Consumer phones and tablets must urgently adopt mobile security used by enterprises
Smartphone and tablet users risk ‘handing over the keys to their lives’ because their devices lack sufficient security safeguards, Intercede today advises.
The warning follows a special report by Channel 4 News which found that two major UK pawnbrokers have been selling mobile devices which contain large amounts of personal and sensitive data including passwords, bank details and photos.
Intercede’s CTO Chris Edwards said that smartphones and tablets represent a significant security threat, since most consumer devices do not have adequate protection for the data that is generated and stored on them. This is despite mobile device manufactures creating embedded secure elements and features within phones that are able to support enterprise level security, and SIM manufacturers producing Universal Integrated Circuit Cards (UICC) that can do likewise.
Edwards argued that fundamentally, there is no difference between consumer and corporate devices, with the difference lying in the device management and installed security software, calling for device manufacturers, security vendors and mobile network operators to work together to educate and role enterprise level security out to the wider population.
“The public are generally becoming better informed about online security threats, but strangely this does not extend to their mobile devices,” said Edwards. “As we live our lives increasingly through these devices, including using and storing sensitive data in online banking or social media apps, we are entrusting the keys to our lives to a single device that can so easily fall into the wrong hands. Nor is it just data: our devices also contain access permissions and cached passwords which, although not immediately ‘visible’ to the user, can be gold dust for criminals.
“In spite of this, mobile security comes low down on consumers’ priorities when it comes to choosing a device – if they consider it at all. The result is that we are creating great repositories of personal and sensitive data which are inadequately protected when the device is lost, stolen or given away.
“Part of the problem is that security is perceived as compromising ease of use; however modern enterprise mobility security technologies show that highly secure solutions are actually much easier to use than the current scourge of long, complex yet insecure passwords. It is time that consumers had the same protection, including two-factor authentication, like you get with a chip and PIN bank card (something you have and something you know), personal IDs and credentials stored on a secure component of the device – such as the SIM or Trusted Execution Environment, and remote device wiping.”
Edwards said that one of the main difficulties was that much of the sensitive data stored on devices was ‘invisible’ to the user, and called for greater efforts to educate consumers about how much information is accessible through their smartphones and tablets.
“There is no reason why consumers should not enjoy the same level of protection as large corporates; however, this requires that a conscious effort to protect their mobile data. More must be done by manufacturers, service providers and security tech firms to educate the public about the risks, to provide solutions, and demonstrate how strengthening security does not impede the ease of use which make these devices so attractive to use.”
About Intercede
Intercede is a software company specialising in identity and credential management with a global team of experts located in the US and UK. Intercede’s MyID software enables organisations to create and use trusted digital identities for employees, citizens and machines. This allows secure access to services, facilities, information and networks. MyID meets the highest government standards yet is simple enough to be deployed onto consumer devices such as smart phones and tablets. Critically, MyID provides an easy, convenient and secure alternative to passwords. www.intercede.com
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.