In-store Payments via Mobile Apps Can Lead to Increase in Card Not Present (CNP) Fraud
Consumers love the convenience of paying for goods and services in store with their NFC-enabled smartphones and stored credit cards. Retailer-specific mobile apps now let you pay for everything from coffee, to movie tickets, to poutine straight from your phone.
As more and more retailers embrace this technology and release their own mobile apps with in-store payment options, they must carefully consider the threat of fraudsters looking to profit from flaws in the implementation or from the human component. The following are a few example Card Not Present (CNP) fraud schemes that retailers who offer in-store purchasing through a store-branded mobile app should be aware of.
In these scenarios, we will use the imaginary retailer Smoothie Shop. Smoothie Shop has a mobile app that allows customers to save their credit card in the app in order to facilitate easy in-store purchases. Consumers log into their Smoothie Shop account using an email address and password. Smoothie Shop has recently seen an increase in CNP fraud and chargebacks, but is unable to pinpoint the root cause.
(Smoothie Shop mobile app login)
CNP Fraud Scheme #1 – Fraudster takes over a Smoothie Shop account that has a Credit Card saved in the app
In this scenario, the fraudster has to take over an existing Smoothie Shop account, which is known in the industry as Account Takeover (ATO).
In this scenario the fraudster has lucked out! Since the account that was taken over by the fraudster already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information and enjoy a refreshing smoothie that was paid for via some other Smoothie Shop customer’s stored credit card.
CNP Fraud Scheme #2 – Fraudster takes over a Smoothie Shop account that does not have a Credit Card saved in the app
Again this scenario requires the fraudster to take over an existing Smoothie Shop account; however, it requires a little more legwork and is less profitable than Fraud Scheme #1 above. Since the Smoothie Shop account that was taken over does not have a credit card saved in the app, the fraudster will instead need to buy a stolen credit card off the Dark Web or some other electronic market*, then add the freshly purchased card to the Smoothie Shop account and app. Once this is done, the fraudster proceeds in-store to obtain smoothies using the stolen credit card.
Why would the fraudster go through the trouble of taking over an existing Smoothie Shop account you ask? Good question! Fraudsters are aware that aged accounts (e.g. accounts more than 3-6 months old) with a good transaction history are usually given more leeway and transactions from these accounts are less closely scrutinized when compared to a brand new account with no transaction history.
*Stolen credit cards can be acquired for as little as $3 or as much as several hundred dollars depending on the credit limit, zip/postal code, issuing bank, etc.
(screenshot from Dark Web Credit Card market)
CNP Fraud Scheme #3 – Fraudster creates a brand new Smoothie Shop account
This scheme doesn’t require taking over an existing account, but instead requires the fraudster to use a bot tool or a human clickfarm to create hundreds of “fake” Smoothie Shop accounts. Once the fraudster has access to multiple Smoothie Shop fake accounts, he can then add in as many stolen credit cards as he pleases in order to make in-store purchases at Smoothie Shop, each one being a unique incident of CNP fraud.
(In-store payment via Smoothie Shop mobile app and stored credit card)
What can Retailers and Consumers do to protect themselves?
Prevention Methods for Retailers
1) Prevent Account Takeover. This is easier said than done. There are many ways to prevent or at least significantly reduce the amount of ATO, such as by eliminating Credential Stuffing. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster and he/she will likely go elsewhere to commit fraud.
2) Maintain control of Account Creation process. Creation of accounts by bots and scripts can be limited by using a CAPTCHA, however captchas can be bypassed by mid-level sophistication fraudsters, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device level information in order to restrict the number of new accounts that can be created by a single device. There are device farms available for rent, but forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.
3) Ensure your customers are not logging into your site/mobile app with credentials that have been compromised in 3rd party data breaches. This is a NIST recommendation that makes a lot of sense in today’s world of daily breaches. The customers that are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.
4) Build controls around misuse of credit cards in the mobile app. Legitimate customers will likely need to add 1, maybe 2 unique credit cards to their account/device. Any account/device trying to add 3, 4, 5, or more credit cards to an account should be closely inspected and possibly restricted from adding any more. The stored credit card should also be tied to the device, rather than the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier on the device level.
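The card-add velocity limit and the card-to-device binding from item 4 can be expressed as a small piece of backend policy. The following is an added example written for this page, not Smoothie Shop's or Shape Security's code; it assumes the app issues a strong per-install device identifier, that cards are stored as processor tokens rather than card numbers, and the thresholds are the illustrative "1, maybe 2" from the text:

```python
"""Stored-card controls for a retailer's mobile-payment backend.

Added example, not Smoothie Shop's or Shape Security's code. It models
two of the controls above: a cap on how many distinct cards an account or
a device may add, and binding each stored card to the device that added
it, so a login from an unseen device has no stored card to spend. The
device identifier is assumed to be a strong per-install identifier issued
by the app, and the card 'token' stands in for a payment-processor token
(the PAN itself is never stored here). Thresholds are illustrative.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

MAX_CARDS_PER_ACCOUNT = 2   # "1, maybe 2" legitimate cards per account
MAX_CARDS_PER_DEVICE = 2    # same cap applied across every account seen on a device


@dataclass
class StoredCard:
    token: str       # processor token, never the card number
    device_id: str   # device that added the card; usable only from here
    last4: str


@dataclass
class Account:
    email: str
    cards: list[StoredCard] = field(default_factory=list)
    flagged: bool = False   # set when a limit trips, for manual review


class CardVault:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # every card token ever added from a given device, across all accounts
        self.tokens_by_device: dict[str, set[str]] = defaultdict(set)

    def account(self, email: str) -> Account:
        return self.accounts.setdefault(email, Account(email))

    def add_card(self, email: str, device_id: str, token: str, last4: str) -> str:
        """Return 'ok' or a refusal reason. Both the account and the device are rate-limited."""
        acct = self.account(email)
        acct_tokens = {c.token for c in acct.cards}
        if token in acct_tokens:
            return "ok"  # re-adding a card already on file is not a new card
        if len(acct_tokens) >= MAX_CARDS_PER_ACCOUNT:
            acct.flagged = True
            return "refused: account card limit reached"
        device_tokens = self.tokens_by_device[device_id]
        if token not in device_tokens and len(device_tokens) >= MAX_CARDS_PER_DEVICE:
            # Scheme #3: many fake accounts, one device, a stream of stolen cards
            acct.flagged = True
            return "refused: device card limit reached"
        acct.cards.append(StoredCard(token, device_id, last4))
        device_tokens.add(token)
        return "ok"

    def usable_cards(self, email: str, device_id: str) -> list[StoredCard]:
        """Cards a session on device_id may pay with: only those added from that device.

        An account taken over from a new device (Scheme #1) therefore has no
        stored card to present at the register, even though the account has cards."""
        return [c for c in self.account(email).cards if c.device_id == device_id]


def demo() -> dict:
    """Walk the schemes through the controls; returns the decisions for inspection."""
    vault = CardVault()
    alice = "alice@example.com"            # constructed customer
    add1 = vault.add_card(alice, "dev-alice", "tok_1111", "1111")
    add2 = vault.add_card(alice, "dev-alice", "tok_2222", "2222")
    add3 = vault.add_card(alice, "dev-alice", "tok_3333", "3333")   # over the account cap
    # Scheme #1: attacker logs in as Alice from a different device
    stolen_session = vault.usable_cards(alice, "dev-attacker")
    own_session = vault.usable_cards(alice, "dev-alice")
    # Scheme #3: attacker cycles stolen cards through fake accounts on one device
    farm = [vault.add_card(f"fake{i}@example.com", "dev-attacker", f"tok_{i}", f"{i:04d}")
            for i in range(4)]
    return {
        "alice_adds": [add1, add2, add3],
        "cards_visible_to_attacker": len(stolen_session),
        "cards_visible_to_alice": len(own_session),
        "card_farm": farm,
        "flagged": sorted(e for e, a in vault.accounts.items() if a.flagged),
    }
```

The device-level counter is what makes Scheme #3 expensive: the fraudster's fake accounts each pass the per-account check, but the shared device runs out of card adds after two, and every refusal flags the account for review. The binding in `usable_cards` is the Scheme #1 defence, and it only works if the device identifier cannot be trivially forged, which is why the text stresses a strong, unique device identifier.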
Prevention Methods for Consumers
1) Don’t reuse passwords across multiple sites! – This is the single most important piece of advice consumers should follow. If you reuse the same password across multiple sites, it is no longer a question of if, but rather when you will become a victim of Account Takeover and fraud. Using a Password Manager to create strong and unique passwords will greatly improve your personal security posture.
2) Be mindful of the sites and apps that you enter your username and password in to. Many fraudsters are now relying on phishing scam sites that look eerily similar to the real retailer/airline/bank site but are in fact under the control of the fraudster and are meant to harvest credentials in order to commit fraud.
3) Make sure you have a reputable antivirus on your Smartphone and uninstall any apps that are flagged as suspicious or malicious.
4) Use a virtual credit card. Virtual credit cards are now available from a number of organizations. These are beneficial as you can create a single use virtual credit card with a credit limit for a specific retailer. That way if the retailer suffers a data breach, or your account is taken over, your fraud exposure is contained and your real credit card is still secure.
5) Ask the retailer about their security controls and practices, and how they prevent Account Takeover. If they give you a sub-par canned answer, maybe you should think twice before saving your credit card information in their app.
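Retailer item 3 (screen logins against credentials exposed in third-party breaches) and consumer item 1 (stop reusing passwords) are two sides of the same control, and the check is cheap to implement. The following is an added example, not code from the original post: it follows the k-anonymity range-query design of the public Pwned Passwords API (SHA-1, query by the first five hex characters, match the remainder on the client), but the range service is replaced by an in-memory stand-in with a constructed hash list so it runs offline. The NIST basis is SP 800-63B section 5.1.1.2; the step-up-at-login behaviour is this editor's suggestion, not something the post prescribes.

```python
"""Compromised-password screening at signup and at login, k-anonymity style.

Added example, not code from the original post. NIST SP 800-63B (section
5.1.1.2) has verifiers compare a prospective password against lists of
values known to be compromised; retailer item 3 above and consumer item 1
are two sides of the same control. The range-query shape below follows the
public Pwned Passwords API design (SHA-1 of the password, query by the first
five hex characters, match the remainder locally), but the range service
here is an in-memory stand-in so the example runs offline, and its contents
are constructed, not taken from any real breach.
"""
from __future__ import annotations
import hashlib
import hmac


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus. Plaintexts appear only to build the fixture; a real
# service holds hashes and occurrence counts, never the passwords.
_CONSTRUCTED_BREACHED = {"password": 1234567, "smoothie123": 12, "Summer2019!": 845}
_BREACH_HASHES = {sha1_hex(p): n for p, n in _CONSTRUCTED_BREACHED.items()}


def range_lookup(prefix: str) -> list[tuple[str, int]]:
    """Stand-in for GET /range/{prefix}: (suffix, count) for every hash starting with prefix.

    The service only ever sees 20 bits of the hash, so it cannot tell which
    password in the bucket the client is asking about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [(h[5:], n) for h, n in _BREACH_HASHES.items() if h.startswith(prefix)]


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in range_lookup(prefix):
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


def accept_new_password(password: str, min_len: int = 8) -> tuple[bool, str]:
    """Policy for signup or password change: length floor plus breach screening."""
    if len(password) < min_len:
        return False, "too short"
    hits = breach_count(password)
    if hits:
        return False, f"appears in breach data {hits} times; choose another"
    return True, "ok"


def login_risk(password: str) -> str:
    """At login a correct-but-breached password should not be rejected outright
    (that locks out real customers); instead step up verification and force a
    rotation, since these are the accounts most likely to be taken over."""
    if breach_count(password):
        return "step-up: password known compromised; force rotation"
    return "normal"
```

Applying the same check at login rather than only at signup is what catches the accounts the post describes as "taken over and defrauded first": customers who set a reused password before the breach that exposed it.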
This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Carlos Asuncion. Read the original post at: https://blog.shapesecurity.com/2020/02/13/in-store-payments-via-mobile-apps-can-lead-to-increase-in-card-not-present-cnp-fraud/
View full post on National Cyber Security
If you receive a phone call from anyone claiming to be an employee of an online shopping site or ‘buy first – pay later’ business advising you there are issues associated with your account – just hang up and contact the company using an independently verified […]
Many modern vehicles let owners use the Internet or a mobile device to control the car’s locks, track location and performance data, and start the engine. But who exactly owns that control is not always clear when these smart cars are sold or leased anew. Here’s the story of one former electric vehicle owner who discovered he could still gain remote, online access to his old automobile years after his lease ended.
Mathew Marulla began leasing a Ford Focus electric vehicle in 2013, but turned the car back in to Ford at the end of his lease in 2016. So Marulla was surprised when he recently received an email from Ford.com stating that the clock in his car was set incorrectly.
Out of curiosity, Marulla decided to check if his old MyFordMobile.com credentials from 2016 still worked. They did, and Marulla was presented with an online dashboard showing the current location of his old ride and its mileage statistics.
The dashboard also allowed him to remotely start the vehicle, as well as lock and unlock its doors.
“It was a three-year lease from Ford and I turned it in to Ford four years ago, so Ford definitely knows I am no longer the owner,” Marulla said, noting that the dashboard also included historic records showing where the Focus had been driven in days prior.
“I can track its movements, see where it plugs in,” he said. “Now I know where the current owner likely lives, and if I watch it tomorrow I can probably figure out where he works. I have not been the owner of this vehicle for four years, Ford knows this, yet they took no action whatsoever to remove me as the owner in this application.”
Asked to comment on Marulla’s experience, a spokesperson for Ford said all Ford dealerships are supposed to perform a “master reset” as part of their used car checklist prior to the resale of a vehicle. A master reset (carried out via the vehicle’s SYNC infotainment screen by a customer or dealer) disassociates the vehicle from all current accounts.
“A master reset cleans phone data and removes previous Ford Pass and My Ford Mobile connections,” the company said in a statement released to KrebsOnSecurity. “Once complete, a previous owner will no longer be able to connect to the vehicle when they log in to My Ford Mobile or Ford Pass.”
As Marulla’s experience shows, if you’re in the market for a used car you should probably check whether it’s possible to reset the previous owner’s control and/or information before purchasing it, or at least ask the dealership to help you ensure this gets done once the purchase is made.
And if you’re thinking of selling your car, it’s a good idea to clear your personal data from the vehicle first. As the U.S. Federal Trade Commission advises, some cars have a factory reset option that will return the settings and data to their original state.
“But even after a factory reset, you may still have work to do,” reads an FTC consumer privacy notice from 2018. “For example, your old car may still be connected to subscription services like satellite radio, mobile Wi-Fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle.”
By the way, this issue of de-provisioning is something of a sticky wicket, and it potentially extends well beyond vehicles to a number of other “smart” devices that end up being resold or refurbished. This is doubly so for Internet-connected/capable devices whose design may give the previous owner a modicum of access to or control over the device in question regardless of what steps the new owner takes to limit such access (particularly some types of security cameras).
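The design failure in the story is that remote access was tied to whichever account first paired with the car and only a manual dealer step could undo it. The following is an added example, not Ford's design or code, of the alternative: authorize every remote command against the vehicle's current ownership record, treat a lease return as a state with no remote users at all, and revoke all prior pairings as part of the transfer itself. The account names and VIN are made up.

```python
"""Ownership-bound remote access for a connected vehicle.

Added example; not Ford's design or code. It models the de-provisioning
point of the story: remote commands are authorized against the vehicle's
current ownership record, a lease return leaves the car with no remote
users at all, and a sale revokes every prior pairing before the buyer's
account is bound. Account names and the VIN are made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    pass


@dataclass
class Vehicle:
    vin: str
    owner: str | None = None                       # account holding title or lease; None = in inventory
    paired: set[str] = field(default_factory=set)  # accounts allowed to send remote commands
    audit: list[str] = field(default_factory=list)


class Fleet:
    def __init__(self) -> None:
        self.vehicles: dict[str, Vehicle] = {}

    def register(self, vin: str, owner: str) -> Vehicle:
        v = Vehicle(vin, owner, {owner})
        self.vehicles[vin] = v
        return v

    def pair(self, vin: str, requester: str, account: str) -> None:
        """Only the current owner may grant another account (e.g. a family member) access."""
        v = self.vehicles[vin]
        if requester != v.owner:
            raise NotAuthorized(f"{requester} does not own {vin}")
        v.paired.add(account)
        v.audit.append(f"pair {account} by {requester}")

    def lease_return(self, vin: str) -> list[str]:
        """Car goes back to the manufacturer/dealer: nobody keeps remote access."""
        v = self.vehicles[vin]
        revoked = sorted(v.paired)
        v.paired.clear()
        v.owner = None
        v.audit.append(f"lease_return; revoked {revoked}")
        return revoked

    def transfer(self, vin: str, new_owner: str) -> list[str]:
        """Sale or new lease: revoke every prior pairing, then bind the new owner.
        This is what the dealer's manual 'master reset' was supposed to achieve."""
        v = self.vehicles[vin]
        revoked = sorted(v.paired)
        v.paired = {new_owner}
        v.owner = new_owner
        v.audit.append(f"transfer to {new_owner}; revoked {revoked}")
        return revoked

    def remote_command(self, vin: str, account: str, command: str) -> str:
        """Authorize lock/unlock/start/locate; the check is against the live pairing set,
        not a flag cached in the requester's account."""
        v = self.vehicles[vin]
        if v.owner is None or account not in v.paired:
            v.audit.append(f"DENY {command} from {account}")
            raise NotAuthorized(f"{account} may not control {vin}")
        v.audit.append(f"ALLOW {command} from {account}")
        return f"{command} executed on {vin}"


def demo() -> dict:
    """Replay the story's timeline: lease, return, resale, then the old lessee tries again."""
    fleet = Fleet()
    vin, lessee, buyer = "VIN-CONSTRUCTED-0001", "lessee@example.com", "buyer@example.com"
    fleet.register(vin, lessee)
    during_lease = fleet.remote_command(vin, lessee, "lock")
    fleet.lease_return(vin)
    fleet.transfer(vin, buyer)
    outcomes = {}
    for who in (lessee, buyer):
        try:
            outcomes[who] = fleet.remote_command(vin, who, "locate")
        except NotAuthorized:
            outcomes[who] = "denied"
    return {"during_lease": during_lease, "after_resale": outcomes,
            "audit": fleet.vehicles[vin].audit}
```

The point of keeping the pairing set on the vehicle record rather than on the user's account is that the lifecycle events the business already tracks (lease return, title transfer) become the revocation events, and the audit trail records every denied attempt from a stale account.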
Tags: Focus EV, Ford, Mathew Marulla, MyFordMobile.com, U.S. Federal Trade Commission
The post When Your Used Car is a Little Too ‘Mobile’ — Krebs on Security appeared first on National Cyber Security.
With growing enterprise mobility requirements plus higher numbers of remote workers, properly securing mobile and remote users is causing IT security teams to rethink their endpoint security strategies.
VPN tunneling enables remote users to benefit from most perimeter protections. However, full-time VPN enforcement can be difficult. Users may not always follow VPN usage guidelines, and in mobile BYOD environments it can be even more challenging: personal devices may not even be set up for VPN access, users may use unsecured WiFi networks, and they typically use mobile devices for both corporate and personal purposes.
Special “secure” web proxies are another option for protecting remote workers. But most organizations find deployment and enforcement challenging for similar reasons as for VPN tunneling, especially on BYOD mobile devices. Web proxies also bring their own set of security, user privacy, and latency concerns.
The most commonly deployed security option for remote workers has traditionally been endpoint anti-virus or NextGen AV (NGAV) solutions. But endpoint security for laptops is focused on malware protection and offers little in the form of anti-phishing protection; that is, protection from file-less social engineering attacks designed to exploit users rather than the devices themselves. For the latter, most organizations use a variety of email security solutions. These certainly help reduce the number of phishing emails remote users see in their inboxes, but they do nothing to protect users from targeted phishing attacks in personal email, social media, ads, rogue browser extensions, messaging platforms, and more.
For users on mobile iOS and Android devices, the situation is worse. The vast majority of mobile devices have no special security protection other than the protections natively built into iOS and Android, along with their respective app store vetting processes. Safe browsing protections on mobile are also just a fraction of those on desktop browsers. Fortunately, truly malicious mobile malware is still quite rare. Unfortunately, mobile phishing is rampant. According to at least one mobile threat defense vendor, mobile users are 18x more likely to encounter a phishing threat than malware. There are also additional phishing attack vectors such as SMiShing which are largely unprotected. And with smaller screens and information layouts, important clues such as full URLs are typically hidden, making it easier to phish mobile users.
Protecting Remote Users from Phishing
So, if traditional endpoint and email security solutions, network access, and built-in safe browsing protections aren’t enough to protect remote workers, what now? Time to get purpose-built, remote user phishing protection onto mobile and remote workers’ machines.
Recently, we introduced new solutions to address these key security issues. Our Mobile Phishing Protection solution comes in the form of lightweight, cloud-powered apps that protect iOS and Android users. And for Windows, MacOS, Chrome OS, and Linux users, we offer Browser Phishing Protection for Chrome, Firefox, Safari, and Edge browsers. These lightweight, cloud-powered browser extensions augment endpoint security solutions to provide multi-vector, multi-payload phishing protection. These endpoint and mobile security products are easily deployed and managed with leading Unified Endpoint Management (UEM) solutions or with SlashNext’s own Endpoint Management System.
To find out how you can protect your remote workforce from the growing number of sophisticated phishing and social engineering threats, contact us and request a demo.
This is a Security Bloggers Network syndicated blog from SlashNext authored by Lisa O’Reilly. Read the original post at: https://www.slashnext.com/blog/rethinking-endpoint-and-mobile-security-for-remote-workers/
Criminal groups are increasingly targeting users of Android mobile devices with malware for conducting ad fraud on a massive scale.
Mobile security vendor Upstream this week said that in 2019 it identified as many as 98,000 malicious Android apps and 43 million infected Android devices across the 20 countries where mobile operators currently use its technology. The numbers are up sharply from 2018 when Upstream recorded some 63,000 apps and 30 million infected devices.
A startling 32% of the top 100 most active malicious Android apps that Upstream blocked in 2019 were available for download on Google Play. Many of them still are, according to Upstream. Another 19% of the worst-offending malicious Android apps were also on Google Play but have since been removed, the vendor noted.
More than nine out of 10 — or 1.6 billion of the 1.71 billion mobile transactions that Upstream’s security platform processed last year — were blocked for being fraudulent. If those transactions had been allowed, the total cost to end users in fraudulent charges would have topped $2.1 billion, Upstream said in a report. In Egypt, 99% of the mobile transactions that Upstream’s platform handled were fraudulent.
Android is the most targeted mobile OS because of how widely it is used and also because the operating system is open and therefore more vulnerable, says Dimitris Maniatis, CEO at Upstream.
Android is a favorite playground for bad actors, especially in the case of low-end devices, he says. “Users should have a heightened awareness of any preinstalled apps that come bundled with their device and pay attention to the mobile data usage by each,” Maniatis says. “Organizations should have measures in place to check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.”
Upstream’s analysis of 2019 data shows that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Some 23% of the malicious Android apps that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment/lifestyle and shopping apps, communications and social apps, and music, audio and video players.
The top most downloaded malicious Android apps in 2019, according to Upstream, were Ai.type (an emoji keyboard), video downloader Snaptube, file-sharing app 4shared, video streaming and downloading app VidMate, and weather app Com.tct.weather. The top five apps alone have been downloaded some 700 million times. The top 100 malicious Android apps combined have been downloaded more than 8 billion times, Maniatis says.
In the US, the worst offenders, according to Upstream, were Free Messages, Video, Chat, Text for Messenger Plus; GPS Speedometer; QVideo; EasyScanner; and WhoUnfriendedMe.
A Stealthy Menace
In many cases, malicious apps do the function they are purportedly designed to do. For example, a weather app might forecast weather but in the background also carry out a variety of malicious activity without the user knowing a thing.
Malware for mobile ad fraud can visit websites and view and click on banner ads, make purchases, mimic a real user going through a subscription process, or deliver bogus ads to the device without the user being aware of the activity. The goal is to generate revenue for the malware author in different ways, including via payouts for fraudulent traffic and ad clicks.
Often such rogue apps can remain on a device for a long time because the malicious activity is only happening in the background. In some cases, the apps change their name after being downloaded or don’t have an icon to locate them easily.
“Losses from online, mobile, and in-app advertising reached $42 billion in 2019 and are expected to reach $100 billion by 2023, according to Juniper research published last May,” Maniatis says. “Considering that fraudsters operate at scale and can simultaneously target millions, tens of millions, or even hundreds of millions of devices in one hit, the means to stop them in their tracks need to likewise operate at scale.”
A vast majority of the victims are users of Android phones, especially in countries including Brazil, Egypt, Indonesia, South Africa, and Ethiopia.
While detecting malicious mobile apps can be difficult, there are often some indicators, like a constantly drained battery, an overheated device, or high data charges. User ratings and reviews are also sometimes a good indicator of an app’s quality, though not always.
The most downloaded malicious Android apps, for instance, all had good reviews and high rating, but only because of a carpet bombing of fake reviews, says Maniatis. “The only way to get around this currently is to scroll enough and see genuine negative reviews from real users,” he says.
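Two of the checks Upstream recommends above, comparing an app's requested permissions against its stated purpose and noticing apps that hide by having no icon, can be run against the app's manifest before it is allowed onto a device. The following is an added example written for this page, not Upstream's tooling: it parses an AndroidManifest.xml with the standard library, flags sensitive permissions that the declared category should not need, and reports whether there is a MAIN/LAUNCHER activity at all. The sample manifests are constructed, the package names are not real apps, and the category-to-permission table is an illustrative assumption rather than any Android or Google Play standard.

```python
"""Manifest triage for permission-versus-purpose and hidden-icon checks.

Added example; not Upstream's tooling. Given an AndroidManifest.xml (the
samples at the bottom are constructed, not taken from real apps), it reports
sensitive permissions that do not fit the app's declared category and
whether the app has a MAIN/LAUNCHER activity at all; an app without one has
no icon to tap, one of the traits the article mentions. The category table
is an assumption for illustration, not an Android or Google Play standard.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Qualified attribute key for android:<name>, as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions that deserve a second look when the stated purpose does not need them.
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.PACKAGE_USAGE_STATS",
}
# Assumed allowances per category (illustrative only).
EXPECTED = {
    "weather": {"android.permission.ACCESS_FINE_LOCATION"},
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CONTACTS"},
}


def parse_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    permissions = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    has_launcher = False
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {e.get(android_attr("name")) for e in flt.iter("action")}
            categories = {e.get(android_attr("name")) for e in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True
    return {"package": root.get("package"), "permissions": permissions,
            "has_launcher": has_launcher}


def triage(xml_text: str, category: str) -> dict:
    """Return the package name plus a list of human-readable findings (empty = nothing odd)."""
    info = parse_manifest(xml_text)
    unexpected = sorted((info["permissions"] & SENSITIVE) - EXPECTED.get(category, set()))
    findings = [f"sensitive permission a {category} app should not need: {p}" for p in unexpected]
    if not info["has_launcher"]:
        findings.append("no MAIN/LAUNCHER activity: the app has no icon for the user to find")
    return {"package": info["package"], "findings": findings}


# Constructed manifest for a fictional weather app; the package name is not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Weather">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".AdClickService"/>
    </application>
</manifest>
"""

# A benign counterpart: same category, only the expected permission, and a launcher icon.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.honestweather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Honest Weather">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""
```

Run `triage(SAMPLE_MANIFEST, "weather")` and the fictional weather app is flagged for starting at boot and for drawing over other apps, neither of which a forecast needs, and for having no launcher entry; the benign counterpart produces no findings. The same logic applies to a manifest pulled out of a real APK with `aapt` or `apktool`, which is outside the scope of this offline example.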
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
The post Android Malware for Mobile Ad Fraud Spiked Sharply … appeared first on National Cyber Security.
The 2020 marketer is a new breed of marketer that drives teamwork and devours data. A rigorous analysis of the reams of mobile and marketing predictions for the new year suggests 2020 will be remembered as the year mobile-first marketing finally grew up. The obsession […]
If you’re one of the tiny contingent still using Windows 10 Mobile, 10 December 2019 is probably a day you’ve been dreading for nearly a year.
As announced by Microsoft in January 2019, it’s the end of life date for version 1709 of the OS, which means that November’s Build 15254.597 (KB4522811) was its last ever software update and therefore its last set of security patches.
After this date, users are on their own, warming themselves in the fading heat of a dying star which began life with some fanfare what seems like a long time ago but was in fact only 2015.
It’s a death that’s been well-rehearsed by Microsoft – Windows 10 Mobile version 1703 users reached this end-of-life moment earlier this year, on 11 June.
From what we can tell, no new Windows 10 Mobile devices were released after early 2016, which means affected devices running version 1709 will be among the following models:
- Microsoft Lumia 550
- Microsoft Lumia 650
- Microsoft Lumia 950/950 XL
- HP Elite x3 (Verizon, Telstra),
- Wileyfox Pro
- Alcatel IDOL 4S
- Alcatel IDOL 4S Pro
- Alcatel OneTouch Fierce XL
- Softbank 503LV
- VAIO Phone Biz
- MouseComputer MADOSMA Q601
- Trinity NuAns Neo
Bad news too for anyone still running the unsupported (as of 11 July 2017) Windows Phone 8.1 which sees the end of its app store support on 16 December 2019. No feature updates, no security fixes and now no software of any kind.
Build 15254.597 fixes some Intel chip issues plus a small pile of other flaws Microsoft doesn’t identify in detail, some of which were included in previous updates:
- Intel Processor Machine Check Error vulnerability (CVE-2018-12207).
- Protections against the Intel Transactional Synchronization Extensions (TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135).
- Security fixes for Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Microsoft Edge, Windows Fundamentals, Windows Cryptography, Windows Virtualization, Windows Linux, Windows Kernel, Windows Datacenter Networking, Windows Peripherals, and the Microsoft JET Database Engine.
Safe to say, if you run this OS, you’ll want the update, which should happen automatically.
Ironically, not many Microsoft employees will download this update because it seems that not many people inside Microsoft use Windows 10 Mobile. That includes figurehead Bill Gates himself, who in 2017 admitted he used an unspecified Android smartphone.
Phrases like ‘end of an era’ are easy to throw around but this does feel like one. Microsoft’s dream of a Windows for mobile devices is finally past tense.
The post Windows 10 Mobile receives its last security patches – Naked Security appeared first on National Cyber Security.
NATCOM calls for tough laws to regulate mobile banking in Sierra Leone
By Mabinty M. Kamara
Officials of the National Telecommunication Commission (NATCOM) have called on the Bank of Sierra Leone to bring out a stronger legislative framework on mobile money service to complement the rapid growth of these services and curb cybercrime.
Abdul Ben Foday, Director of Corporate Affairs, acknowledged the growing recognition by telecommunication companies of the importance of mobile phones and mobile money, which he said have brought unprecedented benefits by improving livelihoods and becoming a tool to mobilize and encourage savings among the unbanked populace in Sierra Leone, but said the services have also raised issues that need attention.
“The financial services activities of telcos are beyond the purview of NATCOM, but fall within the mandate of the Bank of Sierra Leone. We are looking forward to imploring the Bank of Sierra Leone to come up with a stronger legislative framework than what it currently has,” he said.
He added that the role of the bank of Sierra Leone is pivotal in ensuring that mobile money services are regulated, supervised for the smooth operations of the financial sector.
“In view of this, our vigilance has increased, consumer awareness and consumer public dialogue is on an upward trajectory. The rapid growth of mobile money transactions should [warrant] the urgency for an effective and robust regulatory and legislative framework.”
The spokesman for the Bank of Sierra Leone, Berestford Taylor, did not respond to Politico when contacted via calls and a text message.
NATCOM, as a regulatory body, is responsible for monitoring media and telecommunication technical capacity and functions in Sierra Leone. Its role includes granting licenses for the operation of communications systems and services, ensuring fair competition among operators, and establishing and monitoring quality-of-service indicators for operators and service providers.
Dr. Abdul Kamara, Manager of Information Cyber Security, noted that cyber security issues are borderless due to the borderless nature of the cyber space itself. He said they have been working with Police to tackle emerging threats.
“In the recent past, we have been able to make some gains in the fight against cybercrimes and fraud in partnership and collaboration with the Sierra Leone Police in the termination of Sim Box fraud,” he stated.
Sim Box Fraud is one of the most sophisticated cybercrimes in the country. However, simpler cybercrimes like scams involving people luring others to send them mobile money by impersonation, have been on the increase.
Mustapha Sesay is a victim of mobile money fraud. He said he recently lost Le5 million to a scammer who claimed to be the Secretary to the President of Sierra Leone.
Sesay believes mobile companies are not doing enough to tackle the problem.
“I think the mobile companies are in connivance with these rogues, otherwise there is no way the same number would be used to scam other people even when the first incident was reported to the Police. The same number that was used to scam me was also used to scam another Le8 million (from someone else). This could not have happened if these mobile companies are serious about curbing the criminal activities of these criminals,” he said.
Police already have a cybercrime unit which they have used in the past to conduct raids and arrest cyber criminals.
Assistant Superintendent of Police, Kabba Lavalie, explained in a Police press briefing this week that they currently have people in custody who impersonated a government minister, so they could carry out a scam.
© 2019 Politico Online
Ninety-three percent of organizations recognize that mobile devices present a serious and growing security threat, yet many organizations are failing to take even the most basic precautions, according to a recent report by Verizon.
Almost a third of respondents even admitted to having sacrificed mobile security to improve expediency and/or business performance.
“I think they agree it’s a threat, however they’re probably not as comfortable with the precautions they need to be taking,” says Justin Blair, executive director of business wireless services for Basking Ridge, New Jersey-based Verizon. “There’s a level of awareness that needs to be raised about what are the best practices and how to easily implement them.”
Malware, ransomware and device theft or loss emerged as the top threats that companies are concerned about, and are most likely to cause incidents, according to Verizon’s 2018 Mobile Security Index.
Malware is suspicious software that can infect a device, says Gary Davis, whose title at Santa Clara, California-based cybersecurity company McAfee is chief consumer security evangelist. Ransomware is a type of malicious software that takes over a device until a ransom is paid.
McAfee Labs detected more than 16 million mobile malware infestations in the third quarter of 2017 alone, nearly double the number it saw a year earlier.
Many of these threats can be avoided with some simple education and precautions, Davis says.
First, have your employees download a virtual private network (VPN), which establishes an encrypted channel between your device and the internet, he says. Also encourage them to use unique passwords and pins on their device, he says, noting some people disable these functions.
Only one in seven companies surveyed had four basic security practices in place, including changing all default passwords and encrypting data sent over public networks, Blair says.
Only 49 percent of firms have a policy regarding the use of public Wi-Fi, and only 47 percent encrypt the transmission of sensitive data across open, public networks, according to the Verizon report.
Beyond transmitting data across secure networks, another best practice is to update your apps and encourage employees to do the same, says Adam Schwam, president of Farmingdale-based Sandwire Corp., an information technology firm.
“You’re supposed to update them regularly because there could be security holes in them,” he says.
Still, with so many companies allowing or requiring employees to use their own devices, it gets harder to control what employees do with their phones, he says.
It may pay to issue company-owned mobile devices because they give you greater control from an application standpoint, Schwam says.
“If companies do provide a phone, they have the ability to control everything,” he says.
William Collins, president of NST Inc., an East Northport IT services company, understands this, and that is why he issues his employees their mobile devices.
He also uses mobile device management software that allows him to wipe clean a potentially compromised device, stop emails, etc.
“It helps protect intellectual property on the phone if an employee leaves or it’s stolen,” Collins says.
Beyond that, it pays to have mobile device policies in place, says Shari Claire Lewis, a partner in privacy, data and cyber law at Uniondale-based Rivkin Radler LLP.
This policy should include a requirement that a device be protected by a “robust” password that is changed frequently and that the company has the right to wipe out the contents of the device under certain circumstances, she said.
In terms of best practices, it also pays when dealing with confidential or proprietary information that employees not sign into unprotected public Wi-Fi, Lewis says.
Policies, of course, may vary depending upon the firm.
“Your mobile standards require a reasonableness approach that takes into account the sensitivity of the data you’re accessing and the circumstances in which you access it,” she says.
The post Companies sacrifice security for mobile convenience, survey finds appeared first on National Cyber Security Ventures.
General Cybersecurity Conference
May 16 – 18, 2018 | San Diego, California, United States
Cybersecurity Conference Description
We are currently soliciting presentations and suggestions for roundtable discussions in the areas of Automotive, IoT, and Mobile Security. Specific topics of interest include (but are not limited to):
– Vulnerability discovery
– Attacks and mitigations
– Exploit reverse engineering and incident response
– Security development lifecycle
– Patching and device update
– Security of safety-critical systems
– Third-party and open-source code security and implications
– Malware threats and trends
– Threat landscape
– Measuring security