Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.
Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim's user name and password on websites such as Facebook or Twitter.
Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.
The problem is that mobile users are being trained to enter their passwords and user names into mobile apps.
The first time one mobile program wants access to another -- for example, if Groupon for iPhone wants to share something on Twitter -- the program typically pops up a window that invites the user to sign into that website. But there's usually no way to be sure that the login site is legitimate and that the phone's owner is really sending his user name and password to Twitter.
PC browsers have Web address bars, green warning lights and other features to help Internet users know if they're being tricked by phishers, but that's not the case in the mobile world. Phones are so small there often just isn't space for these protections.
In tests, researchers have shown that it's almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones.
The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing.
David Wagner, a Berkeley computer science professor, believes that until there are better ways for mobile applications to talk with each other, this could be a very hard problem to solve. "The reason we wrote this paper was because we saw the potential risk and we did not have a good solution," he said.
In their paper, Wagner and co-author Adrienne Felt conclude, "mobile users' passwords for several major sites (notably including Facebook and Twitter) might be at risk."
One person who's working on a fix is Markus Jakobsson, principal scientist of consumer security at PayPal. He's developing software that would work with smartphone operating systems, called Spoof Killer. It would keep track of which applications and websites are legitimately supposed to ask for login credentials and simply block the fake ones from working.
Sign up for Computerworld eNewsletters.