SESSION ID: MBS-F02
#RSAC
The State of End-User Security: Global Data from 30,000+ Websites
Andreas Baumhof
Chief Technology Officer, ThreatMetrix Inc.
@abaumhof
Goal of this talk
Everybody talks mobile, but do we really know what’s out there? What is hype, what is myth?
Provide detailed data that will help you
Differentiate theoretical attacks from reality
Understand the risk surface you are facing
Make more informed decisions for your mobile strategy
ThreatMetrix Digital Identity Network
All data presented in this talk is powered by the ThreatMetrix Digital Identity Network
Digital Identity Network
Consists mainly of Financial Services, Online Retailers and Social Media sites
Main use cases are account logins (76%), payments (21%) and account creations (3%)
Global data from every single country
In short: It is representative data
Explosion of mobile transactions
Mobile share of transactions
Mobile Statistics for Top Digital Nations
Mobile Transaction Trends - Daily
Threat view
2004 – First virus for mobile (Cabir)
Security is not an afterthought anymore
So why is this skyrocketing?
Number of unique new mobile malware strains released per year (e = estimate):

Year   Strains
2011   792
2012   14,259
2013e  89,556
2014e  403,002
2015e  1,612,008
2016e  5,158,426
2017e  11,864,379

Source: McAfee Labs, Aite Group
Software with the most vulnerabilities in 2015
Source: http://www.cvedetails.com/
In iOS 9: 4 CVEs with impact "Visiting a maliciously crafted website may lead to arbitrary code execution"
Mobile traffic is different
Traditional security measures don't work as well as they did in the past
Most high-risk transactions are still from the non-mobile channel
Browser spoofing is one of the most common "attacks"
Browser spoofing is significantly higher on mobile than on non-mobile
Detailed statistics
Mobile and Non-mobile OS is converging
Data is for all transactions, not just mobile transactions
iOS is leading the charge
Reversed picture if we look at the high-risk transactions
Jailbroken devices
Jailbreak detection methods
Most common identifiers for a jailbreak:
file:///private/var/lib/cydia
file:///private/var/stash
file:///private/var/lib/apt
Beware though:
You would miss 65% of jailbroken devices if you "just" focus on these paths
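The slide gives three marker paths and warns that checking only those misses most jailbroken devices. The following is an added example, not ThreatMetrix's detector and not code from the talk. It layers the three paths from the slide with other widely used signals that are assumptions added here: a few extra marker paths, a write probe outside the app sandbox, and the /Applications symlink left by many jailbreaks. It is written in Python so it can be exercised against a constructed directory tree through the `root` parameter; on a real device the same checks run in the app's native code with root "/", and the "cloaked" case below is the one the slide's 65% figure is about: markers hidden, but the sandbox still does not hold.

```python
"""Layered jailbreak check (added example; not ThreatMetrix's detector).

The three marker paths from the slide are included. The extra markers, the
sandbox write probe and the /Applications symlink test are common signals
added here as assumptions. The `root` parameter exists only so the logic
can run against a constructed directory tree; on a device it is "/".
"""
import os
import tempfile

MARKER_PATHS = [
    "/private/var/lib/cydia",     # from the slide
    "/private/var/stash",         # from the slide
    "/private/var/lib/apt",       # from the slide
    "/Applications/Cydia.app",    # assumed extra
    "/bin/bash",                  # assumed extra
    "/usr/sbin/sshd",             # assumed extra
]


def _under(root, path):
    """Map an absolute device path onto the (possibly constructed) root."""
    return os.path.join(root, path.lstrip("/"))


def jailbreak_indicators(root="/"):
    """Return the indicators that fired, in evaluation order."""
    hits = []

    # 1. Marker files. Root cloakers hide exactly these paths, which is why
    #    a detector that stops here misses a large share of devices.
    for marker in MARKER_PATHS:
        if os.path.exists(_under(root, marker)):
            hits.append("marker:" + marker)

    # 2. Sandbox probe: a sandboxed app cannot write outside its container;
    #    on a jailbroken device the write usually succeeds.
    probe = _under(root, "/private/jailbreak_probe.txt")
    try:
        with open(probe, "w") as fh:
            fh.write("probe")
        os.remove(probe)
        hits.append("sandbox_write")
    except OSError:
        pass

    # 3. Many jailbreaks move /Applications to /var/stash and leave a symlink.
    if os.path.islink(_under(root, "/Applications")):
        hits.append("applications_symlink")

    return hits


def is_jailbroken(root="/"):
    return bool(jailbreak_indicators(root))


def build_demo_root(markers=(), writable_private=False):
    """Constructed fixture: a temp dir standing in for a device filesystem."""
    root = tempfile.mkdtemp(prefix="jb_demo_")
    if writable_private:
        os.makedirs(os.path.join(root, "private"), exist_ok=True)
    for marker in markers:
        os.makedirs(_under(root, marker), exist_ok=True)
    return root


if __name__ == "__main__":
    # Classic jailbreak: markers present and the sandbox does not hold.
    print(jailbreak_indicators(build_demo_root(["/private/var/lib/apt"])))
    # Cloaked jailbreak: markers hidden, but the write probe still fires.
    print(jailbreak_indicators(build_demo_root(writable_private=True)))
    # Stock device: nothing fires.
    print(jailbreak_indicators(build_demo_root()))
```

Treat the result as a list of signals to feed into a risk score rather than a single boolean: a cloaker that hides the marker paths leaves the sandbox probe untouched, and a device where only one weak signal fires deserves a different decision than one where all three do.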
How are people connecting?
Location is important
On a native mobile device, location can be obtained in many ways
GPS
IP (True IP, DNS IP, …)
Signal strength
How accurate is the IP Address Location?
Connection type: Cellular
How accurate is the IP Address Location?
Connection type: Wifi
IP Address Anomalies
Interesting anomalies can be found by interrogating the IP address of the device and comparing it to the IP address of the DNS server it uses:

IP geo     DNS IP geo
Russia     USA
Ukraine    USA
USA        Russia
USA        Iran, Islamic Republic of
…          …
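The comparison above as runnable logic, added here as an example and not code from the talk or from ThreatMetrix. Two things are assumptions: the prefix-to-country table is a constructed stand-in for a real GeoIP database (documentation address ranges, not real allocations), and the allowlist of public anycast resolvers is added because a resolver such as 8.8.8.8 geolocates to its operator's country no matter where the user sits, so a "Russia / USA" pair on Google DNS is not by itself an anomaly.

```python
"""Device IP vs DNS resolver IP geolocation mismatch (added example; not
ThreatMetrix code). GEO_TABLE is a constructed prefix table standing in for
a real GeoIP database, and PUBLIC_RESOLVERS is an assumed allowlist of
anycast resolvers, whose geolocation says nothing about where the user is."""
import ipaddress

# Constructed mapping on documentation ranges; not real allocations.
GEO_TABLE = [
    ("203.0.113.0/25",   "Russia"),
    ("203.0.113.128/25", "USA"),
    ("198.51.100.0/24",  "Ukraine"),
    ("192.0.2.0/24",     "Iran, Islamic Republic of"),
]
_NETS = [(ipaddress.ip_network(net), country) for net, country in GEO_TABLE]

# Assumed allowlist: widely used anycast resolvers.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def geo(ip):
    """Country for an IP from the constructed table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in _NETS:
        if addr in net:
            return country
    return None


def dns_geo_anomaly(device_ip, dns_ip):
    """Return (device_geo, dns_geo) when the two disagree, else None."""
    if dns_ip in PUBLIC_RESOLVERS:
        return None  # anycast: the resolver's country is not the user's
    device_geo, dns_geo = geo(device_ip), geo(dns_ip)
    if device_geo is None or dns_geo is None:
        return None  # cannot judge without both locations
    if device_geo == dns_geo:
        return None
    return (device_geo, dns_geo)


def flag_sessions(sessions):
    """sessions: iterable of (session_id, device_ip, dns_ip)."""
    flagged = []
    for session_id, device_ip, dns_ip in sessions:
        anomaly = dns_geo_anomaly(device_ip, dns_ip)
        if anomaly:
            flagged.append((session_id, anomaly[0], anomaly[1]))
    return flagged


# Constructed sessions mirroring the rows on the slide.
SESSIONS = [
    ("s1", "203.0.113.10",  "203.0.113.20"),   # Russia / Russia: normal
    ("s2", "203.0.113.10",  "203.0.113.200"),  # Russia / USA: anomaly
    ("s3", "203.0.113.200", "192.0.2.5"),      # USA / Iran: anomaly
    ("s4", "198.51.100.7",  "8.8.8.8"),        # Ukraine on Google DNS: not flagged
]

if __name__ == "__main__":
    for row in flag_sessions(SESSIONS):
        print(row)
```

The DNS resolver IP is only observable if the page or app triggers a lookup of a per-session hostname against an authoritative server you control; the device IP and the resolver IP then arrive on two different channels, which is what makes the mismatch hard for an attacker to keep consistent.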
Other anomalies (Xposed)
Still on a very low level (< 0.1%), but growing
Device Encryption
Android only
Surprisingly, mobile app transactions represent more high-risk transactions
Myths / Assumptions
Operating systems are converging
Windows 10
Mac OS X – iOS
Android – Chrome
When is an OS a mobile OS?
Different OS’s have different attack surface
No surprise
Ecosystem: the mobile ecosystem is much more diverse
Jailbreaking
Jailbroken devices are not as commonly used on a global scale
But they do represent a significantly higher risk if they are being used
OS anomalies
There are plenty of anomalies in mobile traffic that are there for the taking, for example:
Browser string vs. TCP fingerprint
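The browser-spoofing slides earlier in the deck and the "browser string vs. TCP fingerprint" item here describe the same check: the OS a User-Agent claims against the OS the packets actually came from. The deck names the check but not a method, so the following is an added example, not ThreatMetrix code, using one coarse but reliable TCP/IP signal, the IP TTL. Windows stacks send with an initial TTL of 128 while Linux, Android, iOS and macOS use 64, and every router hop decrements it by one, so the server rounds the observed value up to the nearest initial value to recover the stack family. Production fingerprinters (p0f and similar) also use window size, MSS and option order; the hop-count sanity limit and the sample records are constructed assumptions.

```python
"""Browser string vs TCP fingerprint (added example; not ThreatMetrix code).

Compares the OS family a User-Agent claims with the family implied by the IP
TTL observed at the server. Initial TTLs (Windows 128; Linux, Android, iOS,
macOS 64) are stack defaults; the hop-count limit and the records are
constructed for this example."""
import re

CANDIDATE_INITIAL_TTLS = (64, 128, 255)
MAX_PLAUSIBLE_HOPS = 32  # assumption: anything beyond this is not a real path


def claimed_family(user_agent):
    """OS family the User-Agent claims: 'windows', 'unix' or None."""
    if "Windows NT" in user_agent or "Windows Phone" in user_agent:
        return "windows"
    if re.search(r"iPhone|iPad|Android|Macintosh|Linux|CrOS", user_agent):
        return "unix"
    return None


def ttl_family(observed_ttl):
    """OS family implied by the TTL seen at the server, or None."""
    for initial in CANDIDATE_INITIAL_TTLS:
        if observed_ttl <= initial:
            if initial - observed_ttl > MAX_PLAUSIBLE_HOPS:
                return None
            # 255 is used by network gear and some BSDs, not by browser OSes.
            return {64: "unix", 128: "windows"}.get(initial)
    return None


def ua_ttl_anomaly(user_agent, observed_ttl):
    """Return (claimed, observed) when they disagree, else None."""
    claimed = claimed_family(user_agent)
    observed = ttl_family(observed_ttl)
    if claimed is None or observed is None or claimed == observed:
        return None
    return (claimed, observed)


def flag_records(records):
    """records: iterable of (record_id, user_agent, observed_ttl)."""
    flagged = []
    for record_id, user_agent, ttl in records:
        anomaly = ua_ttl_anomaly(user_agent, ttl)
        if anomaly:
            flagged.append((record_id, anomaly[0], anomaly[1]))
    return flagged


IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X) AppleWebKit/601.1"
WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36"

# Constructed records: r2 claims iPhone but arrives from a 128-TTL stack.
RECORDS = [
    ("r1", IPHONE_UA, 52),
    ("r2", IPHONE_UA, 116),
    ("r3", WINDOWS_UA, 115),
    ("r4", ANDROID_UA, 57),
]

if __name__ == "__main__":
    print(flag_records(RECORDS))
```

The User-Agent is a string the client chooses; the TTL is set by the kernel that actually emitted the packet, which is why a desktop tool pretending to be an iPhone is caught by r2 while a genuine iPhone behind a dozen hops (r1) is not. Proxies and VPNs terminate the TCP connection and re-emit it from their own stack, so treat a mismatch as a risk signal to combine with the other device data in this deck, not as proof on its own.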
Take advantage of additional information from mobile devices
Mobile Location
IP Address Location
DNS IP Address Location
Hardware / GPS Location
Carrier Location
Huge amount of forensics information available
Jailbreak detection
Root Cloaking detection
OS anomalies
Mobile App Integrity
Mobile App Reputation
Conclusion
Mobile is part of the omni-channel
Rich data + advanced models = win