Mobile Device Management

BYOD: Convenience or Crime?

When you look at a business’s infrastructure today, you see more employees using mobile devices for work purposes. Whether it’s BYOD or mobile point-of-sale devices, users download applications onto these devices that help improve efficiency and productivity; however, the applications often lack security. As a result, businesses may face a damaging data breach that could have been prevented by conducting risk assessments, which include frequent penetration testing (a.k.a. ethical hacking) to help identify and remediate security weaknesses in a company’s infrastructure before criminals can exploit them.

For example, our security experts at Trustwave recently unveiled research findings that question the security of some iOS mobile point-of-sale devices that are used by retailers to accept payment card transactions. To facilitate transactions on these mobile devices, retailers use applications that are typically developed quickly, with speed-to-market as the priority. As a result, these applications are often not vetted against security best practices, are poorly developed and contain serious security vulnerabilities. As part of a penetration testing project on behalf of our retail customers, one of our security experts infiltrated several mobile POS devices and was able to steal the payment card information of hundreds of customers in less than 20 minutes.

When the researcher performed the penetration test, he did it as an actual criminal would, simulating the process a criminal would use. He first swapped out the device, replacing it with one that looked similar so the employee wouldn’t notice. Then, he “jail-broke” the device – unlocking the security of the standard operating system so that he could get access to it as the “root” or superuser (the process took 10-15 minutes). He noticed the application software on the device did not encrypt information the moment the card was swiped, so he installed malware that pulled unencrypted card information every time a customer swiped his/her card. For the average employee running the transactions, the activity on the device seemed to be “business as usual.”

Fortunately, because of the penetration test performed on the device, the customer was able to identify and repair the vulnerabilities before putting the device to use. However, in cases where penetration testing has not been performed, a business may learn the hard way and face a costly compromise that could be tough to overcome.

Penetration testing is one element of a risk assessment, a security service that entails an in-depth evaluation of a business’s infrastructure to help it design a long-term security program that can withstand emerging threats and comply with government regulations. Risk assessments are especially valuable for businesses that are embracing mobile devices because they help identify weaknesses posed by the devices, including vulnerabilities within applications, as well as help a business implement security strategies and policies that are consistently fine-tuned based on the latest threats.

According to our 2013 Trustwave Global Security Report, mobile malware increased 400% in 2012, which is why it is crucial for businesses to deploy security technologies and services specifically for mobile. A risk assessment is the first step. Here are some other tips:

  1. Get educated – Businesses should hold security awareness training for all employees so that they are aware of security best practices when using their mobile devices.
  2. Encryption is critical – If a business is using a mobile POS device, make sure it encrypts information both in the device’s hardware and in the application software the moment a payment card is swiped.
  3. A “self-sealing” solution – Specifically for BYOD security, businesses should deploy technology that identifies a malware infection and automatically quarantines an infected device from the rest of the network to prevent the malware from spreading.

Also, remember that cheaper is not necessarily better. If a business wants to incorporate mobile devices into its environment, security should be a top priority, even if it costs a little more. Most of all – be aware of the risks: a mobile device that contains security vulnerabilities opens the door to hackers looking to steal private financial information in a matter of minutes. Not only can this kind of breach lead to serious financial repercussions for a business, but it could also cause reputational damage and, most importantly, sever the trusting relationship between a business and its customers.


Andrew Bokor is the General Manager of Threat Intelligence & Research at Trustwave
