Mobile security - too complex to be left to the users

Many of us have encountered cyber frauds (in particular those using mobile devices), either ourselves or through first-hand accounts. The usual prescriptions are always held out: don't share passwords, install the latest OS patches, install anti-virus, change passwords regularly, and so on. However, it is time to recognise that it is becoming increasingly unrealistic to expect end users to protect themselves given the complexities involved. Hence, it is time for the other stakeholders to pitch in and contribute more significantly to making mobile frauds more difficult.

Other stakeholders? There are many - government, regulators, law enforcement authorities, financial institutions, mobile device and OS providers, mobile communication providers, ISPs and so on. However, for the purposes of this article, I want to focus on just two - mobile device/OS providers and the financial institutions.

Of course, they are certainly contributing their bit to improving cyber security in general and mobile security in particular. However, given their capabilities and outreach, they are in a position to shoulder even more responsibility in the fight against such crimes.

What can mobile providers do better? By mobile providers, here, I mean mobile device makers (such as Samsung, Apple, etc.) and mobile operating system providers such as Google (Android).

1. We have been hearing for ages that the data in mobile devices never goes away, even if you use the manufacturer-provided utilities to erase it. I am not sure if this is still true; but if it is, then the time to act is now. Why can't mobile providers provide a simple, foolproof utility to clean the device completely without leaving any residual user data?

2. USSD (Unstructured Supplementary Service Data) has always been a risky option, exposing very dangerous functionalities such as call forwarding. Such functionalities should not be provided through USSD but through a user interface with sufficient warnings about misuse. This will ensure that the mobile user knows what (s)he is signing up for. Simply activating such a misuse-prone functionality through abstract text codes is clearly dangerous.

3. Call forwarding, a favourite tool of fraudsters, should have more granular control. Some examples are:

- The system should check that the number to which calls are forwarded is in the contact list of the mobile user. This will ensure that the receiver is a known person.

- It should display the details of the receiver (as far as possible) and obtain a confirmation that the forwarding is really intended.

- It should provide capabilities for restricting call forwarding, e.g. limit it to a few days, or limit it to specific content (e.g. calls, messages). It should also have options for prohibiting the sharing of OTPs and passwords (to the extent they can be recognised).

4. A caller should never be able to access the data in the device directly.

5. Utilities such as WhatsApp and SMS should alert users before they click when .apk files are sent. They should advise users about the potential risks when they click on the .apk file.

6. There are public domain videos that show how anybody's mobile can be hacked. If a user's mobile is so vulnerable, the system should alert the user with suggestions as to how to plug the gaps.

7. The app-specific restrictions should be more detailed. For instance, most versions of Android (or the manufacturer-specific versions) allow a user to decide whether an app can access contacts or not. This should be broadened to include access to only a select set of contacts (those relevant for the purposes of the app). Similarly, the ability to make calls should be restricted to calling specific numbers only. Access to photos and other data should be granted per folder. Access to the camera should be controlled very tightly. I have not come across any mobile where the system clearly tells the user the risks involved in granting the rights.

The financial institutions (and the software providers who empower them) should also beef up their mobile apps from a security perspective. Examples are:

  • If it is possible to detect that the app user's mobile has call forwarding enabled, the app should send an alert by alternative channels (e.g. email).
  • Critical options such as funds transfer, online transactions, international transactions and ATM transactions should have more guardrails. For instance, users should be able to limit the number of online transactions that can be initiated in a specific time interval. Any attempts beyond this limit should be reported through all the channels available to the customer.
  • When suspicious transactions take place, banks sometimes call the customer to obtain concurrence before effecting the transaction. However, customers are often unable to respond to such calls. Hence, customers should be able to set up a default "No" response for such cases, which means that, if the customer cannot be reached, the transaction should be rejected.
  • A related topic is how to identify genuine calls from the bank. When someone calls from the bank, there should be an identification mechanism: for instance, the customer should be able to define a password (or PIN) for bank staff who call. This PIN should always be quoted by the caller so that identity can be established before the conversation takes place.
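As an added illustration (not code from the article or any bank), the sketch below shows how the second and third suggestions could be enforced inside a banking app's transaction pipeline: a customer-chosen limit on online transactions per sliding time window, a report on every registered channel when the limit is hit, and a default "No" when a suspicious transaction cannot be confirmed because the customer is unreachable. All class and function names, and the constructed scenario in demo(), are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, List, Optional

@dataclass
class Guardrails:                  # hypothetical customer-chosen settings
    max_per_window: int            # online transactions allowed per window
    window: timedelta
    default_answer: bool = False   # "No" when the customer cannot be reached

@dataclass
class Customer:
    name: str
    rules: Guardrails
    channels: List[Callable[[str], None]]      # email, SMS, app push, ...
    recent: Deque[datetime] = field(default_factory=deque)

def notify_all(customer: Customer, message: str) -> None:
    for send in customer.channels:             # report on every channel
        send(message)

def decide(customer: Customer, amount: float, suspicious: bool,
           now: datetime, reach_customer: Callable[[], Optional[bool]]) -> str:
    """reach_customer() gives the customer's answer, or None if unreachable."""
    q = customer.recent
    while q and now - q[0] >= customer.rules.window:   # expire old attempts
        q.popleft()
    if len(q) >= customer.rules.max_per_window:
        notify_all(customer, f"Blocked: limit of {customer.rules.max_per_window} "
                             f"online transactions per window reached")
        return "rejected:limit"
    if suspicious:
        answer = reach_customer()
        if answer is None:                     # unreachable -> default applies
            answer = customer.rules.default_answer
        if not answer:
            notify_all(customer, f"Rejected suspicious transaction of {amount}")
            return "rejected:unconfirmed"
    q.append(now)
    return "approved"

def demo() -> tuple:
    """Constructed scenario: limit 2 per hour, default answer 'No'."""
    log: List[str] = []
    c = Customer("A. Customer", Guardrails(2, timedelta(hours=1)), [log.append])
    t0 = datetime(2024, 1, 1, 9, 0)
    results = [decide(c, 500.0, False, t0 + timedelta(minutes=m), lambda: None)
               for m in (0, 10, 20)]                     # third one exceeds limit
    results.append(decide(c, 9000.0, True, t0 + timedelta(hours=2), lambda: None))
    results.append(decide(c, 9000.0, True, t0 + timedelta(hours=2), lambda: True))
    return results, log
```

In the demo the third attempt within the hour is blocked and reported, the unanswered confirmation call falls back to the customer's default "No", and only the explicitly confirmed transaction goes through.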

The above list is not exhaustive; there will be many more such suggestions. Some of them might already be available; in that case, the availability of such facilities should be publicised better.

In short, the battle against mobile/cyber frauds should not be left to the gullible end user; other stakeholders should chip in to the maximum possible extent.



Srinivasan Kalyanasundaram

Professor of Practice in Finance at IFMR Graduate School of Business - Krea University

1 month

Good article Bhavani Sir. Practical and simple suggestions to improve mobile security. Mobile phone makers, service providers and mobile OS makers can easily implement these suggestions, making mobile frauds very difficult.
