Phone hacking can extend beyond voice mail

While the phone hacking by British tabloid News of the World was unexceptional by technical standards, security experts say the scandal portends how the growth of smartphones will lead to more sophisticated breaches.The tactics that tabloid reporters used to eavesdrop on high-profile British targets -- and eventually led News Corp. to announce Thursday it is killing the 167-year-old publication -- were remarkably low tech.Former News of the World staffers say that reporters employed tricks to access voice-mail inboxes and procure a great deal of information from British celebrities and the royal family. Experts say that to obtain the PIN codes needed to access those accounts, the reporters used an illegal method known as pretexting.This tactic involves calling, say, a customer-service representative for a cell-phone operator and impersonating someone to get details about that person's account. In many places, such as the United Kingdom and the United States, such practices are now prohibited.Pretexting used to be a vital tool for freelance investigators, said Frank Ahearn, a former detective who does consulting on how to avoid detection, in an interview with CNN last year. "I could still do it, but I just don't, because it's illegal now," he said.News of the World appears to have exploited a mechanism in mobile-phone carriers' systems that allows people to access voice-mail messages remotely, from any phone, experts say.The episodes followed an even more primitive breach in the 1990s when the Sun, another British tabloid, published recordings of royal family members' phone conversations. Among the revelations: James Gilbey, a close friend of Princess Diana's, frequently referred to her affectionately as "Squidgy."Those unsecured mobile communications, in the days of analog transmissions, were easily tapped by amateur ham-radio operators as well.Squidgygate aside, the migration to more advanced cell phones in recent years has facilitated more sophisticated intrusions. Smartphones have become the dominant type of mobile device bought in the U.S., according to Nielsen, and are growing rapidly worldwide.With these pocket computers, intruders have myriad more entry points available to them.Two of the most common, security analysts say, involve tricking a phone user into installing poison applications or opening malicious links in their Web browsers. Attacks using the latter method are becoming ever more sophisticated because software makers provide few safeguards against them.With the proliferation of curated app stores, scammers are finding it difficult to sneak their virus-laden software onto people's phones undetected. Apple and many others, not including Google's Android, vet apps before making them available online.Software providers also maintain a "kill switch" that allows them to delete problem programs remotely from customers' phones after they've taken root. And some carriers, such as AT&T, have required that customers only install Android apps from trusted storefronts.Security researchers have long warned that cell phones are poised to be the next frontier for cyber attack."It's always been a concern," said John Walls, a spokesman for industry group CTIA Wireless. "That's why, No. 1, the carriers do invest a vast amount of resources to provide security within their own networks."For example, operators have increased the security measures in place to block junk text messages before they reach a recipient's handset, Walls said.Cell phones are "built with at least some form of protection engineered from the beginning, which was not the case with PCs," said Horace Dediu, who runs a Helsinki, Finland, mobile consulting firm called Asymco.But those protections have, in some cases, bred a false sense of security, Dediu said."People feel safer with these things," he said. "You can see that psychologic attacks (convincing someone to install a malicious app, for example) are always going to be possible."Pretexting is ultimately about social engineering, Walls said. And telecoms increasingly train customer-service workers to follow strict guidelines to keep information from falling into the wrong hands, he said.Convincing phone users to click a strange link or install an app that steals their data is also a form of social manipulation. And a relatively easy one at that, researchers say. But the mobile security apocalypse that has long been forecasted hasn't come.So far, mobile attacks have most often attempted to trick people into sending expensive text messages or making pricey phone calls to 900 numbers, because those ruses are the simplest and most lucrative, experts say.When it comes to stealing personal information, cyberthieves prefer to grab reams of private data from corporate servers, such as the recent attacks on Sony, experts say.Some security firms are working on software to protect smartphones. AnchorFree, for example, is building a program that remotely shields Apple customers from problems.Eugene Lapidous, AnchorFree's chief architect, said in a recent interview that "iPhone doesn't protect itself. So we have to provide some intermediary service in the cloud."If you regularly download apps or media files, or access shared Wi-Fi networks via your phone, CNN mobile columnist Amy Gahran says it's a good idea to purchase a mobile security package.Many mobile security packages are available for $20-$30 upfront, plus about the same amount per year. TopTenReviews.com recently published a comparison chart of 10 leading mobile security services for consumers.But security software for phones so far has mostly been an underserved and largely undesired market.While many more safeguards are in place for phones, the checklist for protecting oneself sounds similar to the handouts many corporate information-technology departments give to employees: Don't lend your equipment out; don't install suspicious programs; use common sense."We urge people, just like you would on a computer: Be wary of addresses or communications with which you're not familiar," Walls said. "It sounds simple."It is. But as unscrupulous reporters have shown, some phones can be fairly easy to crack.