26 Aug 2013

BE WARNED: Fraudsters Target Mobile Phones

A security expert has warned of possible attacks targeting mobile phone users via telecommunication operators' Over-The-Air (OTA) settings, a term covering the various methods of distributing new software updates, configuration settings, and even updated encryption keys to devices such as cellphones.


Mr. Rock Adoke, Head of IT (Security & Research), International Electronics Services Limited, told Nigeria CommunicationsWeek that with the growing trend in e-commerce, culminating in e-payment, e-banking and internet banking, fraudsters are throwing spanners into the OTAs of notable telecommunication companies in Nigeria, targeting the passwords and other credentials of phone users.

In the context of the mobile content world, OTA programming involves over-the-air service provisioning (OTASP), over-the-air provisioning (OTAP) or over-the-air parameter administration (OTAPA), that is, provisioning handsets with the settings they need to access services such as WAP, MMS or other internet configurations.

Thus, some phones with this capability are labeled as being “OTA capable.”

“Now, the challenge, let us look at the scenario where you remove the SIM card from your phone and insert it in a new phone, the network operator sends internet settings to you. We are looking at the financial institution (FI) level; when that setting is going on it can be compromised, just like the bulk SMS. There are security issues with these platforms. Fraudsters can impersonate anybody and send messages using a bulk SMS platform. That is why unsolicited messages are rising by the day. When they send it to over a million people, hundred or thereabout respond, they have captured over N100,00 million.

“Back to the settings, there are only four vendors we subscribe to when we want to conduct vulnerability assessment on information systems. SMS gives you the ability for Over-The-Air (OTA) settings; that is what telecom operators send to the subscribers. It is a system that companies use to safeguard against staff using social media while incorporating Bring Your Own Device (BYOD) platform.

“The setting allows you to have access to the internet at a point in time. What the fraudsters do is to OTA settings which is not more than N300, send out messages to people and they respond in droves. The idea has been that once you see that setting it is from a valid telecom operator, because we use it to browse.”

He said that cyber criminals are cashing in on telecom operators' over-the-air positioning space.

“When they have succeeded in setting the proxy account, whatever the target is doing will be passing through their channels. That is what they call ‘over the air positioning exploits’. Let the target use it for any bank transaction, they will see the user name and password through ‘factor authentication’. These things are real.”

He warned about unguided and unsecured channels being deployed for e-commerce-related transactions in the country, adding, “You are now encouraging people to use mobile commerce, by the time this goes into full-blown maturity, criminals start conducting sophisticated attacks (because things happen without user interaction), the target does not even know he is compromised. It takes a smart criminal to remove just N1 per day. When your account has been compromised they go to the modification channel and modify the password and your numbers. These are the trends in cyber attacks.”

Source: NCW
