ISACA warns on mobile device geo-location security risks

Citing research that shows 50% of smart phone users globally access location-based applications such as Facebook, Groupon and Google Maps on their mobile devices - and that this percentile is expected to grow significantly – ISACA has published a white paper on the potential geo-location security problem.

The paper - Geolocation: Risk, Issues and Strategies - cautions that regulating the use of geo-location data is still in its infancy, so individuals must be aware of the information they are sharing and enterprises must act now to protect themselves and the information they provide, collect and use.

According to ISACA, geo-location technology uses data acquired from a computer or mobile device to identify a physical location. Applications using the technology offer consumers greater convenience, discounted prices and easy information sharing, and enable enterprises to deliver more personalized customer service and offers.

But as geo-location services become more common, the paper warns that the need for data management and enterprise controls increases significantly.

Problems start to increase when a person’s personal information, such as gender, race, occupation and financial history, is combined with information from a GPS and geolocation tags, as the data can be used by criminals to identify an individual’s present or future location.

This raises the potential of threats ranging from burglary and theft to stalking and kidnapping.

“Geo-location is becoming more and more a real source of commercial and financial benefits for organisations, but unfortunately as with any technology that becomes popular, geo-location becomes also more and more interesting for hackers, scammers and spammers,” said Marc Vael, CISA, CISM, CGEIT, CISSP, ISACA's chair of the knowledge board and cloud computing task force.

“That is why this ISACA white paper is right on time to bring an independent but constructive view on the risks and issues, as well as and strategies to follow in order to use geo-location in a sensible manner”, he added.

According to the white paper, current current law does not articulate a stance on the privacy and security aspect of geo-location. Therefore, the paper asserts, it is uncertain whether enterprises have a legal obligation to the users and developers of the geo-location data.

The paper goes to note that, as the sophistication of the geo-location technologies themselves increases, along with the diversity of services built on them, there will be recurring topics and themes – and questions - that society will continue to consider and debate.

“Finding answers to these and other questions in the future should prove challenging, yet enlightening. The increasingly global nature of content and the migration of multimedia content distribution from typical broadcast channels to the Internet make geo-location a requirement for enforcing access restrictions, supporting fraud prevention, and providing the basis for traditional performance-enhancing and disaster recovery solutions”, the paper concludes.

What’s Hot on Infosecurity Magazine?