
I found this bit about hazards uniquely faced by international travelers very interesting:

Q: Do you think organizations are understanding and taking the threat among these new mobile attack vectors seriously yet? Are security managers really getting it? Why or why not?

A: The most-security-aware organizations are taking these threats very seriously. They're destroying phones after taking them to hostile areas with known malicious carriers, they're limiting what information gets copied to the default inbox/contact list on devices, they're limiting what applications can be installed on devices which have access to enterprise infrastructure.

[...]

Q: In your presentation, you specifically referred to some of the threats mobile users are facing now while traveling internationally. What are you observing?

A: There are two major threat categories when it comes to international travel, the malicious foreign carrier and the enterprising private mobile attacker. These threats result from the fact that citizens of a foreign country generally have no rights to privacy and no official recourse if their information gets stolen while they are in the foreign country. I already spoke about how foreign carriers have total control over devices which are associated with their networks. Probably the most alarming thing we've seen happen in our tests is how foreign carriers can steal the cryptographic seed values from soft-tokens installed on smartphones. One take-away I'd love to get across to all of your readers is to never let soft-tokens become a solution to be relied on for organizations which have a large number of international travelers.

[...]

http://www.csoonline.com/article/print/733691

I'm wary of distortions, outright bullshit, and vague handwaving by security industry guys. As usual, interviewee Aaron Turner (of IntegriCell, formerly Idaho National Laboratory, formerly Microsoft security division) is vague about how code gets executed to do undesirable things.
Smartphone 'soft-tokens' means virtual dongles used for (supposed) two-factor authentication such as Symantec VIP or SecurEnvoy SecurAccess. Pity Turner doesn't say _how_ iOS, Android, and BlackberryOS yield 'total control over devices' to local carriers. Turner goes on, in the bit about international travelers, to talk about a cruise ship passenger who uses a cafe's WiFi in port, and 'the coffee shop owner has realized he can make more money selling your address book to spearfishers than he ever can make selling you even his most-expensive latte'. I'm intrigued, Mr. Turner. How does connecting a smartphone to a WAP give the WAP owner automatic access to the smartphone's address book? I'm used to assuming that networks are dangerous and untrustworthy and layering things trustworthy over them. Why is that approach not feasible with a smartphone -- or is Turner just another guy selling unnecessary gear to the rubes?