Tuesday, 6 May 2014

How thieves can use your mobile to empty your bank account via dodgy public WiFi connections and 'bluesnarfing'

By Guy Walters

As well as socialising, we may use the time and free access to a wireless connection to get on top of our finances. That £75 you owe the plumber can be paid instantly by accessing your bank’s website or app. Transferring money from your savings account to your current account is nothing more than a few taps on your screen.

Not so smart phone: If you connect to an insecure Wi-Fi, thieves may be able to access your bank account

But what coffee drinkers do not suspect is that lurking among their fellow latte lovers are bank robbers. Unlike the figures of popular imagination, these thieves will not be wearing stockings over their head or brandishing a sawn-off shotgun.

Instead, the thief could be that smartly dressed middle-aged man hunched over his laptop, seemingly catching up on his emails. Or maybe it’s the student in the corner, chatting to a friend on his phone while tapping at a tablet computer.

Unbeknown to you, this modern form of bank robber is silently harvesting all your private data. The only sign of his thievery is perhaps a little smile as your bank log-in details appear on his screen, ready for him to copy and paste before plundering your account within seconds of you finishing your coffee.

In short, you’ve just been mugged — but you’ll only realise when you later go to a cash machine to withdraw some money, and discover that every penny in your account has been cleared out.

During an anxious phone call to the bank, you’ll learn that an online thief has hacked into your account and stolen all your money.

Although the bank will usually restore your balance, they won’t be able to restore the feeling of security you had before the cyber robbery.

‘When I first found out that it had happened to me I felt utterly violated,’ says Pam Clover, 40, a marketing consultant and mother-of-three from Salisbury, Wiltshire.

‘After all, your bank details are some of the most private things you have, and somehow a complete stranger had gained access to mine. My first question was: “How had he done it?”’

Increasingly, the most likely answer to that question is through your smartphone. Although we like to think that our devices are secure, it is disturbingly easy for criminals to access them.

Be careful: The process is so simple that the thieves can steal thousands of pounds in just a few hours while sitting in their local Starbucks

As the banks are not obliged to report to the police every time a breach of their security takes place, it is very hard to establish the size of the problem. However, according to internet security experts, it is a growing menace.

‘This is a real challenge for our industry,’ says James Lyne, the global head of security research for the Oxford-based firm Sophos, which provides data protection services to businesses. ‘There’s undoubtedly a lot of this type of crime going on, and it is going unreported.’

There are two main ways in which thieves can access your smartphone.

One route is through your phone’s wireless ‘Bluetooth’ function, which, when switched on, allows it to ‘talk’ to other enabled devices nearby. This means that a hacker sitting near you can use his Bluetooth-enabled laptop to connect to your device without your knowledge. This process is sometimes called ‘bluejacking’ or, more properly, ‘bluesnarfing’ (from the slang word ‘snarf’ which means to eat, drink or devour).

However, this is relatively rare. The more common method is for crooks to use your smartphone’s Wi-Fi connection. They rely on the fact that most of us are blasé about the security of the networks we connect to.

For example, when you are in a coffee shop, your smartphone will present you with a list of available Wi-Fi networks that you can use to connect your phone to the internet. The majority of these networks are run by legitimate companies, but sometimes they are actually created by a criminal sitting nearby with little more than a laptop.

These networks are often given innocent-sounding names, such as ‘Free Public Wi-Fi’, that gull smartphone users into logging in. On the surface, everything seems normal, and you will be able to connect just as you would with a legitimate Wi-Fi service.

However, because you have connected to a network controlled by a thief, he can monitor everything you do, enabling him to vacuum up passwords and login details for your bank account.

In fact, the process is so simple that the thieves can steal thousands of pounds in just a few hours while sitting in their local Starbucks.

In order to show just how easy it is — and quite how trusting people are — the security firm Sophos decided to set up its own Wi-Fi networks on the streets of London to prove how much data it could capture. The firm sent head of security research James Lyne to tour the capital on a bicycle equipped with its own Wi-Fi generator, under various names: ‘FreePublicWifi’, ‘Free Internet’, and even, somewhat cheekily, ‘DO NOT CONNECT’.

According to internet security experts, bank robbery by mobile phone is a growing menace

Within three hours, 2,907 people had connected to his network. One hundred and three of those used it to access a banking service. Had Mr Lyne been a criminal, he could have easily accessed their accounts and helped himself to their money. Even if he had skimmed just £100 from each account, he would have made over £10,000 — not bad for a morning’s work.

‘This willingness to connect to any wireless network that professes to offer free Wi-Fi, without ensuring you have some kind of security measures in place, is like shouting your personal or company information out of the nearest window and being surprised when someone abuses it,’ says Mr Lyne.

For victims such as Mrs Clover, the idea of using her smartphone — or even her computer — to access her bank account is now distinctly unappealing.

‘The whole experience has made me want to go nowhere near internet banking ever again,’ she says. ‘Yes, I know how practical it is, but I’m going to for ever worry that someone is spying on me.’

Thankfully, there are ways to beat the robbers. By far the best way is to set up your own Virtual Private Network (VPN) on your computer at home. Then, when you are using a public Wi-Fi hotspot, you can use your smartphone to connect to your home computer, and use its secure connection to the internet to access web pages safely.

However, this is clearly technically challenging and most of us would need help from an IT expert to do this. Nevertheless, Mr Lyne urges smartphone users to establish their own VPNs.

Another way to stay secure is to make sure that any supposedly secure webpages you look at feature a little padlock in the address bar, as well as the preface ‘https’ rather than ‘http’. This means that the page is secure, and not visible to others.

Third, make sure that you regularly install the suggested updates for your smartphone’s browser software. ‘This is a really boring thing to say,’ says Mr Lyne, ‘but I can’t stress it enough. These updates contain all the latest tools for combating hackers, who like nothing better than out-of-date browsers.’

Ultimately, the best defence is to use common sense, and to only access private information over the web when you are absolutely sure that the Wi-Fi network is legitimate. If you have your doubts, then put down your smartphone, and leave it for later.

Perhaps then, instead of flicking through your phone while you have your macchiato, you might talk to a friend or read that book you’ve been meaning to get around to.
