TMCnet News

Look before leaping
[September 17, 2014]


(Nation, The (Nigeria) Via Acquire Media NewsEdge) Phones are all over the place now, unlike in the past. With a subscriber base close to 130 million, teledensity is over 90 per cent, thanks to the liberalisation of the telecoms sector. Smartphones are becoming affordable, and the internet remains unregulated, with open source applications. But downloading free applications can compromise a phone user's security and his account details, LUCAS AJANAKU reports.



When he spoke at a cybersecurity summit organised by the Office of the National Security Adviser (ONSA) in conjunction with the Nigerian Communications Commission (NCC) in Lagos, everybody listened.

The Chief Information Officer (CIO), Central Bank of Nigeria (CBN), Taiwo Longe, said last year that money deposit banks (MDBs) lost N140billion to internet fraudsters.


According to the apex bank, between 2000 and last year, a whopping N159billion was stolen from the MDBs across the country through electronic fraud. These funds are depositors' money, about which the banks so often do not make any noise, to avoid panic withdrawals.

Information Technology (IT) security experts have linked some of these internet frauds to the download of free applications (apps) from the internet onto either smartphones or personal computers (PCs). It is believed that weaknesses in the applications people download, compounded further by basic human error, could result in the installation of spyware or malware on smartphones and PCs.

Experts argue that this could allow hackers to gain access to the smartphone's vital information, such as contact list, phone calls, global positioning system (GPS) location and bank information without the user realising it.

This is because, as businesses increasingly rely on various cloud services, attacks targeting endpoints, mobile devices and credentials as a means of gaining access to corporate or personal clouds will be on the rise.

According to a report on RT.com, the Russian English language news channel, security firm Group-IB has warned that more than 541,000 smartphones running on Android in Russia, Europe and the United States (U.S.) were infected with malware which grants cybercrooks unfettered access to people's mobile devices.

Yet another report, this time from the U.S., said many mobile banking apps, including those of major financial institutions, contain configuration and design weaknesses that make them vulnerable to attacks.

According to reports on DarkReading.com, an online security site, experts from security firm Praetorian tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of 10 apps were improperly configured and not built using best practice software development.

Moneyweb, an online platform, said among the big-name banks whose mobile apps the security firm tested were Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks. Praetorian did not disclose how each bank's apps fared in the tests.

The security weaknesses identified in the mobile banking apps are not pure software vulnerabilities, says Nathan Sportsman, founder and CEO of Praetorian. "These aren't business-logic or application-specific issues. They are weaknesses across the mobile apps, things developers should be doing but are not," he said.

A research team from IBM uncovered a vulnerability that will affect apps built on a popular platform for application development called Cordova, according to SecurityIntelligence.com.

The researchers found that up to 10 per cent of the applications built on this platform are banking apps. It said while a patch has been released, millions of people using apps built on this platform are at risk of having sensitive information, such as their login details, stolen.

Experts said the reality of the situation is that 95 per cent of successful attacks or security breaches are caused by human errors, according to IBM's Cyber Security Intelligence Index. As a result, hackers continue to aggressively seek out such vulnerabilities to exploit.

These warnings are coming when mobile banking, licensed by the CBN and driven by banks, is recording sluggish uptake. In spite of this, all of the MDBs in the country offer one mobile banking solution or the other.

A software expert said what smartphone users must understand is that all operating systems are vulnerable to attack because it is routed through cyberspace. Operating systems are by design complex pieces of code.

According to him, the process is made more difficult because apps are written to go into an app store and are then downloaded onto an operating system.

An expert, Herman Singh, said at each step (application development, the app store, operating system) there is the potential for vulnerabilities to be exploited.

At the application level, apps can be deliberately infected, or become vulnerable because the developers have overlooked something.

"You have to consider who is writing the app, and who is vetting it before you just download it onto your phone," Singh warned.

At the application store level, not all app stores were created equal.

"The Apple screening is the most rigorous. All Apple apps are very carefully tested before they are allowed into the store for download. None of the other app stores are as thorough," he said.

The best-known app stores (digital distribution centres for application software) include Apple, Blackberry and Google Play. But because the Android operating system (launched by Google) is so ubiquitous, there are over 30 various app stores flogging their wares for Android devices.

The reason for this is not far-fetched. The Android operating system is open, allows for a high degree of customisation, and exposes users to vulnerability.

"The Apple operating system on the other hand is tightly coupled to iTunes and the Apple apps. The company has kept proprietary control over its system."

President, Nigeria Internet Group (NIG), Bayo Banjo, said the country was yet to witness a major cyber attack. According to him, what the nation is currently witnessing is cyber-assisted crimes.

Way forward

Phone users should be on guard against cyber-attack. Logging onto an unsecured Wi-Fi connection is risky, especially if the information one is working with is vital.

Care must also be taken in downloading content and visiting sites via the mobile phone.

Phone users are advised to stick to Apple, Google Play or the device manufacturer's app store (Samsung's, for instance) for downloads, because third-party downloads make the phone vulnerable to crooks.

Make sure you always have an up-to-date version of the operating system on your phone. The same rule should also apply to banking applications.

"Don't jailbreak your device. This allows access to the operating system's file system and manager, allowing the download of applications that are not approved by Apple, Google or the handset manufacturer," Singh counselled.
