Mobile Devices 2013—The New Attack Vector for Distributed Denial of Service

Mobile Devices—The New Attach Vector for Distributed Denial of Service

The slate of distributed denial of service (DDoS) attacks in 2012 will be irrevocably seared into the memories of FI security professionals. The phenomenon is not new, but in response to private industry’s efforts to mitigate the effects of an attack, hackers have proven capable of developing increasingly sophisticated means of crippling IT infrastructure. Hackers will undoubtedly continue their nefarious activities, but the mobile device will provide a new attack vector that requires less technical prowess than those that recently brought FI websites to their knees.
Implementing defensive security techniques sufficiently limited the efficacy of most DDoS attacks over the past several years, but the hackers that targeted FIs in 2012 brought bigger guns to the fight. The use of each mitigation technique comes at a cost, some of which are purely financial in requisitioning the resources, whereas others can inadvertently divert valid web traffic. In seeking the right balance, FIs likely made certain compromises at the cost of security – which was compounded by the increased bandwidth utilized by FI user authentication solutions. FIs simply could not handle the amount of traffic generated by the techniques of the activist group Izz ad-Din al-Qassam29.  For hackers or groups without the sophistication to implement a similar attack, targeting mobile devices for use in DDoS attacks presents an attractive alternative.
Mobile devices have drawn the interest of hackers, as evidenced by the burgeoning number of malware being detected by security firms.  Of particular concern to the financial industry, mobile malware is beginning to evolve from programs that are designed to fatten the hacker’s wallet to ones that support more esoteric goals.  Popular hacking tools are being ported to Android which can be further “weaponized” to infect mobile devices for use in DDoS attacks.
According to mobile device owners surveyed by Javelin, security software is deployed on 33% of smartphones and 29% of tablets (see Figure 6), which means hackers have potential access to over 102 million unprotected devices. Considering the always-on nature of many devices, advances in processor design and the race to provide greater wireless network bandwidth, mobile devices represent an opportunity to replicate the success of the FI DDoS attacks of 2012 – this type of attack could conceivably generate the same volume of website-clogging traffic.
Over Two-Thirds of Smartphone and Tablet Owners Do Not Protect Their Devices from Viruses and Malware
Figure 6: Use of Antivirus and Antimalware by Smartphone and Tablet Owners, 2011
Unfortunately, attempts to increase network capacity while disallowing questionable traffic often results in increased costs and a diminished experience for legitimate consumers who are mistakenly denied access to an organization’s website.  A kneejerk response to continue the IT security arms race, should the scenario of mobile DDoS ensue, need not be inevitable.

The slate of distributed denial of service (DDoS) attacks in 2012 will be irrevocably seared into the memories of FI security professionals. The phenomenon is not new, but in response to private industry’s efforts to mitigate the effects of an attack, hackers have proven capable of developing increasingly sophisticated means of crippling IT infrastructure. According to Javelin’s newly published report-10 Trends for Financial Services in 2013in the coming year, hackers will undoubtedly continue their nefarious activities. But the mobile device will provide a new attack vector that requires less technical prowess than those that recently brought FI websites to their knees.

Implementing defensive security techniques sufficiently limited the efficacy of most DDoS attacks over the past several years, but the hackers that targeted FIs in 2012 brought bigger guns to the fight. The use of each mitigation technique comes at a cost, some of which are purely financial in requisitioning the resources, whereas others can inadvertently divert valid web traffic. In seeking the right balance, FIs likely made certain compromises at the cost of security – which was compounded by the increased bandwidth utilized by FI user authentication solutions. FIs simply could not handle the amount of traffic generated by the techniques of the activist group Izz ad-Din al-Qassam.  For hackers or groups without the sophistication to implement a similar attack, targeting mobile devices for use in DDoS attacks presents an attractive alternative.

Mobile devices have drawn the interest of hackers, as evidenced by the burgeoning number of malware being detected by security firms.  Of particular concern to the financial industry, mobile malware is beginning to evolve from programs that are designed to fatten the hacker’s wallet to ones that support more esoteric goals.  Popular hacking tools are being ported to Android which can be further “weaponized” to infect mobile devices for use in DDoS attacks.

According to mobile device owners surveyed by Javelin, security software is deployed on 33% of smartphones and 29% of tablets (see Figure 6), which means hackers have potential access to over 102 million unprotected devices. Considering the always-on nature of many devices, advances in processor design and the race to provide greater wireless network bandwidth, mobile devices represent an opportunity to replicate the success of the FI DDoS attacks of 2012 – this type of attack could conceivably generate the same volume of website-clogging traffic.

Javelin.Smartphone.TabletAdoption.2012


Unfortunately, attempts to increase network capacity while disallowing questionable traffic often results in increased costs and a diminished experience for legitimate consumers who are mistakenly denied access to an organization’s website.  A knee-jerk response to continue the IT security arms race, should the scenario of mobile DDoS ensue, need not be inevitable.

For more on the  DDoS for mobile devices in 2013, see Javelin’s report–-10 Trends for Financial Services in 2013.

Category: Mobile, Security, Risk & Fraud

Tagged:      , , , , ,

Leave a Reply