Truth or Hype: Smart Phones carry High Cyber Risk?

By Shardul Singh

In the last couple of years, many banks have started to offer their banking services on smart phones. At the launch of each such mobile application, I have noticed a lot of noise from Information Security Professionals and Cyber Gurus.

The conventional wisdom is that any data or app on a mobile phone is at high risk because it is a lot easier to misplace or steal a mobile phone. That might have been true 10-15 years ago, but now that even the FBI has recently struggled to get data out of an iPhone, it seems things have changed significantly and these devices may not be as risky anymore.

If I compare a smart phone with a conventional desktop machine, the desktop is within the physical boundaries of your office or home, but as an end user your contact time with it is a lot less than with the smart phone. You access the desktop only when you are in front of it, maybe 8-10 hours, whereas you carry your smart phone almost all the time. Even when people are sleeping, their smart phone is usually next to them on the side table. That makes it a lot easier to connect a snooping device such as a key logger to a desktop, or to open the device in your absence. I have heard a lot more stories of desktop RAM stolen from corporate offices than of parts stolen from smart phones.

Also, most desktops either don't support location tracking or the feature is generally not enabled. As a result, if (God forbid) a desktop is stolen, it is a lot more difficult to track it and remotely wipe it than it is with a smart phone.

On desktops, we generally have a sense of much more storage space and a false sense of security, and hence we tend to download a lot more data from unknown sources: music, freeware, videos, software code, etc. These are golden opportunities for malware writers to distribute new zero-day exploits.

On smart phones, by contrast, we usually prefer to stream music and videos, we download software from app stores that have done some security checks before listing it, and hardly anyone downloads software code onto a smart phone. This reduces the attack surface significantly in comparison to desktops.

Similarly, if I compare smart phones against laptops: when people carrying a laptop go shopping or something similar, they usually leave the laptop in the car, which is one of the most popular avenues for stealing a laptop. I don't think anyone leaves a smart phone in the car when they go shopping.

Still, in a worst-case scenario where the device is stolen, the storage memory of a smart phone can be taken out, similar to the hard disk of a desktop or laptop. With certain smart phones it is easier, since you only need to take out a Micro SD card, whereas in other cases you might need a special tool to open the device first.

However, the good news is that most of the applications people use on smart phones are cloud based, which means your critical data is not on your local disk (except some photos, music, videos and OS configuration). By contrast, one tends to put a lot more confidential information on a desktop or laptop. We have the technology available today to easily encrypt the storage (hard disks or chips) of all three of these device types.

Therefore, personally, I believe that it would be inappropriate to judge a device as a low or high cyber security risk on the basis of its size or form factor.

We have seen a lot more and faster innovation with Smart phone devices and I hope it will continue.

The risk assessment should be based on material impact and likelihood of occurrence in today’s scenario, instead of preconceived notions of the last decade.

My respect to the Information Security Experts and the Cyber Gurus. They have done a fantastic job in increasing awareness around this underinvested area, and I would like to see more effort and seriousness on the part of corporates in product design as well as in upgrading their existing IT infrastructure.

At the same time, I also have to acknowledge that biometric devices (fingerprint readers) have been tried on physical door entry/turnstiles, desktops and laptops but were never accepted by the masses. Now one company has put a fingerprint reader on a smart phone, and more people are using biometric login on their smart phones than ever used it for the three other purposes mentioned above, combined.

The bottom line is that only good product design and material impact will define what is high or low risk and what is going to be accepted by the masses.

Blog Author

  Shardul Singh, FRM, CISA, CISSP

  FinTech Risk Management & Audit Consultant