Mobile Security: Top Priority for Banking in 2014

There’s no doubt that mobile device usage has become pretty universal in today’s digital age. Moving far beyond basic text and calls, our smartphones now serve as alternatives to automated teller machines (ATMs), menus, global positioning systems (GPS), and much more. Aside from providing all types of entertainment and help in looking up the best new local restaurant, mobile devices have become widely embraced by users—and at a breakneck pace—for banking needs. According to a recent survey by Princeton Survey Research Associates International, 32% of adults and 35% of mobile phone owners in the U.S. bank online using their mobile devices. And the numbers will only continue to grow in 2014. However, as we become more reliant on our mobile devices for everyday activities, the potential for data and identity theft increases exponentially.

Forrester Research predicts that mobile banking will reach roughly 46% of all U.S. bank account holders by 2017, which means a lot more information to steal for cybercriminals. With the number of mobile devices connected to financial accounts increasing daily, it is no surprise that criminals have turned their sights on mobile—oftentimes faster than businesses and banks can respond. And while it’s certainly convenient to check an account balance from anywhere anytime, mobile banking has also given savvy scammers another way to steal precious information from unsuspecting users.

As 2013 comes to a close, it is important to better understand how mobile devices will continue to impact financial institutions and consumers, as well as what to look out for in 2014. Security expert and Gartner analyst Anton Chuvakin warns that financial institutions should prioritize protecting payment data on mobile devices over other endeavors. While many banks and merchants are inclined to concentrate more on the regulatory part of mobile transactions such as industry security standards that are handed down from governing bodies, the real emphasis should be on preparing for and staying abreast of emerging security risks. Threats like mobile phishing scams and banking Trojans are expected to be on the rise, so protecting information at the device level is key as this is where many attacks start.

When it comes to consumer best practices for 2014 and into the future, the most important factor will be vigilance. It is easy to get too comfortable using mobile devices for everything from shopping to depositing checks, and cybercriminals bank on users’ lack of awareness in protecting their data and devices across all mobile activities. While the responsibility lies in part on the merchant or financial institution to protect transactions and other activities on their sites, it lies as much in your hands to protect your device and data. Mobile devices are constantly exposed to risks by way of unsecure networks, device loss/theft, and other threats on the user side.

So, with these current and new threats in mind, how can you continue to enjoy the convenience of mobile banking without exposing yourself and your data to new risks? Below are some tips to help keep your device and information safe in 2014 and beyond:

  • Update your mobile software. If your mobile carrier allows for it, updating your OS can immediately improve the security of your device.
  • Don’t use public Wi-Fi networks to access your bank account. Avoid checking your bank account or downloading any content while on unsecure networks. Cybercriminals often use public Wi-Fi in places like coffee shops as a hunting ground for victims.
  • Stick to your bank’s app. Avoid the possibility of logging onto phony mobile sites when banking by using your bank’s app. These have been created by your financial institution specifically to enhance the security of your transactions.
  • Don’t store banking information on your device. You never know what could happen should your phone fall into the wrong hands. Keep your accounts safe by keeping your bank logins saved elsewhere.
  • Lock down your device with a PIN Code. Regardless of what information you store on your device, keep it passcode protected and keep the cyber snoops out.
  • Don’t share account information over text. Never share sensitive information over unsecured text channels such as email, text message or chat. Even if you receive a message supposedly from your bank, call them first to confirm that the message is in fact from them, as banks should not be asking for such information in writing.
  • Go the extra mile when it comes to mobile security. Vigilance is not always enough, which is why enlisting the help of a security service is a crucial part of mobile device safety. McAfee® Mobile Security detects some of the top Android banking Trojans and protects devices from any subsequent data loss. Additional features include remote lock and wipe functions should your device become lost or stolen, as well as virus protection with continuous scanning and monitoring of your mobile activity.

When it comes to your personal banking there are a number of additional proactive measures you can take to keep your information safe, both on and off of your mobile device. For more tips on how to enjoy the convenience of mobile banking while keeping your important data safe, visit the McAfee Security Advice Center.

To keep up with the latest mobile security threats now and into the new year, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.

 lianne-caetano

The post Mobile Security: Top Priority for Banking in 2014 appeared first on McAfee Blogs.

McAfee Labs 2014 Threats Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what the new threats are going to be and what new trends they expect to see. Today they released their 2014 Threats Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slowdown on this in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is unregulated and anonymous, it is much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the likes, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.

Here are some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges.
  • Install comprehensive security on all your devices: With the growing number of threats that we’re seeing, you want to make sure that all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

The post McAfee Labs 2014 Threats Predictions appeared first on McAfee Blogs.

WhatsApp With That? Security Flaw in Mobile Messaging Apps

Mobile phone calls and text messages seem to be going the way of the dinosaurs. In their place, a plethora of multi-functional mobile messaging apps have flooded the market, each offering distinct features. In fact, a study by Informa found that chat apps are now more popular than text messaging among mobile users worldwide, with 19 billion chat messages being sent each day last year alone. Although traditional text messaging may never fully disappear, users today are looking for services offering easy-to-use multimedia functions, group chats, video calls, gaming and more.

Arguably, privacy is a key draw for users when it comes to any mobile chat option, and one of the most popular apps on the market, WhatsApp, has found itself in some hot water after researchers called out a potential security vulnerability. WhatsApp is a multimedia-messaging app that offers secure text, video and picture services for $0.99 per year. Thijs Alkemade, an open-source developer and student at Utrecht University in the Netherlands was the first to point out and explore a flaw in the app’s encryption (the process of encoding messages in a way that cybercriminals cannot view) that would make it possible to read plain text communications sent via WhatsApp. So far, the vulnerability has been found almost exclusively in Android devices, and Nokia Series 40, but Alkemade stated that it’s possible that the vulnerability could be found in iOS devices although such a case has not yet been reported. Nor have researchers found if the flaw affects WhatsApp messages sent across device types, such as an Android message sent to an iPhone. Aside from Alkemade’s investigation, independent security researchers also reviewed the information and agreed that the issue poses a real threat to users on any mobile operating system.

The vulnerability in question involves the use of the same key to decode the encryption on both sides of a conversation, making it possible for someone to intercept messages sent via Wi-Fi and decrypt them. An attacker with access to the encrypted messages can use a specific algorithm to compare and essentially predict the text hidden underneath the encryption. In previous research experiments, cryptographers have already used this method and successfully decrypted short messages in seconds with a 99% accuracy rate. Because the messages sent from the user to the server, and vice versa, have the same key to unlock them, when compared against each other, the actual text can be pulled out of the encrypted streams of seeming gibberish. For those who use WhatsApp to either send sensitive messages, or simply get the address for a dinner party, the possibility of someone being able to see plain text content is a major security risk for all 300 million monthly users.

While using the same encryption key to secure two different messages is a well-known security weakness, it is still a labor-intensive process to break through. The algorithm needed to decrypt the intercepted messages is not only difficult and time consuming to develop, but the attacker would have to have access to the wireless network that messages are being relayed over as well. Regardless, a determined hacker could most likely create something general enough to target WhatsApp users as well as other vulnerable mobile apps. WhatsApp processes as many as 27 billion instant messages a day, and chances are there is plenty of private and potentially useful information being shared. However, despite the findings, WhatsApp maintains that their messages are fully secure and it is unclear if they are exploring the issue any further.
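The key-reuse weakness described above, shown as an added example that is not WhatsApp's code and not from the original post. It uses a stand-in stream cipher (HMAC-SHA256 in counter mode, an assumption, since the post does not name the cipher) to show that one key used in both directions makes the keystream cancel out of the two ciphertexts, and that deriving a separate key per direction removes that relation. The function names, direction labels and sample messages are constructed for illustration.

```python
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream generator (HMAC-SHA256 over a counter).

    Assumption: any stream cipher behaves the same way for this purpose,
    because the same key always yields the same keystream.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor(plaintext, keystream(key, len(plaintext)))


def direction_key(session_key: bytes, label: bytes) -> bytes:
    """Mitigation: derive an independent key for each direction.

    The labels are hypothetical; what matters is that they differ.
    """
    return hmac.new(session_key, label, hashlib.sha256).digest()


def keystream_cancels(c_out: bytes, c_in: bytes, p_out: bytes, p_in: bytes) -> bool:
    """True when XOR of the ciphertexts equals XOR of the plaintexts,
    i.e. the key has dropped out and only message content remains."""
    return xor(c_out, c_in) == xor(p_out, p_in)


# Constructed sample data, not captured traffic.
SESSION_KEY = hashlib.sha256(b"constructed session key").digest()
MSG_TO_SERVER = b"dinner is at 8pm on Friday"
MSG_FROM_SERVER = b"delivered to your contact."


def reused_key_case() -> bool:
    """Same key in both directions: the flawed design the post describes."""
    c_out = encrypt(SESSION_KEY, MSG_TO_SERVER)
    c_in = encrypt(SESSION_KEY, MSG_FROM_SERVER)
    return keystream_cancels(c_out, c_in, MSG_TO_SERVER, MSG_FROM_SERVER)


def separate_key_case() -> bool:
    """One derived key per direction: the keystreams no longer match."""
    c_out = encrypt(direction_key(SESSION_KEY, b"client->server"), MSG_TO_SERVER)
    c_in = encrypt(direction_key(SESSION_KEY, b"server->client"), MSG_FROM_SERVER)
    return keystream_cancels(c_out, c_in, MSG_TO_SERVER, MSG_FROM_SERVER)


if __name__ == "__main__":
    print("reused key, keystream cancels:", reused_key_case())
    print("separate keys, keystream cancels:", separate_key_case())
```

With the reused key, an eavesdropper holding both ciphertexts holds the XOR of the two plaintexts without ever touching the key, which is why the design fix is a distinct key (or nonce) per direction rather than a stronger password.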

In the meantime, Alkemade warns users to assume that if they use unsecure wireless networks, their WhatsApp messages are most likely already compromised, given enough effort. However, users can ensure that any future conversations can’t be used against them by being careful about what they share on WhatsApp. It is a best practice to avoid sharing personal information like your home address, account passwords or risky photos via any mobile app, even if security is supposedly guaranteed. Also avoid connecting to public Wi-Fi in general on your mobile device. You never know who could be looking in.

WhatsApp is not the first, nor will it be the last mobile app to have its security practices called into question, and it is up to users to practice mobile safety no matter what app they are communicating on.

Be sure to check out my other blogs for more top mobile security stories, safety tips and similar app-related issues.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.

lianne-caetano

The post WhatsApp With That? Security Flaw in Mobile Messaging Apps appeared first on McAfee Blogs.

What will happen if countries carve up the internet?

Twenty years ago, there was nothing like the internet we have today, the global all-connecting network that has become an integral part of our lives. Over the last few decades, we have all witnessed how it has grown exponentially and come to change our everyday existence – keeping most of us online all the time (with accompanying frustrations as well as benefits) and making communications and information exchange unprecedentedly seamless and fast.

But I fear that we are at a turning point for the internet, and may even be going into reverse. The utopia of a borderless digital global village may be coming to an end. Fragmentation of the world wide web is already taking place – along national borders.

Edward Snowden’s revelations on the scale of US online surveillance – the Guardian’s massive scoop of 2013 – may be giving rise to a new era in history. The disclosures have already given rise to significant changes, including skyrocketing growth of the number of users striving for online privacy and choosing anonymity tools and browsers, and the astonishing swell in the value of bitcoins, the most widely used anonymous online peer-to-peer currency.

But what may prove to be the ultimate game-changer is the fragmentation of the internet. A number of countries, among them Brazil and Germany, are considering carving out their own sectors of the internet, or may even have already started the process. If the trend spreads, which is likely, such fragmentation will bring about the creation of parallel networks as governments the world over try to isolate their critically important communications. Such networks with no physical connection to the internet are already widely used for military communications.

The new networks will serve only governments and large enterprises with the aim of protecting national critical infrastructure from any possible foreign intrusion. This will mean they’ll be more secure and reliable, but they’d come at a price, quite literally. Building such networks requires both huge investment over many years (funded by taxpayers) and a great deal of technical expertise (diverted from public services and innovative projects).

This is probably good news if you’re graduating with an IT engineering degree soon. Less so if you want to work abroad, because governments will prefer homegrown talent that can pass all the necessary security checks. Also, many countries – even some high-tech giants like Germany, Japan and France – could face a deficit of such workers.

Internet fragmentation will bring about a paradoxical de-globalisation of the world, as communications within national borders among governmental bodies and large national companies become increasingly localised.

Ordinary users will hardly perceive any change while these state-run parallel networks are being built, but there is another aspect of this global trend that will affect everyone directly. Some countries are already seriously considering making sure as much of their internet traffic as possible stays within their national borders.

In some countries, for example Brazil, there’s talk about forcing global giants such as Google and Facebook to locate their data centres locally to process local communications. If this trend gains worldwide momentum, it will be a disaster for global IT giants and pose a threat of full-blown Balkanisation of the internet. The process would probably foster the creation of local search engines, email systems, social networks and so on – an intimidating prospect for publicly listed companies.

As a result, the whole notion of netizens, or global online citizens, and of the internet being a global village could lose all practical meaning. What could emerge is a patchwork of online nation states with different rules and regulations and hindered communications.

Sadly, I don’t think the trend can be reversed. It feels as inevitable as the change of the seasons. But while one can’t help complaining about bad weather in December, it’s worth remembering that a bit of snow is not the end of the world.

Internet fragmentation may mean better protection of national critical infrastructure; as a counterbalance, the politicians and diplomats of the world should be engaged in dialogue on how to keep the internet as close to how we know it today – a global information highway.

Eugene Kaspersky is chairman and CEO of Kaspersky Lab

Get more articles like this sent direct to your inbox by signing up for free membership to the Guardian Media Network – this content is brought to you by Guardian Professional.

12 Scams Merry Merry Retweet to Win Contest

‘Tis the season for holiday shopping, roasting chestnuts over an open fire…and cyber scams? Last month, McAfee released their annual 12 Scams of the Holidays to help consumers navigate the seasonal threat landscape.

Some of the top scams this year included not-so-merry mobile apps, holiday mobile SMS scams, hot holiday gift scams and much more. With the rise in smartphone and tablet use, cybercriminals have tailored their usual bag of nasty tricks to target mobile shoppers.

In the spirit of spreading cheer as well as online safety awareness, McAfee will be running a Retweet To Win contest with our Twitter audience this week. Daily winners will receive a McAfee prize pack, which includes a 1-year subscription to McAfee LiveSafe™ service, a McAfee lined shopping bag, a McAfee mouse and a McAfee phone wipe. All you have to do is retweet the daily contest tweet to enter!

Help us spread the word about safe holiday shopping practices and thwart Cyber Scrooges using seasonal topics to endanger users online. Follow the directions below for a chance to win big!

12 Scams Merry Merry Retweet to Win Contest Terms and Conditions

1.   How to enter: No purchase necessary. A purchase will not increase your chances of winning. The “12 Scams Merry Merry” Retweet to Win Contest (the “Contest”) will have 5 drawing periods during which time all entries must be received. Pacific Time shall control for all purposes of this Contest. Five (5) winners will be chosen, one for each drawing period. Drawing periods are as follows:

  • Drawing 1: Monday, December 16th 8:00 AM PST through 5:00 PM PST
  • Drawing 2: Monday, December 17th 8:00 AM PST through 5:00 PM PST
  • Drawing 3: Monday, December 18th 8:00 AM PST through 5:00 PM PST
  • Drawing 4: Monday, December 19th 8:00 AM PST through 5:00 PM PST
  • Drawing 5: Monday, December 20th 8:00 AM PST through 5:00 PM PST

During each Drawing period, go to the McAfee page on Twitter and do the following steps.

  1. Find the contest tweet of the day, which will include the hashtags: #RT2Win and #12scams.
  2. Retweet the contest tweet of the day and make sure it includes both the #RT2Win and #12scams hashtags.

Look for the contest tweet daily starting at 8am PST. Retweets of other tweets or those that do not contain the hashtag #12scams and #RT2Win will not be considered.

Eligible contest tweets will be announced daily at 8am PT during the drawing period on the @McAfeeConsumer feed featuring the #RT2Win hashtag. Each retweet must include the #12scams hashtag to be eligible to win, and winners will be chosen at the end of each day (after 5pm PT). No other method of entry will be accepted besides Twitter. Entries from one Drawing are not carried over to a later Drawing (you must enter each Drawing separately). 

2.   Eligibility: The contest is open globally to those who are 18 years of age or older on the date the contest begins. Employees of McAfee and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible. A winner of one Drawing is eligible to enter in the subsequent Drawings. Void wherever prohibited by law with no exceptions.

3.   Winner Selection: The winner for each Drawing will be selected at random from all eligible retweets received during a Drawing’s entry period. By participating, entrants agree to be bound by the Official Contest Rules and the decisions of the coordinators, which shall be final and binding in all respects. The odds of winning depend on the total number of eligible retweets received.

Winner Notification: Each drawing winner will be notified via direct message on Twitter.com at the end of each drawing period. Prize winners will be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within four (4) calendar days from the first notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

4.   Prizes: The prize for each Drawing is a McAfee prize pack, which includes a 1-year subscription to McAfee LiveSafe™ service, a McAfee lined shopping bag, a McAfee mouse and a McAfee phone wipe. (Approximate retail value “ARV” of each prize is $100).

Entrants agree that McAfee has the sole right to determine the winners of the drawing and all matters or disputes arising from the drawing and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of McAfee.

Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility. ARV of the prize may be subject to market fluctuation. In the event the stated ARV of a prize is more than the actual retail value of the prize at the time of award, the difference will not be awarded in cash or otherwise.

5.   General conditions: Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner.

Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the Contest, or by any technical or human error, which may occur in the processing of the Contest entries. By entering, participants release and hold harmless McAfee and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the contest, any prize won, any misuse or malfunction of any prize awarded, participation in any contest-related activity, or participation in the contest.

Prize Forfeiture: Each prize will be awarded. If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these prize drawing rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each Drawing.

Dispute Resolution: Entrants agree that McAfee has the sole right to determine the winners of the drawing and all matters or disputes arising from the drawing and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of McAfee.

Governing Law: Each Prize Drawing and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.

Privacy Policy: Personal information obtained in connection with this prize drawing will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html (McAfee Privacy Policy).

The post 12 Scams Merry Merry Retweet to Win Contest appeared first on McAfee Blogs.