Surviving the Mobile Phenomenon: Identify At-Risk Mobile Devices Before it is Too Late


Transcript of Surviving the Mobile Phenomenon: Identify At-Risk Mobile Devices Before it is Too Late

© 2015 IBM Corporation


Jason Hardy, Worldwide Market Segment Manager, Mobile Security, IBM Security
Shaked Vax, Product Strategist, IBM Trusteer, IBM Security

IBM Mobile Security

Enterprise mobile trends

By 2017, mobile downloads will increase to 268 billion (Gartner).

By 2016, the number of smartphone users worldwide will surpass 2 billion (eMarketer).

“Enterprise mobility will continue to be one of the hottest topics in IT, and high on the list of priorities for all CIOs.” (Ovum)

“IT organizations will dedicate at least 25% of their software budget to mobile application development, deployment, and management by 2017.” (IDC)

As mobile grows, so do security threats

387 new threats every minute, or more than six every second (McAfee).

“With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner)

“Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)

Top mobile devices and apps hacked: 97% Android, 87% iOS (Arxan).

What concerns does this create for the enterprise?

Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”

• 32% are concerned about fraudulent transactions
• Only 18% can detect malware / jailbreaks
• 52% worry about application vulnerabilities
• Only 23% have tamper-proofing capabilities
• 50% say content and data leakage is their top security concern
• 60% use secure containers for data security
• 57% say a lost or stolen device is their top concern
• 60% use passcodes for device security

IBM Mobile Security Framework

Protect Devices
• Manage multi-OS BYOD environment
• Mitigate risks of lost and compromised devices

Secure Content and Collaboration
• Separate enterprise and personal data
• Enforce compliance with security policies

Safeguard Applications and Data
• Distribute and control enterprise apps
• Build and secure apps and protect them “in the wild”

Manage Access and Fraud
• Provide secure web, mobile, API access and identify device risk
• Meet authentication ease-of-use expectation

Extend Security Intelligence
• Extend security information and event management (SIEM) to mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management

IBM offerings shown on the slide: MobileFirst Protect (MaaS360); AppScan, Arxan, Trusteer Mobile SDK
Other products shown on the slide: AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana; HP Fortify, Veracode, Proguard; CA, Oracle, RSA

IBM Mobile Security Portfolio

• IBM Security Access Manager
• IBM DataPower Gateway
• IBM BigFix
• IBM MobileFirst Platform
• IBM MobileFirst Protect (MaaS360)
• IBM Security AppScan
• Arxan Application Protection for IBM Solutions
• IBM QRadar Security Intelligence Platform
• IBM Security Trusteer
• IBM Mobile Security Services

The mobile security challenge

Mobile malware is increasing: mobile malware grew 614% in just one year (2012 - 2013 Juniper Mobile Threat Report).

Mobile banking adoption rising: 33% of phone users use mobile banking, up 18% in one year (2014 Federal Reserve Survey).

End users fall victim to mobile attacks (press headlines):
• September 2012: Your smartphone will (eventually) be hacked
• March 2013: ‘Millions’ risk fraud and ID theft through mobile
• November 2013: Mobile: The Emerging Fraud Target. Attackers Will Shift Their Focus, Expert Says

Malware is out there

H1 2015 infection rates

Source: Trusteer Mobile Malware Threat Report, July 2015

Infection vector - Fake apps

Over 80,000 users have granted the apps permission to run on their browser, despite the warning that the games will receive full access to a player’s web activity.


Vulnerable devices


Mobile cybercrime underground


Example of underground price list

Item / Purpose / Price* / Pricing model
• Bot admin panel / Manage a botnet / $4000 down + $500 monthly fees / To rent
• MAZELTOV! / Malware spreading / $3000 / Service
• Spyware / Cyber-espionage / $7,000 / To own
• BANKIR / Financial information stealer / $5000 / To own
• X-iTmo / SMS 2FA interceptor / $715 / To rent (3 months)

*Prices in USD. Original prices are in USD or BTC.

Infection vectors of iPhones (without jailbreak)

• Apple provides an “Enterprise provisioning” program ($299/year, valid credit card, D-U-N-S)
• Distributed mostly via link (email/webpage/SMS) or USB
• Legitimate use
  – MDM providers and “alternative markets” to some degree
  – Other “alternative” markets (Emu4iOS, iNoCydia, …)
• Also used maliciously in APT/targeted attacks

Pop Quiz: Which of the below pop-ups is legit?

Understanding the mobile risk landscape

Mobile fraud risk vectors (from the customer side to the criminal side):

• Compromised & Vulnerable Devices: susceptible to suspicious apps & mobile malware
• Account Takeover via a Criminal Mobile Device: server-side device ID isn't effective for mobile devices
• Cross-Channel Attacks: credential theft from the desktop enables mobile fraud

Detecting Vulnerable & Compromised Devices

• Advanced rooted or jailbroken devices
  – New jailbreak techniques
  – Jailbreak and rooting evasion
• Mobile malware
  – SMS interceptors
  – Overlay attacks
  – Automated malware
  – Device rooters & data stealers
• Suspicious applications
• Unsecured wi-fi access

Example of mobile malware: real financial malware & ransomware

• Installing malicious app as “device admin”
• App prevents user from deleting it

Examples of mobile malware: screen injection - SVPENG

• Overlay on Russian bank login screen
• Overlay on Google Play

Account takeover via a criminal’s mobile device

• Server-side device ID is not effective for mobile devices
• Mobile devices share many identical attributes: the same OS, browser, fonts, etc.
• Cybercriminals can easily trick traditional device ID systems

Detecting criminal devices

Cross-channel attacks

• Cybercriminals convince users to supply their mobile phone number, via malware or phishing, so that an app can be installed on the phone
• Users install the fake security application and enter the activation code
• Malware captures all SMS traffic, including OTPs, and forwards it to the fraudsters, who use the captured OTP to pass authentication on fraudulent online transfers

Coordinated attacks across PC and mobile

Example of cross-channel attack

Coordinated attacks across PC and mobile

IBM Security Trusteer Mobile Solution set

Mobile device:
• Your mobile app with the Trusteer Mobile SDK
• Trusteer Mobile Browser

Trusteer backend:
• Trusteer Pinpoint Criminal Detection (TRX API)
• Cross channel risk factors
• Criminal device database

Customer:
• Website / web app and customer risk engine, fed with customer-provided device ID and risk data

Trusteer Mobile SDK: persistent device ID and device risk factors
• Jailbroken / rooted device
• Malware infection
• Suspicious geo-location
• Unpatched OS
• Unsecure Wi-Fi connection
• Suspicious apps
• Geo location
• SIM ID
• Device face down

Trusteer Mobile SDK: seamless authentication and risk detection

• Persistent client-side device ID
• Geo location
• Malware detection
• Jailbroken/rooted
• Suspicious applications
• Wi-Fi connection
• OS up-to-date
• SIM ID
• Device face down

* Some limitation with iOS

Example of access from a low-risk device

IBM Trusteer Mobile SDK reports to the mobile banking app:
• OS vulnerabilities detected
• Unsecure Wi-Fi detected
• Device is rooted
• Device face down

Low-risk detected: disable funds payment functionality.

Example of first-time access

IBM Trusteer Mobile SDK determines the device ID, a unique device ID persistent over app and OS reinstallation, derived from:
• MAC
• CPU
• IMEI
• Battery ID
• Chip ID

First-time access from the device: the mobile banking app requires out-of-band authentication.

Example of malware attack

IBM Trusteer Mobile SDK reports to the mobile banking app:
• Overlay malware detected - svpeng
• Root hider detected

Overlay attack detected: block access to application.

Developing more secure mobile banking applications

Imperatives / considerations: control maintenance costs, control development costs, time-to-market, customer experience, compliance.

Manage and enforce policy based on risk without customer impact: allow access, authenticate access, block access.

Detect risks at the device, application, and session level:

Device risks
• Malware infection
• Rooted / jailbroken
• Suspicious applications
• OS vulnerabilities
• Known criminal device

Application risks
• Application tampering
• Fake applications
• Overlay attacks

Session risks
• Unsecure Wi-Fi
• Unusual geo location
• Eavesdropping
• Pharming
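As an added example (not IBM's or Trusteer's code), the policy logic behind the three access outcomes and the low-risk, first-time and malware examples on the earlier slides, written in Python; the factor names, weights and threshold are assumptions made for this illustration:

```python
"""Risk-based access decision for a mobile banking back end.
Added illustration, not IBM or Trusteer code: maps the device, application
and session risk factors on the slides to allow / authenticate / block, plus
the "disable funds payment" restriction. Names, weights, threshold: assumed."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    AUTHENTICATE = "authenticate"   # step-up, e.g. out-of-band OTP
    BLOCK = "block"


# Factors that alone justify blocking (assumed policy): active attack
# tooling, a tampered or fake app, or a device already known as criminal.
BLOCKING_FACTORS = {"overlay_malware", "root_hider", "known_criminal_device",
                    "app_tampering", "fake_application"}
# Factors that raise risk but are tolerable with reduced functionality.
WEIGHTED_FACTORS = {"rooted_or_jailbroken": 2, "suspicious_apps": 2,
                    "unusual_geolocation": 2, "os_vulnerabilities": 1,
                    "unsecure_wifi": 1, "device_face_down": 1}


@dataclass
class RiskReport:
    device_id: str                # persistent client-side device ID
    factors: frozenset = frozenset()


@dataclass
class Decision:
    action: Action
    payments_enabled: bool
    reason: str


def evaluate(report: RiskReport, known_devices: set, threshold: int = 6) -> Decision:
    # Order: hard blocks, then first-time device step-up, then weighted score.
    blocking = sorted(report.factors & BLOCKING_FACTORS)
    if blocking:
        return Decision(Action.BLOCK, False, "blocking factors: " + ", ".join(blocking))
    if report.device_id not in known_devices:
        return Decision(Action.AUTHENTICATE, False, "first-time device: out-of-band auth")
    score = sum(WEIGHTED_FACTORS.get(f, 0) for f in report.factors)
    if score >= threshold:
        return Decision(Action.AUTHENTICATE, False, f"risk score {score} >= {threshold}")
    if score:
        return Decision(Action.ALLOW, False, f"low risk (score {score}): payments disabled")
    return Decision(Action.ALLOW, True, "no risk factors")
```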

The IBM Mobile Banking Security solution

Imperatives / considerations: control maintenance costs, control development costs, time-to-market, customer experience, compliance.

Policy management and control: policy definitions, policy enforcement.

IBM Trusteer Mobile SDK: detect risks at the device, application, and session level.

IBM MobileFirst Foundation: simplified development; manage and enforce policy based on risk without customer impact.

Fully integrated into the IBM MobileFirst Platform Development Environment

• Integrated security library
• Device ID persistent over app and OS
• Send risk data to server
• Analyze risk data
• Enforce policy

Trusteer Mobile Fraud Risk with ISAM context-based access

Diagram components: security updates; mobile device (your mobile app with the Trusteer Mobile SDK; Trusteer Mobile Browser with the Trusteer Mobile SDK); TRX; IBM Security Access Manager; on / off premises applications and data; customer.

Risk-based access with unique context from Trusteer including:
• Jailbroken / rooted
• Jailbreak hiders
• Persistent device ID
• Malware infection
• Unpatched OS
• Unsecure Wi-Fi
• Suspicious apps

Preventing non-secure browsers from connecting

• Decreasing the risk of malware, customize user experience & no application changes required
• Simple policy can be authored that directs users to a page notifying them that a secure browser is required

Example: Mobile Chrome Browser (non-secure)

Mobile malware & high-risk device detection and enforcement

• Reduce the risk of malware collecting sensitive data
• When connecting with registered web applications, Trusteer Mobile Browser will transmit in the HTTP request details about the connecting mobile device
• IBM Security Access Manager for Mobile will extract the details into a set of context attributes that are ready to be included in a policy

IBM MobileFirst Platform and IBM Trusteer solution highlights

• Captures persistent device ID and device, user and session risk factors
• Comprehensive fraud protection across mobile banking apps
• Fully integrated with your IBM MobileFirst Platform environment (formerly known as IBM Worklight)


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY