Wednesday January 29, 2020

Advanced SMS Phishing Attacks Affecting Android Phones: Report

However, Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification

A French soldier watches code lines on his computer during the International Cybersecurity forum in Lille, northern France, Jan. 23, 2018. VOA

A security flaw in Samsung, LG, Sony, Huawei and other Android smartphones has been discovered that leaves users vulnerable to advanced SMS phishing attacks, Check Point Research, the threat intelligence arm of cybersecurity firm Check Point Software Technologies Ltd., said on Thursday.

Researchers at the cybersecurity firm said certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of Open Mobile Alliance Client Provisioning (OMA CP) messages.

“Given the popularity of Android devices, this is a critical vulnerability that must be addressed. Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air (OTA) provisioning.

“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” Slava Makkaveev, Security Researcher, Check Point Software Technologies, said in a statement.

The affected Android phones use OTA provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network.

FILE – A worker sits at a computer at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Aug. 22, 2018. VOA

However, researchers at Check Point found that the industry standard for OTA provisioning, the OMA CP, includes limited authentication methods, and remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users.

The message tricks users into accepting malicious settings that route their Internet traffic through a proxy server owned by the hacker.


The findings were disclosed to the affected vendors in March; Samsung included a fix addressing this phishing flaw in their Security Maintenance Release for May (SVE-2019-14073), LG released their fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.

However, Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification. (IANS)


Data Privacy Cause of Concern Without Structural Framework

There are other concerns from the industry as well

As cybersecurity firm Kaspersky explained in a blog, most apps collect some information about the user. Pixabay

The Indian Data Protection bill 2019, which aims to help consumers exercise their privacy rights, needs a proper structural framework, or else the personal data of millions of users in the country will be at stake, leading industry experts said on Monday.

As the world observes Data Privacy Day on January 28, experts and leading industry bodies have already demanded clarification in several areas of ambiguity that exist in the draft Bill.

The Personal Data Protection Bill 2019, which was introduced in Lok Sabha in the winter session last year, has been referred to a Joint Parliamentary Committee (JPC) of both the Houses. The JPC has been constituted under the chairmanship of New Delhi MP Meenakashi Lekhi for examination and report.

“Although the Indian Data Protection bill aims to play an important role in fabricating regulations for governing the increasingly data-driven landscape, without a structural framework data privacy becomes a cause of concern,” Lovneesh Chanana, Vice President, Digital Governments (Asia Pacific & Japan), SAP, told IANS.

A report by the Internet and Mobile Association of India (IAMAI) in December said that the bill categorises data as Personal data, Sensitive Personal data and Critical Personal data, but the industry lacks clarity on which data qualifies under which head and hence is not equipped to take necessary precautions.

“The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation,” said the report.

Telecom Minister Ravi Shankar Prasad, while introducing the Personal Data Protection Bill, 2019, in the Lok Sabha on December 11, announced that the draft Bill empowers the government to ask companies including Facebook, Google and others for anonymised personal data and non-personal data.

However, there are concerns around a provision in the draft bill, seeking to allow the use of personal and non-personal data of users in some cases, especially when national security is involved.

A French soldier watches code lines on his computer during the International Cybersecurity forum in Lille, northern France, Jan. 23, 2019. VOA

Several legal experts have said the provision will give the government unaccounted access to personal data of users in the country.

Ashish Aggarwal, Senior Director and Head, Policy & Advocacy, NASSCOM, however, said the Indian Data Protection bill will be the basis for consumers to exercise their privacy rights.

“The industry will benefit from increased trust by implementing the law diligently. The IT industry has a huge role in using technology solutions to implement the key principles of the law for both the industry and government, in an intuitive and cost effective manner,” Aggarwal told IANS.

There are other concerns from the industry as well.

Shankar Roddam, Chief Operating Officer, Subex, said that the Data Protection bill 2019 talks about monetary compositions like penalties for any abuse or failure to comply with guidelines.

“I personally feel that government should consider sanctions that are being monetary compositions like banning certain privileges for subsidies, funding, directorship, etc. This will help ensure privacy and regulate protection for companies,” Roddam noted.

The experts have demanded clarification in several areas of ambiguity that exist in the draft Bill, which need to be better clarified for businesses to fully comprehend the extent of the adjustments they will have to make to comply with them. (IANS)