Every month I attend “Mobile Learning Lab” event. As the name suggests every event delves into one aspect of mobile (and recently wearables and Internet of Things) technology. This time the topic was on Mobile Security and I learned a few interesting things through expert panel speakers.
First, I learned that Verizon publishes an annual report on data breach. This report which is written wittily and is easy to read (thank goodness for that) gives you a clear picture on main security breaches across different industries and platforms (desktop, mobile, Internet of Things). The following graph shows the breach trends over the past 5 years and for me it was one of the most interesting graphs through out the report. As you see RAM scraping and Phishing are major and growing problems:
Verizon report, data breach trends
RAM scraping is the type of malware that mostly targets credit card numbers at point-of-sales (POS) systems during milliseconds that it’s stored unencrypted in the back-end server’s memory for processing the transaction. RAM scraping has been identified as the primary reason of of high-profile retail data breaches such as Target and Home Depot. While email has become an essential part of our day-to-day work activities, Phishing has also become one of the easiest ways for criminals to load malware to a computers and spread it around.
RAM scraping is the type of malware that mostly targets credit card numbers at point-of-sales (POS) systems during milliseconds that it’s stored unencrypted in the back-end server’s memory for processing the transaction. RAM scraping has been identified as the primary reason of of high-profile retail data breaches such as Target and Home Depot.
Often an attack takes advantage of multiple techniques to target a primary victim and use it to further the real attack on its final company. Case in point, Target breach started with a hacked vendor — a heating and air conditioning company that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. Few days later, Target announced that attackers had stolen more than 70 million customer email addresses. The report shows nearly 70% of the attacks takes place on companies to use their compromised servers in denial-of- service (DoS) attacks, host malware, or be repurposed for a phishing site in order to attack another company. How awful!
Mobile security (Android vs Apple)
One of interesting part of the report and the subsequent panel discussion was the lack of serious threats on mobile phones. Above graph showed the main trends in threats and attacks on Android or iOS ain’t one of them. A closer look at all these attacks showed that Android phones have been more targeted than iPhones but most of attacks are short lived (less than a month until they fade away). One reason for lack of threats is the huge diversity among consumers’ hardware as well as different running version of OS on hand held items. Penetrating these many different phones and systems where no real financial gain opportunity is available (and there are so many easier ways to do so) has made hackers wary of targeting phones.
However this doesn’t mean mobile is going to be a safe haven in the future. There is a good chance that enterprise mobile devices will be a good first target. Mostly because targeting one specific device model and OS will yield access to large population who’re using same or similar devices. Another area is older and more vulnerable protocols and technologies that have not been properly patched up. For example many companies are still using older (and often free) bluetooth technology that is very easy to penetrate. In fact Verizon report mentioned that 99.9% of vulnerability exploits happen more than a year after the vulnerability was disclosed!
In the end involving security/IT team into the product development process early on as well as informing and educating mobile users on how to use their phones safely will be the most effective in preventing further attacks.