a company’s overall IT strategy.
5. Notify the appropriate law-enforcement agency and change passwords. User accounts are closely
monitored for any unusual activity for a period of time.

Organizational Security Policies and Measures in Mobile Computing Era

Importance of Security Policies relating to Mobile Computing Devices

cyber security issue harder than what we would tend to think

.
them like wallets!

es of confidential information on mobile computing devices than

their employers or they themselves know; they listen to music using their hand-held devices
 confidential E-
Mails and strategic information about organization.

customer data such

as credit reports, social security numbers (SSNs) and contact information.

Operating Guidelines for Implementing Mobile Device Security Policies

1. Determine whether the employees in the organization need to use mobile computing devices or not.

2. Implement additional security technologies like strong encryption, device passwords and physical locks.

3. Standardize the mobile computing devices and the associated security tools being used with them.

4. Develop a specific framework for using mobile computing devices.

5. Maintain an inventory so that you know who is using what kinds of devices.

6. Establish patching procedures for software on mobile devices.

7. Label the devices and register them with a suitable service.

8. Establish procedures to disable remote access for any mobile.

9. Remove data from computing devices that are not in use

10. Provide education and awareness training to personnel using mobile devices.

Organizational Policies for the Use of Mobile Hand-Held Devices

to handle the matter of creating policy for mobile devices.

One way is creating a distinct mobile computing policy.
Another way is including such devices under existing policy.

Laptops

ness functions.
they are
portable.
cyber security concerns when the information being
transmitted over other, which makes it hard to detect.
cyber security industry and
insurance company statistics.
profit in the black
market.
 , thereby avoiding cyber
security exposures.

Physical Security Countermeasures

information, no matter
where they travel.

sk of having a data breach (Violation) if a laptop

containing sensitive information is lost or stolen.

laptops.

1. Cables and hardwired locks: The most cost-efficient and ideal solution to safeguard any mobile device
is securing with cables and locks, specially designed for laptops.

2. Laptop safes: Safes made of polycarbonate – the same material that is used in bulletproof windows,
police riot shields and bank security screens – can be used to carry and safeguard the laptops

3. Motion sensors and alarms: Alarms and motion sensors are very efficient in securing laptops.

4. Warning labels and stamps: Warning labels containing tracking information andidentification details
can be fixed onto the laptop to deter aspiring thieves. These labels
cannot be removed easily and are a low-cost solution to a laptop theft

5. Other measures for protecting laptops are as follows:

• keeping the laptop close to oneself wherever possible;

• carrying the laptop in a different and unobvious bag
• creating the awareness among the employees about the sensitive information contained in the laptop;
• making a copy of the purchase receipt of laptop
• installing encryption software to protect information stored on the laptop;
• using personal firewall software to block unwanted access and intrusion;
• updating the antivirus software regularly;
• tight office security using security guards and securing the laptop by locking it down in lockers when not
in use;
• never leaving the laptop unattended in public places
• disabling IR ports and wireless cards when not in use.
• Choosing a secure OS
• Registering the laptop with the laptop manufacturer to track down the laptop in case of
theft.
• Disabling unnecessary user accounts and renaming the administrator account.
• Backing up data on a regular basis.

A few logical access controls are as follows:

1. Protecting from malicious programs/attackers/social engineering.
2. Avoiding weak passwords/open access.
3. Monitoring application security and scanning for vulnerabilities.
4. Ensuring that unencrypted data/unprotected fi le systems do not pose threats.
5. Proper handling of removable drives/storage mediums/unnecessary ports.
6. Password protection through appropriate passwords rules and use of strong passwords.
7. Locking down unwanted ports/devices.
8. Regularly installing security patches and updates.
9. Installing antivirus software/firewalls/intrusion detection system (IDSs).
10. Encrypting critical file systems.
11. Other countermeasures:

Spy Phone Software!!!

Spy Phone software is installed on the mobile/cell phone of employees, if the employers wants to monitor
phone usage. The Spy Phone software is completely hidden from the user,once it is installed and collects all
the available data such as SMS messages, ingoing/outgoing call history, location tracking, GPRS usage and
uploads the collected data to a remote server.

The employer can simply access the designated website hosted by Spy Phone vendor, andafter entering
his/her account details, he/she can have full access to all the data collected 24hours a day, 7 days a week.
The employer can access this website through the Internet; hence,he/she can keep an eye on their employees,
regardless where he/she is in the world. The employer can read all SMS messages (both incoming and
outgoing), know who they(employees) are calling or who is calling them and where they were when the call
was received.

Following are few Spy Phone Software(s) available in the market:

1. SpyPhonePlus: http://www.spyphoneplus.com/
2. FlexiSpy: http://www.flexispy.com/
3. TheSpyPhone: http://www.thespyphone.com/spyphone.html
4. Mobile Spy: http://www.mobile-spy.com