Covid-19 SMS/text message scams: advice for mobile phone users

Fraudsters are using the Covid-19 crisis as bait to conduct SMS scams on a global scale. Many of these criminals are adapting their existing campaigns to exploit the situation.

Some of the examples we’ve seen on the twitter hashtag #covid19scamsms include text messages that trick recipients into divulging their personal and financial details based on lures of ‘goodwill payments’, ‘free home testing kits’ or ‘threats of a fine for breaking lockdown conditions’. In this post, we collate guidance from expert organizations and government agencies worldwide to help mobile phone users thwart such attacks as well as providing our own advice.

Two examples of scam SMS messages being sent by fraudsters exploiting the coronavirus pandemic.

Firstly, what are the tell-tale signs to look out for?

It can be very difficult to work out whether a message is real or not. The reason for this is that fraudsters are trying to trick you into believing that a message is genuine. One of the problems with SMS is that the sender ID can be easily spoofed. This means that something that looks real — for example, the sender is a name rather than a number, and says something like: “US_Gov” — might not in fact be real. Here’s a list of other things that might suggest an SMS is suspect:

  • The message comes from an unrecognisable number.
  • The message contains misspelt or poorly worded phrases.
  • The message uses strange characters that look like legitimate letters (in order to avoid spam filters and get through to you).
  • The message contains a web link for you to go to.
  • The message requests payment or suggests you will receive money if you provide your details.
  • The message attempts to rush or panic you into taking immediate action.
  • The message uses doubtful or clearly false names of government agencies or organizations, either in the web link or the message text itself.

Next, what action should you take?

  • Never reply to the SMS or click on suspicious links. These could result in your phone being infected with malware or you losing money if you’re persuaded to enter credit card details or personal information such as addresses or passwords.
  • Don’t let anyone pressure you to make quick decisions. Stop and think; challenge the information provided in the SMS.
  • Only contact organizations using details obtained from official websites.
  • Check whether a government agency actually did send out messages to people. This might take a bit of searching on the web, but sometimes they’ll explain exactly what they sent. One example is the UK’s coronavirus SMS message.
  • If the message refers to a charity or non-profit, verify that the organization is registered – for example, in the US follow Federal Trade Commission advice, or in the UK search the charity register. Consider donating money via a different mechanism.
  • Keep your mobile phone’s software up-to-date to help reduce the chance that malware could exploit your device.

How can I help others?

We have started to tweet out some examples of these on twitter to help organizations around the world with gathering threat intelligence. The hashtag we are using is:

#covid19scamsms

If you receive a message, in the first instance, you should try and report this to your network operator. They are best-placed to tackle the issue and initiate blocking measures. In many countries you can do this by forwarding the SMS to 7726 (more details provided below). It helps to do this – it is important that the operator knows you’ve received a message that isn’t legitimate because this will tell them that something has got through their filters.

We would encourage anyone who receives a scam SMS message to post a screenshot to the hashtag as a small way of assisting in tackling the problem. For example, the information contained in the message could be a web link to a malicious site which can be taken down before it can cause harm to lots of users. Please make sure you remove any identifying information such as your phone number before you post an image.

And finally, how can you report the fraudulent activity so that government agencies and mobile network operators can take action?

Australia
Canada
  • Forward the spam message to the short code 7726 (SPAM)
  • Call the Canadian Anti-Fraud Centre on 1-888-495-8501 (toll free) or report online.
European Union
New Zealand
  • Forward the TXT message to the free shortcode 7726 (SPAM).
UK
  • Contact your mobile network operator by forwarding the message to 7726.
  • Notify ActionFraud – the UK’s National Fraud and Cyber Crime Reporting Center — either online or by calling 0300 123 2040.
USA
  • Copy the message and forward it to 7726 (SPAM).
  • Report it to the Federal Trade Commission at ftc.gov/complaint.

Related links and further reading

As stated above, we ask that people post screenshots of any examples of Covid-19 SMS scams. Please use the hashtag #covid19smsscam – https://twitter.com/hashtag/covid19scamsms?src=hashtag_click.

Australian government advice

Canadian Anti-Fraud Centre

New Zealand government advice

UK government advice on phishing and bogus contact updated to include examples of Coronavirus (COVID-19) scams

US Federal Communications Commission advice on Covid scams

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Further Thoughts on SIM Swap

I recently wrote about the topic of SIM swapping on my company’s site. This was also posted to the GSMA’s Fraud & Security Group blog. There has been an increase in the amount of awareness of the issue over the last 18 months or so and I expect that to continue throughout 2020. Some factors are driving it – the recently published Princeton paper is probably the first scientific analysis of these problems, especially on the social engineering aspect. Others are the sheer life impact as I describe in my earlier blog – either a huge loss of money or life-takeover of all the victim’s online accounts.

Some feedback I received from industry colleagues on Linkedin is worth mentioning:

  • While I refer to ‘SIM swap’ – because that is the colloquial term we all understand, what is really happening is a re-assignment of the user’s credentials to access services, by the operator to another SIM card, rather than a specific issue with the SIM itself. It’s primarily a process and procedural issue.
  • Like many other cyber security issues we face (not just in telecoms), particularly for trans-national issues, there is almost a complete absence of law enforcement. I’m not just talking about action, but even basic interest would be useful. Where it comes to technical topics, it can be very difficult for the victim to describe it to the Police, but a lack of Police training and structure for dealing with cyber security issues means ultimately criminals get away with it. This perpetuates the cycle of crime. If it’s international, then probably nothing will happen.
  • The authentication of the real user is at the core of the issue – improving these procedures in line with the increased attack surface and asset value is overdue.
  • SMS 2FA is not the solution that should be recommended because SS7 is too vulnerable – I actually disagree with this one on the basis that as an interim solution it is easy for operators to deploy and would raise the bar significantly. SS7 attacks are much more difficult to conduct than social engineering and it ignores the fact that SS7 monitoring, controls and firewalls in-line with GSMA guidance have been and are being implemented across the world.
  • One side-point was made that SMS 2FA isn’t 2FA because the phone number isn’t something the user controls. I think this is not correct – the second factor is really a combination of “something you have (the phone that receives the message)” and “something you know (the code that is sent)”. This point also kind of ignores the practicalities of the problem – you need something that is going to work for millions of users. SMS 2FA is still the easiest and least worst solution for this. Arguably you’re sending the message ‘in-band’ and associated with the thing that is being targeted, however logically, at that point it is under the control of the authentic user. These days there are other channels the operator could possibly use which are sort-of ‘out-of-band’ and they should explore these – i.e. Whatsapp, Signal messages or using an authenticator app such as Duo. I would argue that at least for the last two of these, they’re still quite niche for the ordinary user and that raises complexity in the customer service chain, ultimately actually reducing security. It would also have to carefully thought through – attackers don’t remain static.
  • One point was made that “We have to stop knitting new applications with old technology” and “Same horse same speed… ” – I and others would agree with this. With 5G we had a real opportunity to make a clean break from legacy technologies, however it hasn’t happened. We’ll carry some of those problems with us. I guess there are some similar analogies to replacing lead pipes in houses and cities – it is an economic and practical upgrade problem. We’ll get there I think.
  • Other comments talked about regulation and putting the liability onto operators for the financial losses of users. It is really not that simple in my view. If the target of the service is someone’s email or breaking into the bank – does the network operator retain sole liability for that? We also have to remember that the issue here is the criminals doing this – let’s focus on them a bit more and start prosecuting them.

The UK’s National Cyber Security Centre has an excellent and pragmatic guide for enterprises using SMS: ‘Protecting SMS messages used in critical business processes‘.

10 Inspirational Women in the Mobile Industry

Today is International Women’s Day and I was thinking about the women who had influenced my thinking in the mobile industry over the past year. I have to say, I thought twice about writing this blog – I didn’t want to patronise or embarrass the individuals mentioned in this piece and that certainly is not my intention. At the end of the day, I have decided to publish as they all deserve to be recognised as the movers and shakers they are in the mobile and/or web and internet security world and after all, the theme this year is “make it happen”!

No more glass ceilings

In alphabetical order, I have included their twitter handles where appropriate, so you can follow them:

Karen Barber, Independent Mobile Business and Startup Advisor

Twitter: @KLBarber

Source: Twitter
I first met Karen at the ForumOxford event in May 2014. She has advised many mobile startups and continues to do so, helping people to productise and bring to market new mobile applications and services. Dedicated, with great connections, she is generous with time and advice.

Anne Bouverot, GSMA

Twitter: @annebouverot

Source: https://www.flickr.com/photos/itupictures/8094137683/ (CC BY 2.0)

As Director General of the GSMA, an association of over 800 member network operators and associate companies, Anne has a huge job to herd the cats of the mobile industry whilst negotiating with the governments of the world over regulatory and policy concerns. She is one of only two women on the Board of the GSMA (Mari-Noëlle Jego-Laveissière of Orange recently joined). Only this week she highlighted that: 1.7 billion women in low and middle income countries don’t own a mobile phone – a gender gap of 200 million.

Melanie Ensign, FleishmanHillard
Twitter: @imeluny

I met Melanie while I was out in Las Vegas for Blackhat and DEFCON in 2014. Determined and skillful, Melanie liaises with the media and the hacking community over security concerns on behalf of some telecom companies. This role requires a head for technology and strong people skills, both of which Melanie has in abundance.

Virginie Galindo, Gemalto

Twitter: @poulpita

Source: https://blog.html5j.org/2013/06/w3c-developer-meetup-tokyo.html

As Chair of the W3C’s Web Crypto group, Virginie has one of the hardest jobs in the web world. The recent rise in interest of encryption on the web has made this activity all the more important. In an almost entirely male group, with some extremely volatile and passionate personalities, Virginie has shown incredible leadership, leading to a seat on the Advisory Board of W3C.

Helen Keegan, Independent Mobile Marketing Specialist

Twitter: @technokitten

Source: https://t
echnokitten.blogspot.co.uk/

Helen is one of the most well known people in the mobile marketing community. She runs the Heroes of the Mobile Fringe series of events every year at Mobile World Congress in Barcelona including the spectacularly popular Swedish Beers. Facilitating connections between startups, mobile companies and VCs. Another unsung heroine of the mobile industry, probably responsible for numerous collaborations between companies that previously would never have met.

Dominique Lazanski, GSMA

Twitter: @dml

Source: Twitter

A well known Internet governance expert, Dominique now advises the GSMA on policy issues and cyber security. She is also on the Board of the UK’s Open Data User Group amongst other things. A true visionary and passionate about securing the future of an open and free internet for all.

Sue Monahan, Small Cell Forum

Source: linkedin

Appointed as CEO of the Small Cell Forum in 2014, Sue has shown great leadership and has made great use of her large global network of mobile industry colleagues to raise the profile of small cells and develop the future of mobile networks.

Marie-Paule Odini, HP

An expert in NFV and SDN (she co-chairs the ETSI NFV SWA working group), Marie-Paule is a Distinguished Engineer at HP and their CTO, EMEA for Communications Media Solutions. Intelligent, resourceful and full of ideas, I had the pleasure of meeting her at ITU World in Qatar where we discussed smart cities, drones and disaster relief.

Natasha Rooney, GSMA

Twitter: @thisNatasha

Source: W3C

Natasha is a Web Technologist for the GSMA and co-chair of the Web and Mobile Interest Group at the W3C. A self-declared geek, she has thrown herself into the role and has taken leadership on quite a few critical issues for the future of the web. She has gained the respect of pretty much everyone I know in a very short space of time (oh and as of the Global Mobile Awards in 2015 is now mates with John Cleese!).

Nico Sell, Wickr

Source: ambassadorialroundtable.org

A staunch defender of privacy, Nico Sell co-founded and is CEO of the privacy and security sensitive messaging app Wickr. Personable and highly intelligent, Nico commands the respect of the hacking community and also runs the successful DEFCON kids event and the R00tz Asylum which is bringing up the next generation of security technologists. At this point, I’ll take the opportunity to apologise to Nico for “borrowing” one of the Stegocat posters at Wickr’s DEFCON party!

Let’s Make it Happen

There are many other women across the past year that have influenced me and that I have not mentioned. Some of those don’t have a public profile or keep themselves to themselves, but they’re also often unrecognised by their own companies. I’m constantly impressed by many women that are often juggling parenting responsibilities with international travel and partners who are also in busy careers.

The simple fact that I’m writing this shows that world society still has a long way to go, even in the West. Most of the meetings I go to are still populated by white middle aged suits (yes, me too!). Whilst most people in my age group have moved on from old stereotypes, you still hear some pretty shocking stories of prejudice and public humiliation towards women by bosses and colleagues.

To the male readers of this blog – I see many meetings where “he who shouts loudest” seems to be the “successful” conclusion of a lot of email discussions and meeting decisions. Next time you’re speaking in a meeting – stop and think: perhaps you should listen to someone else’s view? That person may be the woman next to you who isn’t choosing to engage in the usual testosterone-fuelled meeting argument.

The glass ceilings do still exist, but there are lots of rays of light and it is great to see so many of my friends and colleagues doing so well. Long may it continue until the point we don’t need an International Women’s Day.

If you want to mention a woman in the mobile, security or web world who has inspired you, please leave a comment below!

Edit: 08/03/14 – some small edits and tidy-ups, and to actually put them in alphabetical order!


Cyber Security in the Mobile World: MWC Lunchtime Seminar Series

I’ve been running a cyber session on behalf of UKTI and BIS for the past few years. The event has been an increasing draw as a hub for security and privacy discussion at Mobile World Congress. We have an absolutely stellar line-up this year, across three days of lunchtime sessions and I’m really looking forward to MCing! If you’re around at MWC, come along to the UKTI stand in Hall 7 (7C40) at the times below.

#MWC15

Cyber Security in the Mobile World: MWC Lunchtime Seminar Series

In the fourth year of our MWC Cyber Security in the Mobile World event, the topic remains at the top of the headlines. 2014 saw a large number of attacks which were both news-grabbing and serious. Are things getting better or are they going to get worse?

Securing the Internet of Things
Mon 2nd March
12:00 to 12:40
Location: Hall 7, UKTI stand 7C40

The Internet of Things (IoT) has exploded in the last year. Many machine-to-machine (M2M) and IoT devices being purchased by consumers and being implemented within technology from cars to chemical plants, are we adequately prepared to handle the increased cyber risk?

Introduction:

• Richard Parris, Intercede: Introduction to the Cyber Growth Partnership

Keynote speakers:

• Richard Parris, Intercede: The Role of SMEs in Securing IoT
• Marc Canel, Vice President of Security, ARM: Hardware security in IoT
• Svetlana Grant, GSMA: End to End IoT Security

Mobile Cyber Security for Businesses
Tues 3rd March
12:45 to 13:25
Location: Hall 7, UKTI stand 7C40

The Prime Minister recently said that 8 of 10 large businesses in Britain have had some sort of cyber attack against them. With a big increase in the number of mobile devices, how can businesses defend themselves, their data and their employees? What cyber standards are being developed and what enterprise security mechanisms are being put into the devices themselves?

4 person keynote panel, moderated by David Rogers:

• ETSI, Adrian Scrase, CTO
• Samsung, KNOX, Rick Segal, VP KNOX Group
• Good Technologies, Phil Barnett, Head of EMEA
• Adaptive Mobile, Ciaran Bradley

Innovation in Cyber Security: Secure by Default
Wed 4th March
11:40 to 12:20
Location: Hall 7, UKTI stand 7C40

Our speakers will get straight to the point by giving 3 minute lightning talks on a variety of innovations in cyber security.

1. Symantec, IoT Security, Brian Witten
2. W3C, Web Cryptography, Dominique Hazaël-Massieux
3. NCC Group, Innovative Security Assessment Techniques, Andy Davis
4. Plextek, Automotive Security, Paul Martin, CTO
5. SQR Systems, End-to-End Security for Mobile Networks, Nithin Thomas, CEO
6. CSIT, Queens University, Belfast, Philip Mills & David Crozier
7. Trustonic, Your Place or Mine? Trust in Mobile Devices, Jon Geater, CTO
8. NquiringMinds, Picosec: Secure Internet of Things, Nick Allott, CEO
9. Blackphone, Blackphone update, Phil Zimmermann
10. GSMA, The Future of Mobile Privacy, Pat Walshe

Master of the House? Who Controls the Home in the Internet of Things?

I had an interesting conversation with an American friend recently about how the AT&T Digital Life product had helped him take control of the temperature in his house…. from his wife!

I’ve experienced air conditioning wars at a company I used to work at – the thermostat was at the end of the office near the door. At various points, certain people would go and turn it up to full heat, whilst others would go and turn it fully down to cold. It was a mess. In the end facilities resolved it by taking control away entirely and nobody was happy.

Whilst slightly amusing, it does raise interesting questions for the future home internet-of-things (IoT) solutions.

Is the administrator or ‘Master’ of the house IoT system de facto the most tech-savvy person in the house? Statistics on technical career choices would dictate that is probably usually a man. Does that put women in an unfair or weak position when it comes to privacy?
What rights do other family members have to privacy and control?
What about visitors?

Rental Homes and Holiday Lets

What about rented homes? In the future home automation, monitoring and other IoT solutions are likely to be built in to new homes. What rights do people who are leasing homes have when it comes to ensuring that the Landlord cannot monitor or control such a system?

Abusive and Controlling Relationships

What happens in cases of domestic violence, controlling behaviour and abuse? Spyware applications are often used by jealous partners so there is nothing to say that such people wouldn’t also use IoT technology as part of their controlling behaviour.

The Good Side

On the flip-side, there are plenty of examples of cameras being used by home owners which have caught thieves, discovered abuse by child minders and by carers for the elderly. For some vulnerable people, door cameras have been helpful to deter and detect cold callers who would take financial advantage of them.

These new social realities are happening now. Whilst home IoT solutions are generally fantastic, for some people, even being at home may become a problem.

ForumOxford Mobile Security discussion

Join me on Friday the 11th at 3pm (UK), 7am (PDT), 10am (EDT) for a discussion via linkedin on the topic of mobile security. I’ll be talking about everything from mobile phone theft and fingerprint scanners, to what the future could hold.

More details here. So hopefully see you all there. If you can’t make it, have a look at this book if you’re interested in the topic.

9th ETSI Security Workshop

In January 2014, it’ll be the 9th ETSI Security Workshop, in Sophia Antipolis in the south of France. I’ve always found the event really interesting and have spoken there a couple of times myself.

There’s a call for presentations that’s still open until the 11th of October, so if you’re interested in security and mobile, why not put in an abstract? The topics are really broad-ranging (which is part of the appeal). This year’s include:

1. Machine-to-Machine Security
2. Critical infrastructure protection
3. Cybersecurity
4. Analysis of real world security weaknesses
5. Next Generation Networks security
6. Mobile Telecommunications systems
7. RFID and NFC Security issues
8. Privacy and Identity Management
9. Cryptography and Security algorithms
10. Security in the Cloud
11. Smart city security (energy, transport, privacy, …)
12. Trusted Security (services and platforms)
13. Security Indicators/Metrics
14. Academic research and Innovation
15. Device and smart phones security
16. Malware detection and forensics

More details here: http://www.etsi.org/news-events/events/681-2014-securityws

 

CCC bust Apple’s fingerprint scanner?

Just a few days ago I wrote about some of my concerns on biometrics, after the launch of the fingerprint scanner ‘TouchID’ on the iPhone 5S. It appears that they may have been well-founded. The Chaos Computer Club in Germany have released a blog and video which seems to show TouchID being broken by a fake fingerprint. Back to the drawing board again on biometrics? Watch the video for yourself below:

 

You are the Key: Fingerprint Scanning on the iPhone 5S

So, here we are. Another iPhone launch and seemingly even less features. The September 10th launch of the iPhone 5S brings the only physical feature of note: fingerprint scanning via “Touch ID” which is built into the main button of the phone (an elegant way of doing it by the way). This turn of events is more about a push by Apple towards acceptable secure m-payments and stronger user authentication for the web and app store rather than just being completely about access control to the device itself. I’m pretty sure that there’s a strong pull from the business / enterprise sector as well for this kind of technology. In my experience, senior management seem to quite like things they’ve seen in a sci-fi film such as palm-print security access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike PIN numbers, you leave a number of exact replicas of your fingerprints in various public places when you go about your daily business. That’s like leaving an exact imprint of your front door key over twenty times a day on things like the side of your car door, on a coffee cup and on the table of your favourite pub. In all likelihood, the back of your mobile phone probably contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schauble found this out when hacktivists collected his fingerprints from a glass. And remember: once you’ve lost your fingerprint you can’t really get it back (you only have a limited number!).

There are some pretty extreme examples of people who’ve been tortured for bank PIN numbers and even one case in Malaysia where a man had his finger cut off to steal his fingerprint protected Mercedes.

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

“The number of phones found on the London Underground alone was 25,000 in 2011”

According to the Office of National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey of England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

Let’s also bear in mind that a lot of people could believe they’ve been pickpocketed or that their phone was stolen from somewhere when they have in fact just lost their device. The number of phones found on the London underground alone was 25,000 in 2011.

Convenience

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the key that you would have to press anyway. Instead of having to make four or more finger movements and the possible engagement of brain to remember a PIN, you instead have almost instantaneous access, which when you consider how many times you have to enter your PIN into your phone every day is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control security than a few using a PIN is a much better situation for everyone.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people just simply can’t use fingerprint readers. For example, the very young, the elderly and some disabled people. In addition “False negatives” can be caused by various factors such as:

  • Long fingernails
  • Arthritis
  • Circulation problems
  • People wearing hand cream
  • People who’ve just eaten greasy foods
  • Fingerprint abrasion, includes: the elderly, manual labourers, typists, musicians
  • People with cuts

In some senses, this functionality could be regarded as socially regressive, or at least a not socially inclusive and accessible technology. These types of users must fall back to things like PIN usage to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this has to be stored on the device in some way. Each time you access your phone, your data is then processed through an algorithm to get compared. If that is not done properly using secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100,a PanTech device that was released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.

Mobile related presentations at Blackhat and DEFCON 2013

Next week I’ll be heading over to Las Vegas for the world’s biggest security and hacking conferences; Blackhat and DEFCON. Here’s a short run-down of some presentations and briefings that are related to mobile. Obviously there are many others that may also be relevant to mobile (e.g. SSL attacks or HTML5). As you can see, mobile interest is again steadily going up, as well as in other embedded platforms such as automotive and in-home systems. It looks like it is going to be a pretty interesting, if slightly scary week!

Blackhat
DEFCON