RSA has produced an interesting report “The Current State of Cybercrime 2014: An Inside Look at the Changing Threat Landscape.” The report claims that “phishing,” using various techniques to get people to reveal their usernames and passwords, resulted in $5.9 billion in losses in 2013. Data fraud is clearly a big business.
RSA identified four trends it expects to see in 2014:
- Mobile threats will become more sophisticated and pervasive
- Bitcoin’s popularity will make it more of a target for theft; growth in private virtual currencies to facilitate cybercrime
- Increasing sophistication of malware
- Mobile will redefine user authentication
Growth in Mobile Threats to Data Security
Over a billion smartphones were shipped in 2013, far outstripping the roughly 318 million PCs shipped worldwide. As internet users migrate to portable devices, cyber thieves follow. The report cites a Trend Micro report claiming there are 1.4 million malicious or high-risk Android apps, many of them fake, malicious versions of popular legitimate apps. There have even been cases of Android-based devices shipping with malicious apps pre-installed: somehow cybercriminals managed to penetrate the supply chain and install malware on brand-new phones.
“SMS sniffers” are also becoming increasingly common and sophisticated. Such tools allow cyber thieves to hijack the “secondary authentication” some banks use for high-risk transactions, in which a one-time password is sent to the customer’s phone by SMS text message.
Bitcoin and Other Virtual Currencies
Bitcoin has been growing in popularity and acceptance. It is being accepted for payment by gaming outlets and retailers including Overstock and Zynga; last year the currency was also recognized as a “legal private currency” by the government of Germany and was subjected to taxation.
As is the case with smartphones, increasing popularity also means increasing attention from hackers and cyber thieves.
Cybercriminals are increasingly turning to “forum-specific currencies” that are only accessible to members of the forum to facilitate their illegal transactions, for example selling malware or selling credit card information.
Increasing sophistication of malware
Cybercriminals frequently rely on “botnets” to launch attacks on websites. “Botnet” is a term coined by combining “robot” and “network.” The malware installed on the computers in a botnet turns them into “zombie computers” that obey remote orders without question. New generations of botnet malware are getting better at hiding and protecting themselves.
There is an ongoing “arms race” between cybercriminals and corporations; the criminals launch attacks using one set of tools, industry adapts to those tools, and the criminals change their methodology.
Malware is increasingly being found on point-of-sale terminals, allowing for the theft of credit card information.
Mobile and User Authentication
The report identifies the same “password problems” that we identified in our report “For Data Security, Employees Are the Weakest Link.” Consumers can’t keep track of all of their different “digital identities,” so they act like humans: reusing passwords, using simple passwords that they can remember, and so on. Those habits expose the “digital identities” to great risk and facilitate the theft of sensitive information.
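The two habits named above, short memorable passwords and reuse across sites, are exactly what an automated credential manager is meant to remove. The following added example (not code from the RSA report or from PACid) shows the defender’s side of that point: it generates a distinct high-entropy credential per site, estimates how many bits of guessing resistance each one carries, and refuses to store a credential that is already in use for another site. The site names and the 128-bit target are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed policy assumptions: a 96-character alphabet and a target of
# at least 128 bits of entropy per credential.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
TARGET_BITS = 128


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Upper-bound guessing entropy for a uniformly random password drawn
    from `alphabet`: length * log2(alphabet size). A human-chosen password
    is usually far below this bound, but a generated one reaches it."""
    return len(password) * math.log2(len(alphabet))


def generate_credential(alphabet: str = ALPHABET, target_bits: int = TARGET_BITS) -> str:
    """Generate a random credential long enough to meet the entropy target.
    `secrets` uses the OS CSPRNG, unlike `random`."""
    length = math.ceil(target_bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


class CredentialStore:
    """Minimal per-site credential store that enforces 'never reused'."""

    def __init__(self) -> None:
        self._by_site: dict[str, str] = {}

    def enroll(self, site: str) -> str:
        """Create and store a fresh credential for `site`; regenerate on the
        (astronomically unlikely) event of a collision with another site."""
        while True:
            cred = generate_credential()
            if cred not in self._by_site.values():
                self._by_site[site] = cred
                return cred

    def set_manual(self, site: str, password: str) -> None:
        """Accept a user-supplied password only if it is not already used for
        another site and it meets the entropy target."""
        if any(p == password and s != site for s, p in self._by_site.items()):
            raise ValueError(f"password for {site!r} is reused from another site")
        if entropy_bits(password) < TARGET_BITS:
            raise ValueError(f"password for {site!r} has too little entropy")
        self._by_site[site] = password

    def reused(self) -> list[tuple[str, str]]:
        """Return pairs of sites that share a credential (should be empty)."""
        seen: dict[str, str] = {}
        dupes = []
        for site, cred in self._by_site.items():
            if cred in seen:
                dupes.append((seen[cred], site))
            seen.setdefault(cred, site)
        return dupes


def demo() -> dict:
    """Constructed walkthrough: two generated credentials are unique and
    strong; a reused human password is rejected."""
    store = CredentialStore()
    a = store.enroll("bank.example")       # constructed site name
    b = store.enroll("shop.example")       # constructed site name
    try:
        store.set_manual("mail.example", "Summer2013!")  # typical human choice
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    return {
        "distinct": a != b,
        "bits_ok": entropy_bits(a) >= TARGET_BITS and entropy_bits(b) >= TARGET_BITS,
        "reused_pairs": store.reused(),
        "weak_rejected": weak_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The check in `set_manual` is what a password-policy layer would apply at enrollment time; the `reused()` audit is what an administrator would run over an existing store. Both depend on holding the credentials in plaintext, which a client-side manager does, whereas a server storing salted hashes cannot detect reuse across accounts this way.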
The report forecasts an increase in alternatives to passwords for authentication:
Using cost-effective technologies built into those mobile devices, such as the camera, speaker, accelerometer, fingerprint sensor and geo-location to enhance authentication also enables a more convenient user experience.
PACid Technology and the Cyber-Threats of 2014
Really winning the battle against the cybercriminals requires more than continuing the same old “arms race.” What’s needed is a new paradigm. PACid’s Bolt-on Strong Security (BoSS) is a revolutionary new way to manage data security. PACid’s patented technology provides the following benefits:
- People are no longer the “weak link” in data security as username/password management is handled automatically with long, complex credentials that are never reused.
- Not vulnerable to “phishing” attacks because users never directly log in to sites and don’t know, and never access, the Master Secrets used in authentication/encryption.
- Not vulnerable to brute force attacks because credentials are long, complex, and never reused.
- Not vulnerable to “man in the middle” attacks because there is no TLS or SSL exchange.
- Not vulnerable to “hijacking” attacks because the system will only respond to local inputs.
- Not vulnerable to keystroke logging because the username and password the user enters are not entered directly on a PC.
Instead of Band-Aids on vulnerable and leaky technology, what’s needed is a new approach to data security. The cost of implementing PACid’s game-changing technology would be a small fraction of the current losses to cybercriminals.