It’s time for tech to embrace security by design

Cybercriminals are getting more and more adept at exploiting the latest trend or issue of high public interest to spread malware and steal personal data from unsuspecting users.

Whether it’s an app related to your favorite TV show, government health updates about COVID or tracking missed package deliveries, the result is too often the same: infected devices leading to fraud or outright theft.

Basic cybersecurity hygiene is the key to protecting your devices against the most common types of malware, but we also need security built into technology to prevent these sophisticated cyberattacks.

The Secret Service is certainly best known for protecting the president. But its other primary mission is to safeguard the nation’s financial infrastructure and payment systems to preserve the integrity of the economy from a wide range of financial and electronic crimes, including U.S. counterfeit currency, bank and financial institution fraud, illicit financing operations, identity theft, access device fraud and cybercrimes.

With the prevalence of mobile devices in today’s world, that means that, as the Department of Homeland Security (DHS) recommends, “users should avoid — and enterprises should prohibit on their devices — sideloading of apps and the use of unauthorized app stores.”

The pandemic has been a boon to cybercriminals, taking “advantage of an opportunity to profit from our dependence on technology to go on an internet crime spree,” said Paul Abbate, deputy director of the Federal Bureau of Investigation.

The FBI’s Internet Crime Complaint Center registered 791,790 complaints in 2020, nearly double the previous year’s total and the largest year-over-year increase ever recorded. One particularly insidious example was text messages that encouraged users to download an app to make vaccine appointments; the app then sent malware capable of stealing personal data or banking information to every device in that user’s contacts.

Earlier this year, the U.K.’s National Cyber Security Centre (NCSC) alerted the public to a new form of malware that induced a user to click on a link to track a supposedly missed package delivery, a common occurrence during the pandemic. The link downloaded a malware app, called FluBot, which could then compromise a user’s bank and other financial account details. Cybersecurity researchers discovered “the volume of malicious [FluBot] SMS messages can number in the tens of thousands per hour.” Hackers are even capitalizing on the popularity of the hit television show “Squid Game” with a new wave of cybercrimes targeting mobile devices using malware hidden in apps related to the show.

Mobile devices are now the primary access point for the internet, with 61% of all website visits in the United States in 2020 coming from mobile devices, cementing a shift that first reached majority status in 2019. This is reflected in the increased targeting of mobile devices with cyberattacks, with complaints of phishing and smishing attacks — emails or SMS text messages with malicious links — to the FBI more than doubling in 2020, rising from 114,702 in 2019 to 241,342 last year.

As we enter the holiday shopping season, during which one survey indicates that more than 55% of shoppers will make at least one purchase with a mobile device, it is essential that device owners take precautions to protect themselves from attacks.

The NCSC recommends that users follow basic protections, like frequently backing up their devices, using virus detection software and only installing “new apps onto your device from the app store your manufacturer recommends.” That guidance mirrors the DHS’s, which also recommends that operating systems, apps and other software be updated regularly and that users and enterprises adopt multifactor authentication.

Simple cyber hygiene recommendations form a layered defense against attacks, dramatically reducing the threat of unauthorized access to mobile devices. Yet as critical and effective as these user actions are, cybercriminals utilize sophisticated techniques that exploit human psychology and behaviors to deceive users and penetrate devices.

These kinds of attacks, called social engineering attacks, utilize human interactions and social skills to trick users into allowing attackers access to their devices or systems, sometimes even getting users to disable optional security protections. Attacks like FluBot, fake vaccination sites and malicious “Squid Game” apps are all examples of social engineering.

According to DHS’ Cybersecurity and Infrastructure Security Agency, mobile device owners may be more vulnerable to social engineering attacks through text messages because mobile devices’ “integration of email, voice, text messages and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.”

The White House’s Cybersecurity Summit earlier this year identified ways beyond cyber hygiene to protect against unauthorized access: “We need to transition to where technology is built securely by default. … We need to know we’re buying secure tech,” a senior White House official said.

Secure-by-design mobile devices would build cyber hygiene protections into the device, removing human psychology from the security equation. Seat belts and air bags started as options for car buyers and are now mandatory safety equipment in every car; security protections should follow the same path.

Basic cyber hygiene protections like multifactor authentication or prohibitions on downloading apps from outside official app stores can be built into systems by design. Mobile devices with these kinds of protections baked in from the start would not be nearly as vulnerable to social engineering attacks even if the device owner were, like most people, interested in a hit television show or worried about a pandemic.

The public should follow the basic cyber hygiene recommendations of our cybersecurity agencies. But we also need to short-circuit sophisticated social engineering attacks and build high-security protections into the design of our technology.