In rush for new iPhones, experts warn, don't forget mobile security

Today's launch of Apple's in-demand iPhone 6S has mobile-security pundits hitting the pulpits to remind mobile users that increasingly capable mobile-payments platforms carry novel risks on top of existing exposure to data movement and fluidity.

The device is already reportedly sold out locally, with long lines of people and even robots at Apple Stores around Australia and many purchasers having flown in from countries with a later launch date.

Enthusiasm over mobile devices is at record levels, but the increasing use of the devices for mobile payments has raised alarm bells at peak security-industry body ISACA, which warned in its new 2015 Mobile Payment Security Study that 87 percent of information-security professionals expect an increase in mobile payment breaches over the next 12 months.

Some 42 percent of those same security professionals said they have used mobile payments this year – despite 47 percent saying that mobile payments are not secure and only 9 percent saying they prefer cash over digital payments.

“ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks,” said ISACA risk advisor and president of IP Architects John Pironti in a statement.

Asked to rank the major vulnerabilities associated with mobile payments, the 900 surveyed ISACA members nominated use of public WiFi (26 percent), lost or stolen devices (21 percent), SMS-based phishing (18 percent), weak passwords (13 percent), and user error (7 percent).

Symantec information developer John-Paul Power addressed many of these, urging eager adopters to remember the recent risks from the iOS-based KeyRaider malware, which targets jailbroken iPhones, the XcodeGhost app vulnerability, the so-called XARA sandboxing exploit, and last year's iCloud-hacking scandal as reminders that mobile devices require new vigilance to ensure data security.

Writing in a blog post, Power noted that the new iOS 9 operating system includes several security improvements, including 6-digit instead of 4-digit passcodes, VPN extension support, and two-factor authentication for iTunes and iCloud sign-ins.

Users should match such controls with protections including the use of a strong, unique Apple ID password, use of Apple's TouchID fingerprint authentication, and turning off the Simple Passcode option to use passcodes with letters and symbols as well as numbers.

Other tips include disabling access to Siri from the lock screen; managing apps' access to data (through the Privacy section of iOS settings); disabling AutoFill; and turning off WiFi when you're not using it, as well as being careful to only connect to trusted and known WiFi hotspots.

Security has been a major focus for Apple's latest operating-system updates, with the company patching 101 security flaws in iOS 9 alone and telling iOS developers to use HTTPS “exclusively”.

The surveyed ISACA experts also offered some tips for making mobile payments secure, with 66 percent nominating the use of 2-factor authentication as the best approach. Some 18 percent recommended use of short-term authentication codes, while just 9 percent recommended using phone-based security apps.


Stories by David Braue
