Holiday shopping season is upon us, a time when many forget to consider mobile device security. In its 2020 holiday retail forecast, Deloitte predicts “sales between $1,147 billion and $1,152 billion during the November through January timeframe.” In the same survey, Deloitte is estimating 25% to 35% growth in e-commerce sales over 2019’s totals. With the COVID-19 pandemic, many people began using their mobile and smart devices for shopping, a trend that will continue to grow during the holidays. With this growth in the use of these devices for transactional purchasing, what can be done to protect the customer, their data and privacy, and your organization?

What is a mobile or smart device? 

Mobile and smart devices refer to any computing device that

  • can be held in your hand (mobile), 
  • can connect to other devices or networks (smart),
  • can be worn, embedded or implanted (wearables), 
  • uses a battery for power, 
  • can establish a WiFi or cellular wireless connection to the internet, 
  • provides a touch-screen for the capturing and/or display of data and information, and
  • runs a mobile operating system that uses apps for common tasks.

Wherever there is money, there are criminals. Use mobile devices and smart technologies wisely and protect your digital identity, privacy and financial assets.

What are the risks of using a mobile or smart device? 

While mobile and smart devices have revolutionized computing, they do come with their share of security and privacy risks. These devices use operating systems and web browsers, so they are susceptible to the same types of vulnerabilities as a desktop computer – malware, spyware, operating system flaws, zero-day vulnerabilities, etc. However, they also provide unique challenges to data and privacy. 

  • Being smaller and mobile, there is a higher risk for loss or theft. 
  • Since they are computers, they hold and process data that is often sensitive (bioinformatic, location, payment cards, etc.). 
  • The use of multiple apps from varying sources can obfuscate who is holding sensitive information and how it is being used.  
  • Due to their dependence on networks and internet access, the use of open, public WiFi networks can place these devices at higher risks.
  • Because they are often networked to other devices, an attack can easily spread to other devices to which they are connected. 
  • Separating work data from personal data can be challenging and can lead to data being intermingled. 

Mobile and smart devices are a part of everyday life for most people. With the increased use of these technologies, mobile device security is all the more important. Unfortunately, cybercriminals are looking to exploit vulnerabilities, both in the devices and in our knowledge and understanding of their use. The RSA’s Q2 Quarterly Fraud Report showed several concerning trends in relation to the use of these devices.

  • 70% of all fraudulent transactions originated from the mobile channel, a 26% year-over-year increase.
  • The value of a fraudulent payment transaction in the mobile channel has increased by 17%.

How can you use your mobile or smart device more safely? 

What can be done to mitigate the risks that come with the use of these devices, especially during the holiday shopping season? Check out these tips for mobile device security:

    1. Keep up with devices – One of the biggest advantages of mobile and smart devices – that they are portable – is also one of their greatest weaknesses. It is important that control of devices is maintained at all times. Enable the remote find, lock, and wipe capabilities if they are offered for the device. Also enable the user authentication feature on the device. Multi-factor authentication (MFA), especially options that offer a biometric component, provides another level of security and privacy.
    2. Harden the device – When using a new device, focusing on the new features and accessories is normal. However, there are some tried and true steps you should take to harden any device as soon as it comes out of the box. Set a screen lock for the device. If enabling notifications, update your settings to not show these on the lock screen. Install a password manager on the device to avoid storing credentials in individual web sites or applications. Change all default passwords to strong passwords. Download and install a VPN and a firewall. Set up a cloud-based back-up service for the device. Enable encryption on the device. Turn on “do not track” in the web browser.
    3. Turn off Bluetooth and Location services when not in use – Bluetooth and Location features on a mobile or smart device enable a number of helpful features. Like WiFi, both of these protocols have a level of risk to them for data and identity theft. Exploiting vulnerabilities, an attacker can eavesdrop on phone conversations as well as record conversations you are having with those around you, even if the device is not in use. Location services can be hacked and allow an attacker to monitor a person’s movement. It is best to turn off these features when they are not in use.
    4. Keep operating systems and applications patched and up to date – This rule holds true for any electronic device. No software is 100% perfect. Bugs can be found in any software, whether new to the market or a long-time product. Software on mobile and smart devices can often access any part of the device, including microphones, cameras and data. This makes it even more important that these devices are updated with new versions or patches of their operating systems and applications/skills.
    5. Limit the number of apps/skills on the device – Companies must be sure to offer positive customer experiences through their mobile web sites, not just their mobile apps. Use a web browser on the device to access and complete transactions on sites with HTTPS to better protect data and privacy. Remove apps that are not used from the device. Only install apps or skills from official stores or sources.
    6. Do not save payment card information on a mobile or smart device – It seems like the height of efficiency, having payment information saved so as not to have to re-enter it each time a purchase is made through the device. However, it is also a risk. If someone is able to steal and access the device, they now have access to the payment card data and the associated accounts. Although it can be a pain, always enter payment information each time a purchase is completed.
    7. Avoid public WiFi – Do not use public WiFi with mobile or smart devices. There are numerous risks associated with public WiFi, including Close Access Network Attacks and the subversive collection of data over an unsecured network. Disable WiFi on the device when it is not being used and always delete unused WiFi networks from your listing. Disable the ability for the device to automatically connect to WiFi networks. If public WiFi must be used, use a Virtual Private Network (VPN) and do not access sensitive or confidential data.
    8. Only use accessories from trusted manufacturers – Although it can be tempting to borrow a stranger’s charger when a battery is running low or to order an accessory for a cheaper price to save a few dollars, both of these actions can result in the installation of malware or a breach of the device and the data stored there. Never use a public USB charging station, as this can lead to a “juice jacking” attack. Accessories sold by third-party vendors may also be used to install malware on a device. Purchase accessories from trusted sources and carry charging cords and battery backups when traveling.
    9. Practice careful clicking – Mobile and smart devices are susceptible to the same social engineering attacks as a desktop computer. Phishing attacks can occur through these devices. Vishing (phishing via phone) and SMiShing (phishing via SMS text messages) are specific phishing attacks that are aimed at mobile devices. Ransomware can be installed on devices from infected websites, instant messages, emails or texts. Malicious apps and skills can be used to infect devices with a variety of malware, ransomware and keystroke loggers. Do not click links or open unexpected attachments in emails, messages or texts. Be vigilant about the websites you visit. If an offer is too good to be true (for example, a 75% off coupon), then it probably is.

With the COVID-19 pandemic, e-commerce via mobile and smart devices will continue to see a rapid pace of growth. As we know, wherever there is money, there are criminals. Be vigilant with your mobile device security. Use these technologies wisely and protect your digital identity, privacy and financial assets.