by Marc Goodman
The phenomenon, now standard practice in the workplace, means more and more corporate information is at risk thanks to point-and-click spyware attacks against mobile devices. Even when a corporate network is locked down and protected, personal mobile phones are an easy place from which to pilfer data. Criminal organizations won’t waste their time going to the most secure place where you have stored your information; they will always go after the weakest link in the chain to get what they want.
Criminals are growing increasingly inventive in how they target the information on your mobile device and even the phone networks themselves. For just a few hundred dollars, criminals can purchase and set up a femtocell, a wireless network extender to help people improve mobile phone service in areas with poor network signals. The device is in effect a mini-mobile-phone tower, and criminals can hack it to trick your mobile into believing it is legitimate, when in fact it is merely connecting to a portable mobile phone tower run and operated by criminals. Their goal in doing this? To capture all the data that is sent from your mobile, such as the password you type for your bank account or sensitive e-mails you might be sending. Rogue femtocells can be particularly useful for industrial espionage, and hackers need only set up the device outside the perimeter fences of your corporation to take advantage of the data coming off the mobile devices of hundreds of your employees. Other prime targets would be airports and big conferences where lots of businesspeople congregate. As it turns out, you are not the only one with an affinity for the data on your smart phone.
Hacking Mobile Payments
Of course, today’s mobile phones are just at their earliest stages of development, and many new sensors, such as radio-frequency identification (RFID) and near-field communication (NFC), will bring new capabilities to mobile phones, as well as new vulnerabilities. One area in which this will be most clearly seen is in the disappearance of physical currency. The future of money is mobile and virtual, and a bevy of new sensors and apps are on track to replace your wallet and the cash in your pocket. In fact, some mobile phone providers, such as Safaricom in Africa, dominate the overall payment space. In Kenya, for example, 25 percent of the nation’s GNP is actually transacted on Safaricom’s M-PESA payment system. Mobile money payment systems, which did not even exist at the turn of the last century, are now available in over seventy countries and are used to move billions of dollars every month. In particular, they have been incredibly useful in getting previously “unbanked” populations in the developing world access to the global world of commerce with significant positive impact for local economies.
In the developed world, there has also been a rush to adopt and deploy mobile phone payment systems. MasterCard and Visa have implemented numerous NFC payment programs that allow users to launch an app on their phones and wave or tap the device on a contactless sensor to quickly charge goods and services. From Starbucks, to Best Buy, to parking meters in San Francisco and cabs in New York City, “wave and pay” is increasingly the choice of users for quick checkout and payment. Though Google was an early adopter of NFC payment systems for its Android phones, in September 2014 Apple joined the bandwagon and added swipe-and-pay technology to its latest batch of iPhones. Within the Android ecosystem, Google’s Wallet payment system allows users to store their debit and credit card information with Google and launch the Google Wallet app to check out in an increasing number of stores via any PayPass-enabled store checkout terminal. Google Wallet works with the NFC chips on a wide variety of mobile phones from HTC, LG, Motorola, and Samsung.
The money as represented on these mobile devices is nothing more than data—data that are stored in vulnerable applications, controlled by deeply vulnerable mobile operating systems, using insecure sensor technologies and sensor data-transfer protocols. The obvious result? The future of mobile money may also be the future of mobile pick pocketing. The Google Wallet system has already been subverted by criminals on numerous occasions, and apps such as Wallet Cracker allow anybody to see a user’s personal identification code (PIN) number for the system on demand. Moreover, if and when a user loses his or her Android phone, any pre-stored money in the user’s Google Wallet (data on the device) can readily be spent in a store by the person who happens to steal or find the device. With the rise of NFC applications, and Apple’s notable entrée into mobile payments, we will undoubtedly see growing hacker attention targeting these and other sensors embedded in mobile devices, including GPS.
Your Location Becomes the Scene of the Crime
Advertisers and data brokers are not the only people interested in persistently tracking your location. Criminals, fraudsters, and stalkers have also found good use for the GPS chip on your smart phone. Often hackers can merely piggyback on the good work already done by data brokers as a means of subverting the data you are already leaking. Take, for example, the location-based dating application Tinder, which we discussed in chapter 4. Given the volumes of data, salacious photographs, and potential sex partners, it was not surprising that hackers worked to discover a security vulnerability in the app that allowed anybody to uncover the real-time location of any other users within five feet, information that was designed to be kept private. The best-case scenario with this locational data is that they lead to a positive dating experience. The worst-case scenario is that they and locational data generated by rogue apps such as Girls Around Me could prove a tremendous tool for stalkers, rapists, and potential child abusers. In fact, in 2012 police in South Australia warned members of the public that pedophiles were using geo-tagging data embedded in photographs of children posted online to track down potential targets, putting the subjects of these photographs at risk.
Increasingly, mobile data are being used to ill effect in cases of relationship discord and domestic violence. In 2012, the U.S. Department of Justice revealed that there were 3.4 million victims of stalking annually among those hundreds of thousands who were tracked by spyware and GPS hacks. Welcome to the world of point-and-click surveillance. To be clear, using such spyware is considered an unlawful interception under federal law and is illegal, but the tools are widely available to even novice hackers—or exes—with no prior experience. One product, Mobile Spy, will turn any phone into a bugging device, allowing for ambient recording of the surroundings, even when not on a call. The company also makes an “iPad monitor” product, and all of its software includes a “stealth camera” mode that allows third parties to remotely activate and monitor your camera in real time and store any photographs or videos they choose to record from your device on a central server for later download. Another product, Mobistealth, was used in 2011 by the convicted murderer Simon Gittany, a jealous and abusive boyfriend, to monitor the mobile phone activity of his fiancée, Lisa Harnum, in Sydney, Australia. Thus when Harnum sent an SMS message to her girlfriend confiding that she planned on leaving her abusive relationship, Gittany was immediately notified via Mobistealth of her intent on his own mobile phone. Furious with her plan to leave him, Gittany drove to her home and, in the altercation that ensued, threw her off the fifteenth-floor balcony of her apartment.
But in some cases, domestic abusers did not even need to add third-party spyware to a phone: they just activated the AT&T FamilyMap program offered as a service by the wireless carrier, which allows a cell-phone account holder to track all the devices on his plan. Using his wireless carrier’s family mapping service, Andre Leteve of Scottsdale, Arizona, was able to locate his estranged wife and their two children, whom he murdered. Today it’s no longer even necessary to pay for such a service from carriers like AT&T; the features are already built in to both iOS and Android devices, services with names such as Find My Friends and Find My Phone, which can be turned on to remotely track others. To help combat these threats, domestic violence shelters have learned the moment a new client arrives at their facilities to take away her mobile phone, remove the battery, and disassemble it to avoid acting as a beacon to potential stalkers and violent individuals. It’s not just victims of do
mestic violence who need to worry about inadvertently sharing their locations; even soldiers on the battlefield have cause for concern as terrorists monitor their online activities for potential avenues of attack.
“Is a badge on Foursquare or a check-in worth your life?” That question, now commonly asked by the U.S. Army of its soldiers, is not rhetorical when even terrorists are taking advantage of geo-tagged data. For instance, when American military forces received a new fleet of AH-64 Apache helicopters at their base in Iraq, some deployed soldiers uploaded photographs of themselves in front of their new choppers to Facebook. Unbeknownst to them, their phones had accidentally embedded their GPS coordinates in the photographs. Not only were insurgents monitoring the soldiers’ Facebook postings, but they were also downloading the photographs and analyzing them for useful intelligence. The longitude and latitude information embedded in the photos allowed the terrorists to launch a series of precise mortar attacks that directly targeted and destroyed four of the newly arrived Apaches on the compound.
Not only can we be tracked via the data we are leaking from our mobile phones and embedded files, such as photographs and videos, but increasingly we are leaking our locational data in the physical world. GPS bugging devices are cheap to buy online and are even available for sale in the ubiquitous SkyMall magazine available on every flight we take. In that catalog, Tracking Key sells a GPS hardware bug that attaches via magnet or Velcro to any car and allows owners of the device to replay on an online map everywhere the targeted vehicle drove, including speed of the vehicle, determined at one-second intervals. “Useful to see whether your teenager was speeding, where your spouse is going or where your employees are driving.” Previously, such high-tech gear would only have resided in a spy agency or with the FBI, but now, given the exponential drop in pricing of these technologies, even a neighborhood mom can spy on her kids or potentially cheating spouse.
In the world of big data, we can even leak our physical location without a bugged mobile phone or GPS tracker hidden in our car. A new technology, known as an automatic license plate reader (ALPR), allows both governments and individuals to use video cameras and optical character recognition to record the locations of cars as they pass from one camera point to another, revealing the real-time movement of any vehicle throughout a city or country with great detail. From Minnesota to New Jersey, and from Ankara to Sydney, hundreds of millions of individual license plate records have been stored. As a result, a query can be applied against these massive databases to determine the position of any vehicle over time. Interestingly, those being photographed are not charged with or suspected of any crime in the overwhelming majority of cases, but these data are being stored nonetheless, because they might be useful for a criminal investigation at some point in the future.
ALPR units are also being mounted on police cars and even tow trucks, vastly expanding these databases. Private companies such as Digital Recognition Network of Texas and MVTRAC of Illinois are also building massive databases of ALPR data, which they sell to agents in the vehicle repossession business. This way, if somebody falls behind on his payments, these companies know all the locations the vehicle has been and can send out a tow truck to repossess it. Just as Google Street View cars are driving up and down our city streets recording video of all they see, so too are private ALPR companies. They want to track your car and place its location in front of your home, at your workplace, and at all the places you shop. These data too of course will be monetized, and the practice in 2014 is entirely legal. But as these massive databases of ALPR mushroom, so will the criminal and privacy risks.
If Experian and Acxiom can suffer data breaches or sell their data sets to criminal organizations, why would ALPR vendors be any different? As a result, even victims of domestic violence who had no online presence and did not even carry mobile phones could still be tracked by where they drove in their cars. We’ve seen abuse of ALPR data in the past, way back in 1998, when a Washington, D.C., police lieutenant used his computer system to identify the owners of vehicles parked in the parking lot of a popular gay bar in town. He then used the data to extort the men, threatening to out them, unless they paid him a bribe. While the nature of the threats to ALPR data may be different today, they no doubt exist. How might this information be used in divorce cases (his car was parked at the home of the other woman) or by health insurers (we see his car parked at the bar five days a week)? There are other risks as well: ALPR systems are not flawless in their reading of license plate data, and errors can lead to grave consequences. In 2009, a forty-seven-year-old woman was pulled over in San Francisco by multiple police cars at gunpoint with six police officers pointing weapons at her—all because the ALPR system misread a single digit on her license plate, flagging her car as stolen, when in fact the woman was just out to buy groceries.
Even retailers have begun to pilfer our locational details in new and unexpected ways. The Nordstrom department store, for example, recently began tracking its customers via their Wi-Fi signals and MAC addresses on their smart phones when shopping in its stores. As you walked through the stores, Nordstrom could digitally follow you to see how much time you were spending in ladies’ underwear versus men’s shoes. The high-end retailer contracted with Euclid, a company specializing in helping retailers track customer movements via in-store Wi-Fi connections. To date, Euclid has fingerprinted and tracked more than fifty million mobile devices in the four thousand locations using its service, including hundreds of national retailers such as Home Depot; yes, the same company that leaked fifty-six million credit cards because of a data breach in September 2014 wants to collect even more data on you and your location within its stores. Absent any regulation of the phenomenon, shopping under surveillance will undoubtedly become the new norm, and technology is increasingly turning to tracking people off-line in real space.
At Nordstrom, the only notification customers were given about its use of the new tracking technology was a small, well-hidden sign, barely visible at the entrance to stores. The verbiage on the sign made it clear that this was an opt-out model only, meaning that if you did not want to participate, you had only two choices: don’t come in the store, or turn off your cell phone. Data obtained from services such as these can and will be stored in perpetuity. As a result, your spouse’s divorce attorney will be able to subpoena Nordstrom and Euclid to see if you and your mistress were in the same store together buying intimates. Your boss will be able to contract with a data broker to find out your location that day you called in sick: “If you were sick, why were you (and your cell phone) at the movie theater and Hooters that afternoon?” Worse, criminals will gain access to all this information over time via the digital underground and use it to blackmail, bribe, and stalk targets of their choosing.
Even Disneyland, the “Happiest Place on Earth,” is turning to location-based technologies to track its guests using bracelets called MagicBands, RFID-chip-enabled devices that allow Disney to track its guests throughout its parks. Its goal is to use big data to maximize your stay (and spending) in the Magic Kingdom. As goes Disney, others are likely to follow, and you can expect such human-tracking technologies to be deployed at casinos, resorts, and even airports in the future.
Cloudy Weather Ahead
Though massive amounts of data are leaking from our mobile devices, an increasing number of big-data risks come from the world of “cloud computing.” The cloud refers to the massive network of computing resources available online and the practice of using these remote servers to store, manage, and process the world’s information. The changing paradigm in computing means that less information is stored locally on our machines and is instead being hosted elsewhere on earth. We mostly do not buy software anymore; we just rent it or receive it for free using a new business model known as Software as a Service (SaaS).
On the personal front, cloud computing means Google is storing our mail, Instagram our photographs, and Dropbox our documents—not to mention what mobile phones are autom
atically uploading to the cloud for us. In the corporate world, enterprise customers not only are using Dropbox but also have outsourced primary business functions that would have previously been handled inside the company to SaaS providers such as Salesforce.com, Zoho.com, and Box.com. From a crime and security perspective, the aggregation of all these data, exabytes and exabytes of it, means that our most personal of information is no longer likely stored solely on our local hard drives but now aggregated on computer servers around the world. By aggregating everybody’s important data, financial and otherwise, on cloud-based computer servers, we’ve obviated the need for criminals to target everybody’s hard drive individually and instead put all the jewels in a single place for criminals and hackers to target—think Willie Sutton and his love of banks.
The cloud is here to stay, and at this point there is no going back. In early 2014, Google decreased the pricing of its cloud storage offerings by nearly 70 percent, to just $0.026 per gigabyte per month (just under three cents versus the $437,000 it cost in 1980). The move sent shock waves through the industry, and a price war ensued with the cloud storage giants Amazon and Microsoft also joining the fray. The availability of such cheap computing resources and a growing array of SaaS offerings will have untold positive impact on personal productivity, entrepreneurship, and innovation, which in turn will only hasten the inevitable transition to cloud computing. But with this move to store all available data in the cloud come additional risks. Think of the largest hacks to date—Target, Heartland Payment Systems, TJX, and Sony PlayStation Network. All of these thefts of hundreds of millions of accounts were made possible because the data were stored in the same virtual location. The cloud is equally convenient for individuals, businesses, and criminals. To deal with these risks, organizations such as the nonprofit Cloud Security Alliance have been formed to promote best practices and improve security in the age of cloud computing.
