Paul Golding's Weblog on Wireless  
The future’s bright, the future’s ubiquity

Sunday, August 03, 2003
 

:: Mobile browsing security threats ::

Mobile users should be careful about responding to messages (such as WAP push) that take them to WAP sites. The site may simply be a fake.

In my forthcoming book, I've just started writing about securing HTTP and WAP connections. When I started thinking about the vulnerabilities of authentication, it occurred to me that mobile sites are perhaps a lot less safe than their desktop counterparts.

One way to obtain a user's password is to spoof a server: pretend to be a particular website and then ask its users to log in. Voila! If they bite, you have their username and password. This has been done on numerous occasions with famous websites and remains an ongoing threat. In fact, regular users of sites like eBay should learn to be vigilant against these spoof attacks. With mobile sites it appears to be even easier.

Firstly, on most mobile browsers, to save screen real estate, the URL box is not displayed, or there simply isn't one. This means a user typically has NO idea what web address they are actually on; surfing mobile sites is sometimes an eerie experience, like walking in the dark. A user directed to a spoof website would have little or no way to tell.

Secondly, because of their sparse interfaces, it takes little effort to mimic a mobile website, perhaps just by copying a logo at the top of the screen.

WAP push will soon become more widespread. It has been slow to catch on, but with the growing number of picture-messaging phones, which necessarily include a WAP browser, more and more mobile users can access mobile sites, whether they know it or not. And they don't need to know it to respond to a WAP push message: the phone itself will fetch the URL embedded in the message if the user chooses to respond.

The other weakness is in the WAP push mechanism itself. It uses text messaging as its transport, and with text messaging it is easy to change the sender's address on a message. In fact, many text-messaging bureaus offer exactly this service to their bulk-messaging customers. This has some interesting and legitimate uses, but it can also be abused: a spoofed sender makes the message look legitimate, adding to the bait used to lure an unsuspecting user onto a spoof site.
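As an added example (not code from the original post), here is a small defender-side checker that pulls out the URL a WAP push Service Indication would open, which the handset's browser would not show the user, and compares its host against the hosts registered for the claimed SMS sender. The `<si><indication href=...>` layout is the WAP Service Indication XML format; the sender allowlist and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed allowlist (not from the original post): the web hosts a given SMS
# originator is entitled to push users towards. An operator or brand owner would
# maintain this in practice.
EXPECTED_HOSTS = {
    "MyBank": {"wap.mybank.example", "m.mybank.example"},
    "Operator": {"wap.operator.example"},
}

def extract_href(si_xml: str) -> str:
    """Return the URL the handset would fetch if the user accepts the push.

    Works on the decoded XML form of a Service Indication; the WBXML encoding
    actually carried over SMS is assumed to have been decoded already.
    """
    root = ET.fromstring(si_xml)
    indication = root.find("indication")
    if indication is None or "href" not in indication.attrib:
        raise ValueError("no <indication href=...> element in Service Indication")
    return indication.attrib["href"]

def vet_push(sender: str, si_xml: str) -> dict:
    """Compare the hidden URL against the hosts registered for the claimed sender.

    SMS lets the sender field be set freely, so a match is only weak reassurance,
    while a mismatch is a strong warning sign.
    """
    href = extract_href(si_xml)
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected URL scheme {parts.scheme!r}")
    allowed = EXPECTED_HOSTS.get(sender)
    if allowed is None:
        reasons.append(f"sender {sender!r} is not a registered originator")
    elif host not in allowed:
        reasons.append(f"host {host!r} is not registered for sender {sender!r}")
    return {"href": href, "host": host, "suspicious": bool(reasons), "reasons": reasons}

# Constructed samples: a genuine push, and one whose sender field was forged to
# read "MyBank" while the embedded link points somewhere else entirely.
GENUINE = ("MyBank", '<si><indication href="https://wap.mybank.example/statements" '
           'action="signal-high">Your new statement is ready</indication></si>')
FORGED = ("MyBank", '<si><indication href="http://wap-mybank.example.net/login" '
          'action="signal-high">Account notice, please log in</indication></si>')

if __name__ == "__main__":
    for label, (sender, xml) in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, vet_push(sender, xml))
```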

Mobile users should be educated about the dangers of responding to WAP push messages.

1:23:19 PM


© Copyright 2003 Paul Golding.
Last update: 8/18/2003; 10:49:58 PM.