South African mobile network operators understand that they need to address mobile security. Six months ago it was an area of concern but now they realise that it can have a very real impact on the bottom line, writes Robert Oostergetel, director of global OEM sales at BullGuard.
There is a general feeling in the mobile business that security needs to be addressed. It’s an issue that particularly affects operators’ helpdesks; the fewer support calls they get from customers, the less strain there is on their call centres, with a direct correlation to revenues. Vodacom claims in excess of 30-million customers as of June 2007, MTN claims 40-million group subscribers as of March 2007 and Cell C in excess of 2-million.
If just 1% of those subscribers make one support call per month due to a malware infection, that’s 300 000 additional calls to Vodacom’s helpdesk, 400 000 to MTN’s helpdesk and 20 000 to Cell C’s. That represents an enormous expense.
Some of the effects viruses have on cellphone users and some of the issues helpdesk consultants will face include:
* Sending mass SMS and MMS messages or dialing premium rate numbers without user knowledge – all billed to users;
* Loss of personal information such as address books, files and photos, or theft of confidential information;
* Disabled functions on the phone such as SMS, games and camera or completely disabling the entire device;
* Using the phone’s battery charge much faster than usual;
* Sending infected files to people in the user’s name via e-mail, WiFi, Bluetooth and others; and
* Transferring malicious code from the smart phone to a PC upon connection.
Malware infects phones via Bluetooth connections, MMS messages and when users download programs to smart phones from unreliable sources.
Properly addressing security also puts less strain on operator networks because users won’t spend unnecessary time and bandwidth downloading tools and fixes.
Six months ago when I was in South Africa to discuss this issue with the operators, I had to help bring them up to speed. This time they had a “ready to do it” attitude and several local operators had commissioned reports on the impact security will have in the mobile arena. They’re ready to talk business.
The operators are taking security seriously because they need to gauge the extent of the problem, how the user base will be affected and then decide whether or not they are going to be proactive or reactive to the situation.
Corporate users realise that if they have one infected device in the corporate framework, then they have a problem. Operators cannot afford to lag.
In July last year Orange in the UK launched a mobile anti-virus solution for UK smart phones. The company’s head of product management said: “As handsets have become more advanced and open to meet customer needs, both the sophistication and proliferation of the mobile viruses has become an issue.” He continued by saying that Orange had “witnessed a growing number of cases on our network”.
Mobile phone malware lags the PC market by eight or nine years. At the moment the threat is slight but since it almost perfectly mirrors the PC market of almost a decade ago, it will mushroom. Once malicious software creators have a financial reason to conduct their business, malware will proliferate. South Africa, one of the countries in the world where cellphone banking is available, will be high on their hitlist.
In the South African mobile banking context the network operator owns the simcard. It’s the unique simcard that is used to verify and conduct mobile banking. That potentially puts the operator at risk if a user’s mobile banking security is compromised. In addition, if the simcard is vulnerable then the consumer’s finances are vulnerable and that makes mobile devices a sexy target for hackers.
Operators now must decide if they are going to proactively tackle the problem, as Orange did in the UK, or be reactive and possibly undermine confidence in devices and the services offered through them. Online shopping vendors reacted to the security situation when it arose in the PC market, instead of proactively securing devices, and as a result 35% of people still won’t shop online.
Although the mobile malware market currently mirrors the PC malware market of yesteryear, there are a few key differences in the technologies that will shape the future of mobile security. Modern mobile handsets are hardcore communication devices born with every means of communicating and sharing information. As tools for spreading viruses they’re potentially far more effective than PCs used to be.
The lack of financial gain for hackers, industry awareness, user awareness and the multitude of operating systems is all that currently stems the flow of malware. Also, 80% to 90% of handsets in the field today are low-end and won’t be affected by viruses. Once that changes and the majority of people have upgraded to the newer types currently available, particularly in the corporate environment where the features show specific potential, then the situation is reversed.
Eventually most of the threats associated with the PC market today will flow together with mobile devices. In fact, scripts that run on PCs will likely port directly to mobile devices and vice versa. This means that enterprises will need to protect their mobile devices as well as they protect their computer networks to preserve the status quo. Data security is also a concern to home users. People don’t want their call and text message records to fall into the wrong hands.
Digital images stored on mobile devices are also valuable to people. The likelihood of both consumers and corporate users considering security software for their smart phones is therefore increasing.
The corporate market has shown a degree of interest since 2005. Employees charged with securing the corporation are going to be cautious by nature. They take even the smallest risk into account.
Also, corporate security execs can obtain bigger budgets by drumming up a little scare hype. Compare that to consumers who have to decide between new anti-virus software for their phone or a new pair of shoes. It’s really no contest at this stage and that is why most vendors currently focus their efforts on the corporate market.
Fortunately for consumers, the mobile operators have been very responsive to the security message and they all have a security policy or are deeply committed to the process of writing one. The potential impact at the helpdesk is driving that and they see early widespread security vulnerabilities as a potential block to future revenue streams generated from value-added services.
Operators have taken different approaches when addressing security software. In Europe some bundled security software as part of the mobile package in a blanket approach, using it as a competitive advantage in a highly contested market.
In some cases the major device distributors bundle security software with the hardware before they ship it, which is a likely model for South Africa. But some European operators have also left the security issue entirely up to users, allowing them to download the software of their choice if they wish to do so.
Competition is already tough. This market is 20 times bigger than the PC market so vendors are expending a great deal of effort to make early inroads. It’s only a question of time before the bidding wars start. The fact that so many of the operators already have security policies in place indicates that vendors have been doing the rounds and as the relationships mature and revenue streams stabilise, then operators will begin to more finely negotiate the terms of their partnerships.
Nobody is quite sure about the extent of the market at this stage because of the number of devices being used, the many different types of hardware and operating systems and the plethora services and value-added benefits that result in a great many different uses. Once that’s established, competition will become particularly stiff as the real value of the market emerges.
It’ll happen sooner rather than later. From what I’ve seen here in South Africa, I expect consumer-focused services to be rolled out in the next three months. On the corporate side I expect it will take a little longer since discussions are more complex, primarily because they involve three parties instead of just two: the operator, the vendor and the corporate customer. But, be it three months or six, security is undoubtedly coming to mobile devices in one form or another.