Isn't it sweet...
Every time we come up with a supposed sure fire method to increase security, we soon have a nice method to completely circumvent it...
Malware-makers are stepping up the assault on Android handsets and are now quietly redirecting phone calls to steal voice-based two factor authentication details. An update to the Android.Bankosy trojan horse means it not only locks down handsets but steals data from hacked devices. Symantec threat-throttler Dinesh Venkatesan …
We always knew Android was just about as secure as Windows 95, so no surprise someone is stealing your two-factor authentication. Hopefully you don't have your passwords on your phone too, requiring someone to find your computer AND phone to get into your stuff. You don't bank on your phone, do you? Do you?
If you're serious about 2-factor authentication, you use an RSA tag that can't be hacked remotely.
Blah, newsflash... Supposedly the other "trusted" applications, where every single one of them will -surely- have a disclaimer saying how they could destroy us at any point and nobody on this planet can do anything about it - if we accept, install... Those apps are fine, then, right (lolz).
The Android approach is, just, fundamentally flawed - giving all sorts of permissions, to whatever (and whoever, heh.) in order for anything to function. It's insane and daily we see celebrities' pictures hacked - surely teh banks are swamped with people having their money stolen, only because their kid scanned a QR code, or whatever - phone bills going through the roof, for unknown reasons and so on & so forth.
^^ Just because people reading The Register have a clue - it says nothing about the rest of the world and millions of Android (L) users
"Just because people reading The Register have a clue - it says nothing about the rest of the world and millions of Android (L) users"
And therein lies the problem, I might have a clue about security, but you won't find me messing with the brakes on my car. If you don't know, don't touch.
The problem is users don't consider 'Allow unknown sources' a threat as I do the brakes on my car, so are quite happy to fiddle without thinking about the risks because "free game".
RSA got majorly hacked and handled it terribly. Anyone who uses RSA should seriously consider whether they are a suitable company to trust with important security - not so much the hack but more the response - they caused most of the post-revelation misery.
A Windows PC is far, far more likely to get malware than a phone, far less safe for online banking. Compare the drive-by malware installs on PC versus on a phone - on a phone the attempt means you have to have overridden security settings and said yes to the prompt to install an unsafe app. I have yet to see malware on a phone personally, whereas I see many on PCs every month.
"A Windows PC is far, far more likely to get malware than a phone"
I'm not so sure about that. A smartphone has far less power available, and is less equipped to run tasks in parallel than a Windows PC. Yes, a Windows PC is not the safest means of using the Internet but even I (not a Windows fan at all) would prefer that over a phone as I can at least change enough to make it safe. I don't feel I have that sort of control with Android.
Caveat: I am uncertain that statement holds up for Windows 10. I don't even want to consider it..
Wait, what... People have down-voted Bob 18's comment - for, what? :D
Android is terrible, without a rooted system and a whole bunch of tools (including a carefully managed rule-based firewall): shouldn't -really- trust and use any applications - which, everyone does it by default, which is ridiculous, hehe. xD
"Every time we come up with a supposed sure fire method to increase security, we soon have a nice method to completely circumvent it..."
Some Android handsets can be upgraded to Windows 10. That's about as secure as it gets at the moment in mobile. Zero malware so far across over 100 million devices.
God, I hope that's sarcasm because I've been reading about how millions of PCs are upgraded to Windows 10 (I can only assume these are PCs whose dull-eyed muggle owners have set to automatically apply all updates and weekly reboots).
I've yet to encounter a PC/laptop that wasn't bought with W10 that is running W10, with the exclusion of one friend who just dropped his laptop off (which he upgraded to Windows 10) with instructions to "get this shit off my laptop, I want Windows 7 back".
IMO, there are different ways of lookin' @it, for example: when I go to my bank (Banca Intesa, Italian bank), they regularly inform me that they have an online service and would I like to enable E-banking...
Only the first time I had inquired about it, went to their portal - to see how it was done via teh MSIE Internet Exploder and some BHOs (& maybe certificates, can't -really- remember, but prolly not). These days, it *has* been updated to work with Firefox and other browsers - using Java; however, there will be (some) problems for whoever has installed 32-bit and 64-bit Java, on their x64 Windows - using a, regular, 32-bit browser.
*the possibilities, there, are endless really - just taking these manifestations into account (you know, the system responds to errors, with generous feedback; then, there is more than one path to take and so on - it could be wonderful, hehe)
The decision was and is quite simple. This kind of a system *can* be used and its coding is acceptable, but only a madman would enable and use their E-banking service. So, depends how you look at it: you can keep your money safe, or some people like to gamble - for convenience purposes, right...
You, just, don't (do not) keep your database online - if you'd like it to stay secure; it's, really, simple. :)
^^ Things which ARE put online... Shouldn't be made by children (which is what happens, on regular basis; err, in fact, kids would do it better, LOL)
The "once the malware is installed on the victim’s device" disclaimer. It's like "once the robbers are inside Fort Knox...". Conveniently skipping the slight bit about how to get in there in the first place. This is the whole point of security. A chimpanzee can write a malware.
A little reminder that the reason Android malware exists is because of large numbers of non-Google Play store phones from China and other 3rd world countries, and the little bit about that "allow unknown sources" checkbox.