Unit III

Cybercrime on Mobile and Wireless Devices

As mobile devices and wireless networks continue to play an increasingly important role in everyday
life, they have also become attractive targets for cybercriminals. These devices store sensitive
personal and business data, which makes them lucrative for theft, fraud, and other malicious
activities. Mobile and wireless security is therefore a critical concern, with new and evolving threats
posing significant challenges.

Let’s explore the major threats and security challenges associated with mobile and wireless devices,
including types of attacks, real-world examples, and security services.

1. Security Challenges Posed by Mobile Devices

Mobile devices, including smartphones and tablets, present a unique set of security challenges due
to their portability, constant connectivity, and widespread use for both personal and professional
purposes. Cybercriminals exploit these characteristics to launch various attacks.

• Increased Attack Surface: Modern smartphones are multifunctional devices that support
numerous apps, internet browsing, communication, and online transactions. With so many
potential access points, mobile devices offer a larger attack surface for cybercriminals. Apps,
web browsers, Wi-Fi connections, and mobile data networks can all serve as entry points for
attacks.

• Lack of Security Awareness: Many users do not implement basic security practices on their
mobile devices, such as enabling two-factor authentication (2FA), using complex passwords,
or keeping software updated. This lack of awareness and user negligence make mobile
devices more susceptible to cyberattacks.

• BYOD (Bring Your Own Device) Practices: In corporate environments, employees often use
their personal mobile devices for work. This practice, known as BYOD, blurs the line between
personal and business use, leading to security risks as personal devices may not have the
same level of security protocols as corporate devices.

• Weak Authentication: Many mobile devices still rely on simple PINs, pattern locks, or weak
passwords, which can be easily cracked or guessed by attackers. Weak authentication
methods open the door to unauthorized access to devices and the data stored within.

o Example: In 2019, a significant breach of data occurred when attackers exploited

vulnerabilities in mobile apps and used weak authentication to gain access to
corporate networks. The breach affected sensitive customer information, highlighting
how personal mobile devices can be an entry point for large-scale cyberattacks.
2. Attacks on Wireless Networks
Wireless networks, particularly Wi-Fi networks, have become essential for personal and business
communication. However, these networks are highly vulnerable to attacks, especially when security
configurations are weak.

• Rogue Access Points: A rogue access point is a wireless access point set up by an attacker to
mimic a legitimate Wi-Fi network. Unsuspecting users connect to the rogue network,
allowing the attacker to intercept data, steal login credentials, or install malware.
o Example: In public places such as airports or coffee shops, attackers can set up rogue
Wi-Fi networks with names that resemble legitimate ones (e.g., “CoffeeShop_WiFi”).
When users connect, attackers can capture sensitive
information, including passwords and credit card numbers.

• Evil Twin Attacks: Similar to a rogue access point, an evil twin attack involves creating a fake
Wi-Fi network that looks like a trusted network. Attackers trick users into connecting to the
fake network, enabling them to monitor and intercept the victim’s internet traffic.
o Example: A person in a hotel might unknowingly connect to an evil twin network set up
by a cybercriminal who then intercepts sensitive data such as online banking
credentials or confidential emails.

• Man-in-the-Middle (MITM) Attacks: In a MITM attack, an attacker intercepts

communication between two devices on a wireless network, allowing them to eavesdrop or
alter the communication. These attacks are particularly effective on poorly secured or open
Wi-Fi networks.
o Example: When users connect to an unsecured public Wi-Fi network, attackers can
insert themselves between the user and the internet service provider, intercepting
sensitive information like login credentials or payment information.

3. Credit Card Frauds in the Mobile and Wireless Era

This era belongs to technology where technology becomes a basic part of our lives whether in
business or home which requires connectivity with the internet and it is a big challenge to secure
these units from being a sufferer of cyber-crime. Wireless credit card processing is a tremendously
new service that will enable an individual to process credit cards electronically, virtually anywhere. It
permits corporations to process transactions from mobile locations quickly, efficiently, and
professionally and it is most regularly used via organizations that function in general in a cellular
environment. Nowadays there are some restaurants that are using Wi-Fi processing tools for the
safety of their credit card paying customers. Credit card fraud can take place when cards are
misplaced or stolen, mails are diverted by means of criminals, employees of a commercial enterprise
steal some consumer information.
 • Mobile Skimming: Mobile skimming is similar to traditional card skimming but occurs within
apps or mobile payment services. Attackers may infiltrate legitimate mobile payment
platforms or create fake apps that capture users’ payment card details.
o Example: In 2020, several Android apps were found to be skimming users' credit card
details by embedding malicious code into legitimate payment processing services. When
users made payments via these compromised apps, their card information was sent to
the attackers.

• Fake Payment Apps: Attackers create fake payment apps that appear legitimate but are
designed to steal credit card information once a user enters their payment details.
o Example: A fraudulent version of a popular mobile wallet app was discovered on an
unofficial app store. Users who downloaded the app and entered their card details
unknowingly transmitted their financial information to cybercriminals.

• Phishing Attacks on Mobile Devices: Cybercriminals may use phishing techniques to steal
credit card information. They send fake emails, text messages, or in-app alerts that trick
users into entering their card details on fraudulent websites or apps.
o Example: A user receives a text message claiming there is an issue with their mobile
payment account. The message includes a link to a website that looks identical to the
real payment platform’s site. Upon entering their credit card details, the information is
sent to attackers.

4. Authentication Security Services

Authentication security services are essential for securing mobile devices and preventing
unauthorized access. Mobile device manufacturers and app developers have implemented various
security measures to protect users from cyber threats.

• Two-Factor Authentication (2FA): Two-factor authentication adds an extra layer of security

by requiring users to provide two forms of verification: something they know (like a
password) and something they have (like a phone or biometric data).
o Example: A banking app might require users to enter their password and verify their
identity using a fingerprint scan or a one-time passcode sent to their mobile phone.

• Biometric Authentication: Many smartphones and apps now use biometric authentication
methods such as fingerprint scanning, facial recognition, or iris scanning to provide more
secure and convenient access control.
o Example: Apple’s Face ID allows users to unlock their iPhones and authorize payments
using facial recognition, making it more difficult for attackers to gain access to the device
without the owner’s face.

• Encryption: Encryption is a security measure that scrambles data so that it can only be read
by someone who has the correct decryption key. This ensures that even if attackers gain
access to a device, they cannot easily read sensitive data.
o Example: End-to-end encryption in messaging apps like WhatsApp ensures that only the
sender and recipient can read the messages, protecting them from interception by third
parties or cybercriminals.
5. Attacks on Mobile Phones
Cybercriminals often target mobile phones due to their extensive use for personal communication,
banking, and storage of sensitive information. Various attacks are tailored specifically for mobile
devices.

• Mobile Phone Theft: Physical theft of mobile phones remains a significant issue. Stolen
phones often contain sensitive information, and attackers may attempt to access personal
accounts or use the phone for fraudulent activities.
o Example: After stealing a smartphone, an attacker may attempt to bypass security
measures like PINs or passwords to access stored banking information or personal
contacts. They might also use the phone to perform SIM swapping attacks, where they
trick a mobile carrier into issuing a new SIM card with the victim’s phone number,
allowing them to intercept calls and messages.

• Mobile Virus: Just like computers, mobile devices can be infected with viruses or malware.
These malicious programs can compromise the functionality of the phone, steal data, or
perform unauthorized actions.
o Example: The "HummingBad" malware infected millions of Android devices in 2016.
Once installed, the malware gained root access to the device, allowing attackers to steal
sensitive information, install additional malware, and display fraudulent ads.

6. Mishing, Vishing, and Smishing

These are specific forms of phishing that target mobile phone users. These attacks rely on exploiting
trust and tricking individuals into revealing sensitive information via mobile communication.

• Mishing (Mobile Phishing): Mishing is phishing through SMS (text messages). Attackers send
messages that appear to come from legitimate sources (banks, service providers, etc.) and
prompt users to take action, often by clicking a malicious link.
o Example: A user receives an SMS claiming their bank account has been compromised.
The message instructs them to click a link to reset their password, but the link leads to a
phishing site that steals their login credentials.

• Vishing (Voice Phishing): Vishing involves attackers making phone calls impersonating
legitimate institutions (e.g., banks or government agencies) to trick victims into revealing
sensitive information such as credit card numbers or Social Security numbers.
o Example: An individual receives a call from someone claiming to be a representative
from their bank, informing them of suspicious activity on their account. The caller asks
for the victim’s account number and security details, which they then use to steal funds
from the account.
 • Smishing (SMS Phishing): Smishing is similar to mishing but often involves sending
fraudulent links or instructions through a messaging platform. The goal is to steal sensitive
information or install malware on the victim’s device.
o Example: A victim receives an SMS message offering a "free prize" and asks them to click
a link and enter their personal information. The link leads to a phishing website that
captures the user’s details.

7. Hacking Bluetooth
Bluetooth technology allows devices to communicate wirelessly over short distances, but it also
presents security risks if not properly secured. Attackers can exploit vulnerabilities in Bluetooth to
gain unauthorized access to devices or intercept communications.

• Bluejacking: Bluejacking involves sending unsolicited messages to nearby Bluetooth-enabled

devices. While this attack is typically more annoying than harmful, it can serve as a vector for
further exploitation.
o Example: In a public place, an attacker sends unsolicited promotional messages to
nearby devices via Bluetooth. While the messages themselves are harmless, they may
encourage users to visit malicious websites.

• Bluesnarfing: Bluesnarfing is a more dangerous attack where an attacker gains unauthorized

access to a Bluetooth-enabled device, allowing them to steal data such as contacts,
messages, and files.
o : An attacker exploits a vulnerability in a smartphone’s Bluetooth connection to access
sensitive files stored on the device without the user’s knowledge.