Mobile security fails the history lesson

Hackers use the same attacks against mobile devices they've wielded against PCs, yet we've learned nothing

Mobile users from all walks of life, from the average citizen to business bigwigs to movie stars and politicians, are getting their phones and voicemail hacked these days. Most of the perpetrators aren't even skilled hackers; they're regular Joes, spurned suitors, or even -- hold your nose -- reporters.

End-users certainly deserve part of the blame here, but phone vendors and mobile carriers alike could be doing more. It's not as if attacks targeting phones are especially new. It's a strange paradox: We know what we need to do to stop hacking. We have two decades of experience in putting down malware and hackers in the PC-based, network world. But we seem to be ignoring all those lessons as we move our CPUs and storage to new form factors. Am I the only one who thinks we're destined to live out every PC-based malware symptom in our smartphone world?


First off, every phone today offers users the ability to require a password, a PIN, or a finger swipe to gain access. Most users forgo these features unless forced. But it's not as though those security mechanisms provide much protection anyway -- they don't require any complexity. PINs tend to be four numbers long. Swipes can be as uninteresting as possible: Most people I know who use the swipe method just go in a straight line from top to bottom, as if no uber-hacker will try that swipe combination.

I understand the need for providing easy access. Asking someone to type in a nine-digit PIN to pick up a random phone call is a bit much. Many, if not most, end-users will do anything to get rid of every "annoying" security feature. I get that.

But cellphone makers, networks, and carriers can do more to deter malicious hacking. For starters, how about enabling phones to track failed logon attempts, leading to a temporary lockout -- or at least slower responses to each additional bad logon attempt? I can't wait for accurate facial recognition or fingerprint swipes to become a standard option.
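The lockout-or-slowdown idea above, as an added example that is not from the original column: a Python model of a failed-attempt counter with doubling delays, plus a calculation of how much enforced waiting a sweep of all 10,000 four-digit PINs would then incur. The class name, threshold and delay values are assumptions chosen for illustration, and the PIN in the test is constructed.

```python
import hmac
from dataclasses import dataclass


@dataclass
class UnlockThrottle:
    threshold: int = 5        # assumed: failure count at which delays begin
    base_delay: int = 30      # assumed: first delay, in seconds
    max_delay: int = 3600     # assumed: cap on any single delay, in seconds
    failures: int = 0         # consecutive failed attempts so far
    locked_until: float = 0.0

    def delay_for(self, failures: int) -> int:
        """Delay imposed after the given number of consecutive failures."""
        if failures < self.threshold:
            return 0
        steps = min(failures - self.threshold, 30)  # bound the exponent
        return min(self.base_delay * 2 ** steps, self.max_delay)

    def attempt(self, entered: str, correct: str, now: float) -> str:
        """Process one unlock attempt at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"  # the PIN is not evaluated during a lockout
        if hmac.compare_digest(entered.encode(), correct.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_for(self.failures)
        return "fail"


def worst_case_wait(policy: UnlockThrottle, keyspace: int = 10_000) -> int:
    """Total enforced waiting, in seconds, when every PIN but the last
    one tried in the keyspace is wrong."""
    return sum(policy.delay_for(n) for n in range(1, keyspace))


if __name__ == "__main__":
    throttled = worst_case_wait(UnlockThrottle())
    print(f"enforced wait with throttling: {throttled / 86400:.0f} days")
    print(f"enforced wait without: {worst_case_wait(UnlockThrottle(threshold=10_000))} s")
```

With these assumed values, the enforced waiting for a full sweep of four-digit PINs comes to about 416 days, versus none without throttling. On a real device the failure counter also has to survive a reboot, or the delay resets with it.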
