Mobile phones are great for phishers, researchers find

Facebook and Twitter passwords could be at risk

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.

Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim's user name and password on websites such as Facebook or Twitter.

Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.

The problem is that mobile users are being trained to enter their passwords and user names into mobile apps.

The first time one mobile program wants access to another -- for example, if Groupon for iPhone wants to share something on Twitter -- the program typically pops up a window that invites the user to sign into that website. But there's usually no way to be sure that the login site is legitimate and that the phone's owner is really sending his user name and password to Twitter.

PC browsers have Web address bars, green warning lights and other features to help Internet users know if they're being tricked by phishers, but that's not the case in the mobile world. Phones are so small there often just isn't space for these protections.

In tests, researchers have shown that it's almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones.

The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing.

David Wagner, a Berkeley computer science professor, believes that until there are better ways for mobile applications to talk with each other, this could be a very hard problem to solve. "The reason we wrote this paper was because we saw the potential risk and we did not have a good solution," he said.

In their paper, Wagner and co-author Adrienne Felt conclude, "mobile users' passwords for several major sites (notably including Facebook and Twitter) might be at risk."

One person who's working on a fix is Markus Jakobsson, principal scientist of consumer security at PayPal. He's developing software that would work with smartphone operating systems, called Spoof Killer. It would keep track of which applications and websites are legitimately supposed to ask for login credentials and simply block the fake ones from working.

Jakobsson thinks there could be a surge of spoofing in the next year or so as the mobile phone becomes the most popular way to surf the Web. "It just makes sense to me, to attack the predominant platform," he said.

Right now, there are not a lot of phishing attacks that specifically go after mobile users, according to Dave Jevans, chairman of the Anti-Phishing Working Group. But he agreed that phishing e-mails are more effective when they end up in mobile-phone mailboxes. "The antiphishing technologies on the mobile phone are inferior compared to what is available on the Windows platform," he said.

However, when it comes to mobile devices, Jevans said he's more worried about malicious apps than about phishing e-mail messages.

Phone makers have security checks to prevent malicious programs from getting included in their app stores. But a criminal could distribute a program that seemed legitimate at first and then flip a switch on a server somewhere and suddenly turn it into a password-stealing phishing program, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout. "It's this whole new world of mobile malware that gets around the security controls," he said.

Luckily, the malicious programs that Mahaffey has seen so far haven't been like this. They've been obvious, engaging in bad behavior from the start. "Right now, the bad guys haven't figured out that you can make something good and then turn it bad after a period of time," he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Topics: Berkeley, Internet-based applications and services, telecommunication, security, University of California, Phones, Phone applications, internet, mobile, Mobile handsets, consumer electronics

Comments

Maxim

1

I thinks it's total BS. Twitter and FB pop-ups occur through Twitter and FB API, respectively, integrated into specific iPhone apps. To get those APIs, developers must register with Twitter and FB and get the keys from them. And finally, Apple scrutinizes all binaries, so it's near impossible to integrate a phishing mechanism there.

Researchers from Berkeley are PhDs, so they probably should now that. Otherwise, their research is total BS.

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?