It’s coming to the end of 2010, and we may be starting to wonder what to expect in terms of new threats and related trends in 2011. I have to say that I don’t see total revolutions in the threats – just continuing evolutions of the same threats we have seen for years (and more or less for centuries).
So here’s my top of mind list:
a) More Zeus-like attacks, where sessions are hijacked. In 2011, expect to see PC device identification data and credentials stolen and copied so that criminals look just like the legitimate owner of the PC. This has already started but will increase substantially in 2011, so that PC fingerprinting or tagging on its own will be circumvented.
b) More proxying of phone services, so that criminals can fake the caller ID to make it look legitimate. This is already an attack method, but it will pick up in 2011.
c) Government agencies (e.g. the FTC in the U.S.) will require that browser companies institute features consumers can use to turn off tracking by web sites and services. (For example, Microsoft just announced such a feature in IE9.) However, these are impractical for consumers to manage and won’t be very useful.
d) Likewise, new government regulations in response to privacy concerns will move online advertising companies and networks to start relying on ‘clientless’ device fingerprinting technology instead of tagging PCs with files. (See our research on this if you are interested, for example “Privacy Concerns Collide with Flash Cookies”.)
e) Mobile devices will increasingly be used for fraud detection, so that payment services and banks can correlate mobile location information with other transaction information before making an authorization decision. (See the recent Visa announcement with Validsoft.)
f) More flash attacks that fly under the radar of bank fraud detection systems, forcing U.S. banks to move to stronger cardholder authentication (e.g. OTP, chip cards, or using the phone as a chip card).
g) More skimming at POS systems and unattended self-service terminals (e.g. gas pumps), sending the card companies and PCI Council into a tizzy over what to do about it.
h) Hijacking of workstation sessions that are used to apply for loans or credit cards at distributed user workstations.
i) More merchant account takeover, with refunds initiated from the compromised accounts to criminal accounts. Also, setting up fake merchant accounts and charging stolen cards for fake goods and services through them, in order to launder money via these fake merchant accounts.
j) And, of course, more targeted attacks against employee and internal accounts, going after sensitive systems (e.g. control systems) as much as data.
I’m sure we will see a lot more than just these, but these are the ones I’m expecting to see pick up in 2011.
Of course, all of this is good news for the innovative security firms that have good defenses to sell…