One day recently Marc Gaffan got a call from his wife. She had received an email from Google saying her Gmail account was blocked due to exceeding the number of emails allowed in a single day.
“I quickly figured out that someone had hacked into her email account. All they were doing – they didn’t want her data – all they wanted was an email address to send spam emails,” said Gaffan, co-founder of Incapsula.
“I immediately activated what Google calls two-step verification, which is two-factor authentication basically, for her account,” Gaffan said. “The person that was sending or the entity that was sending the email through her account could no longer get in there because I put something that was hacker-safe basically in front of the email account and prevented it.”
That little story, in a nutshell, explains the power and simplicity of the security possible with mobile devices. With all the talk of the bring-your-own-device craze wreaking havoc on IT departments and the yearning for simpler days before everyone and everything could connect whenever and wherever, people are missing one very important thing: mobile is going to make us safer, and in many ways it’s the answer to all your business security problems.
The Million-Dollar Question
“One big part of mobile is once you’ve secured mobile, once you know that you’ve protected it against malware,” said Mike Byrnes, product manager at Entrust, “Then you have something very powerful in your hand. You have a secure, convenient, anytime-anywhere device that you can use to authenticate to computer applications.”
“Once you’ve secured mobile” – that leads to the million-dollar question. How do you get mobile secure?
There are several problems unique to mobile: it’s easier to get phished, it’s easier to get stolen, and people let their guard down. Mobile is very reactive. It’s used in an in-and-out fashion to quickly check email, social media and other apps. Combine that mentality with a smaller screen that makes things look a little different, and it’s the perfect chance for someone to click a link they likely wouldn’t on a PC. Add in the fact that a person always has their phone on them – a huge reason why it’s perfect for security authentication – and that also means it’s much more likely to be stolen or accessed by someone else compared to, say, a work laptop.
Much of this comes down to ignorance. Dan Ford, the chief security officer at Fixmo, told us he speaks to people whenever he gets the chance, even on an airplane, to educate them about all the valuable data on their phone and how to go about keeping it safe. They often don’t even have a PIN.
“They believe that it’s protected because Apple says it’s protected, because Google says it’s protected,” Ford said. “They’re not as safe as they thought they were.”
And that’s where so many companies go wrong. A culture of security has to be created and instilled in every employee. They have to be aware of these issues before they can fix them.
A Shift is Coming
“Many banks offer their customers something they call dual controls,” Byrnes said. “That transaction won’t go through until I login and I review and approve the transaction. It’s like I’m signing that transaction by going into the system with my credentials and doing that. Well, unfortunately, there’s been a number of fraud attacks against small business where the bank had offered them to use dual controls and the small business didn’t take advantage of it. Sounds kind of crazy – back to your point, why wouldn’t they? If I’m a small business guy, and if I get $50,000 stolen from me, that’s a big deal. That could put me out of business. But they’re not using dual controls because it’s cumbersome and it’s difficult.”
Just this year there was a lawsuit involving over $440,000 in losses taken via fraudulent wire transfers with the exact situation that Byrnes described. And this time the bank was not held responsible. From the summary judgement:
… at the center of the entire litigation – is a question of who should bear the risk of loss when a wire transfer is fraudulently undertaken by a third-party unconnected to either the bank or its customer.
The victims were offered the chance to sign up for dual authorization on more than one occasion, and they refused. With that refusal the judge decided the bank was no longer responsible for the later losses that resulted from poor security.
“So what the banks are starting to do is – back to our mobile phone discussion – say, ‘Why don’t we use the mobile phone to do those dual controls?’” Byrnes said. “It helps make security simpler to use, and we envision more and more customers will take advantage of dual controls once mobile is being used to help facilitate that.”
That’s where the problem ultimately lies – people, be it customers or employees, do not want to be inconvenienced by cumbersome security controls, even if implementing those controls could have saved hundreds of thousands of dollars in losses. A secure mobile device used as an authentication device is the natural solution to that problem.
“We’re really transforming this phone into your digital identity. You can use it to log onto your computer or your computer network as I mentioned. It can be used for physical access to the building. You can also use it to defeat very advanced malware attacks,” Byrnes said.
Say you have a typical piece of banking malware, and you transfer $500 to a vendor. That malware may sit in the middle and change the payment to $5000 and try to send it out of the country. Or another piece of malware may try to do a wire transfer for $50,000 out of your corporate treasury account. Or other malware may try to access high-level intellectual property like plans for the latest fighter jet.
“We check those kinds of transactions with this mobile out-of-band transaction verification method that I’ve talked about,” Byrnes said. “If it’s not you, you’re going to look at your mobile device and hit cancel.”
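As an added illustration of the out-of-band verification flow Byrnes describes (example code written for this article, not Entrust's product or any bank's implementation; the device secret, payee names and amounts are constructed), the phone shows the transaction the bank actually received, the user approves only if it matches what they intended, and the approval is a MAC bound to those exact fields so it cannot be reused for a different transfer:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: the phone and the bank share a per-device secret established at enrollment.
DEVICE_SECRET = b"constructed-device-secret-enrolled-out-of-band"

Txn = Tuple[str, int, str]  # (payee, amount in cents, destination country)


def canonical(payee: str, amount_cents: int, country: str) -> bytes:
    """Fixed encoding of the fields the user is shown and asked to approve."""
    return f"{payee}|{amount_cents}|{country}".encode()


def phone_review(secret: bytes, intended: Txn, shown: Txn, nonce: str) -> Optional[str]:
    """Runs on the phone. 'shown' is what the bank pushed over the second channel;
    'intended' stands in for the user's memory of the transfer they typed.
    The user taps approve only when they match; the approval is an HMAC over the
    shown fields plus a server nonce, so it is tied to this one transaction."""
    if shown != intended:
        return None  # user looks at the phone and hits cancel
    msg = canonical(*shown) + nonce.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def bank_execute(secret: bytes, received: Txn, nonce: str, approval: Optional[str]) -> bool:
    """Runs at the bank: execute only if a valid approval exists for exactly the
    transaction it is holding, compared in constant time."""
    if approval is None:
        return False
    expected = hmac.new(secret, canonical(*received) + nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)


def run_transfer(intended: Txn, received: Txn) -> bool:
    """End to end: the browser submits 'received' (which malware in the browser may
    have altered), the bank pushes it to the phone, and the phone returns an
    approval or None. Returns whether the bank executed the transfer."""
    nonce = secrets.token_hex(8)  # fresh per transaction, issued by the bank
    approval = phone_review(DEVICE_SECRET, intended, received, nonce)
    return bank_execute(DEVICE_SECRET, received, nonce, approval)
```

The first scenario from the article (a $500 payment silently rewritten to $5000 and sent abroad) fails at the phone because the user sees the altered details; an approval captured for one transfer is also useless for any other because the MAC covers the fields and the nonce.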
“Two-factor authentication in general once used to be a corporate-only, banking-only, enterprise-only technology,” Gaffan said. “It’s actually the must-have solution for every single application that we use.”
As with everything, it starts at the top. Banks, for example, started by implementing it on their high-profile and business accounts first, but eventually it will trickle down to everyone and become the new status quo. Even social media like Twitter has finally jumped on the bandwagon after accounts became compromised time and time again.
Of course, having a secure mobile device is the foundation all of this is built upon. Educating employees is key, and every business needs to have a mobile policy. On Byrnes’ tip list: never support jailbroken or rooted devices, have Wi-Fi secured through mobile access certificates, only deploy apps from vetted stores, force PIN protection on the application level instead of usernames and passwords, and never assume that SMS is secure.
“There’s a big perception out there that mobile is insecure, so we have to overcome and educate people and say, ‘Well, there are ways to really secure your mobile device,’” Byrnes said. “So I think it will take time, but the convenience that’s offered with mobile and the security improvements over the desktop I think will cause that shift to happen fairly quickly.”
This is part of a two-part series on how mobile devices affect business. The other side: Mobile Devices – A Nightmare for Business Security