Feature Article

Your Guide to Authenticating Mobile Devices

J. Lowell Mooney, Abbie Gail Parham, and Timothy D. Cairney

The Journal of Corporate Accounting & Finance, July/August 2013. © 2013 Wiley Periodicals, Inc. Published online in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/jcaf.21875

New information technology (IT) mobile devices—such as the iPhone and iPad—are increasingly emerging in the consumer market first. Then they spread to the workplace. But this is creating major privacy and security headaches for corporate executives. Surveys show that IT groups significantly underestimate—by as much as 50%—how many employees use their own mobile devices for work purposes. So what is to be done? The authors take an in-depth look at one vitally important security measure: user authentication. Companies need to go beyond just using passwords if they want to stay safe and secure. This article shows you how. It includes step-by-step instructions and a series of valuable checklists.

INTRODUCTION

Criminals, hacktivists, and hostile governments understand that the quickest way to corporate data is through mobile workers' unsecured endpoints. (Marble Security, 2013)

The consumerization of mobile technology is creating major privacy and security headaches for corporate executives. Consumerization refers to the increasing tendency of new information technology to emerge first in the consumer market and then spread to the workplace. According to a recent survey by IDC, 40% of the devices used to access business applications are consumer-owned, up from 30% in 2010. The survey further revealed that IT groups typically underestimate significantly (by as much as 50%) the percentage of employees who use their own devices for work purposes (International Data Corporation, 2013). And we are not just talking about one device per employee. Gartner Research (Matthews, 2012) predicts that by 2014, 80% of professionals will use at least two mobile devices, whether employee-owned or company-owned, to access corporate systems and data. How, then, does an organization fully support the business demands of its employees while managing the security risks created by allowing mobile access to sensitive networks and information?

In our last article, Your Firm's Mobile Devices: How Secure Are They? (Wright, Mooney, & Parham, 2011), we reviewed eight security tools and discussed several best practices for securing mobile devices. We also described strategic goals related to mobile devices, provided guidance on the effective management of mobile technology, and discussed the advantages of creating a mobile device audit plan. Finally, we noted the importance of managing mobile devices strategically.

One of the eight security features we wrote about was authentication. Our mobile security checklist emphasized the importance of taking steps such as enabling password protection on critical or sensitive

data and applications, requiring employees to create strong (complex) passwords that have to be changed on a regular basis, and disabling auto-complete features that remember user names and passwords. In this article, we revisit the issue of user authentication. It is a brave new world out there. Though password systems are still widely used, we now challenge the notion that mere knowledge of a password proves users are who they say they are. We then describe enhanced authentication protocols that use multiple authentication factors to confirm the identity of those seeking access to the company's computer networks. Next we compare and contrast the security provided by the primary mobile-device operating systems. Finally, we conclude with several checklists for your IS organization, for your employees, and for executive management that will help your company address the authentication of mobile devices strategically.

PASSWORDS ARE THE WEAKEST FORM OF AUTHENTICATION

First, we provide a brief description of how authentication works and then explain why passwords don't provide strong protection.

Authentication Primer

User authentication systems enable users to gain access to the data and other digital assets and resources they need to do their jobs. Authentication protocols are based on one or more of the following three authentication factors: something users know, something users possess, and something users are. Authentication methods that employ only one of the factors are referred to as single-factor authentication; methods that combine two or all three factors are referred to as two-factor and three-factor (collectively, multifactor) authentication. Two instances of the same factor, such as a password plus a PIN, do not make a second factor.

Single-factor authentication. This method has been around for millennia (Honan, 2012). Single-factor authentication requires users to provide something they know, such as a password, to gain access.

Two-factor authentication. In these systems, access is granted to users based on something they know, such as a security code or PIN, and something they have in their possession, such as an authenticator that provides a one-time password whenever access is needed. Authenticators may take several forms. Hardware authenticators are typically portable devices such as key fobs, dongles, and smart cards, small enough to fit on a key chain and ideal for users who need access from a number of different locations. Software authenticators are applications ("apps") loaded on smartphones and other mobile devices that hold a digital certificate and its matching private key; the app presents the certificate and proves that it holds the key in order to verify the user's identity. This way of doing authentication is referred to as Public Key Infrastructure (PKI) authentication: an identity is issued a digital certificate by a Certificate Authority (CA), and the certificate is presented during the authentication process to verify that users are who they say they are. Finally, on-demand authenticators deliver passwords "on demand" via short message service (SMS) text message to the user's mobile device or registered e-mail address. Of the three, on-demand delivery is the weakest, because an SMS or e-mail message can be intercepted or redirected to an attacker without the user's device ever being touched.

Three-factor authentication. These authentication systems employ all three factors. To gain access, users must know the password, possess the physical token, and confirm their identity with biometric data such as a fingerprint, DNA sample, voiceprint, or retinal pattern.

Passwords Provide Paltry Protection

A 1995 study by the U.S. Computer Emergency Response Team found that approximately 80% of the security incidents it received were related to poorly chosen passwords. A follow-up study more than 15 years later found that two thirds of organizations surveyed were still using just a password to secure remote access (EMC Corporation, 2011b). Making the situation even worse is a workplace security survey conducted by RSA in 2011, which reported that 41% of respondents use the same password to access multiple accounts and that 25% admitted to writing down their passwords (EMC Corporation, 2011a).

Many organizations have adopted a challenge/response protocol to enhance their one-factor password systems. Before granting access, challenge/response systems pose questions to the user that are more personal in nature. But again this approach is based solely on something the user knows. Some questions are easy static questions, such as the name of your pet. (Paris Hilton's cell phone account was hacked because the perpetrator knew the answer.) It may be better to have more difficult or even more dynamic questions; however, if the user is an infrequent visitor, then the more difficult questions will be easily forgotten. Further, and perhaps more important, even when challenge/response questions are used in conjunction with passwords, the resulting authentication protocol is not accepted by many regulators as a multifactor method, because both pieces are still something the user knows (Federal Financial Institutions Examination Council, 2011).

Security experts now agree that this most common authentication approach is also the weakest. According to Guy Huntington of Huntington Ventures, Ltd., "In today's digital world the ways to bypass this form of security are trivial. While many enterprises focus on strengthening passwords, these efforts are by and large meaningless in the face of the tools that attackers can use. The tools provide criminals with easy ability to hack, trap, or crack most passwords easily" (2012).

The tools cyber criminals use to wreak havoc with your security systems include malware, botnets, and phishing expeditions. And increasingly, criminals are targeting mobile devices in their search for proprietary information. Consider, for example, that in 2012, for the first time, malware attacks on mobile devices exceeded attacks on PCs in the U.S. and Australia (Marble Security, 2013). In fact, security expert Sean Bodmer, Chief Researcher of Counter-Exploitation Intelligence for CounterTack, predicts that mobile malware will emerge as one of the top three threats for cyber security in 2013 (Bodmer, 2012).

The word "malware" stems from the combination of "malicious" and "software" and is a general term for software written to compromise the operation of any type of computer (desktop or mobile). Describing all of the many types of malware targeted against mobile devices is beyond the scope of this article, but Exhibit 1 describes some general categories.

The word "botnet" stems from the combination of "robot" and "network." Here, criminals distribute malware that turns the victim's computer into a robot that performs automated tasks over the Internet without the victim knowing it. Criminals typically use bots to infect large numbers of computers, which together form a network, or botnet. For example, botnets can be used to send out spam e-mail messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. A 2009 survey found that 90% of the Fortune 500 companies have reported suspicious botnet activity (Pistol Star, Inc., 2009).

Phishing expeditions are attempts by criminals to acquire confidential information such as passwords (and usernames and credit card information) by masquerading as a trustworthy person or entity in some type of electronic communication, usually an e-mail message. When criminals target a specific organization, group, or person, the expedition is referred to as spear phishing; and when particularly high-value organizations or groups are targeted, the expedition is referred to as whaling. In ordinary phishing the e-mail messages appear to come from some large and well-known company or website with a broad membership base, such as eBay or PayPal. In spear phishing, by contrast, the apparent source of the e-mail is likely to be an individual within the recipient's own company, generally someone in a position of authority (Rouse, 2011).

Unfortunately, malware, botnets, and phishing are not the only dangers. Marble Security recently identified nine critical security threats against mobile workers, described in Exhibit 2 (Marble Security, 2013).

According to Bill Gates, the use of mobile devices has rung the death knell for keyboard-entered passwords as the sole authentication method (Bill Gates, 2004 RSA Security Conference). Yet passwords are still by far the most frequently used authentication method. In the most recent study we could find, 98% of the corporate respondents required a username and password system, but less than one third (29%) employed multifactor authentication. And even fewer organizations incorporated biometric data (22%) and smart card technology (21%) in their authentication protocols (D'Costo-Alphonos, 2010).

The costs of weak password authentication are high. The average cost of a data breach in 2010 was $7.2 million, or $214 per compromised record, which does not include intangible costs (Messmer, 2011). In addition to the financial costs, corporate executives are also concerned about lost intellectual property and security compliance issues arising from such laws as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and such state acts as Massachusetts's Mobile Device Privacy Act. The conflict between companies' desire to support employee use of mobile devices for work purposes and all of these cyber threats targeting mobile devices and exploiting what many experts believe is the weakest link in the corporate network (password systems) is a difficult issue.

Exhibit 1: Some Common Types of Malware

Adware: Malware that automatically delivers advertisements, such as pop-up ads on websites and advertisements displayed by software. Often perpetrators offer no-cost versions of some type of software that is delivered bundled with the adware. While much adware is designed solely to deliver advertisements, it is not uncommon for adware to come bundled with spyware (see below) that is capable of tracking user activity and stealing information. Because of the added capabilities of spyware, adware/spyware bundles are significantly more dangerous than adware on its own. (Adware is short for advertising-supported software.)

Dorkbot malware: A family of worms that spreads through mobile instant messaging, USB flash drives, websites, and social media channels such as Facebook and Twitter. Once downloaded to the victim's computer, the malware opens a backdoor to gain remote access and can make the computer part of a botnet.

Financial malware: Software designed to scan a computer system or network for information related to financial transactions such as electronic funds transfers.

Flame malware: Extremely sophisticated malware that infects a computer or device to spy on the machine's activity and steal data from it, with keystroke monitoring and packet sniffing (monitoring of data traveling over a network) functionality as well as backdoor capabilities that enable attackers to update the malware and trigger or erase it as desired. Additional distinctive characteristics of Flame include scanning for Bluetooth-enabled devices in order to steal data and infect them, the ability to turn on a computer's internal microphone in order to secretly record conversations, and code for taking frequent screenshots of activity such as e-mail and instant messages and secretly uploading the screenshots to "command and control" servers. Security experts believe that Flame is so sophisticated and well coordinated that it was likely created and operated with nation-state support rather than by typical cyber criminals.

Ransomware: Malware that effectively holds a victim's computer hostage until a ransom is paid. Most ransomware infections result from opening an infected e-mail attachment or visiting a compromised website. Upon compromising a victim's computer, the malware typically either locks the user's system or encrypts files on the computer and then demands payment before the system or files will be restored.

Scareware: Malware that tries to frighten victims, typically with bogus warnings, into making a purchase using their credit card.

Shylock malware: Malware that relies on browser-based man-in-the-middle attacks and fake digital certificates to intercept network traffic and inject code into banking websites. The software is designed to trick customers into providing banking login and account details to the attackers instead of to the financial institution. Some strains can open fake customer service chat windows on an infected computer so that criminals can prompt users for sensitive account information.

Skype worm: Malware that sends a message such as "LOL, is this your new profile pic?" to an infected Skype user's contacts to entice them into clicking on a link and downloading and installing a worm that opens a backdoor giving the criminal remote access. The Skype worm can also install ransomware.

Spyware: Malware that spies on users' activity without their knowledge. Spying capabilities can include activity monitoring, collecting keystrokes, harvesting account information, logins, and financial data, modifying security settings of software or browsers, and interfering with network connections.

Trojan horse: Destructive software that masquerades as a benign application. Although Trojans do not replicate themselves as viruses do, they can be just as destructive. One of the most devious types is a program that claims to rid your device of viruses but instead introduces viruses onto the device.

Source: Webopedia (http://www.webopedia.com/TERM/M/malware.html)

Exhibit 2: Marble Security's Nine Critical Threats Against Mobile Workers

Advanced Persistent Threats (APT): APT typically refers to a group, such as a foreign government or criminal organization, that conducts Internet-enabled espionage using a variety of intelligence-gathering techniques to access sensitive information. Other recognized attack vectors include infected media, supply chain compromise, and social engineering.

Compromised Wi-Fi Hotspots: Wi-Fi signals are radio waves; anyone within range of a public Wi-Fi network can listen in on what users are sending and receiving. Most Wi-Fi hotspots don't encrypt the data being transmitted, so anything an application sends without its own encryption (such as TLS), from e-mail to bank and credit card information, is fair game for hackers. According to the 2013 Identity Fraud Report released by Javelin Strategy & Research, smartphone and tablet users transmitting sensitive information through unsecured or compromised Wi-Fi hotspots were a significant component of the 12.6 million identity fraud victims (more than 5% of U.S. consumers) in 2012.

Jailbroken and Rooted Devices: Mobile device operating systems (OS) do have security features that restrict certain phone capabilities, but there are apps (often free) that allow users to "jailbreak" or "root" the OS and free the device so that its users can:

• Install software that has not been approved or has not been made available by the manufacturer/carrier;
• Augment or create additional operating system features;
• Install commercial software without purchasing licenses for that software;
• Freely migrate from one carrier to another; and
• Repurpose the device for a use not anticipated or intended by the manufacturer.

With its security armor down, a mobile device may later allow the use of unsigned, unapproved code that contains viral or malicious instructions that steal data stored on the device, disable or prevent data encryption, and circumvent passwords to unlock devices.

Key Loggers: A keylogger is a type of software (often spyware) that can record every keystroke a user makes to an encrypted log file and then transmit the log to a specified receiver. Keyloggers do have some legitimate uses, such as ensuring that employees use work computers for business purposes only. Unfortunately, they can also be embedded in spyware, allowing captured data to be transmitted to an unknown third party.

Malicious and Privacy-Leaking Apps: The impetus behind these concerns is that it is becoming increasingly easy for users to install and execute third-party applications that often contain malware. To combat this, Apple introduced a vetting process to ensure all applications conform to Apple's (privacy) rules before they can be offered via the App Store. Even with this vetting process, malicious applications have appeared in the store (e.g., see http://www.extremetech.com/extreme/132381-malware-strikes-ios-for-the-first-time-apple-must-do-more-to-help-users-stay-safe?print).

Poisoned DNS: With cache poisoning (i.e., a "pharming" attack), an attacker attempts to insert into the Domain Name System (DNS) a fake address record for a specific Internet domain. In a successful attempt the server accepts the fake record (the cache is poisoned), and subsequent requests for the address of the targeted domain are answered with the address of a server controlled by the attacker. Thus, for as long as the fake entry is cached by the server (most DNS entries have a Time to Live (TTL) of a few hours), all subscribers' browsers or e-mail clients will automatically go to the address provided by the compromised DNS server, allowing the attacker to obtain passwords and other sensitive information. Unsuspecting users believe they are at a familiar site because their browser resolves the address of the domain automatically.

(Continues)

Exhibit 2 (continued): Marble Security's Nine Critical Threats Against Mobile Workers

Spear Phishing: As described earlier, spear phishing is an e-mail spoofing fraud aimed at a specific organization, group, or person.

Unpatched OS Versions: Malware that exploits known vulnerabilities in operating systems that have not been updated with the available patches.

Zero-Day Attacks: Software developers are not perfect, so most software is issued with unknown vulnerabilities. If cyber criminals find vulnerabilities before the developers do, they can write malware to exploit them. The attack thus occurs on "day zero" of the developers' awareness of the vulnerability, meaning that they have had zero days to address and patch the software.

Sources:
http://en.wikipedia.org/wiki/Advanced_persistent_threat#cite_note-Dell_SecureWorks-1
http://en.wikipedia.org/wiki/Advanced_persistent_threat#cite_note-Command_Five_Pty_Ltd-2
http://blog.lifestore.aol.com/2013/03/10/public-wifi-hotspot-security/
http://www.avema.com/mobile_device_management_blog/mobile-device-management-2/jailbroken-rooted-and-compromised-mobile-devices-in-the-workplace-%E2%80%A8what-does-that-mean-and-why-should-i-care/
http://www.webopedia.com/TERM/K/keylogger.html
http://www.syssec-project.eu/media/page-media/3/egele-ndss11.pdf
http://www.networkworld.com/news/tech/2008/102008-tech-update.html
http://en.wikipedia.org/wiki/Zero-day_attack#cite_note-1

Enhanced Authentication

Given the threats we described in the previous section, it is clear that cyber criminals have organized and have technologically outpaced the security capabilities of single-factor password systems. Thus, organizations desiring to capture the productivity and business agility advantages offered by the use of mobile devices must move to multifactor (i.e., two- and three-factor) authentication protocols to contain the security, financial, and legal exposure associated with consumer technology.

Recall that enhanced authentication involves the use of more than one factor. Exhibit 3 offers at least one reason why organizations may be reluctant to employ more complex protocols. The bottom line is this: Although more expensive and not quite as user friendly, multifactor authentication is required to protect critical and sensitive data. As noted previously, multifactor authentication uses ownership-based and inherent-based factors to strengthen the knowledge-based factor.

Something the user has (ownership-based) is a commonly used second factor.

Historically, small electronic devices called fobs (also known as key fobs, as they are commonly attached to key chains) have been a popular ownership-based authentication factor. The fob holds a secret that is shared with the company and displays a short code computed from that secret and a counter; the counter is either the current time or the number of times the fob has been used. The user types the code along with the password, and the company's authentication server, which holds the same secret and tracks the same time or event counter, recomputes the code and compares it. Because each code can be used only once, a code captured by a keylogger cannot simply be replayed later.

Mobile apps are now available that replicate the codes produced by fobs and other electronic devices such as dongles (e.g., flash drives), and they are relatively inexpensive. Furthermore, according to the Smart Card Alliance (Smart Card Alliance Identity Council, 2012), devices equipped with smart card technology have additional benefits associated with two-factor authentication:

• Generating and receiving one-time passwords to log on to secure sites or access secure services;
• Storing digital identity credentials on a mobile device's secure element and using them to log on, digitally sign, and encrypt documents;
• Storing digital identity credentials on the secure element in a Near Field Communication (NFC)-enabled mobile device and using the credentials for physical access or secure logon; and

Page 7: Your Guide to Authenticating Mobile Devices

The Journal of Corporate Accounting & Finance / July/August 2013 57

© 2013 Wiley Periodicals, Inc. DOI 10.1002/jcaf

device in order to be authenti-cated. Exhibit 4 describes other ways that smart card technology can improve two-factor authen-tication.

Gaining in popularity is the use of NFC that enables mobile devices to establish radio com-munication with each other by holding the devices a few

module (SIM). The benefits are obvious. Once a fully equipped employee was someone who might need to be issued multiple key fobs and flash drives and several coded badges; now a single mobile device is all that is needed. Just as is the case with the fob, the user must have phys-ical possession of the mobile

Using an NFC-enabled • mobile device as a low-cost reader to read identity cre-dentials presented with a contactless smart ID card securely.

In smartphones the smart card technology is embedded in the device’s subscriber identity

Cost and Ease of Use of Authentication Systems

Factor Example Ease of User Use Cost for Company

Something the user knows(Knowledge-based)

Password, answers to challenge questions, visual cues

Relatively simple to remember

Relatively inexpensive

Something the user has(Ownership-based)

Device number, one-time password, smart card, IP address, digital certificates

Somewhat more difficult to use

More expensive to deploy

Something the user is(Inherent-based)

Fingerprint, iris scan, voice recognition, heuristics

More complicated to enter

More expensive software to purchase

Exhibit 3

Smart Cards Enhance Authentication Protocols

Smartphones Store subscriber identity data securely Store mobile operator data securely Store subscriber phone books securely Authenticate subscribers to the mobile network Encrypt information communicated over the mobile network Support conditional access systems and digital rights management that enable mobile operators to deliver

content to consumers securelyOther Mobile Devices

Provide better, faster, more efficient access to e-services Safeguard privacy and prevent fraud by using secure technologies to protect personal data Improve mobility by implementing widely accepted and interoperable identity credentials Enable a wide range of use cases across logical and physical domains, including use for authentication, digital

signatures, and encryption Establish trust for the issuer as well as the credential holder

Source: Mobile Devices and Identity Applications (Smart Card Alliance Identity Council, 2012).

Exhibit 4

Page 8: Your Guide to Authenticating Mobile Devices

58 The Journal of Corporate Accounting & Finance / July/August 2013

DOI 10.1002/jcaf © 2013 Wiley Periodicals, Inc.

used in, the information that will be transmitted, the security of the mobile device, and the value to an attacker (Jacobs, 2012). In an airport, for instance, the cacophony of sounds may inter-fere with real-time voice recogni-tion. In a geographic location (e.g., rain-soaked Seattle), light may interfere with facial recog-nition. Out in a construction environment, as in fieldwork of engineers, the use of fingerprint, palm print, or iris scan recogni-tion may be hindered. Finally, it is important to note that real-time biometric recognition is not impervious to hacks—for example, the use of tape with another person’s fingerprint on it over the finger of the criminal (Farnum, 2009).

Finally, it must be acknowl-edged that potential weaknesses exist for all of the authentication tools on a mobile device (and elsewhere). However, it is the ability for all to be present in the same device that is its strength. The use of multifactor authenti-cation on these devices is getting a boost because popular mobile device-oriented companies are requiring it (on a voluntary basis for now). For example, Google Apps (Google, 2011) has an option for users to choose to verify with multifactor authen-tication, and both Facebook (Song, 2011) and Dropbox (Lee, 2012) use multifactor authenti-cation as well.

In sum, the smart mobile device significantly strengthens the all too critical authentication entryway to corporate data by: allowing enhanced authentica-tion to be easy and intuitive; making use of tools that the consumer-driven device market has supplied; using authentica-tion methods already employed by companies; and being cost-effective.

beyond the realm of stored data for authentication.

Three biometric applications are showing particular promise for smart device deployment (Jacobs, 2012):

Fingerprint recognition. Two smartphones have capabilities built into them, but they are not available in the U.S. Motorola (ATRIX 4G) and Fujitsu (REGZA and ARROWS) use products from AuthenTec, a Microsoft company (October 2012). U.S. phones can use technology that was developed for desktops but require additional hardware outside the phone—decreasing ease of use. For example, Precise Biometrics has developed a case that slides over an iPhone that has a fingerprint reader.

Voice recognition. No additional hardware is required for those mobile devices that have microphones. Some products require repeating a phrase or talking for a few seconds (inappropriate if at a business meeting), and then the software sits on the company’s servers. Some products send the voice to a vendor server for authentication.

Facial recognition. Again, no new hardware is required for most devices. Samsung’s Galaxy S III has an app available for voice and facial recognition. But iris/retina scanning software is not widely available, although BIS Technology manufactures one app used by police forces that critics claim does not work well in low light.

Before deciding on a policy, it is important to consider the use, the environment it will be

centimeters apart. Communication is also possible between an NFC-enabled device and unpowered smart identification chips, referred to as tags. The tags can hold the credentials of the user so that when the mobile device is used to log into the company database, the credentials are read by the mobile device and communicated to the company to verify possession and enhance the authentication. In essence, the mobile device becomes the smart card. In January of 2012, Intel announced this NFC capability in its Ultrabook computer manufactured under a variety of brands. Because most mobile phone users keep their smartphones active, the NFC abilities allow criminals to stand in close proximity to users and suck the data right out of their smartphones.

Something the user is (inherent-based) is the third factor

Of course, a major problem of ownership-based authentication is that users often lose the devices or the devices are stolen. Therefore, because the third factor is so critical to the defense of high-risk objects, it often involves biometrics or behaviorally oriented factors. The software used to record and authenticate fingerprints, voice prints, eye prints, and facial prints is expensive, with voice prints being the least expensive. It is the specific attributes of smart mobile devices that allow users to take advantage of enhanced authentication: GPS location finders, microphones, cameras, touch screens, and gyro tools (used to orient the screen in smartphones). The use of these tools in a real-time environment is what moves the mobile device


order to illustrate the variability that a Bring Your Own Device (BYOD) policy must address. For instance, iOS, Android, and Windows devices have the preponderance of the consumer market and so are likely to be part of a BYOD inventory. Blackberries are considered to be the most secure but are less likely to be purchased as a consumer device (in other words, more likely to be purchased by companies for distribution to employees, and that will rely on the Blackberry Enterprise System).

Device threats are increased when the device is lost to a bad guy. All devices have password logins to open the device and capabilities for remote locks and wipes as well as idle-time autolocks. Androids have both non-keystroke password capabilities as well as facial unlock capabilities, although SearchConsumerization believes that the capability is not yet up to business standards (Steel, 2012). In addition, all devices have GPS capabilities to help locate the device.

downloads of software, and a consumer-oriented economy aimed at protecting these devices. In all, the security may be stronger than a PC that remains at the office, usually able to have software downloaded at will by the user, perhaps left on in order to access offsite through such applications as LogMeIn, and in all assumed to be more secure.

We believe the level of authentication should be related to the level of riskiness of the user and the level of riskiness of the data accessed. Exhibit 5 summarizes the relative risk associated with mobile devices based on the user and data. Device threat refers to the possibility of loss of possession of the device; software threat refers to possible malware gaining access through the applications downloaded to the device; and transmission threat refers to the possible interception of communications with the enterprise.

In discussing the above threats, we will refer to some mobile device vulnerabilities in

Mobile Device Operating System Considerations

Bodmer, the security expert who we cited earlier, warns that “there will be crimeware threats for practically every mobile device or tablet OS platform and ported application.” That leads to an obvious question, “Are the security capabilities comparable from one mobile operating system to the next?”

The four common mobile-device operating systems are Blackberry OS (Research in Motion), iOS (Apple), Android (Google), and Windows (Microsoft). In general, mobile devices are more secure than traditional desktop systems, although some threats are aimed just at mobile devices. This extra strength is due to the fact that these devices are in the possession of the owner, are controlled by the owner, and are naturally cared for by the owner.

There are also additional controls that can be built into each device to prevent access by others or to prevent mistaken

Threats by Employee Level

Employee type               | Device Threat | Software Threat | Transmission Threat
C-Suite                     | higher        | lower           | higher
External operations manager | higher        | lower           | higher
Internal operations manager | lower         | lower           | lower
Compliance professional     | moderate      | moderate        | higher
General knowledge worker    | moderate      | higher          | lower
Field worker                | higher        | higher          | higher
Contractor                  | normal        | moderate        | higher

Exhibit 5


offset by the fact that the data they are accessing may be less sensitive. Transmission threats are increased when the data in the communication is more sensitive. All of the devices have an app or capability to encrypt data in transit and at rest. This suggests that the above noted transmission threats can be controlled; although, for the more sensitive data of the C-Suite that may be stored on the device, it is also up to the individual to ensure that security is used.

Given our concern that we are in a BYOD environment where the cost of devices may be driven down to the employees, it is also relevant that the Android devices have more price breaks than the iOS devices, and the popularity of the Android devices makes them a common choice of employees. Executives who are concerned about the inescapable rush of the BYOD environment will want to consider the riskiness of the data, the riskiness of the user, as well as the riskiness of the device. Exhibit 6 provides a summary of the authentication features for each mobile operating system.

Windows app store controls involve identifying who the developer is, and Android’s choice depends mainly on what the app does. Open sourcing of applications may mean that the consumer is the “beta-tester.” Of course, any of the phones can be jailbroken so controls over this are, again, up to the consumer. On the other hand, in loading applications the user has little choice to switch on and off permissions with the iOS apps. Android users are asked repeatedly to approve permissions (which can range from accessing the GPS, the SMS, and even the camera), so if the user is aware and cognizant of the implications, there is significant user control over downloads. A major problem is that refusing any of these permissions oftentimes rejects the download. This, then, is a likely place for malware developers to write code that abuses this permission process.
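The permission review described above is something an IS organization can do before approving an app for work use, rather than leaving it to each employee at install time. The following is an added example (not code from the article or from any of the vendors it names) that reads the permissions an Android app declares in its manifest and compares them with what the app's stated purpose justifies. The manifest, the "flashlight" app, and the grouping of permissions into categories are all constructed for illustration; the permission names themselves are real Android permission identifiers.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for a hypothetical single-purpose app; not a real
# application, and not from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# The android: prefix resolves to this namespace, so ElementTree reports the
# attribute as "{namespace}name".
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Sensitive permissions grouped by the data they expose (GPS, SMS and camera
# are the ones the article singles out). The grouping is a reviewer's working
# list constructed here, not an Android-defined category.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}

# Permissions that give an app a way to move data off the device.
EGRESS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def declared_permissions(manifest_xml):
    """Return the permission names an app requests, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME) for el in root.iter("uses-permission")]


def triage(manifest_xml, justified_groups=()):
    """Compare requested permissions with what the app's stated purpose
    justifies. Verdicts: "ok" (nothing unexplained), "note" (unexplained
    sensitive access but no way to send data off the device), "review"
    (unexplained sensitive access combined with an egress path)."""
    perms = declared_permissions(manifest_xml)
    groups = {SENSITIVE[p] for p in perms if p in SENSITIVE}
    unexplained = sorted(groups - set(justified_groups))
    egress = sorted(EGRESS & set(perms))
    if unexplained and egress:
        verdict = "review"
    elif unexplained:
        verdict = "note"
    else:
        verdict = "ok"
    return {"permissions": perms, "unexplained": unexplained,
            "egress": egress, "verdict": verdict}


if __name__ == "__main__":
    # A flashlight needs, at most, the camera (for its LED); everything else is unexplained.
    print(triage(SAMPLE_MANIFEST, justified_groups=("camera",)))
```

The useful output is the combination: a sensitive data source the app cannot justify together with a channel out of the device is what earns the "review" verdict, which is the pattern the paragraph above describes when a user is pressed to accept every permission or lose the download.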

The higher software threat for knowledge workers (because these are regular mobile device consumers, rather than older or more careful executives) may be

Android passwords can be bypassed with knowledge of the root password, so a targeted attack could make the C-Suite (due to the nature of the data accessed and stored) and external (travelling) operations manager and field worker (due to the natures of the jobs) more vulnerable. Lastly, the Secure Digital (SD) card on the Android devices can be taken and put into any other device, and so the authentication could travel with that card.

Software threats are increased with more downloads of applications. Malware can enter the cellphone disguised as an app. All phones have the capability to separate business use apps from consumer use apps through “sandboxes,” although Android’s sandbox allows the applications to check the code of other applications (but not the operating system). The main issue is the control over the software. Apple app stores include only applications for which Apple has checked the code, and thus provides a stronger control than do Android and Windows.

Authentication Features of Mobile Operating Systems

Feature/Operating System         | Blackberry | iOS | Android | Windows
Power on authentication          | 1          | 3   | 3       | 2
Inactivity Time-out              | 1          | 3   | 3       | 3
SIM change                       | 1          | 2   | 2       | 2
Password strength requirements   | 1          | 3   | 3       | 2
Protection from too many log-ins | 1          | 2   | 2       | 2

Note: 1 = best; when numbers are the same, the systems are tied.
Source: http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_enterprise_readiness_consumerization_mobile_platforms.pdf

Exhibit 6
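Three of the features Exhibit 6 rates (power-on authentication, inactivity time-out, password strength requirements, and protection from too many log-ins) are the same policy whichever operating system enforces it. The following is an added example, not from the article or from Trend Micro, that models such a device lock policy so an IS organization can state and test what it expects an MDM profile to enforce: a strength check at enrollment, a salted PBKDF2 hash rather than the stored passcode, a progressive lock-out after repeated failures, a wipe threshold, and an idle time-out. The thresholds, the passcodes, and the simulated clock (`now` is passed in as seconds) are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Iteration count kept modest so the example runs quickly; production use
# would pick a higher, measured value.
PBKDF2_ITERATIONS = 50_000


@dataclass
class PasscodePolicy:
    """Constructed sample policy values; tune to the organization's risk level."""
    min_length: int = 8
    require_letter: bool = True
    require_digit: bool = True
    lockout_after: int = 5             # progressive delays start at this many failures
    base_lockout_seconds: int = 30     # first delay; doubles with each further failure
    wipe_after: int = 10               # treat the device as lost at this many failures
    inactivity_timeout_seconds: int = 300

    def strength_problems(self, passcode):
        """Return the policy rules a candidate passcode violates (empty = acceptable)."""
        problems = []
        if len(passcode) < self.min_length:
            problems.append(f"length < {self.min_length}")
        if self.require_letter and not re.search(r"[A-Za-z]", passcode):
            problems.append("no letter")
        if self.require_digit and not re.search(r"[0-9]", passcode):
            problems.append("no digit")
        if re.fullmatch(r"(.)\1*", passcode):
            problems.append("single repeated character")
        return problems


def enroll(passcode, policy):
    """Validate against policy and return (salt, hash) for storage; never the passcode."""
    problems = policy.strength_problems(passcode)
    if problems:
        raise ValueError("weak passcode: " + ", ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class DeviceLock:
    """Simulated lock screen state machine for one device."""

    def __init__(self, policy, passcode):
        self.policy = policy
        self.salt, self.digest = enroll(passcode, policy)
        self.failed = 0
        self.locked_until = 0.0
        self.last_activity = 0.0
        self.unlocked = False
        self.wiped = False

    def _matches(self, candidate):
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest, self.digest)  # constant-time comparison

    def activity(self, now):
        """Record user activity so the idle timer restarts."""
        self.last_activity = now

    def tick(self, now):
        """Inactivity time-out: relock once the idle period has elapsed. Returns unlocked state."""
        if self.unlocked and now - self.last_activity >= self.policy.inactivity_timeout_seconds:
            self.unlocked = False
        return self.unlocked

    def attempt(self, candidate, now):
        """Power-on / unlock attempt. Returns 'ok', 'wrong', 'locked_out' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked_out"
        if self._matches(candidate):
            self.failed = 0
            self.unlocked = True
            self.last_activity = now
            return "ok"
        self.failed += 1
        if self.failed >= self.policy.wipe_after:
            self.wiped = True              # too many log-ins: protect data at rest
            return "wiped"
        if self.failed >= self.policy.lockout_after:
            # Progressive back-off: 30 s, 60 s, 120 s, ... after each further failure
            delay = self.policy.base_lockout_seconds * 2 ** (self.failed - self.policy.lockout_after)
            self.locked_until = now + delay
        return "wrong"
```

Driving the state machine with an explicit clock is what makes the policy testable: the same code can be exercised for the "lost device" case (attempts keep coming until the wipe threshold) and the "left on a desk" case (no attempts, idle timer relocks) without waiting in real time.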


of password-related help desk calls. SSO architecture also supports the use of stronger forms of authentication for higher risk information and applications. As an example of how this might work, users may login using their ID and password to gain general low risk access. However, when they attempt to access more sensitive information and applications, the SSO application will require the user to input stronger authentication such as a security token, a digital certificate, and/or a biometric (AuthenticationWorld, 2013).

Finally, there are many no-brainer steps that your IS organization can take to control the risks of malware and other cyber threats against mobile devices. Exhibit 9 lists some of these steps.

Educate users

Employee training is also an important component of any organization’s defense against cybercrime. Exhibit 10 provides a checklist of best practices for employees who want to minimize the chances that their mobile device will become infected with malware, adware, spyware, and other cyber exploits.

In many instances employees will not even be aware that their mobile device has been compromised, so it is important that you not only require that they bring in their devices periodically for inspection, but that you also teach them the warning signs of cyber infection. We review some of the common symptoms of malware infection in Exhibit 11.

In addition to educating employees, many companies use mobile device management (MDM) software to ensure that

Therefore, you should draft rules, regulations, and a disaster recovery plan that addresses both company and employee-owned devices. You need to specify in detail the level of control you will need to assume over employee devices should a security breach occur. In Exhibit 7, the chief technology officer of DRS, a major IT consulting and infrastructure management firm, summarizes why mobile security should be at the forefront of your planning for 2013.

Establish risk levels to manage the cost of mobile device security

One way to manage the cost of mobile device security is to identify different risk levels based on the consequences of unauthorized access. The more serious the consequences, the higher the level of authentication required. The U.S. Office of Management and Budget recommends a 5-step process for implementing the proper level of assurance for remote authentication: risk assessment, mapping risks to proper level of assurance, selecting the appropriate technology for authentication, validating the implemented system, and periodically reassessing risks and needs. Exhibit 8 describes four possible levels of assurance as established by the National Institute of Standards and Technology.

Another way to control costs is to employ a Single Sign-On (SSO), Reduced Sign-On (RSO), or Enterprise Single Sign-On (ESSO) authentication protocol. This will allow you to reduce the number of IDs and passwords that users have to remember. According to one source, in most enterprises a strong business case can be made to implement single sign-on by reducing the number

Trend Micro recommends that key executives, compliance-subject workers, and contractors be given the most secure authentication using multifactor methods. On the other hand, operational managers, general knowledge workers, and field workers may not need such strong authentication. The company may want to pay for a more secure phone or device to ensure the stronger authentication and security for the device and then have a BYOD policy for those who do not require the strong authentication.

Additional Strategies for Strengthening User Authentication

The key to ensuring effective protection of mobile devices is providing an effective and usable form of user authentication. We have established that traditional approaches, such as the password and PIN, have been shown to be ineffective in thwarting unauthorized access to your organization’s proprietary data and information. Surely by now you are thinking, “Okay, we get it. We need to strengthen our password systems with multifactor authentication protocols. But will multifactor authentication alone secure our mobile devices? What else can we do?” In this section, we describe a variety of steps that can be taken to complement multifactor authentication that will give your organization a multiprong defense system against malware, hack attempts, and a host of other cyber threats.

Make a plan

We keep mentioning the fact that many of the mobile devices connecting to your network are owned by your employees.


SUMMARY

The proliferation of increasingly more powerful mobile devices and the growing availability of technologies such as multifactor authentication make it possible for you to provide strong authentication of remote users. While passwords are still the leading mechanism for authenticating user identity, a growing number of organizations now rely on public-key infrastructure, cryptographic keys, physical tokens, and biometrics to provide stronger

about your mobile device management.

Involve executive management

Finally, the increasing proliferation of security breaches against mobile devices highlights the need for a response from the entire set of C-suite executives. Mobile security is not the sole responsibility of the IT organization. Citrix has created a resource for helping executive management govern and secure mobile device use in their companies. Exhibit 13 contains Citrix’s executive checklist.

compromised devices do not continue to be used. For example, MDM software packages typically enable companies to limit or prevent corporate data from being accessed from compromised devices.

Periodically perform a high-level checkup

It is a good idea to take your mobile device security pulse from time to time. This will help ensure that you are looking at issues from multiple perspectives. Exhibit 12 provides a checklist of questions to ask

Why Mobile Security Needs to Be Paramount in Your Planning

Reason #1: Every company employee probably has at least one mobile device. Chances are that the minute an employee walks into the office their device connects to your network. If the device has a virus or malware, it can infect your network or give outsiders access to your data. Make sure your BYOD policies address this fact.

Reason #2: It can be difficult to identify mobile risks and ways to address them without an effective security strategy. Establish a concrete security plan that includes educating employees on the risks of mobile use and ways to mitigate those risks. Something as simple as making all devices connected to your network have an unlock pin can make a big security difference in the long run.

Reason #3: It can be difficult to identify every network-connected device without an up-to-date wireless infrastructure. This technology makes it easy to block devices from connecting and require more than just one general Web key to connect. Enhanced authentication processes requiring additional forms of identification can be enforced so individual people can be allowed or denied access, and mobile devices can be associated with specific users.

Reason #4: In the age of virtualization and the cloud, devices are probably linked to a cloud application like Apple iCloud. This means that any data put on that device for work may also end up on iCloud, outside the control of the company. One way to combat this is to put enterprise applications on a cloud that can be directly accessed from employee devices.

Reason #5: Mobile device management (MDM) is expensive but it can alleviate a large portion of data and network threats. MDM programs have capabilities such as tracking, which can locate mobile devices if they are stolen or lost, and sandboxing, so work and personal applications can be separated on the same device. In addition, remote wipe capabilities remove applications like email in the event that an employee leaves a company.

Reason #6: Establishing a new mobile security plan brings legal issues into play. Consumer devices owned by employees bring into play a number of complexities not seen with corporate property. Tracking devices after hours or on breaks, remote wiping a mobile device containing personal photos, and asking an employee to respond to emails or texts outside of their normal work hours all bring up complex legal and contractual issues that must be addressed.

Source: Why Mobile Security Should Be a Top Priority in 2013 (Wilkeson, 2013).

Exhibit 7


Risk Consequences Define Level of Assurance Required

Level 1: Security risk consequences are low. Therefore, there is no identity proofing requirement at this level. Any token method of authentication may be used. Successful authentication requires users to prove through a secure authentication protocol that they possess and control the token.

Level 2: Security risk consequences are moderate. Single-factor remote network authentication is still allowed, but identity proofing requirements are now required in which the user must first prove his or her identity before receiving credentials. A wide variety of authentication techniques can be used, including memorized secret tokens, preregistered knowledge tokens, look-up secret tokens, out of band tokens and single factor one-time password devices. Successful authentication requires that users prove through a secure authentication protocol that they control the token. Online guessing, replay, session hijacking, and eavesdropping attacks are resisted. Protocols are also required to be at least weakly resistant to man-in-the-middle attacks.

Level 3: Security risk is moderately high. Level 3 requires identity proofing plus multifactor authentication, with at least two authentication factors required. At this level users must prove possession of the proper token through the use of cryptography. The remote user can unlock the token with a password or biometric, or use a secure multitoken authentication protocol.

Level 4: Security risk is high. The highest level requires the highest practical level of assurance requiring strong cryptographic authentication of all communicating parties and all sensitive data transfers. Either PKI or symmetric key technology may be used. At this level, in-person identity proofing is required and only hard cryptographic tokens (rather than software-based tokens) may be used to prove possession of the key.

Source: (National Institute of Standards and Technology, 2011).

Exhibit 8
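The pieces the article assembles separately (the step-up behaviour of an SSO application, the user-risk dimension of Exhibit 5, the four assurance levels of Exhibit 8, and the MDM rule that compromised devices are kept away from corporate data) can be expressed as one access decision. The following is an added example, not from the article, NIST, or any SSO product, of a small policy engine that does this. The way factors are mapped to levels is a simplified reading of Exhibit 8 written for this example; the resource classifications, the "higher-risk user needs one level more" rule, and the factor kinds are constructed assumptions, and a real deployment would take them from its own risk assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    """One credential a session has presented. `kind` is one of password, otp,
    software_cert, hard_token, biometric; `proofing` records how the holder's
    identity was verified when the credential was issued: none, remote, in_person."""
    kind: str
    proofing: str


PROOFING_RANK = {"none": 0, "remote": 1, "in_person": 2}
CRYPTO_TOKENS = {"software_cert", "hard_token"}   # possession proved cryptographically


def achieved_level(factors):
    """Highest assurance level (1-4, 0 if nothing presented) the factors satisfy,
    following Exhibit 8 in simplified form. Identity proofing counts at the
    weakest level among the factors, since the session is only as proofed as
    its least-proofed credential."""
    if not factors:
        return 0
    kinds = {f.kind for f in factors}
    proofing = min(PROOFING_RANK[f.proofing] for f in factors)
    level = 1                                            # any token, no proofing
    if proofing >= PROOFING_RANK["remote"]:
        level = 2                                        # single factor, identity proofed
    if level == 2 and len(kinds) >= 2 and kinds & CRYPTO_TOKENS:
        level = 3                                        # multifactor with cryptographic token
    if level == 3 and "hard_token" in kinds and proofing == PROOFING_RANK["in_person"]:
        level = 4                                        # hard token, in-person proofing
    return level


# Constructed sample classification of resources by data risk (Exhibit 8 levels).
RESOURCE_LEVEL = {
    "cafeteria_menu": 1,
    "expense_reports": 2,
    "customer_pii": 3,
    "merger_data": 4,
}


def required_level(resource, user_risk):
    """Combine data risk with user risk. Exhibit 5 rates users as lower, moderate
    or higher; our rule (an assumption for this example) is that a higher-risk
    user must meet one level more than the data alone requires, capped at 4."""
    base = RESOURCE_LEVEL[resource]
    bump = 1 if user_risk == "higher" else 0
    return min(4, base + bump)


def decide(factors, resource, user_risk="lower", device_compromised=False):
    """Return the SSO decision for a request: allow, step_up (ask for a stronger
    factor before granting), or deny (device flagged by MDM, regardless of factors)."""
    if device_compromised:
        return {"decision": "deny", "reason": "device flagged as compromised by MDM"}
    need = required_level(resource, user_risk)
    have = achieved_level(factors)
    decision = "allow" if have >= need else "step_up"
    return {"decision": decision, "required": need, "achieved": have}


if __name__ == "__main__":
    password = Factor("password", "remote")
    print(decide([password], "expense_reports"))                 # allow at level 2
    print(decide([password], "customer_pii"))                    # step_up: level 3 needed
    print(decide([password, Factor("software_cert", "remote")], "customer_pii"))
```

The step-up response carries both the required and the achieved level, which is what the SSO front end needs in order to prompt for the right thing (a certificate or token for level 3, a hard token with in-person enrollment for level 4) instead of simply rejecting the request. The deny branch is checked before any factor is examined: a strong credential on a compromised device is still a compromised device.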

Mobile Device Checklist for IS Organizations to Protect Against Malware

Employ multifactor authentication
Regularly update capabilities of corporate firewall
Regularly scan mobile devices for malware and viruses
Enable automatic installation of software updates
Provide regular backup service to employees (e.g., for their contacts, images, corporate data, etc.)
Install app to remotely locate mobile devices
Install security enhancements and vulnerability fixes as soon as possible
Install antimalware tools (since less than 4% of shipped mobile devices have these preloaded) and “privacy guard” apps to provide antispyware protection such as preventing individual apps from sending certain types of data
Invest in Mobile Device Management System (enables company to manage what is installed, remotely wipe and/or lock phone, and detect jailbreaking)
Provide users with recommended security settings for apps used for work purposes
Test everything and anything that connects to your network

Sources:
http://www.techrepublic.com/blog/cio-insights/mobile-malware-cheat-sheet/39749597
Newman, Jared, July 11, 2012
http://www.microsoft.com/security/pc-security/spyware-prevent.aspx
http://techpp.com/2011/08/11/how-to-detect-and-avoid-trojans-infecting-your-android-smartphone-or-tablet/

Exhibit 9


Mobile Security Checklist for Employees

Keep your apps up to date
Only download apps from reputable sources
Never download “free apps” that are typically paid for
Check your phone bill for rogue calls or texts
Establish a regular backup routine
Ignore notification ads that appear on your taskbar, in browser bookmarks or as home screen icons. If possible, opt out of ad notifications
Do not open email messages from unknown sources
Read all security warnings, license agreements, and privacy statements associated with any software you download
Never click “Agree” or “OK” to close a window. Instead, click the red “x” in the corner of the window or press Alt + F4 on your keyboard to close a window
Be wary of popular “free” music and movie file-sharing programs, and be sure you understand all of the software packaged with those programs
Use a standard user account instead of an administrator account
Be wary of app permission requests, especially requests for personal information and contacts
Pay attention to app reviews from other users
Run away when you see anything like bad English or an incomprehensible string of characters

Sources:
http://www.techrepublic.com/blog/cio-insights/mobile-malware-cheat-sheet/39749597
Newman, Jared, July 11, 2012
http://www.microsoft.com/security/pc-security/spyware-prevent.aspx
http://techpp.com/2011/08/11/how-to-detect-and-avoid-trojans-infecting-your-android-smartphone-or-tablet/

Exhibit 10

Common Symptoms of Malware Infection

Increased CPU usage
Slow computer or web browser speeds
Problems connecting to networks
Freezing or crashing
Modified or deleted files
Appearance of strange files, apps, or desktop icons
Apps running, turning off, or reconfiguring themselves (malware will often reconfigure or turn off antivirus and firewall programs)
Strange device behavior
Emails/messages being sent automatically and without user’s knowledge (e.g., a friend receives a strange email from you that you did not send)

Source: http://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101/

Exhibit 11


authentication for resources that require greater security.

Cybercriminals are becoming increasingly coordinated and sophisticated. Tools and services

High-Level Mobile Device Security Checklist

How do we authenticate users (i.e., confirm that users/devices are who they say they are)?
  Simple passwords?
  Enhanced authentication methods?
  Device location?

Do we limit mobile device access to our system?
  Do we allow consumer devices to connect?
  Who is allowed to access the corporate network using mobile devices?
  Do we limit the use of mobile devices to certain employees?
  Do we limit the number of mobile devices for each user?
  Do we allow vendors/customers to access our data?

Do we protect our sensitive data?
  What information are mobile users accessing?
  How are they using this information?
  Can they manipulate or change data?
  Can users download or share sensitive data with other users/devices?
  Do we encrypt data that is sent and received in the network?

Do we regularly monitor employee use?
  What programs are being accessed (such as social media websites, free games, free apps, etc.)?
  What apps are being downloaded or do we have controls in place to prevent individual downloads?
  Do we know where the employee is when accessing the network (e.g., Wi-Fi hotspots)?

What are our IT Capabilities?
  Do we have the ability to support multiple operating systems? (This could be an issue if you permit BYOD.)
  Do we view the following as mandatory IT functions?
    Automatically updating software?
    Installing security enhancements/patches as soon as possible?
    Installing firewalls?
    Having control to remote wipe or disable mobile devices?
    Keeping virus protection up to date (Antivirus, antispyware and antimalware protection)?
    Monitoring all computer logs?
    Testing everything connecting to the network?

Do we manage mobile devices strategically?
  Do we have a BYOD (Bring Your Own Device) policy?
  Have we taught our employees how to recognize when their device may have been compromised?
  Do we require employees to install all OS updates in a timely manner? How do we know they do?
  Do we prohibit compromised mobile devices from accessing corporate data? How?
  Do we pilot and test the technologies we use with small groups of users?
  Do we have layered security so we don’t have vulnerabilities?
  With regard to cost, there is a price to doing security-related things and there is a price to the risk of not doing them. How do we balance these costs?
  Do we have rules, regulations and a disaster recovery plan should a data breach occur?

Exhibit 12

once reserved for the cybercrime elite are now available on the black market as commodities. The more savvy criminals offer their goods and services to those who may be starting out or are in need of setup and instructions. “Whether selling off-the-shelf botnets, Trojans by the binary or Zeus recompiles, the


Mobile Security Checklist for Executives

Device consideration: Understand how your IT Professionals will…
  Allow for the use of mobile devices: use of corporate issued devices only, allow users to bring their own device (BYOD), or allow for a hybrid system where certain users can BYOD
  Have the ability to support a variety of differing mobile devices
  Recognize the tradeoffs between device freedom and the control, governance, and security issues that IT can exert over these devices

User Considerations: Understand how your IT Professionals will …
  Restrict mobile device usage based on title, position, departments, or business reasons
  Allow external users such as customers and vendors to access corporate data
  Limit the number of mobile devices per user
  Subsidize all or part of the cost of device/wireless service cost

App Considerations: Understand how your IT Professionals will …
  Limit the number and types of “apps” enabled/allowed
  Enable application access to vary by role, group, device type, and whether the device is personal or company owned
  Restrict the mobile apps and resources regardless of the source and to lock, wipe, and encrypt apps and data

Data Considerations: Understand how your IT Professionals will…
  Restrict access to apps and data repositories containing intellectual property, personally identifiable information, business intelligence, nonpublic financial data, etc.
  Plan for prevention, detection, and containment of data leakage
  Ensure that employees/users have access to the data when and where they need it
  Prevent users from circumventing controls

Policy Considerations: Understand how your IT Professionals will…
  Support current compliance controls in regards to regulatory standards (i.e., HIPAA and SOX) and foreign laws and regulations
  Monitor user compliance with company policies regarding mobile devices

Security Considerations: Understand how your IT professionals will …
  Handle the presence of rogue devices, unauthorized users, and noncompliant mobile apps on the network
  Secure sensitive data from unauthorized access (both internal and external threats)
  Monitor the security infrastructure for security threats as well as network, app, and device performance
  Remove company data from devices upon theft or loss of device or employee departure (while leaving personal data intact on employee owned devices)
  Determine if there is a need to integrate your mobile device management plan with a security information and event management (SIEM) and articulate a plan to accomplish this integration

Scalability and high-availability considerations: Understand how your IT Professionals will …
  Recognize that your mobile strategy should account for growth
  Design systems that can support current and future users
  Be able to scale users cost effectively in terms of software, hardware, and service costs

Service Considerations: Understand how your IT Professionals will …
  Understand the savings goals of the organization and have mechanisms in place to measure progress
  Provide remote support, diagnostics, and troubleshooting for mobile devices
  Provide a self-service portal for users to provide basic security and management actions on their mobile devices

Source: http://docs.media.bitpipe.com/io_10x/io_108462/item_644437/Whitepaper_Executive%20Checklist_00.pdf

Exhibit 13


from http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC12_WP_0112.pdf

Farnum, M. (2009, January 5). Simple hack beats biometrics. Retrieved from http://www.pcworld.com/article/156377/hack_beats_biometrics.html

Federal Financial Institutions Examination Council. (2011). Supplement to Authentication in an Internet Banking Environment. Retrieved from http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf

Google. (2011, February 10). Advanced sign-in security for your Google account. Retrieved from http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Honan, M. (2012, November 7). Kill the password: Why a string of characters can’t protect us anymore. Retrieved from http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

Huntington, G. (2012). Password authentication. Retrieved from http://www.authenticationworld.com/Password-Authentication/

International Data Corporation. (2013). Chief Marketing Officer Top 10 Predictions. Retrieved from http://docs.govinfosecurity.com/files/whitepapers/pdf/686_9CriticalThreatsMobile.pdf

Jacobs, D. (2012, December). Enterprises have Smart-Phone Biometric Alternatives. Information Security, pp. 30–34.

Lee, M. (2012, August 27). Dropbox trials two-factor authentication beta. Retrieved from http://www.zdnet.com/au/dropbox-trials-two-factor-authentication-beta-7000003186/

Marble Security. (2013). Nine critical threats against mobile workers.

Matthews, T. (2012, February 13). CISOs are in a mobile mindset, but plenty of work remains. Retrieved from http://www.symantec.com/connect/blogs/cisos-are-mobile-mindset-plenty-work-remains

Messmer, E. (2011). Corporate data breach average cost hits $7.2 million. Retrieved from http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html

Pistol Star, Inc. (2009). Technical Journal on Authentication, 3rd quarter, 2009. Retrieved from http://www.pistolstar

cumbersome security mechan-ics, or will not use the devices’ potential as envisioned by pro-ponents of BYOD.

As a result, we suggest that security must have a strong human interface. Therefore, we provided several checklists to help you plan your readi-ness for BYOD. The solutions to many checklist issues are available through device-housed apps, enterprise-housed software, and mobile device management systems. How-ever, if the control over the mobile device ultimately rests with the employee, then we believe training and education to be a cornerstone of every company’s attempts to have an ultimate benefit from BYOD. Accordingly, we also provided an employee training checklist and a checklist to help execu-tives understand how their IT Professionals will respond to the BYOD pressures. In the end, there is an opportunity for executives to avoid “Bring Your Own Disaster” by relying on the power of these devices to allow users to “Bring Your Own Authentication.”

REFERENCES

AuthenticationWorld. (2013). Single Sign On. Retrieved from http://www.authenticationworld.com/Single-Sign-On-Authentication/

Bodmer, S. (2012, December 7). Top 3 trends for cybersecurity in 2013. Retrieved from http://esj.com/articles/2012/12/07/3-trends-cybersecurity-2013.aspx

EMC Corporation. (2011a). RSA 2011 Workplace Security Report. Retrieved from http://www.emc.com/collateral/software/white-papers/rsa-workplace-security-report-wp.pdf

EMC Corporation. (2011b). Why passwords aren’t strong enough. Retrieved from http://www.rsa.com/products/securid/whitepapers/10762_SIDROI_WP_0711.pdf

EMC Corporation. (2012). RSA 2012 Cybercrime Trends Report. Retrieved

underground is loaded with tools to allow any ‘newbie’ cybercrimi-nal to launch an attack” (EMC Corporation, 2012). We have argued that because malware attacks on mobile devices are gaining momentum, then some enterprises may not be suffi-ciently prepared for the inevita-ble onslaught of mobile devices in the workplace and, indeed, do not have policies in place to address the current (underes-timated) use. If companies are unprepared, then BYOD may as well stand for Bring Your Own Disaster!

We described many signifi-cant cyber threats confronting mobile devices. Yet although industry leader Bill Gates believes we are now singing the password’s swan song, 98% of companies still rely on this single-factor authentication method. Given the costs of a breached password is high (aver-aging $7.2 million in 2010), we urged companies to use multi-factor authentication protocols which we described.

Fortunately, the cyber secu-rity risks associated with the exponential growth in the use of mobile devices may not be as bleak a world as first thought. Mobile devices have built in software and hardware that can match the second- and third-fac-tor authentication levels. Indeed, the consumerization of IT in your companies is also providing a market for many solutions to the authentication problem that may otherwise have been slow in evolving. However, a fundamen-tal fact is that the mobile devices of many of your employees are their personal property. For a generation that prizes ease of use, a natural result of con-sumerization is that employees have incentives to jailbreak their devices, seek alternatives to

Page 18: Your Guide to Authenticating Mobile Devices

68 The Journal of Corporate Accounting & Finance / July/August 2013

DOI 10.1002/jcaf © 2013 Wiley Periodicals, Inc.

techtarget.com/feature/Top-10-consumerization-and-BYOD-tips-of-2012

Wilkeson, D. (2013). Why mobile security should be a top priority in 2013.

Wright, H., Mooney, J. L., & Parham, A. G. (2011). Your firm’s mobile devices: How secure are they? The Journal of Corporate Accounting & Finance, 22(5), 13–21.

http://www.smartcardalliance.org/resources/pdf/mobile_identity_brief_082712.pdf

Song, A. (2011, May 12). Introducing login approvals. Retrieved from http://www.facebook.com/note.php?note_id=10150172618258920

Steel, C. (2012). Top 10 consumerization and BYOD tips of 2012. Retrieved from http://searchconsumerization.

.com/password-management-resources/newsletters/Q3-2009.htm

Rouse, M. (March 2011). Spear phishing. Retrieved from: http://searchsecurity.techtarget.com/definition/spear-phishing

Smart Card Alliance Identity Council. (2012). Mobile devices and identity applications. Smart Card Alliance Identity Council. Retrieved from:

J. Lowell Mooney, PhD, is a professor of accounting at Georgia Southern University in Statesboro, Georgia. He worked for several years in the information systems organization of a major telecommunications firm. His teaching and research interests include the Internet’s impact on business operations, computerized accounting information systems, and performance evaluation systems. Abbie Gail Parham, MBA, CPA, CMA, CFM, SAP Certified, is an assistant professor of accounting at Georgia Southern University in States-boro, Georgia. Ms. Parham has work experience in public accounting and private industry, where she was a cost accountant for a Fortune 500 company. Her teaching and research interests include managerial accounting, fraud and ethics, and student learning and retention using POGIL (Process Oriented Guided Inquiry Learning). Timothy D. Cairney, PhD, is an associate professor of accounting at Georgia Southern University in Statesboro, Georgia. He earned his Chartered Accountancy (Canada) professional designation, practiced as a CA, and was controller for a small enterprise. He is interested in issues associated with firm monitoring and subunit performance.