Issue link: https://digital.copcomm.com/i/7359
R ecent versions of desktop Web browsers and email clients feature phishing and malware protection in addition to improved security notifications and in- dicators. Unfortunately, many of these improvements have not reached their mobile device counterparts. While the patterns of use and the threat model for Web browsing and email on mobile devices differ from desktop applica- tions, as smartphones become more capable they present an increasingly attractive target. Institutions and services that wish to protect their mobile user base should seri- ously consider additional server-based filtering for both email and Web content on mobile devices. For example, currently, it is difficult—to nearly impossible—to verify the authenticity of email messages and the destination of hy- perlinks on many common smartphones. While many organizations provide filtering and threat detection at the network level, modern desktop brows- ers offer additional protection by displaying warnings for potential phishing sites, sites known to contain malware, and for invalid or expired SSL certificates. It is a rare orga- nization that does not provide server based email filtering for spam and viruses. Most modern Web browsers and desktop email clients can utilize third-party software and blacklists to display warnings for potential phishing at- tacks, viruses, and other types of malware. Most Web mail providers offer these features as well. Improvements in se- curity notifications have begun to appear in smartphone Web browsers through the use of blacklists, although they have been slow to arrive for mobile email clients. In my column "You Can Fool Some of the People All of the Time: Research on Usability, Security and Phishing" I summarized research papers on phishing vulnerabilities from both academia and industry. In closing the column, I discussed potential areas of weakness in mobile and embedded browsers found by researchers. One year later, these platforms face increased attacks. According to a 2009 study by Pew Internet and American Life, 55 percent of U.S. adults connect to the Internet via a WiFi enabled laptop, smartphone, or consumer device. Of U.S. adults, 39 percent connect wirelessly via a laptop, 32 percent with a mobile phone (19 percent on a typical day), 12 percent with a desktop computer, 9 percent with a game console, 7 percent with a PDA type device, 5 percent with an MP3 player, and 1 percent with an ebook reader. This means that a significant portion of any user base is likely to spend at least a portion of their time connected via insecure and unfiltered networks. Users with mobile devices are far more likely to connect via an unsecured WiFi network when they are outside of a standard enterprise network. VPN and enterprise WiFi security on mobile devices re- quire complicated configuration and are typically only used when configured or provisioned by IT staff. Although consumers increasingly use mobile devices for high value interactions such as online banking and mak- ing significant purchases, there has been little published research investigating authentication and authorization from these devices. Many mobile devices have reduced keyboards, which make long complicated passwords cumbersome and error prone. The small size of mobile screens may limit the ability to view credentials while typ- ing, which creates additional difficulties when logging in and provides fewer options to display security indicators. Advance Web browsers available on the iPhone, Android- based devices, and those using the Opera mobile browser Smartphone Anti-Phishing Protection Leaves Much to be Desired 19 messagingnews.com 19 messagingnews.com 19 messagingnews.com ON MESSAGE WITH BEN GROSS