Top Smartphone Cybersecurity Best Practices
Igor Draytsel, Chief Information Security Officer
In this first blog of our Cybersecurity series, let us discuss a technology many of us hold dearest. The technology we have grown to be so hopelessly dependent on and can barely envision functioning without: smartphones.
Are smartphones vulnerable to cyberattacks? What are the basic cyber hygiene principles to remember? What are the immediate Indicators of Compromise (IOCs) to look for? Let’s examine these questions together.
First and foremost, like any other technology, your smartphone is vulnerable and a target for cyberattacks. As with any other technology, your role is to be cyber-aware, prepared and resilient.
Here are the top ten smartphone DOs and DON’Ts. Practice them to minimize the risk of your favorite technology becoming a victim of malicious cyber activities, which can lead to a cascade of unpleasant consequences.
Smartphone Dos:
- Do make sure to always install the latest versions of your operating system (OS), apps and other mobile software. This is your most important defense against the bad guys out there. While the never-ending cycle of OS upgrades may be annoying, it is necessary to keep your smartphone defenses up to date. If your OS vendor just released another upgrade with security patches, then the first in line to learn about the previous version’s weaknesses are the cybercriminals. In no time, they will jump to exploring security holes, hoping you were too annoyed to upgrade your OS, yet again.
- Do have anti-virus and anti-spyware software installed. Yes, there is anti-virus software for mobile devices.
- Do disable Wi-Fi, Bluetooth, and GPS when you are not using them.
- Do back up your data to the cloud. You will thank yourself for doing so should your phone get lost or stolen.
- Do configure your device’s remote tracking setting: “Find My iPhone” for iPhone and “Find My Device” for Android. Not only will these features inform you of your device’s last location, but they also allow you to wipe the data if you need to.
- Do audit your apps often. If you don’t use/need that application you installed a few years ago, delete it. This will shrink your potential attack surface, which is always a good practice.
Smartphone Don’ts:
- Don’t “jailbreak” your iOS device or “root” your Android device. Never. Ever. This cannot be stressed enough. Do not jailbreak your iPhone!
- Don’t join unverified Wi-Fi networks. The bad guys will set up a spoofed Wi-Fi network, masquerading under some innocuous name like “YourHotelName-Guest-WiFi”. The idea is to lure you into communicating via their malicious network. Once you do, the bad guys can see into your traffic.
- Don’t use publicly available phone chargers in airports, cafes, or department stores. In a “juice jacking” attack, malicious actors set up a fake charging station to get access to your device and install malware.
- Don’t install applications from marketplaces other than traditional ones like Apple Store or Google Play. Read user reviews before opting in. Be aware that cybercriminals publish spoof apps that advertise superior services, with the true goal of placing a piece of rogue software on your device.
Two Bonus Items:
Do restart your device often. At the risk of getting more technical than necessary, let’s just say that it is getting harder and harder for malware to persist on your device. Attackers therefore opt for in-memory payloads, which are still dangerous but can never survive a reboot.
Don’t share your personal phone number when you don’t have to, especially for devices with access to your crypto assets and crypto trading applications. Instead, get a virtual Voice over IP (VoIP) number with a call transfer to your number.
Smartphone Indicator of Compromise: SIM Swap
Here is one essential thing to stay on the lookout for, especially if you are a crypto enthusiast: a SIM swap.
In this situation, the attacker contacts your mobile provider pretending to be you. They claim you’ve lost your phone and ask to transfer your number to a new SIM card—the swap. Once transferred, the attacker proceeds to access your email, bank applications, and crypto-wallets via the “Forgot Password” function. To reset passwords, the services will start with a one-time verification code. Where is this code sent? To the very same SIM card that is now in the attacker’s control.
If your smartphone suddenly stops making and accepting calls and text messages, you may be a victim of a SIM swap attack. Many big names have fallen for this, including Twitter co-founder and ex-CEO Jack Dorsey.
What do you do if you are a victim of a SIM swap? Don’t panic, and follow these steps:
- Call your mobile provider as soon as possible, explain the situation, and ask for escalation.
- Contact your financial services. Temporarily freezing your accounts may be a necessary next step.
- Later, audit every activity from password resets to financial transactions to social posts. Look into everything that you allowed your smartphone access to.
Which brings us to our final DO for today. Always use your cyber awareness filter when you equip your phone with yet another feature accessing your sensitive data, critical functions, or both.