Delfigo Security - Strong Authentication

Over the past 25 years, the cell phone has evolved from the one dimensional brick phones to the powerful smartphone technology of today. Estimates indicate that smartphone ownership will reach 43% of the US mobile population by 2015 with Gartner stating that sales of smartphones will reach 95 million in 2011. With ever increasing processing power, and hundreds of thousands of applications currently available, the smartphone has rapidly become the primary device for everyday access to social media, banking, commerce, shopping, and personal entertainment.

What is often lost in this love affair with mobility is that the smartphone presents the same level of risk as the PC. The rapid expansion of capabilities and acceptance of these devices as an essential element of our personal and professional life has regrettably coincided with an overall indifference to security. Convenience - in the moment, on the go convenience - trumps any concern for protection of assets. The average user has a wide variety of confidential private data stored on these very personal devices, and estimates show that 40% of business professionals carry sensitive business information as well.

Look no further than the recent articles on Zitmo or DroidDream to see that the risk is real. Zitmo, a variant of the Zeus Trojan, has been adapted to target phones running the Android OS. Users are tricked in to adding a “security component” that they assume comes from their bank, but is really malware. DroidDream, malware that initially exploited a bug in older versions of Android that resulted in 58 apps being pulled from the Android marketplace, recently resurfaced in 4 additional apps in July.

User indifference is often identified as a key part of the problem. The user fails to play the role that security managers expect them to play. They do this for an obvious reason; they do not want to be inconvenienced. Vendors that assume the user should play a key role in security strategy are missing an important element in developing, and implementing strong authentication solutions for the mobile user. The user does not want to be inconvenienced. Security should operate invisibly in the background and not in any way interfere with their user experience.

_______________________________________________

1. “Smartphone Malware Report” Raising Awareness of the Threats Affecting Mobile Devices

2. Zeus Banking Trojan Hits Android Phones

3. DroidDream Again Appears in Android Market Apps 

4. Smartphone Market Statisitcs

5. Research and Markets – Mobile Phone Biometric Security Report 

Security firm Trusteer has identified a new trojan they have named OddJob which keeps banking sessions open after banking customers believe they have logged off. From Trusteer:

We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”’, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets.  We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed. 

Information Week also reports the security firm F-Secure has found that a variant of the financial malware Zeus Mitmo is again active, this time targeting mobile phone customers of ING Bank in Poland. 

"Computers infected with a ZeuS Mitmo Trojan will inject a 'security notification' into the Web banking process, attempting to lure the user into providing their phone number," said Sean Sulllivan [of S-Secure]. "If a phone number is provided, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A." Clicking on the link then presents Symbian and BlackBerry users with Zeus Mitmo malware tailored to their smartphone.

The goal of Zeus Mitmo is to create fraudulent transactions using the mobile device, while subverting the bank's security procedures. In particular, the malware's mobile component creates a man-in-the-middle attack that steals the one-time password that some banks send via SMS to authorize a financial transaction, which are also known as mobile transaction authentication numbers (mTANs). By hijacking this security verification process, Zeus Mitmo disguises its fraudulent activities from users.

Information Week sites a new report that states there was a 654% increase in botnet victims in 2010!

The botnet market is both growing and consolidating. The top 10 botnets of 2010 -- based on total number of PCs compromised -- began the year with 22% market share, but grew to account for 57% of all botnet infections by the end of the year. Meanwhile, in the same timeframe, the number of unique botnet victims grew by 654%.

Much of this is the result of readily available botnet building toolkits. These crimeware toolkits such as MPack, Neosploit, Zeus, Nukesploit P4ck, and Phoenix compete with each other on the black market according to the Symantec Report on Attack Toolkits and Malicious Websites. Prewritten code allows those with limited skills to "to customize, deploy, and automate widespread attacks, such as command-and-control (C&C) server administration tools. As with a majority of malicious code in the threat landscape, attack kits are typically used to enable the theft of sensitive information or to convert compromised computers into a network of zombie bots (botnet) in order to mount additional attacks."

California's new law SB-1411, calls for criminal penalities for impersonating someone online:

"any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means, as specified, for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a misdemeanor." 

Source: ZDNet: Analysis: California's Online Impersonation Law, Effective January 1