ID menace moves to mobiles

By Lezette Engelbrecht, ITWeb online features editor
Johannesburg, 30 Mar 2009

As cellphones are increasingly used to store, transmit and access sensitive information, South African users are facing a greater threat of ID theft, a trend already observed in other countries.

A recent UK report revealed four million Britons were leaving themselves vulnerable to theft in the event of their phones being stolen.

In a small poll of mobile users at the ITWeb offices, all respondents stored contact numbers, mostly a mix of business and personal, on their phones, and the majority also kept SMSes and photos.

Although most users could limit entry to their phones via a PIN code or password, a few had no such barrier in place. Roughly two-thirds accessed the Internet via their phone and a third made use of online banking services. Approximately one-third of respondents stored PIN codes or passwords for other services like online accounts or social media log-ins on their mobiles.

According to Richard Hurst, IDC programme manager for communications, Africa, one of the security issues mobile users should consider is the cost of the data they store on their phones and the cost of losing that data. “As people begin to use their mobile devices for a wider range of applications, there is a danger that sensitive data could be lost or stolen.”

Analysts agree the information most likely to be used in identity fraud includes PIN and ID numbers, online log-in details, and bank and credit card details.

Senior security analyst at SensePost, Ian de Villiers, says the widespread adoption of mobile devices has increased the risk of identity theft for South Africans, but that the threat is still indirect. “The theft of a mobile device is not going to directly result in the theft of the individual's identity, but it will disclose information which a fraudster would find exceptionally valuable in the process.”

De Villiers explains that even if only contact details are stored on a mobile device, a potential fraudster with access to the device can already infer large amounts of information from the hapless user. This includes who the victim regularly calls and what their numbers and names are - information that can prove of value, specifically if the fraudster is able to pinpoint specific contacts on the device as the victim's spouse or family.

“Identity theft is a very difficult threat to protect against, as the most innocuous piece of personal information can lead to the disclosure of progressively larger and larger amounts of information,” warns De Villiers.

He adds that in cases where e-mail and scheduling are stored on the device, the problem becomes compounded. Access to the user's e-mail then starts becoming access to the user's online identity.

Risky business

As more people use their mobiles to conduct business and make transactions, there is the additional risk of endangering the confidential details of company contacts and clients.

“Corporates providing smartphones to users generally allow them to access their e-mail remotely and store this information on their phone. It might not be uncommon for a corporate user to have valuable and confidential information in his e-mail - including the personal information of customers. In this case, it is not only the corporate user who loses his phone who is at risk, but also clients of the corporate,” says De Villiers.

According to Paul Jacobson, Web and digital media lawyer at Jacobson Attorneys, the biggest challenge is making users aware of what personal information is being collected and what it is going to be used for. “Companies also need to be aware of the need to publish comprehensive privacy policies and take informed consent from users to collect and process personal information,” he adds.

When it comes to laws protecting users' details, SA lags behind regions like Europe, says Jacobson. “We simply don't have much legislation to guide us and most of our current privacy law is derived from case law and common law.”

In addition, there have been concerns about corporate text messages and the potential dangers they involve. Ryan Smit, research analyst at BMI-TechKnowledge, says text message phishing could become a great risk. “E-mail phishing already affects many consumers in this country, and would likely affect many more if mobile phishing increased.”

According to De Villiers, it is possible for a user to receive a message from their bank, mentioning that some irregular activity was noticed on their account, and requesting them to contact the institution on a specific number. These schemes can be used for more damaging attacks, such as tricking the user into disclosing personal information.

Strictly confidential

As facilitators of much of the information that passes between mobile phones, network operators take steps to ensure private details are kept secure. According to chief communications officer for Vodacom, Dot Field, the mobile operator has a variety of security and policy measures in place to protect both its network and its customers' personal information.

The company's Web privacy policy adds, however, that it may collect and use personal details such as names, addresses, telephone numbers, e-mail addresses and account numbers for business communications, administration and transacting.

Bridget Bhengu, public relations and communication officer at MTN SA, says MTN Banking uses full Triple DES encryption on all transactions performed, whether by mobile phone or via its Internet site. All confidential information is stored on encrypted databases, protected by the necessary security firewalls.

“As far as we are aware, no MTN Banking customers have been subjected to the type of attack where funds are illegally removed from their account either via the phone channel or via the Internet. However, we have encountered cases where stolen identity documents have been used to fraudulently open accounts,” says Bhengu. She adds this is something all banks are subject to and the company is working to resolve these issues.

While Cell C had not responded to requests for comment, its online privacy policies give assurance that personal details will be protected from loss or misuse.

Field stresses that if individuals are using their cellphones to store personal information, it is of critical importance that this information be encrypted. Blacklisting services, offered by all the major network operators, allow users to block their phones from being used if they have been taken.

“Most importantly, users must realise that a mobile device can easily be lost or stolen,” says De Villiers. “The data stored on the phone today might be outside the legitimate user's control tomorrow.”

Secret guardian

Until more stringent legislation is in place, users need to take measures to protect their confidential details. “Don't store personal information in an obvious place, or under obvious names,” says Smit. “The phonebook will be the first place a thief will look, followed by notes and messages, and names such as PIN, PSWRD, IDnum will not be hard to decrypt.”

Smit adds that many smartphones have downloadable applications called PIMs (personal information managers) which store personal information in a data vault which can only be unlocked by a password. “These types of measures will be effective as long as the password is strong and the user hasn't saved the password in his phonebook.”

While traditional identity theft is not directly possible as a result of the theft of an individual's mobile device, the widespread adoption of these devices, and the incredibly large amounts of information stored on them, has definitely made things more problematic, says De Villiers.

“Other innovations in the mobile field have also made this a transactional tool. The field is constantly changing, and as devices become more and more complex, so do the security concerns.”
