Norman M. Sadeh, Professor, School of Computer Science; Director, Mobile Commerce Lab, Carnegie Mellon University (www.cs.cmu.edu/~sadeh): Smart Phone Security.

Slide 1: Smart Phone Security & Privacy: What Should We Teach Our Users?
Norman M. Sadeh, Professor, School of Computer Science; Director, Mobile Commerce Lab, Carnegie Mellon University

Copyright © Norman M. Sadeh, EDUCAUSE Webinar – April
Slide 2: Outline
- Smart phone security and privacy awareness: unique challenges
- Phishing: much worse with smart phone users. What can we do?
- Mobile apps and social networking: what can we teach users?
- Concluding remarks
- Q&A

Slide 3: SMART PHONE SECURITY AND PRIVACY AWARENESS: UNIQUE CHALLENGES

Slide 4: Cyber Security Training Awareness
…has been compared to trying to nail Jell-O to a wall.

Slide 5: Yet…
- Filters, firewalls, IDS etc. have their limitations
- Users are the last line of defense
- Universities: a dual objective
  - Protect the university's infrastructure and sensitive data
  - Educational mission

Slide 6: Universities
- Diversity of users: faculty, staff, students
- Diversity of cultures and environments: fragmented administration
- Diversity of needs: research vs. education vs. admin
- Diversity of devices: some managed and some not
…Yet the price of security breaches can be dire…

Slide 7: Smart Phones: The New Frontier
Smart phone adoption to approach 50% in the US in 2011.

Slide 8: …Along the Way…
Our cell phones are now coming with the same vulnerabilities we have on our computers… …and more…

Slide 9: Universities at High Risk
University students…

Slide 10: Mobile & Social Networking are Big

Slide 11: Diversity of Devices & OS's
Best practices are harder to articulate.

Slide 12: The Biggest Security Risk?
Millions of cell phones lost or stolen each year.

Slide 13: Lost or Stolen Phone…
- Private data & sensitive apps, e.g. contacts list, pictures, phone calls, messages, email, calendar, apps, etc.
- Risk of someone using your phone
  - Impersonating you: SMS, voice, email, social networks, etc.
  - Placing expensive international calls
- Reselling your phone
- etc.

Slide 14: What Can We Teach?
- Don't leave your phone unattended: this goes beyond theft and loss, since malware is easy to install on an unattended phone
- Use a PIN to protect your cell phone: different options (e.g. iPhone)
- Write down your IMEI number as well as the phone make and model and the cell phone number
- Quickly report a lost/stolen phone

Slide 15: Tips Quickly Become Device-Specific
Requires MobileMe: loud noise + contact info + map.

Slide 16: Remote Erase
- A number of solutions…
- …Hopefully you've backed up your data
- …Some products combine both backup and "remote wipe"
- Watch out for malware: read reviews and select reputable solutions…

Slide 17: Dangers of Multi-Tasking
- Phone call, SMS, email, etc.
- While driving, crossing the street…: illegal in some places, not wise elsewhere

Slide 18: Understanding the risks…
- Even more challenging than on a computer
- Cell phones are highly personal devices with access to lots of sensitive information
- …yet fewer people understand the risks
- Lots of different cell phone models, not all with the same functionality or settings…
- Users need to invest time in understanding and tweaking their security settings

Slide 19: Different Activities Lead to Different Risks
Voice, SMS, Bluetooth, browsing, WiFi, location, app downloads, social networks …and more.
…A rather daunting task…

Slide 20: PHISHING: MUCH WORSE ON SMART PHONES

Slide 21: Phishing: Worse on Mobile Phones
- Trusteer, Jan 2011: mobile users are the first to arrive at phishing websites
- Mobile users are 3x more likely to submit credentials than desktop users

Slide 22: Beyond Phishing
- SMS-ishing
- Vishing
- IM phishing
- Phishing via social networks
- Phishing apps

Slide 23: What To Do?
- Better filters can help
  - Most spam filters rely on manually maintained blacklists that are several hours behind
  - Example: Wombat's PhishPatrol
- Teach people to recognize traps in phishing emails
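The slide contrasts blacklist-driven filters with a dedicated anti-phishing filter. As an added illustration (not PhishPatrol's code, which the deck does not show), the Python below extracts content-based features of the kind used in the "Learning to Detect Phishing Emails" reference on the final slide, so a message can be scored the moment it arrives rather than hours later when a blacklist catches up; the two sample bodies, the example-bank.com brand and the score weights are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample bodies (not real mail); example-bank.com is a placeholder brand.
LEGIT_HTML = """<p>Your statement is ready. Sign in at
<a href="https://www.example-bank.com/login">www.example-bank.com</a>.</p>"""
PHISH_HTML = """<p>Your account is suspended! Verify now:
<a href="http://192.0.2.10/secure/login.php">https://www.example-bank.com/verify</a>
<a href="http://example-bank.com.account-update.example.net/a">Click here</a></p>"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels as a crude stand-in for the registrable domain (no public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def phishing_features(html_body):
    """Content-derived features in the spirit of Fette et al.; no blacklist is consulted."""
    parser = LinkExtractor()
    parser.feed(html_body)
    feats = {"links": len(parser.links), "ip_urls": 0, "mismatched": 0, "deep_hosts": 0}
    domains = set()
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domains.add(registrable_domain(host))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            feats["ip_urls"] += 1        # raw IP address instead of a hostname
        elif host.count(".") >= 3:
            feats["deep_hosts"] += 1     # brand name buried deep in a long hostname
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and "." in shown and registrable_domain(shown) != registrable_domain(host):
            feats["mismatched"] += 1     # URL shown to the user disagrees with the real href
    feats["domains"] = len(domains)
    return feats

def phishing_score(feats):
    """Hand-picked weights stand in for the paper's trained classifier (assumed values)."""
    return (3 * feats["ip_urls"] + 3 * feats["mismatched"]
            + feats["deep_hosts"] + 0.5 * max(0, feats["domains"] - 1))
```

A production filter would learn the weights from labelled mail and add the paper's other features (domain age, JavaScript, spam-filter output); the point here is that every signal comes from the message itself.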

Slide 24: Training via Mock Attacks: PhishGuru
- Teach people in the context in which they would be attacked
- If a person falls for a simulated phish, show an intervention explaining what just happened
- A unique "teachable moment"

Slides 25–28: the PhishGuru workflow, built up one step per slide
1. Select target employees
2. Customize fake phishing
3. Select training
4. Internal test and approval process
5. Hit send
6. Monitor & analyze employee response

Slide 29: It works!
Reduces the chance of falling for an attack by more than 50%! (Actual results)

Slide 30: Reinforce with Training Modules, Incl. Games
- Traditional training doesn't work, but people like games
- Games teach users about phishing
- People are more willing to play games than read training material
- Shows higher long-term retention

Slide 31: Teaches people to identify "red flags" in fraudulent emails

Slide 32: Phishing is a Generic Threat
- It is possible to identify device-independent tips and strategies
- It is possible to teach these tips and strategies in a matter of minutes
- Universities like CMU are using PhishGuru and training games (the Phil and Phyllis training games) to train staff, faculty and students
- A dedicated anti-phishing filter can also make a difference (e.g. PhishPatrol)

Slide 33: MOBILE APPS & SOCIAL NETWORKING: WHAT CAN WE TEACH USERS?

Slide 34: Social Networking – Facebook, Twitter & Co.
- Sharing is wonderful…
- …until you regret you did it
- Think and ask yourself whether:
  - You really know who you are sharing with
  - A week or a year from now, you'll still be happy you did
- Colleagues, friends, new acquaintances…
- Beware of pictures and links that seem to come from friends…

Slide 35: All Those Great Apps

Slide 36: Malicious Apps
- In January of 2010, the first malicious mobile banking app was detected; it stole your banking credentials
- Android doesn't review applications
- Apple does, but that's no guarantee
- Many apps collect a lot more information than they need to, e.g. location

Slide 37: Some Recommendations
- Research apps before you download them
- Best to wait until enough other people have tried them
- Check ratings, but do not rely entirely on them
- If you are courageous, take time to review privacy provisions
- Possibly create a Google alert for apps you download

Slide 38: Location Sharing Apps

Slide 39: Also referred to by some as…

Slide 40: If you are going to share your location, at least do it under conditions you control

Slide 41: Promoting Our Own Location Sharing Platform
- More expressive privacy settings, e.g. "My colleagues can only see my location when I'm on campus and only weekdays 9am-5pm"
- Invisible button
- Auditing functionality
- Available on Android Market, iPhone client, Ovi, laptop clients
- Tens of thousands of downloads over the past year
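The expressive rule quoted on this slide, the invisible button and the auditing functionality, as an added Python illustration of how such a policy can be evaluated; this is not the platform's own code, and the rule model, the named places, the group membership table and the people's names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set, Tuple

@dataclass
class Rule:
    """Who may see the owner's location, and under which conditions."""
    group: str                        # requester group this rule applies to
    places: Set[str]                  # named regions where sharing is allowed; empty = anywhere
    weekdays_only: bool = False
    hours: Tuple[int, int] = (0, 24)  # allowed local hours, half-open [start, end)

    def allows(self, groups, now, place):
        return (self.group in groups
                and (not self.places or place in self.places)
                and (not self.weekdays_only or now.weekday() < 5)
                and self.hours[0] <= now.hour < self.hours[1])

@dataclass
class Profile:
    rules: List[Rule]
    invisible: bool = False           # the "invisible button": suppress all sharing at once
    audit: list = field(default_factory=list)

    def can_see(self, requester, groups, now, place):
        """Decide one location request; every decision is appended to the audit log."""
        decision = (not self.invisible) and any(r.allows(groups, now, place) for r in self.rules)
        self.audit.append((now.isoformat(timespec="minutes"), requester, place, decision))
        return decision

# Constructed profile encoding the slide's example rule plus an always-on rule for friends.
PROFILE = Profile(rules=[
    Rule(group="colleagues", places={"campus"}, weekdays_only=True, hours=(9, 17)),
    Rule(group="friends", places=set()),
])
# Constructed group membership table (hypothetical names).
GROUPS = {"alice": {"colleagues"}, "bob": {"friends"}, "carol": set()}

def request(requester, when, place):
    """Resolve the requester's groups and ask PROFILE for a decision.
    `when` is a datetime or an ISO 8601 string such as '2011-04-12T10:30' (a Tuesday)."""
    now = datetime.fromisoformat(when) if isinstance(when, str) else when
    return PROFILE.can_see(requester, GROUPS.get(requester, set()), now, place)

if __name__ == "__main__":
    print(request("alice", "2011-04-12T10:30", "campus"))  # colleague, on campus, in hours
    print(request("alice", "2011-04-12T10:30", "home"))    # same colleague, off campus
    print(request("alice", "2011-04-16T10:30", "campus"))  # Saturday
    print(request("bob", "2011-04-16T23:00", "home"))      # friend: anywhere, anytime
    for entry in PROFILE.audit:                            # what the owner can review
        print(entry)
```

The audit log is what lets the owner later check who asked for their location and when, which the slide lists as a separate feature from the rules themselves.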

Slides 42–45: (image-only slides, no text)

Slide 46: CONCLUDING REMARKS

Slide 47: Concluding Remarks
- Cell phones are wonderful devices…
- Most of us can't even remember how we could operate without them
- …Yet they come with many risks
- …General guidelines are difficult to articulate: diversity of cell phones and usage scenarios
- Yet in some areas such as phishing, results indicate that training can make a difference
- We are extending this approach to mobile security at large

Q&A slide

Slide 49: References
Scientific references:
- L. Cranor, "How to Foil 'Phishing Scams'", Scientific American.
- P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong, "Teaching Johnny Not to Fall for Phish", ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, pages 1–31.
- I. Fette, N. Sadeh, and A. Tomasic, "Learning to Detect Phishing Emails", in Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12,
- Locaccino scientific publications:
Case studies & white papers:
- "A Multi-Pronged Approach to Combat Phishing (Carnegie Mellon University case study)"
- "Empirical Evaluation of PhishGuru Embedded Training"
- "Cyber Security Training Game Teaches People to Avoid Phishing Attacks"