In this part of my mini-series “IT Misconceptions” I deal with the question of “Mobile Security”. There are dozens of misunderstandings that are constantly repeated and all too quickly accepted as the truth without actually being provable. I have identified some common misconceptions and show how the risks resulting from a wrong understanding of IT security can be minimised.
Misconception No. 1: “My data is securely protected against external access in the cloud.”
Data in cloud services is not always adequately protected.
Storing user data in cloud storage or automatic synchronisation between mobile device and cloud storage does not provide sufficient protection for data. With such services, users must expect that this data is available unencrypted and that the providers may use this data for their own purposes. Although reputable cloud providers ensure the “security” of data in the cloud, there are dangers lurking when accessing this data. On the one hand, criminals can use malware on the smartphone, tablet or PC to obtain the login credentials or even the data in the cloud itself. If, for example, thieves only need to crack the four-digit PIN or the simple unlock pattern and they succeed, they can also use the app and its stored login credentials to steal, change or delete the cloud data. On the other hand, when the cloud is accessed via public WLANs, personal information can be intercepted by unauthorized persons during data transmission.
Before deciding on a cloud service, it is important to check in advance who the provider is, where they are located and, above all, where the data centres are located.
Misconception No. 2: “Surfing public WLANs not only saves costs, but is also secure”.
Unfortunately, this is only partially true.
Free public WLANs, for example in train stations, cafés or hotels, are a tempting way to save the monthly data volume and still use the Internet on the move. However, a public WLAN is often not secure because the data transfer between the mobile device and the router that establishes the Internet connection is usually unencrypted. Unprotected data can be tapped, or malware can be planted on the user’s device. For this reason, confidential data should never be transmitted via public WLANs unless it has been encrypted locally on the user’s own device or is transmitted via a virtual private network (VPN). This is especially true if the home or company network is to be accessed. In general, users of mobile devices should only switch on the WLAN function during use to minimise the risk of unauthorized access. Some devices offer enhanced security settings for connecting to public WLANs.
When the connection is terminated, the hotspot should be deleted from the list of preferred WLANs to prevent the device from unintentionally reconnecting at another time.
Misconception No. 3: “When I buy a new smartphone, I automatically have a secure device.”
Unfortunately, a new device is not automatically more secure.
A newly bought smartphone does not always have the latest version of its operating system installed. So before using the device, always check whether the firmware is up to date and, if necessary, update it directly until all updates are installed. However, smartphone manufacturers do not always provide an update for all device types, even in the case of known security vulnerabilities, so these vulnerabilities can exist for months even on newly purchased devices and are often not closed at all. In addition, the security settings are often not yet activated when the device is purchased. Users should check these settings and configure them accordingly. This includes PINs, codes or patterns for securing the SIM card and the device itself. Before disposing of the old device, all data on it should be deleted and the old SIM card should be removed and destroyed if it is not to be used in the new device. If encryption is offered on the device, it should be enabled.
Misconception No. 4: “I have of course enabled automatic updates and upgrades of the operating system and apps, so I don’t have to worry about vulnerabilities”.
Automatic updates are useful, but not every vulnerability detected is immediately patched.
The manufacturers of operating systems and apps usually try to provide updated software versions after vulnerabilities and security holes have been discovered. However, due to the large number of device types and versions of software and operating systems on the market, security updates may take longer to arrive, or may not be provided at all for certain problems. Depending on the vulnerability, it may be advisable to stop using or to disable certain features during this period. Even if automatic updates are set by default, users should always make sure that the programs are really up to date. Some app manufacturers do not deliver updates for all operating system versions.