January 28, 2020 / Modified jan 28, 2020 2:58 p.m.

Don't Be Like Jeff Bezos. Here's How To Keep Your Phone Safe From Hackers

Research shows that more general-purpose malware aimed at phones that the rest of us use is on the rise.

npr news bezos hack VIEW LARGER The phone of Jeff Bezos allegedly was hacked via a WhatsApp account held by Saudi Crown Prince Mohammed bin Salman.
Bandar Algaloud/Anadolu Agency/Getty Images

If Jeff Bezos can't keep his phone safe, how can the rest of us hope to?

Sure, Bezos, Amazon's CEO and the owner of The Washington Post, is smart and presumably has good security people helping him, says Matthew Green, a computer science professor at Johns Hopkins University. But, Green says, "the bad thing about being Jeff Bezos is that there are a lot of people with huge amounts of money who want to hack you."

Still, a targeted hack like the one the Saudis allegedly used against Bezos to get troves of information off his phone — which involved a video file allegedly sent by Crown Prince Mohammed bin Salman to Bezos over WhatsApp — is costly and hard to pull off, says Green, an expert on cryptography and cybersecurity.

Green says that if you're not very wealthy and not a celebrity, a politician or a top executive, "you probably are not a target." At least for that type of attack.

That's the good news. The not-so-good news: Research shows that more general-purpose malware aimed at phones that the rest of us use is also on the rise.

So here's what you need to know to reduce your chances of getting hacked.

1. Don't "jailbreak" your phone and install dubious apps

There is a whole netherworld of questionable apps that exists outside the supported app stores run by Apple, Google and Amazon.

Many people "jailbreak," or alter, their phones so they can install apps from outside the mainstream app stores — apps that look like games or promise to let you watch a big Hollywood blockbuster before it's officially released. But "that dramatically increases your risk for installing malicious apps," says Tim Erlin, a cybersecurity expert at Tripwire.

Overall, phones are getting much harder for hackers to break into, Green says. He says even if your phone is compromised in some way by malicious code, that doesn't mean the hackers can open all your apps, look inside them and get your bank account numbers, emails with your tax returns for your accountant or whatever else.

"Every single app you have runs in what's called a sandbox. Basically, it's isolated from all the other apps on the phone," Green says. "So even if there's a bug in one app ... that could lead to something bad — some malware being installed that affects that app. But generally speaking, it won't spread throughout your phone."

So that's a crucial protection to make hacks much more difficult. But if you jailbreak your phone, you're throwing aside that digital security and leaving yourself much more vulnerable.

Green notes that if your phone is four or five years old, you also don't have some of these important newer protections and are more at risk.

2. Install all operating system updates

Hackers and the phone manufacturers are in an ongoing race. The hackers find vulnerabilities, and then fixes are included in the software updates for your phone.

Social media and messaging companies are in this race against the hackers too. Facebook, which owns WhatsApp, warned about and fixed a video file vulnerability last year, but it's unclear whether it was the same one that allowed Bezos' iPhone to be hacked in 2018. Where you play a role in all this is by installing the latest updates to your phone and the apps installed on it.

"Keeping your phone updated is an important step in keeping it secure as well," Erlin says. "It's important to install those updates when they're available."

This is where having an old phone can be a problem. "It's a choice you can make: If you don't want to move to a newer phone, you want to accept that risk. Lots of people do, but it does put you at greater risk, because you're no longer receiving security updates," Erlin says.

3. Beware of questionable attachments and links

In traditional phishing attempts, ou might get an email on your computer asking you to click on a link or download a file that contains malware. But for hackers targeting phones, the threat might not be in an email.

"If you think about the apps that you use most commonly, maybe it's Facebook, maybe it's Instagram, maybe it's some other app where you have the capability to send and receive messages," Erlin says. "An example would be that in Instagram, you receive a link. Maybe it's not a file — maybe it's a link from someone you know or you follow that says, 'Here, I made this for you.' "

Just like with email phishing accounts, Erlin says, watch out for vague and general-sounding messages asking you to open a file or click on a link. Even if the message comes from someone you know, the person's account may have been compromised. "And so you click on that link and it compromises your phone," Erlin says.

Be careful about being tricked into giving away passwords or other sensitive personal or financial information. Erlin remembers a couple of years ago, an attacker was trying to get people to enter their credentials for their bank account so the hackers could steal them.

Erlin adds: "And they had compromised the phone in such a way that they replaced the phone number for the bank account with a phone number that they controlled, so that when you tried to call your bank to say, 'Hey, I can't get into my bank account,' you ended up with a person who was associated with this attack. That's a fairly sophisticated type of operation, but it was possible at that time."

4. Protect yourself from SIM-swap attacks. Don't use your cellphone as a way to verify identity

SIM-swap scams are some of the scariest phone hacks. They're more difficult and time intensive to pull off. So they're not that common, but they are on the rise.

Samy Tarazi, a criminal investigator with the Santa Clara County District Attorney's Office in California, works on a regional task force on the problem. He says he knows of about 4,000 cases nationally, "but there are more than that."

With a SIM swap, fraudsters take control of a victim's phone number. Tarazi says there are multiple ways they can do this. They might trick the phone company and claim they lost their phone and need to transfer the number. Sometimes it's an inside job where they bribe a phone company employee.

Once they get that number transferred over to a phone that the hackers control, Tarazi says, often "that phone number is linked to all of the victim's online accounts — their bank accounts."

Those accounts use the cellphone number to verify a customer's identity when the customer wants to do something like change a password. A bank might send you a text message with a temporary code that you then use to change your account's password.

So without knowing any of your actual passwords, a hacker can take control of an email account and then have control of both your phone number and your email. "From there, he can reset passwords to any other service — banks, cryptocurrency ... social media," Tarazi says. People have lost large sums of money this way, he says.

But Tarazi says there is a way to protect yourself: "We highly recommend that people not use their cellphone number as a form of verification of identity." Instead, he says, you should tell financial institutions and other services that you use that you want to use a password and some other form of two-step verification.

Tarazi says some companies may allow you to use a special authenticator app for this. Or he says you could use security questions that you know the answer to. But he says you should make up fictional answers if the security questions can be researched and figured out by others.

5. Be careful about public Wi-Fi when traveling abroad

This is actually an area where phones are getting more secure. Green says if you're running a relatively new phone with the most updated operating system, you don't have to worry that much about whether plugging into a public charging station or connecting to a public Wi-Fi network is going to let hackers break into your phone.

"There's still always a chance that somebody could look at the traffic going over the network. You should worry about that," Green says. "But really, hacking into your phone is getting much, much harder."

But Tarazi says you do want to be more careful when traveling abroad. He says many people want to use Wi-Fi to avoid roaming charges, and that's OK.

But, he says, be careful if you try to use a public network and it prompts you to do something suspicious. "Sometimes it's download this app and then use it to log in," Tarazi says. "If it ever requires you to download something, definitely do not do that."

Even with the improved security for smartphones, often you don't realize you've been hacked until it's too late. And if somebody opens a credit card in your name or steals money from an account, you also don't know how they got your personal information — from your phone, stealing your mail or the Equifax breach or some other massive hack of a corporation.

If the address book on your phone is compromised, an attacker would be able to email spam with malicious links to all your contacts. If one of those contacts clicks on the link and then does some online banking, "that lets the hackers steal credentials for their bank account and then they have access to that bank account," Erlin says.

Tarazi of the Santa Clara DA's office says that with so many ways to have your personal financial information stolen, it's a good idea to call the three major credit bureaus and tell them to put a freeze on your credit report. That makes it much harder for identity thieves to open a new bank account or credit card using your name.

MORE: NPR News
By posting comments, you agree to our
AZPM encourages comments, but comments that contain profanity, unrelated information, threats, libel, defamatory statements, obscenities, pornography or that violate the law are not allowed. Comments that promote commercial products or services are not allowed. Comments in violation of this policy will be removed. Continued posting of comments that violate this policy will result in the commenter being banned from the site.

By submitting your comments, you hereby give AZPM the right to post your comments and potentially use them in any other form of media operated by this institution.
AZPM is a service of the University of Arizona and our broadcast stations are licensed to the Arizona Board of Regents who hold the trademarks for Arizona Public Media and AZPM. We respectfully acknowledge the University of Arizona is on the land and territories of Indigenous peoples.
The University of Arizona