CIOs Want To Know: How Secure Is Your Mobile Phone?

Where are the weaknesses of mobile phones and what can CIOs do about it?
Image Credit: David Dennis

As the person with the CIO job, you realize just how important mobile phones are to your company. These devices have become the way that everyone stays in touch and the way that we are able to find each other no matter what time of day or night it is. However, just as mobile phones have become a more and more important part of our lives, much like information technology itself, the bad people out there have discovered that our mobile phones can hold the key to breaking into people’s lives and into your business. What should you be doing as CIO to keep your people and your company secure?


Bad Things Can Happen Using A Mobile Phone

So just exactly what kind of bad things can happen to somebody’s mobile phone? I have an excellent example for you to ponder. A common attack on a mobile phone goes by the name of “SIM swap”. Each mobile phone has a subscriber identity module (SIM) inside of it that is used to identify its owner. The bad guys collect information about the phone’s owner and then use that information to convince the phone company to transfer the phone’s phone number to a different phone. Once this has been done, the bad guys can then trick banks and other companies into resetting the phone owner’s password by having them send the password reset to the new phone. Once this is done, the bad guys can get into the phone owner’s personal accounts.

What mobile phone users have to realize is that we have come to rely on our mobile phone numbers as a single, publicly available piece of information that has become a critical part of our identity. This decision to allow our mobile phones to become this important in our lives means that we are going to have to make some difficult decisions. Should mobile phone users be concerned about relying on their mobile phones for text-message-based two-factor authentication? Are we asking our mobile phones to assume a job that they were never designed to do?

Many mobile phone users are not aware of the threats that they are facing. There are a number of reasons for this. One of the main reasons that many of us don’t realize how dangerous it is out there is the limitations that the bad guys are facing. It turns out that it actually takes work on the part of the bad guy who is attacking you to steal your mobile phone number and use it. Currently, these kinds of mobile phone attacks are not something that can be done in bulk, as can be done with credit cards.


How Can Mobile Phone Users Protect Themselves?

All this talk of ways that mobile phones can be attacked can get people to start thinking “should I be doing something to protect myself?” One of the biggest threats is the SIM swap technique, and the experts believe that there is not going to be an easy way to prevent this from happening. One of the biggest challenges that we are all facing is that the bad guys tend to get creative as they try to attack our mobile phones. The good news is that a layered approach to security is being adopted. When someone is trying to verify my identity, they may start to include such things as biometrics or behavioral identifiers such as how quickly I can respond to things or how I tend to hold my phone.

One of the challenges that the person in the CIO position needs to understand is that the more secure that we make a mobile phone, the more of a hassle it is for the mobile phone user. More security means more friction. All fraud could be stopped tomorrow – it’s just that using your mobile phone would become a big hassle. A good example of this is that in order to stop SIM swapping, banks could be required to allow a period of time to pass after a password was reset before money could be taken out of a bank account. If this was done, then it would prevent SIM swapping.

In any country, it would be possible to eliminate a lot of the fraud that is happening with mobile phones. However, it would require CIOs to pressure telecom providers to change how they are doing business. What needs to happen is the telecom providers need to operate public web pages where you can query a phone number and get a positive / negative response when you ask questions about if there was an ownership change or a hardware change in the past few days. This would allow third party firms like email providers, banks, and retailers to check to see if there was anything strange going on with a mobile number.
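The two controls described in this section, a waiting period after a password reset and a carrier query about recent ownership or hardware changes, can be combined in one decision function. This is an added example, not code from the article or from any carrier: the 48-hour window, the 3-day lookback, the `fake_carrier` lookup and the phone numbers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

COOLING_OFF = timedelta(hours=48)  # assumed policy value, not from the article
SIM_LOOKBACK_DAYS = 3              # "the past few days", assumed to mean 3

# Hypothetical carrier query: (number, days) -> True (changed), False (no
# change) or None (carrier gave no answer).
CarrierLookup = Callable[[str, int], Optional[bool]]

@dataclass
class Account:
    phone_number: str
    last_password_reset: Optional[datetime] = None

def reset_channel(acct: Account, lookup: CarrierLookup) -> str:
    """Send a reset code by SMS only when the carrier confirms no recent change."""
    return "sms" if lookup(acct.phone_number, SIM_LOOKBACK_DAYS) is False else "non_sms"

def withdrawal_decision(acct: Account, now: datetime, lookup: CarrierLookup) -> str:
    """Return 'allow', 'hold' or 'step_up' for a withdrawal request."""
    reset = acct.last_password_reset
    if reset is not None and now - reset < COOLING_OFF:
        return "hold"      # cooling-off period after a password reset
    changed = lookup(acct.phone_number, SIM_LOOKBACK_DAYS)
    if changed:
        return "hold"      # number moved to a new SIM or owner recently
    if changed is None:
        return "step_up"   # no carrier answer: fail closed, ask for another factor
    return "allow"

# Constructed sample data: fictional numbers and a stand-in for the carrier.
RECENT_CHANGES = {"+15555550101": True, "+15555550102": False}

def fake_carrier(number: str, days: int) -> Optional[bool]:
    return RECENT_CHANGES.get(number)

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
swapped = Account("+15555550101")
just_reset = Account("+15555550102", NOW - timedelta(hours=5))
settled = Account("+15555550102", NOW - timedelta(days=30))
unknown = Account("+15555550103")

if __name__ == "__main__":
    for a in (swapped, just_reset, settled, unknown):
        print(a.phone_number, reset_channel(a, fake_carrier),
              withdrawal_decision(a, NOW, fake_carrier))
```

A missing carrier answer is treated the same as a suspicious one for SMS resets, which is the friction trade-off the previous paragraph describes.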


What All Of This Means For You

The IT world that we live in is increasingly becoming more and more mobile. CIOs understand that mobile phones have become a critical tool that their company uses to keep things running on a daily basis. The continued operation of those phones is critical for the successful operation of the business. That’s why understanding the threats that mobile phones are facing and how to deal with those threats is so important for CIOs.

CIOs need to understand that there are a number of different ways that mobile phones can be attacked. One of the simplest is called a “SIM swap”. An attacker can get someone’s mobile phone number transferred to a new phone and then get password reset instructions sent to the new phone. Mobile phones have become a critical part of our lives and we may not realize how much we have come to rely on them. Users may not be aware of the threats that they are facing because it takes a lot of effort to steal someone’s phone number. This means that the bad guys can’t perform this type of attack in bulk. One of the problems with stopping these types of attacks is that the bad guys can get creative. The more secure that we make our mobile phones, the more of a hassle it is to use them. CIOs could pressure their telecom providers to create web pages where changes to a cell phone could be checked.

Let’s face it: mobile phones are here to stay. They have become a critical part of each of our lives and most of us could no longer comprehend how we could make it through a day without our mobile phones. However, because they have become so important to us, the bad guys are now starting to attack them. CIOs need to understand the threats that the mobile phones used within their companies are facing. Additionally, they need to know what can be done to secure them. If we can stay on top of this evolving threat, then the people in our firm can continue to safely and securely use their mobile phones to conduct business.


– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™


Question For You: How aware of the threat to their mobile phones do you think that CIOs should make the people who work at their firms?



What We’ll Be Talking About Next Time

As your company’s CIO it is your responsibility to understand the importance of information technology and to use it to secure the company’s assets. What this means on a daily basis is that you are probably installing firewalls and creating white lists for who can access what applications and servers. However, as life becomes more and more complicated, you may also be dealing with the arrival of image-recognition filters for everything from screening online content to people arriving at your company’s buildings. However, it turns out that these new AI driven systems can be fooled…