Accessing your bank account using your mobile phone might seem safe, but security experts say would-be hackers can access confidential information via a simple text message seemingly from your service provider.
People in the industry aware of the risk see it as extremely small, as only a few people use handsets to access their bank accounts, but it is growing as mobile Internet usage rises.
In April, the flaw — which enables criminals to access a cell phone data connection, steal data or install or remove programs — gained wider attention at the BlackHat Europe security conference.
“The hacker does not have to be especially skilled to do this,” said Jukka Tuomi, chief technology officer at Finnish software firm ErAce Security Solutions.
ErAce said that in some phones using Microsoft’s Windows software, users cannot block the attack, while Symbian phone users can block malicious messages.
However, in practice, most users accept an installation of new settings if they seem to be from an operator.
So far, security problems on cell phones have been mostly limited to small outbreaks as operators have been able to screen the data traffic, but the new risk could be out of their reach in many countries where screening text messages is not allowed.
Consumers’ increasing fears over computer viruses’ ability to attack cell phones can put at risk the take up of new mobile services, which are crucial for operators looking for growth in mature markets, where call prices are falling.
Also, installing security software on the phone is not always enough, as on some models criminals can wipe the program from the phone.
“People think they are closing their door, but the windows and the back door are open,” ErAce’s Tuomi said.
When trying to enter a bank website on a mobile browser from an infected phone, the message on the phone says: “Opening a secure connection. Content cannot be seen by anyone else.” In fact, the connection goes through criminals’ servers.
“This is a real risk, but we have not seen this used in any real attacks in the field,” said Mikko Hypponen, research director at Finnish security software firm F-Secure.
Jacob Greenblatt, from security software firm Discretix said: “While this is definitely serious, there are certain safeguards which can be built into mobile devices to eliminate the threat entirely or to limit its potential for harm.”
Even if new phones are protected, this would still leave billions of phones on the market which are not shielded.