
The State of End-User Security—Global Data from 30,000+ Websites

Date post: 14-Apr-2017
Upload: priyanka-aash
SESSION ID: MBS-F02 #RSAC

Andreas Baumhof, Chief Technology Officer, ThreatMetrix Inc. (@abaumhof)

Goal of this talk

Everybody talks mobile, but do we really know what’s out there? What is hype, what is myth?

Provide detailed data that will help you

To differentiate theoretical attacks from reality

Understand the risk surface you are facing

Enable you to make more informed decisions for your mobile strategy

ThreatMetrix Digital Identity Network

All data presented in this talk is powered by the ThreatMetrix Digital Identity Network

Digital Identity Network

Consists mainly of Financial Services, Online Retailers and Social Media sites

Main use cases are account logins (76%), payments (21%) and account creations (3%)

Global data from every single country

In short: It is representative data

Explosion of mobile transactions

Mobile share of transactions

Mobile Statistics for Top Digital Nations

Mobile Transaction Trends - Daily

Threat view

2004 – First virus for mobile (Cabir)

Security is not an afterthought anymore

So why is this skyrocketing?

Number of Unique New Mobile Malware Strains Released Per Year

Year     New strains
2011     792
2012     14,259
e2013    89,556
e2014    403,002
e2015    1,612,008
e2016    5,158,426
e2017    11,864,379

Source: McAfee Labs, Aite Group

Software with the most vulnerabilities in 2015

Source: http://www.cvedetails.com/

In iOS 9: 4 CVEs with impact: “Visiting a maliciously crafted website may lead to arbitrary code execution”

Mobile traffic is different

Traditional security measures don’t work as well as they did in the past

Most high risk transactions are still from the non-mobile channel

Browser spoofing is one of the most common “attacks”

Browser spoofing is significantly higher on mobile than on non-mobile

Detailed statistics

Mobile and Non-mobile OS is converging

Data is for all transactions, not just mobile transactions

iOS is leading the charge

Reversed picture if we look at the high risk transactions

Jailbroken devices

Jailbreak detection methods

Most common identifiers for jailbreak

file:///private/var/lib/cydia

file:///private/var/stash

file:///private/var/lib/apt

Beware though

You would miss 65% of jailbreak detections if you “just” focus on these

How are people connecting?

Location is important

On a native mobile device, location can be obtained in many ways

GPS

IP (True IP, DNS IP, …)

Signal strength

How accurate is the IP Address Location?

Connection type: Cellular

How accurate is the IP Address Location?

Connection type: Wi-Fi

IP Address Anomalies

Interesting anomalies can be found by interrogating the IP address of the device and comparing it to the IP address of the DNS server it uses

IP Geo     DNS IP Geo
Russia     USA
Ukraine    USA
USA        Russia
USA        Iran, Islamic Republic of
…          …
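
The IP-versus-DNS comparison described above, as an added example that is not from the talk or from ThreatMetrix: it flags transactions whose client IP country differs from the country of the DNS resolver the client used, and tallies the mismatching pairs in the same shape as the table. The record fields (`ip_geo`, `dns_geo`), the sample records and the rule that a missing value counts as unknown are assumptions.

```python
from collections import Counter

# Constructed sample transactions (not data from the talk). The country fields
# are assumed to come from a geolocation lookup you already run on the client
# IP and on the resolver IP observed for that client.
SAMPLE = [
    {"id": "t1", "ip_geo": "US", "dns_geo": "US"},
    {"id": "t2", "ip_geo": "RU", "dns_geo": "US"},
    {"id": "t3", "ip_geo": "US", "dns_geo": "RU"},
    {"id": "t4", "ip_geo": "UA", "dns_geo": "US"},
    {"id": "t5", "ip_geo": "US", "dns_geo": None},   # resolver not observed
    {"id": "t6", "ip_geo": "RU", "dns_geo": "US"},
    {"id": "t7", "ip_geo": "de", "dns_geo": "DE "},  # same country, messy input
]

def _norm(country):
    """Normalise a country code; None or empty means 'unknown'."""
    c = (country or "").strip().upper()
    return c or None

def classify(txn):
    """Return 'match', 'mismatch' or 'unknown' for one transaction."""
    ip_geo, dns_geo = _norm(txn.get("ip_geo")), _norm(txn.get("dns_geo"))
    if ip_geo is None or dns_geo is None:
        return "unknown"  # missing data is not evidence of an anomaly
    return "match" if ip_geo == dns_geo else "mismatch"

def mismatch_pairs(txns):
    """Count (IP geo, DNS IP geo) pairs over mismatching transactions."""
    pairs = Counter()
    for t in txns:
        if classify(t) == "mismatch":
            pairs[(_norm(t["ip_geo"]), _norm(t["dns_geo"]))] += 1
    return pairs.most_common()  # most frequent pair first

def mismatch_rate(txns):
    """Share of transactions with both geos known whose geos disagree."""
    known = [c for c in map(classify, txns) if c != "unknown"]
    return known.count("mismatch") / len(known) if known else 0.0

if __name__ == "__main__":
    for (ip_geo, dns_geo), n in mismatch_pairs(SAMPLE):
        print(f"{ip_geo:>3} -> {dns_geo:<3} {n}")
    print(f"mismatch rate: {mismatch_rate(SAMPLE):.0%}")
```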

Other anomalies (Xposed)

Still on a very low level (< 0.1%), but growing

Device Encryption

Android only

Surprisingly, mobile app transactions represent more high risk transactions

Myths / Assumptions

Operating systems are converging

Windows 10

Mac OS/X – iOS

Android – Chrome

When is an OS a mobile OS?

Different OSes have different attack surfaces

No surprise

Ecosystem

Mobile ecosystem is much more diverse

Jailbreaking

Jailbroken devices are not as commonly used on a global scale

But they do represent a significantly higher risk if they are being used

OS anomalies

There are plenty of anomalies with mobile traffic that are there for the taking

Browser-string vs TCP fingerprint

Take advantage of additional information from mobile devices

Mobile Location

IP Address Location

DNS IP Address Location

Hardware / GPS Location

Carrier Location

Huge amount of forensics information available

Jailbreak detection

Root Cloaking detection

OS anomalies

Mobile App Integrity

Mobile App Reputation

Conclusion

Mobile is part of the omni-channel

Rich data + advanced models = win