Mobile phones are great for phishers, researchers find

Facebook and Twitter passwords could be at risk

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.

Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim's user name and password on websites such as Facebook or Twitter.

Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.

The problem is that mobile users are being trained to enter their passwords and user names into mobile apps.

The first time one mobile program wants access to another -- for example, if Groupon for iPhone wants to share something on Twitter -- the program typically pops up a window that invites the user to sign into that website. But there's usually no way to be sure that the login site is legitimate and that the phone's owner is really sending his user name and password to Twitter.

PC browsers have Web address bars, green warning lights and other features to help Internet users know if they're being tricked by phishers, but that's not the case in the mobile world. Phones are so small there often just isn't space for these protections.

In tests, researchers have shown that it's almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones.

The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing.

David Wagner, a Berkeley computer science professor, believes that until there are better ways for mobile applications to talk with each other, this could be a very hard problem to solve. "The reason we wrote this paper was because we saw the potential risk and we did not have a good solution," he said.

In their paper, Wagner and co-author Adrienne Felt conclude, "mobile users' passwords for several major sites (notably including Facebook and Twitter) might be at risk."

One person who's working on a fix is Markus Jakobsson, principal scientist of consumer security at PayPal. He's developing software that would work with smartphone operating systems, called Spoof Killer. It would keep track of which applications and websites are legitimately supposed to ask for login credentials and simply block the fake ones from working.

Jakobsson thinks there could be a surge of spoofing in the next year or so as the mobile phone becomes the most popular way to surf the Web. "It just makes sense to me, to attack the predominant platform," he said.

Right now, there are not a lot of phishing attacks that specifically go after mobile users, according to Dave Jevans, chairman of the Anti-Phishing Working Group. But he agreed that phishing e-mails are more effective when they end up in mobile-phone mailboxes. "The antiphishing technologies on the mobile phone are inferior compared to what is available on the Windows platform," he said.

However, when it comes to mobile devices, Jevans said he's more worried about malicious apps than about phishing e-mail messages.

Phone makers have security checks to prevent malicious programs from getting included in their app stores. But a criminal could distribute a program that seemed legitimate at first and then flip a switch on a server somewhere and suddenly turn it into a password-stealing phishing program, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout. "It's this whole new world of mobile malware that gets around the security controls," he said.

Luckily, the malicious programs that Mahaffey has seen so far haven't been like this. They've been obvious, engaging in bad behavior from the start. "Right now, the bad guys haven't figured out that you can make something good and then turn it bad after a period of time," he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags BerkeleyInternet-based applications and servicestelecommunicationsecurityUniversity of CaliforniaPhonesPhone applicationsinternetmobileMobile handsetsconsumer electronics

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?