
Cybersecurity Chapter-1 3

This chapter discusses the security challenges posed by mobile and wireless devices in the context of cybercrime, emphasizing the need for organizations to implement protective measures. It covers various types of mobile devices, the rise of mobile credit card fraud, and the implications of mobile computing for businesses. Additionally, it provides tips for preventing credit card fraud and introduces the Closed-loop environment for wireless transactions.

Uploaded by

01fe22bcs209

3 Cybercrime: Mobile and Wireless Devices

Learning Objectives
After reading this chapter, you will be able to:

• Understand the security challenges presented by mobile devices and information systems access in the cybercrime world.
• Understand the challenges faced by the mobile workforce and their implications under the cybercrime era.
• Get an overview on mitigation strategy like the CLEW for possible protection of credit card users.
• Learn about security issues arising due to use of media players.
• Understand the organizational security implications with electronic gadgets and learn what organizational measures need to be implemented for protecting information systems from threats in mobile computing area.
• Understand Smishing and Vishing attacks in the Mobile World.
• Understand the security issues arising due to daily use of removable media such as pen/zip drives in this mobile environment.

3.1 Introduction

In this modern era, the rising importance of electronic gadgets (i.e., mobile hand-held devices) - which became an integral part of business, providing connectivity with the Internet outside the office - brings many challenges to secure these devices from being a victim of cybercrime. In the recent years, the use of laptops, personal digital assistants (PDAs), and mobile phones has grown from limited user communities to widespread desktop replacement and broad deployment. According to Quocirca Insight Report (2009), by the end of 2008 around 1.5 billion individuals around the world had the Internet access. In November 400, mobile phone users were numbered 3.3 billion, with a growing proportion of those mobile devices enabled for the Internet access. The complexity of managing these devices outside the walls of the office is something that the information technology (IT) departments in the organizations need to address. Remote connection has extended from fixed location dial-in to wireless-on-the-move, and smart hand-held devices such as PDAs have become networked, converging with mobile phones. Furthermore, the maturation of the PDA and advancements in cellular phone technology have converged into a new category of mobile phone device: the Smartphone.

Smartphones combine the best aspects of mobile and wireless technologies and blend them into a useful tool. Although IT departments of organizations as yet are not swapping employees' company-provided PDAs (as the case may be) for the Smartphones, many users may bring these devices from home and use them in the office. Research in Motion's (RIM) BlackBerry Wireless Hand-held is an alternate technology. According to Research in Motion Annual Report (2009), there are over 175,000 organizations with BlackBerry Enterprise Server installed behind the corporate firewall (i.e., corporations that use the BlackBerry enterprise server and client/server software for data communication between corporate BlackBerry devices and other mail systems). Thus, the larger and more diverse community of mobile users and their devices increase the demands on the IT function to secure the device, data and connection to the network, keeping control of the corporate assets, while at the same time supporting mobile user productivity. Clearly, these technological developments present a new set of security challenges to the global organizations.

82 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives

3.2 Proliferation of Mobile and Wireless Devices


Today, incredible advances are being made for mobile devices. The trend is for smaller devices and more processing power. A few years ago, the choice was between a wireless phone and a simple PDA. Now the buyers have a choice between high-end PDAs with integrated wireless modems and small phones with wireless Web-browsing capabilities. A long list of options is available to the mobile users. A simple hand-held mobile device provides enough computing power to run small applications, play games and music, and make voice calls. A key driver for the growth of mobile technology is the rapid growth of business solutions into hand-held devices. Figure 3.1 shows some typical hand-held devices.

As the term "mobile device" includes many products, we first provide a clear distinction among the key terms: mobile computing, wireless computing and hand-held devices. Figure 3.2 helps us understand how these terms are related. Let us understand the concept of mobile computing and the various types of devices.


Figure 3.1 Typical hand-held devices.


Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics,
Frameworks and Best Practices, Wiley India.

[Figure 3.2 diagram. Labels: standard laptop; standard PDA; laptop with wireless access; desktop PC with wireless access; wireless/Smartphone. Legend: mobile device, wireless device, hand-held device; PDA = personal digital assistant.]

Figure 3.2 Mobile, wireless and hand-held devices.


Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics,
Frameworks and Best Practices, Wiley India.

Mobile computing is "taking a computer and all necessary files and software out into the field." Many types of mobile computers have been introduced since 1990s. They are as follows:
1. Portable computer: It is a general-purpose computer that can be easily moved from one place to another, but cannot be used while in transit, usually because it requires some "setting-up" and an AC power source.
2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has features of a touchscreen with a stylus and handwriting recognition software. Tablets may not be best suited for applications requiring a physical keyboard for typing, but are otherwise capable of carrying out most tasks that an ordinary laptop would be able to perform.
3. Internet tablet: It is the Internet appliance in tablet form. Unlike a Tablet PC, the Internet tablet does not have much computing power and its applications suite is limited. Also it cannot replace a general-purpose computer. The Internet tablets typically feature an MP3 and video player, a Web browser, a chat application and a picture viewer.
4. Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with limited functionality. It is intended to supplement and synchronize with a desktop computer, giving access to contacts, address book, notes, E-Mail and other features.
5. Ultramobile PC: It is a full-featured, PDA-sized computer running a general-purpose operating system (OS).
6. Smartphone: It is a PDA with an integrated cell phone functionality. Current Smartphones have a wide range of features and installable applications.
7. Carputer: It is a computing device installed in an automobile. It operates as a wireless computer, sound system, global positioning system (GPS) and DVD player. It also contains word processing software and is Bluetooth compatible.
8. Fly Fusion Pentop computer: It is a computing device with the size and shape of a pen. It functions as a writing utensil, MP3 player, language translator, digital storage device and calculator.

Wireless refers to the method of transferring information between a computing device (such as a PDA) and a data source (such as an agency database server) without a physical connection. Not all wireless communication technologies are mobile. For example, lasers are used in wireless data transfer between buildings, but cannot be used in mobile communications at this time. Mobile simply describes a computing device that is not restricted to a desktop, that is, not tethered. As more personal devices find their way into the enterprise, corporations are realizing cybersecurity threats that come along with the benefits achieved with mobile solutions.

Mobile computing does not necessarily require wireless communication. In fact, it may not require communication among devices at all. Thus, while "wireless" is a subset of "mobile," in most cases, an application can be mobile without being wireless. Smart hand-helds are defined as hand-held or pocket-sized devices that connect to a wireless or cellular network, and can have software installed on them; this includes networked PDAs and Smartphones. In this chapter the term "hand-held" is used as an all-embracing term.
3.4 Credit Card Frauds in Mobile and Wireless Computing Era

These are new trends in cybercrime that are coming up with mobile computing - mobile commerce (M-Commerce) and mobile banking (M-Banking). Credit card frauds are now becoming commonplace given the ever-increasing power and the ever-reducing prices of the mobile hand-held devices, factors that result in easy availability of these gadgets to almost anyone. Mobile credit card transactions are now very common; new technologies combine low-cost mobile phone technologies with the capabilities of a point-of-sale (POS) terminal.

Today belongs to "mobile computing," that is, anywhere anytime computing. The developments in wireless technology have fuelled this new mode of working for white collar workers. This is true for credit card processing too; wireless credit card processing is a relatively new service that will allow a person to process credit cards electronically, virtually anywhere. Wireless credit card processing is a very desirable system, because it allows businesses to process transactions from mobile locations quickly, efficiently and professionally. It is most often used by businesses that operate mainly in a mobile environment. These businesses include mobile utility repair service businesses, locksmiths, mobile windshield repair and others. Some upscale restaurants are using wireless processing equipment for the security of their credit card paying customers. Figure 3.4 shows the basic flow of transactions involved in purchases done using credit cards. Credit card companies, normally, do a good job of helping consumers resolve identity (ID) theft problems (refer to Chapter 5) once they occur. But they could reduce ID fraud even more if they give consumers better tools to monitor their accounts and limit high-risk transactions (Box 3.2).

[Figure 3.4 diagram. Labels: cardholder magnetic stripe card; magnetic stripe reader and PIN pad (card swiped to obtain magnetic stripe data); merchant server; security control module; back-end network; acquiring bank; card issuing bank; host security module checks PIN inside encrypted PIN block with optional PIN offset data.]

Figure 3.4 Online environment for credit card transactions.


Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics,
Frameworks and Best Practices, Wiley India.
Box 3.2 Tips to Prevent Credit Card Frauds
The current topic is about credit card frauds in mobile and wireless computing era, however we would like to include these tips to prevent credit card frauds caused due to individual ignorance about a few known facts.

Do's
1. Put your signature on the card immediately upon its receipt.
2. Make the photocopy of both the sides of your card and preserve it at a safe place to remember the card number, expiration date in case of loss of card.
3. Change the default personal identification number (PIN) received from the bank before doing any transaction.
4. Always carry the details about contact numbers of your bank in case of loss of your card.
5. Carry your cards in a separate pouch/card holder than your wallet.
6. Keep an eye on your card during the transaction, and ensure to get it back immediately.
7. Preserve all the receipts to compare with credit card invoice.
8. Reconcile your monthly invoice/statement with your receipts.
9. Report immediately any discrepancy observed in the monthly invoice/statement.
10. Destroy all the receipts after reconciling it with the monthly invoice/statement.
11. Inform your bank in advance, about any change in your contact details such as home address, cell phone number and E-Mail address.
12. Ensure the legitimacy of the website before providing any of your card details.
13. Report the loss of the card immediately in your bank and at the police station, if necessary.

Dont's
1. Store your card number and PINs in your cell.
2. Lend your cards to anyone.
3. Leave cards or transaction receipts lying around.
4. Sign a blank receipt (if the transaction details are not legible, ask for another receipt to ensure the amount instead of trusting the seller).
5. Write your card number/PIN on a postcard or the outside of an envelope.
6. Give out immediately your account number over the phone (unless you are calling to a company/to your bank).
7. Destroy credit card receipts by simply dropping into garbage box/dustbin.
Source: http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre07.shtm

There is a system available from an Australian company "Alacrity" called closed-loop environment for wireless (CLEW). Figure 3.5 shows the flow of events with CLEW which is a registered trademark of Alacrity used here only to demonstrate the flow in this environment.
As shown in Figure 3.5, the basic flow is as follows:
1. Merchant sends a transaction to bank;
2. the bank transmits the request to the authorized cardholder [not short message service (SMS)];
3. the cardholder approves or rejects (password protected);
4. the bank/merchant is notified;
5. the credit card transaction is completed.
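
The closed-loop flow listed above, modelled as an added example (it is not part of the original chapter and is not Alacrity's implementation): a transaction completes only after the enrolled cardholder answers the bank's request with the correct password. The class and method names, the PBKDF2 password check, the request expiry and the three-attempt limit are all assumptions made for illustration.

```python
# Added illustration of the closed-loop approval flow; every name here is hypothetical.
import hashlib, hmac, secrets, time
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed limit on wrong passwords per request

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class PendingRequest:
    card: str
    merchant: str
    amount_cents: int
    expires_at: float
    failures: int = 0
    state: str = "PENDING"  # PENDING -> APPROVED | REJECTED | EXPIRED

class Bank:
    def __init__(self, ttl_seconds: float = 120.0):
        self.ttl = ttl_seconds
        self.cardholders = {}    # card -> (salt, password hash)
        self.requests = {}       # request id -> PendingRequest
        self.outbox = []         # stands in for the bank-to-cardholder channel (not SMS)
        self.notifications = []  # step 4: what the bank/merchant is told

    def enroll(self, card: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.cardholders[card] = (salt, _hash_password(password, salt))

    def submit(self, merchant, card, amount_cents, now=None):
        """Steps 1-2: merchant sends the transaction; bank forwards it to the cardholder."""
        now = time.time() if now is None else now
        if card not in self.cardholders:
            raise KeyError("card not enrolled")
        rid = secrets.token_hex(8)
        self.requests[rid] = PendingRequest(card, merchant, amount_cents, now + self.ttl)
        self.outbox.append((card, rid, merchant, amount_cents))
        return rid

    def respond(self, rid, password, approve, now=None):
        """Steps 3-5: password-protected approve/reject, notification, completion."""
        now = time.time() if now is None else now
        req = self.requests.get(rid)
        if req is None or req.state != "PENDING":
            return "IGNORED"               # unknown id, or a replayed response
        if now > req.expires_at:
            req.state = "EXPIRED"          # late answers never complete a transaction
        else:
            salt, stored = self.cardholders[req.card]
            if hmac.compare_digest(stored, _hash_password(password, salt)):
                req.state = "APPROVED" if approve else "REJECTED"
            else:
                req.failures += 1
                if req.failures < MAX_FAILURES:
                    return "BAD_PASSWORD"  # request stays pending, nothing completes
                req.state = "REJECTED"     # too many wrong passwords
        self.notifications.append((req.merchant, rid, req.state))
        return req.state

    def is_completed(self, rid) -> bool:
        return self.requests[rid].state == "APPROVED"
```
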
3.4.1 Types and Techniques of Credit Card Frauds
Traditional Techniques
The traditional and the first type of credit card fraud is paper-based fraud - application fraud, wherein a criminal uses stolen or fake documents such as utility bills and bank statements that can build up Personally Identifiable Information (PII) (refer to Chapter 5) to open an account in someone else's name.

[Figure 3.5 diagram. Labels: security control module; merchant; bank; "Yes - approve transaction" / "No - reject transaction"; "Advises bank yes or no"; "Request for approval from credit card owner"; individual card holder using cell phone for credit card transaction.]

Figure 3.5 Closed-loop environment for wireless (CLEW).


Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics,
Frameworks and Best Practices, Wiley India.

Box 3.3 Potential Wireless Users Beware!
Although wireless processing is a very good system for many companies, however, it is not for all mobile businesses. There are some drawbacks to wireless processing that many potential wireless users should be aware of before they venture into wireless processing. They are as follows:
1. Wireless processing equipment is expensive: There is no way to get around this. Wireless credit card machines are the most advanced processing terminals available. You get what you pay for! For a wireless terminal with a printer, expect to pay at least US$ 800 for a new terminal and US$ 700 for a refurbished terminal. If you are purchasing a terminal that is much cheaper than any other you find, it is most likely outdated equipment that uses outdated cellular networks. In other words, it is a scam, and you are about to buy a really expensive paperweight.
2. Wireless processing comes with extra fees: Just like a cell phone, wireless credit card machines operate on cellular networks. You have to pay for this cellular service in addition to the high cost of equipment. Luckily, wireless fees for processing are nowhere near what they are for cell phones. Expect to pay US$ 20-25 per month for a wireless service fee.
3. Wireless credit card machines are subject to cellular coverage blackouts: I know what you are thinking - "My cell phone works almost everywhere, so my wireless credit card machine will too." Sadly, this is not the case. Wireless credit card processing uses a business cellular network called the Motient or Mobitex network. Your cell phone may be using a network called code division multiple access (CDMA) or time division multiple access (TDMA) [global system for mobile communications (GSM)] or some other technology-based network. The coverage that your cell phone gets is much greater than the wireless processing network. There can be some states in your country with no coverage for wireless processing at all.
4. You cannot process checks or debit transactions over a wireless network: Currently owing to federal regulations, it is impossible to process debit transaction or electronic checks over a wireless network. This is something that will probably end up being allowed in the future, but as of now there is not sufficient security or encryption to process these transactions wireless.
Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.

Application fraud can be divided into
1. ID theft: Where an individual pretends to be someone else (see more on ID Theft in Chapter 5).
2. Financial fraud: Where an individual gives false information about his or her financial status to acquire credit.

Illegal use of lost and stolen cards is another form of traditional technique. Stealing a credit card is either by pickpocket or from postal service before it reaches its final destination.

Modern Techniques
Sophisticated techniques enable criminals to produce fake and doctored cards. Then there are also those who use skimming to commit fraud. Skimming is where the information held on either the magnetic strip on the back of the credit card or the data stored on the smart chip are copied from one card to another (see more on skimming frauds in Chapter 11 in CD). Site cloning and false merchant sites on the Internet are becoming a popular method of fraud and to direct the users to such bogus/fake sites is called Phishing (see more on this in Chapter 5). Such sites are designed to get people to hand over their credit card details without realizing that they have been directed to a fake weblink/website (i.e., they have been scammed).
1. Triangulation: It is another method of credit card fraud and works in the fashion as explained further.
   • The criminal offers the goods with heavy discounted rates through a website designed and hosted by him, which appears to be legitimate merchandise website.
   • The customer registers on this website with his/her name, address, shipping address and valid credit card details.
   • The criminal orders the goods from a legitimate website with the help of stolen credit card details and supply shipping address that have been provided by the customer while registering on the criminal's website.
   • The goods are shipped to the customer and the transaction gets completed.
   • The criminal keeps on purchasing other goods using fraudulent credit card details of different customers till the criminal closes existing website and starts a new one.
   Such websites are usually available for few weeks/months, till the authorities track the websites through which the criminal has enticed the individuals to reveal their personal details, which enabled the criminal to commit the transactions by using the credit card details of these customers. The entire investigation process for tracking and reaching these criminals is time-consuming, and the criminals may close such fake website in between the process that may cause further difficulty to trace the criminal. The criminals aim to create a great deal of confusion for the authorities so that they can operate long enough to accumulate a vast amount of goods purchased through such fraudulent transactions.
2. Credit card generators: It is another modern technique - computer emulation software - that creates valid credit card numbers and expiry dates. The criminals highly rely on these generators to create valid credit cards. These are available for free download on the Internet.
