Mobile apps are now a preferred means for users to engage in transactions, connect with friends and family, and perform work-related tasks. As a result, phishing threats and mobile scams are on the rise. In the first few months of 2023 alone, Singaporeans have lost over $300M through scam transactions on mobile devices. Ensuring the reliability, safety, and security of these applications is paramount to mitigating phishing threats and scams.
On a panel during Singapore International Cyber Week, industry experts representing Samsung Electronics, Google, Quokka, OWASP, and DEKRA discussed how to combat the challenges of mobile scams and threats.
How should you evaluate a mobile security provider?
The cybersecurity industry aims to limit phishing attacks by building better solutions to further protect the end user. To achieve this, more education and tools need to be provided to combat these attacks. The first step to ensuring safety is choosing a mobile security provider. However, evaluating the right one can be challenging. Chris Gogoel, VP of business development at Quokka, discusses the importance of understanding the top-down perspective of vendors and OS manufacturers, and the bottom-up perspective of the end user. Each manufacturer adds its own features and flavor to its platform, sometimes leading end users to resort to sideloading an app. Sideloading may not provide the best security, which is why users should add an extra layer of protection by utilizing a security app. Oftentimes users fear that security apps observe everything they are doing. This is where the balance between privacy and security needs to be emphasized. Quokka, a cybersecurity solutions provider, focuses on providing users with tools to check their devices and applications for missing essential security features. They also focus on partnering with companies like Google and Samsung to scan applications as they are being developed. By collaborating with the top-level provider and educating end users, the cybersecurity ecosystem becomes a more secure space for users to interact.
Should the industry be held accountable for mobile scams?
Protecting mobile devices is an evolving industry. As new technologies are built, there are more loopholes where scams may occur. Vulnerabilities may be introduced to all parts of the cyber life cycle. This makes it especially important for vendors to build in security and give users the ability to check for vulnerabilities themselves. Pinpointing accountability becomes a challenge when there are various attack methods occurring across international boundaries with different government standards, and many channels where phishing can be performed. SMS, Telegram channels, LINE channels, and emails are just some of the platforms where scamming can happen. Blocking and identifying unknown bad domains on the devices and the network needs to be more apparent. KC Choi, Executive Vice President at Samsung Electronics, discusses the difficulty of holding entities liable and suggests improvements in accountability, security standards enforcement, and collective commitment to using more secure platforms.
Should mobile app developers be certified?
Oftentimes when developers are creating an app they only write a quarter or less of the code. Most of the code used in the application is reused from an open-source or a paid closed-source library. It may be possible to ensure a developer's intention to write good code; however, the open-source or paid closed-source libraries can introduce an issue that may be deemed risky. Risk can be introduced with benign intent, such as a developer relying on outdated information, or with malicious intent. There are some instances where the government has issued validation certificates for websites; however, there needs to be a process where this can be done uniformly in different countries. In the future, the possibility of doing continuous validation of applications regardless of developer would be a great step forward.
What do those of us in the cybersecurity industry want governments to do to protect citizens from mobile scams?
Governments have the opportunity to empower people by educating them and providing the tools for users to protect themselves. This would enable users to feel safe with the choices they make and the apps they download. Oftentimes citizens will download an app from the app store that has good reviews, not knowing it has the capability to leak data. The government can enforce regulations for these app stores by providing a way for users to check the security of these apps before downloading them. Eugene Liderman, Director of Mobile Security Strategy at Google, discusses how the Google Play store now offers an independent security review viewable by users. This standard of security is slowly growing to become more prominent. The government would play an effective role in introducing this standard for apps that require higher security, such as finance apps. By setting universal standards for app developers and dictating a set of security measures for apps, the government would be helping greatly in protecting citizens from mobile scams.
Can mobile banking apps run entirely on a device’s Trusted Environment (TE)?
Eugene Liderman brings up the example of Protected Confirmation on Android, where the TE drives a user interface (UI) instead of the actual banking app. This requires physical confirmation from the user to acknowledge a transaction. The sensitive information is only shown on the trusted UI. The industry is still searching for more scalable ways for banks to run the TE. Chris Gogoel expresses how deploying Samsung devices at a TE level can have its challenges because these features are chipset specific. The feature needs to be built into the chipset and also turned on by the manufacturer in order to work. Aside from these challenges, securing even a small percentage of transactions this way may be worth the effort.
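The Protected Confirmation flow described above, as an added illustration that is not code from the panel or from any of the companies represented: a banking app generates a hardware-backed signing key that secure hardware will only use after the user has physically confirmed the transaction text shown on the trusted UI, then signs the exact bytes that were displayed so a server can verify them. The key alias, prompt text, nonce and the `onSigned` callback are assumptions for the example.

```java
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.concurrent.Executor;
import java.util.function.BiConsumer;

public class TransferConfirmation {
    private static final String KEY_ALIAS = "transfer_confirm_key"; // assumed alias

    // Generate an EC signing key in the Android Keystore that the secure hardware
    // refuses to use unless the user confirmed on the trusted UI (API 28+).
    static void generateConfirmationKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true) // key is unusable without Protected Confirmation
                .build());
        kpg.generateKeyPair();
    }

    // Show the transaction on the trusted UI. `nonce` is a server-issued challenge so a
    // confirmation cannot be replayed; `onSigned` receives the confirmed bytes and signature.
    static void confirmTransfer(Context ctx, Executor executor, byte[] nonce,
                                BiConsumer<byte[], byte[]> onSigned) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            throw new IllegalStateException("Protected Confirmation not supported on this device");
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText("Transfer S$500 to account 123-456") // constructed sample text
                .setExtraData(nonce)
                .build();
        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    // Sign exactly what the trusted UI displayed; the server verifies this
                    // signature against the device's public key before moving money.
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign((PrivateKey) ks.getKey(KEY_ALIAS, null));
                    sig.update(dataThatWasConfirmed);
                    onSigned.accept(dataThatWasConfirmed, sig.sign());
                } catch (Exception e) { onSigned.accept(dataThatWasConfirmed, null); }
            }
            @Override public void onDismissed() { /* user declined; abort the transfer */ }
            @Override public void onCanceled() { /* app cancelled the prompt */ }
            @Override public void onError(Throwable e) { /* trusted UI failure; abort */ }
        });
    }
}
```

The server should treat a missing or invalid signature as no confirmation at all, since anything the regular app UI displays could have been tampered with by malware on the device.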
Can AI help prevent mobile scams?
The topic of artificial intelligence (AI) has become increasingly prevalent across industries and in everyday life. KC Choi of Samsung Electronics opens the conversation by explaining how companies should tap into the expanding capabilities of AI. In the realm of preventative threat defense, AI is not just an option but a necessity. There is a nuanced duality to AI, acknowledging its capacity to yield both positive and negative outcomes. With the ongoing evolution of AI-driven devices, there is also growth in potential scams generated through AI. Now that there is the ability to react in real time, there may be possibilities for incorporating AI in shaping the landscape of security measures. There is a lot of public focus on AI. Leveraging AI on these devices to detect attacks, and to check applications when they are installed, would be something interesting to see in the future.
How can we democratize mobile app security?
Empowering users through awareness training helps users in determining the security of their mobile applications. Security comes down to the end user and their individualized needs. Users need to be comfortable with their choices and understand what apps could be doing to their data. Gogoel advocates for providing multiple layers of defense, building solutions for specific markets, and having the ability to judge known and unknown domains.
Cybersecurity is a dynamic and continually evolving field. It requires multiple layers of protection to guarantee the reliability, safety, and privacy of digital tools and to help protect users from phishing threats and scams. Industry experts from Samsung Electronics, Google, Quokka, OWASP, and DEKRA shed light on the significance of cybersecurity. They share insightful strategies to effectively combat the challenges posed by emerging threats and scams. The creation of a secure mobile ecosystem involves various factors, including user awareness training and collaborative efforts among top-level mobile security experts. Through such proactive measures, both top-level industries and users can work towards establishing a universally protective environment on an international scale.