UNIT-III

Cybercrime:
Mobile &
Wireless Devices

K. BALAKRISHNA
B.Tech., MBA., M.Tech., DID., (Ph.D)
Contents
1. Introduction
2. Proliferation of Mobile and Wireless
Devices
3. Trends in Mobility
4. Credit Card Frauds in Mobile and Wireless
Computing Era
5. Security Challenges Posed by Mobile
Devices
6. Registry Settings for Mobile Devices
7. Authentication Service Security
8. Attacks on Mobile/Cell Phones
9. Mobile Devices: Security Implications for
Organizations
10. Organizational Measures for Handling
Mobile
11. Organizational Security Policies and
Measures in Mobile Computing Era
12. Laptops
1. Introduction

Today, incredible advances are being made for mobile devices. The
trend is for smaller devices and more processing power. A few years
ago, the choice was between a wireless phone and a simple PDA.
Now the buyers have a choice between high-end PDAs with
integrated wireless modems and small phones with wireless Web-
browsing capabilities.

A long list of options is available to the mobile users. A simple hand-

held mobile device provides enough computing power to run small
applications, play games and music, and make voice calls. A key
driver for the growth of mobile technology is the rapid growth of
business solutions into hand-held devices.

As the term "mobile device" includes many products. We first

provide a clear distinction among the key terms: mobile computing,
wireless computing and hand-held devices.
2. Proliferation of Mobile and Wireless Devices
Mobile computing is "taking a computer and all necessary files and
software out into the field." Many types of mobile computers have
been introduced since 1990s. They are as follows:

1. Portable computer: It is a general-purpose computer that can be

easily moved from one place to another, but cannot be used while
in transit, usually because it requires some "setting-up" and an AC
power source.

2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper

notebook and has features of a touchscreen with a stylus and
handwriting recognition software. Tablets may not be best suited
for applications requiring a physical keyboard for typing, but are
otherwise capable of carrying out most tasks that an ordinary
laptop would be able to perform.

3. Internet tablet: It is the Internet appliance in tablet form. Unlike a

Tablet PC, the Internet tablet does not have much computing
power and its applications suite is limited. Also it cannot replace a
general-purpose computer. The Internet tablets typically feature
an MP3 and video player, a Web browser, a chat application and a
picture viewer.
2. Proliferation of Mobile and Wireless Devices

4. Personal digital assistant (PDA): It is a small, usually pocket-sized,

computer with limited functionality. It is intended to supplement and
synchronize with a desktop computer, giving access to contacts, address
book, notes, E-Mail and other features.

5. Ultramobile (PC): It is a full-featured, PDA-sized computer running a

general-purpose operating system (OS).

6. Smartphone: It is a PDA with an integrated cell phone functionality.

Current Smartphones have a wide range of features and installable
applications.

7. Carputer: It is a computing device installed in an automobile. It operates

as a wireless computer, sound system, global positioning system (GPS)
and DVD player. It also contains word processing software and is
Bluetooth compatible.

8. Fly Fusion Pentop computer: It is a computing device with the size and
shape of a pen. It functions as a writing utensil, MP3 player, language
translator, digital storage device and calculator.
  Mobile computing is moving into a new era, third generation
3. Trends in Mobility ( 3G), which promises greater variety in applications and have
highly improved usability as well as speedier networking.
"iPhone" from Apple and Google-led "Android" phones are the
best examples of this trend and there are plenty of other
developments that point in this direction. This smart mobile
technology is rapidly gaining popularity and the attackers
(hackers and crackers) are among its biggest fans.

 It is worth noting the trends in mobile computing; this will help

readers to readers to realize the seriousness of cybersecurity
issues in the mobile computing domain.

 The new technology 3G networks are not entirely built with IP

data security. Moreover, IP data world when compared to voice-
centric security threats is new to mobile operators.

 There are numerous attacks that can be committed against

mobile networks and they can originate from two primary vectors.
One is from outside the mobile network - that is, public Internet,
private networks and other operator's networks - and
the other is within the mobile networks- that is, devices such as
data-capable handsets and Smartphones, notebook computers
or even desktop computers connected to the 3G network.
3. Trends in Mobility
 Popular types of attacks against 3G mobile networks are as follows:
3. Trends in Mobility
1. Malwares, viruses and worms: Although many users are still in the
transient process of switching from 2G,2.5G to 3G, it is a growing need
to educate the community people and provide awareness of such
threats that exist while using mobile devices.

Here are few examples of malware(s) specific to mobile devices:

 Skull Trojan: It targets Series 60 phones equipped with the Symbian

mobile OS.
 Cabir Worm: It is the first dedicated mobile-phone worm infects phones
running on Symbian OS and scans other mobile devices to send a copy
of itself to the first vulnerable phone it finds through Bluetooth Wireless
technology. The worst thing about this worm is that the source code for
the Cabir-H and Cabir-I viruses is available online.
 Mosquito Trojan: It affects the Series 60 Smartphones and is a cracked
version of "Mosquitos" mobile phone game.
 Brador Trojan: It affects the Windows CE OS by creating a svchost.
exe file in the Windows start-up folder which allows full control of the
device. This executable file is conductive to traditional worm propagation
vector such as E-Mail file attachments.
 Lasco Worm: It was released first in 2005 to target PDAs and mobile
phones running the Symbian OS. Lasco is based on Cabir's source code
and replicates over Bluetooth connection.
3. Trends in Mobility
2. Denial-of-service (DoS): The main objective behind this attack is to
make the system unavailable to the intended users. Virus attacks can be
used to damage the system to make the system unavailable. Presently, one
of the most common cyber security threats to wired Internet service
providers (iSPs) is a distributed denial-of-service (DDos) attack .DDoS
attacks are used to flood the target system with the data so that the
response from the target system is either slowed or stopped.

3. Overbilling attack: Overbilling involves an attacker hijacking a

subscriber's IP address and then using it (i.e., the connection) to initiate
downloads that are not "Free downloads" or simply use it for his/her own
purposes. In either case, the legitimate user is charged for the activity
which the user did not conduct or authorize to conduct.

4. Spoofed policy development process (PDP): These of attacks exploit

the vulnerabilities in the GTP [General Packet Radio Service (GPRS)
Tunneling Protocol].

5. Signaling-level attacks: The Session Initiation Protocol (SIP) is a

signaling protocol used in IP multimedia subsystem (IMS) networks to
provide Voice Over Internet Protocol (VoIP) services. There are several
vulnerabilities with SIP-based VolP systems.
4. Credit Card Frauds in Mobile and Wireless Computing Era
Credit card frauds are now becoming commonplace given the ever-
increasing power and the ever-reducing prices of the mobile hand-held
devices, factors that result in easy availability of these gadgets to
almost anyone. Mobile credit card transactions are now very common;
new technologies combine low-cost mobile phone technologies with the
capabilities of a point-of-sale (POS) terminal.

Today belongs to "mobile computing" that is, anywhere anytime

computing. The developments in wireless technology have fueled this
new mode of working for white collar workers. This is true for credit
card processing too; wireless credit card processing is a relatively new
service that will allow a person to process credit cards electronically,
virtually anywhere.

Wireless credit card processing is a very desirable system, because it

allows businesses to process transactions from mobile locations quickly,
efficiently and professionally. It is most often used by businesses that
operate mainly in a mobile environment. These businesses include
mobile utility repair service businesses, locksmiths, mobile windshield
repair and others. Some upscale restaurants are using wireless
processing equipment for the security of their credit card paying
customers.
4. Credit Card Frauds in Mobile and Wireless Computing Era

As shown in Figure, the basic flow is as

follows:

i. Merchant sends a transaction to bank

ii. The bank transmits the request to the
authorized cardholder
iii. The cardholder approves or rejects
(password protected)
iv. The bank/merchant is notified
v. The credit card transaction is completed.
4.1. Types and Techniques of Credit Card Frauds
a. Traditional Techniques:

The traditional and the first type of credit card fraud is paper-based-
application fraud, wherein a criminal uses stolen or fake documents
such as utility bills and bank statements that can build up useful
personally Identifiable Information (PII) to open an account in someone
else's name.

Application fraud can be divided into:

 ID theft: Where an individual pretends to be someone else.

 Financial fraud: Where an individual gives false information about

his or her financial status to acquire credit. Illegal use of lost and
stolen cards is another form of traditional technique. Stealing a
credit card is either by pickpocket or from postal service before it
reaches its final destination.
4.1. Types and Techniques of Credit Card Frauds
b. Modern Techniques:

1. Triangulation: It is another method of credit card fraud and works in

the fashion as explained further.

 The criminal offers the goods with heavy discounted rates through a
website designed and hosted
 The customer registers on this website with his/her name, address,
shipping address and valid credit card details.
 The criminal orders the goods from a legitimate website with the
help of stolen credit card details and supply shipping address that
have been provided by the customer while registering on the
criminal's website.
 The goods are shipped to the customer and the transaction gets
completed.
 The criminal keeps on purchasing other goods using fraudulent
credit card details of different customers till the criminal closes
existing website and starts a new one.

2. Credit card generators: It is another modern technique computer

emulation software that creates valid credit card numbers and expiry
dates. The criminals highly rely on these generators to create valid
credit cards. These are available for free download on the Internet.
 5. Security Challenges Posed by Mobile Devices
Mobility brings two main challenges to cybersecurity:
 first, on the hand-held devices, information is being taken outside
the physically controlled environment and
 second remote access back to the protected environment is being
granted.
Simple PowerPoint Presentation
As the number of mobile device users increases, two challenges are
presented: one at the device level called "micro challenges" and
another at the organizational level called "macro-challenges.“

Some well-known technical challenges in mobile security are:

Managing the registry settings and configurations,
 Authentication service security,
 Cryptography security,
 Lightweight directory access protocol (LDAP) security,
 Remote access server (RAS) security,
 Media player control security,
 Networking application program interface (API) security etc.
 6. Registry Settings for Mobile Devices
Let us understand the issue of registry settings on mobile devices
through an example:

 Microsoft Activesync is meant for synchronization with Windows-

powered personal computers (PCs) and Microsoft Outlook.
Simple PowerPoint Presentation
 ActiveSync acts as the "gateway between Windows-powered PC
and Windows mobile-powered device, enabling the transfer of
applications such as Outlook information, Microsoft Office
documents, pictures, music, videos and applications from a user's
desktop to his/her device.

 In addition to synchronizing with a PC, ActiveSync can synchronize

directly with the Microsoft exchange server so that the users can
keep their E-Mails, calendar, notes and contacts updated wirelessly
when they are away from their PCs.

 In this context, registry setting becomes an important issue given

the ease with which various applications allow a free flow of
information.