Well, it’s that time of the year again. Scores of well-known gurus, security companies and a few mere mortals come out with their predictions on how cyber fraud will evolve in the coming 12 months. Sometimes these “prognoses” are limited to attaching “security threat” or “attack vector” to whatever technology is emerging – e.g. “more fraud on smart devices”, “cloud security threats” etc. Such predictions rest on the common principle that any new functionality is a potential security threat, and that fraud attempts are proportional to its popularity. Naturally, like any generalization, this approach has its limits… indeed, if a new functionality proves to have a higher bar for penetration than the existing ones, fraudsters will happily stick to the old, known methods without complicating their lives.
Having said that, I couldn’t resist the temptation myself, and came out with some prognosis of my own:
- Trojans will become more mature and deadly. User machines are becoming both the Holy Grail and the Weakest Link in the defense against cyber criminals. With the client machine compromised, most server-side anti-fraud technologies are useless – in some cases even 2FA may be circumvented (naturally, this also holds for client-side attacks like XSS or XSRF). There’s little hope that a remedy is within reach: the fraudsters’ trend of shifting their attention from relatively hardened OSes to the application layer (browser plugins, but also stand-alone applications like PDF readers) will continue to grow in 2011, resulting in a race the good guys may not be able to win.
- Phishing – i.e. tricking netizens into revealing their passwords, PII, SSNs and other information – is going to get more severe, taking spear-phishing attacks to mass production. Indeed, given the volume and availability of mass information (enough to mention the alleged 100 million Facebook accounts’ information put on a torrent), it’s only a matter of time before massive old-style phishing attacks (with a low success rate of around 0.1-0.3%) become more personal and targeted, and thus much more effective (the success rate may jump to 1-3%).
- Information Security – how long will it take governments and corporations to move to closed environments, with machines that have no burnable DVD drives or USB ports, hard drives living in clouds and isolated access to the public net (not to mention banning our smartphones at the workplace – since we could still take a picture of the screen and email it right away)? My take: forever. So WikiLeaks will continue making headlines, and more copycats of it will proliferate in 2011.
- IPv6 – most probably 2011 will be the first year in which IPv6 starts to be used in the wild (as the IPv4 free space will finally be depleted). Taking into account the general procrastination of big businesses (for whom security is an afterthought until it bites them in the a*s), they are going to be less prepared (to put it mildly) for the transition to IPv6 than the fraudster community. Now imagine all the IP filters, IP geolocation and other techniques that became mainstream, all the infrastructure tuned to IPv4 and built into the companies’ back-ends, starting to behave “strange” as soon as requests come in with IPv6 addresses. Subsequently, if these requests prove to be more effective at hiding fraud, guess how much (or little) time fraudsters will need to jump on the opportunity.
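To make the “behaves strange” failure mode concrete, here is an added example (my own illustration, not part of the original post) of an IPv4-era block-list check that silently fails open on IPv6 and IPv4-mapped IPv6 clients, beside a family-agnostic version that parses both. The block-list ranges and client addresses are constructed from the RFC documentation prefixes.

```python
import ipaddress
import re

# Constructed block list as an IPv4-era back-end might hold it (TEST-NET-3).
BLOCKED_NETWORKS_V4 = ["203.0.113.0/24"]
# The same list after the transition, with an IPv6 range (2001:db8::/32 is
# the documentation prefix; the /48 below is a constructed sub-range).
BLOCKED_NETWORKS = ["203.0.113.0/24", "2001:db8:bad::/48"]

_DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def legacy_is_blocked(client_ip: str) -> bool:
    """IPv4-only check typical of pre-transition infrastructure.

    Anything that is not a dotted quad never matches a range, so an IPv6
    client (or an IPv4 client arriving as ::ffff:a.b.c.d via a dual-stack
    listener) is allowed through: the filter fails open.
    """
    if not _DOTTED_QUAD.match(client_ip):
        return False
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.IPv4Network(n) for n in BLOCKED_NETWORKS_V4)


def hardened_is_blocked(client_ip: str) -> bool:
    """Family-agnostic check: parse either family, unwrap IPv4-mapped IPv6
    so existing IPv4 rules still apply, and fail closed on unparsable input."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return True
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership across families is simply False, so mixing ranges is safe.
    return any(addr in ipaddress.ip_network(n) for n in BLOCKED_NETWORKS)


def audit_divergence(client_ips):
    """Return the client addresses on which the two checks disagree; on a
    real back-end these are the requests that would have slipped past the
    IPv4-tuned filter after the IPv6 transition."""
    return [ip for ip in client_ips
            if legacy_is_blocked(ip) != hardened_is_blocked(ip)]
```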
- Smartphones – if anything, Android, being an inherently more open platform than iPhone OS. But overall I do not think we’ll witness any spectacular security breaches (including the use of smartphones as tools to commit fraud) just because of the obvious proliferation of smartphones; generally speaking they are safer than our desktops and laptops: harder to get hold of, harder to infect and inherently easier to locate (tied to a geolocation).
- Cloud computing – if anything, it’ll be increasingly leveraged by the bad guys to achieve their nefarious goals, rather than suffering breaches itself (e.g. data stolen from the cloud). Not that it’s impossible; I just think there are more readily available and easier-to-access means.
- Virtual currency – as much as its volumes are going through a spectacular growth period, there is a conceivable ceiling to their expansion, and so to the associated fraud. I don’t think it will become the Big Story of 2011, although the fraud will grow in proportion to the volume of virtual goods and services.
All of the above is more intuition than science, and naturally only time will show how right or wrong I am (fortunately, we don’t have to wait too long). Plus, many reputable specialists would disagree with my relatively low risk ranking of smartphones, clouds and virtual currency, which makes it even more intriguing and worth looking forward to.