Contactless Technology Attacks Threaten Individuals, Businesses

Hackers know people are using their mobile devices now more than ever.

Edward Gately, Senior News Editor

August 14, 2020

With COVID-19-related social distancing requirements, contactless technology like quick response (QR) codes is skyrocketing in popularity and frequency of use. But contactless technology also poses a threat to users who are less familiar with its risks and more curious to scan the codes.

Contactless technology attack vectors typically include QR codes, barcodes and magstripes on credit cards and ID cards. A hacker can embed a malicious URL containing custom malware into a QR code. When the code is scanned, the malware could then exfiltrate data from the victim’s device.

A malicious URL in a QR code could also direct victims to a phishing site. The site then encourages them to divulge banking or other personal information, which the hackers could then steal.

To learn more about the threat posed by contactless technology, we spoke with Alex Mosher, MobileIron’s global vice president of solutions. He also talks about how unified endpoint management (UEM) can help stop contactless technology attacks.

MobileIron’s phishing protection for iOS and Android devices now detects and remediates phishing attacks across all mobile threat vectors.

Channel Futures: Have attacks involving contactless technology increased during the pandemic?

Alex Mosher: I don’t necessarily think there has been a greater volume of contactless attacks, but we’ve seen an increase in attacks across other mobile threat vectors during the pandemic. Hackers know that people are using their mobile devices – and in many cases, their own unsecured devices – more than ever before to connect with others, complete online payments and access corporate data. That’s why they are increasingly targeting mobile devices and applications with sophisticated attacks. I expect we’ll continue to see mobile attacks trend upward as the pandemic continues to surge.

CF: Do contactless technology attacks threaten both individuals and businesses? If so, how?

AM: Yes, contactless attacks threaten both individuals and businesses. A contactless attack on your mobile device could not only result in your personal information being compromised, but it could potentially weaponize that device against your company and result in sensitive corporate data being leaked. That’s why enterprises need to ensure mobile devices that have access to business resources are secure.

CF: Why are so many mobile users left unprotected from these types of attacks?

AM: It’s easy to manipulate users on mobile devices because people interact with mobile devices much differently than they do with laptops and desktops. For example, the mobile user interface prompts users to take immediate actions, while limiting the amount of information available due to small screen size. That’s why being able to stop attacks on mobile devices is incredibly important.

CF: Can MSSPs and other cybersecurity providers help prevent contactless technology attacks? If so, how?

AM: MSSPs and other cybersecurity providers need to help today’s companies rethink their security strategies to focus on the technology at the center of the everywhere enterprise: mobile devices. A mobile-centric zero trust security approach can provide the visibility and IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data.

CF: How can UEM help protect against these types of threats?

AM: With UEM, organizations can achieve comprehensive control over their business data and employees can increase productivity. A UEM solution allows for continuous enforcement and protection of data, both on the device and on the network. Organizations can also build upon UEM with a mobile threat defense solution to detect and remediate mobile threats such as contactless attacks, even when a device is offline.

Network Security Startup Scores $40 Million in Funding

Perimeter 81, a secure access service edge (SASE) and network-as-a-service provider, has completed a $40 million Series B funding round led by Insight Partners.

The financing will help support Perimeter 81’s growth, and accelerate the company’s hiring and development. The company previously raised $25 million from its seed investor Spring Ventures, and Series A investors SonicWall and Toba Capital.

The company partners with MSPs and MSSPs.

Jim Finnerty is Perimeter 81’s channel partner manager.

“This funding will absolutely benefit our MSP and MSSP partners as it will enable Perimeter 81 to accelerate the development of our holistic SASE platform,” he said. “The unification of networking and security tools within one cloud-native, multi-tenant solution eliminates the major pains hardware management and legacy tool sprawl has created for MSPs and MSSPs in the past, and allows them to manage their client’s networks all in one place.”

Partner relationships are a major part of Perimeter 81’s growth plans, Finnerty said.

“Currently, we have 60 partners, including global technology reseller Ingram Micro,” he said. “In the coming year, we plan to increase our number of partners by 400% and expand our partner base worldwide. [The funding] will allow us to rapidly accelerate our product development so that we can quickly develop new features and resources based on our partners’ valuable product feedback.”

In February, Perimeter 81 unveiled a new SASE platform that combines its network-as-a-service offering with SonicWall’s cloud security capabilities.

Perimeter 81 has close to 1,000 customers. That includes Fortune 500 companies and prominent organizations in government, entertainment, technology and AI.

Positive Technologies: Hackers Moving Faster than Ever

Got 30 minutes? That could be all it takes to hack a company.

That’s according to new research by Positive Technologies. It’s based on the results of external penetration testing of corporate information systems performed by the company in 2019.

Companies tested came from sectors including finance, IT, fuel and energy, government agencies, hospitality and entertainment, industrial and telecoms.

Findings include:

  • Criminals can hack a company in as little as 30 minutes.

  • For 93% of companies, the pen testers succeeded in breaching the network perimeter and accessing the local network.

  • At three-quarters of companies, there was at least one easy penetration vector.

  • Researchers found traces of previous attacks in one out of every six tested companies.

  • Pen testers were able to brute-force web applications at 68% of companies and obtain log-in credentials. At one tested organization, they got more than 9,000 email addresses using this method.

  • Seventy-seven percent of attack vectors were related to insufficient protection of web applications.

Ekaterina Kilyusheva is head of Positive Technologies’ information security analytics research group.

“Our research found that the level of security of even large organizations remains very low,” she said. “And low-skilled hackers can penetrate the local networks of such companies. This is mainly due to known security flaws, and the use of vulnerable software versions and dictionary passwords.”

In 68% of companies tested, an attacker can gain access to the internal network in no more than two steps.

“For example, an attacker can quickly gain access to an internal network if a web application contains a known vulnerability for which a public exploit exists,” Kilyusheva said. “And at one quarter of organizations, a hack of the local network was possible in just one step.”

The average time for penetrating a local network was four days, Kilyusheva said. In one case, the hacker needed only 30 minutes, she said.

“In most cases, attack complexity was low, meaning that the attack was within the capabilities of a hacker with basic skills,” she said. “At 71% of companies, there was at least one easy penetration vector.”

Many attack vectors involve exploitation of known security flaws, Kilyusheva said. So it’s necessary to observe the general principles of information security to protect the network perimeter, she said.

“The management of the company should understand what incidents of information security are unacceptable for them and put emphasis in protection on key business risks,” she said. “In turn, in order to provide information security services most efficiently, the MSSP needs to have a good understanding of the infrastructure and business processes of the customer, and clearly understand which customer systems are critically important for the business.”

MSSPs should help the client build protection to ensure the continuity and security of the systems, Kilyusheva said. 

“The MSSP should provide protection services based on modern technical means that allow identifying the latest techniques of intruders,” she said. “For example, to protect web applications, you should use a modern web application firewall (WAF) that allows you to identify exploitation of not only known vulnerabilities, but also zero-day vulnerabilities. And in the work of the security operations center (SOC), you cannot do without a whole set of reliable tools, such as security information and event management (SIEM), network traffic analysis (NTA) and sandboxes, which together allow you to get the most complete picture of what is happening in the infrastructure, both at the endpoints and in network traffic, and therefore notice and stop the attack in time.”

Organizations Not Prioritizing Zero Trust

A new report by Illumio shows most IT and security professionals still have a long way to go in implementing zero trust in their cybersecurity plans.

Users continue to move off campus networks to a distributed work-from-home model, and face new and expanding threat vectors. Organizations must quickly adopt the zero-trust security mindset of “never trust, always verify.” This mitigates the spread of breaches by limiting access and preventing lateral movement, Illumio said.

About half of those surveyed find zero trust to be critical to their organizational security model. Only 2% of business leaders believe zero trust is nonessential for their enterprise security posture.

Only 19% of those who find zero trust to be very important to their security have fully or widely implemented their plan. More than one quarter of these have started their zero-trust planning or deployment process. In short, all but 9% of the organizations surveyed are in some way working toward achieving zero trust.

Matt Glenn is Illumio’s vice president of product management.

“The biggest difficulty in adopting zero trust is time,” he said. “Zero trust is not a product, but a strategy – default deny – only allow what should be allowed. To achieve zero trust, leaders need to understand that it is a journey that will make their organizations safer and ultimately more efficient. However, it is not a light switch that is simply flicked on by buying one product. Yes, there are products that solve many of the pillars of zero trust, but ultimately adopting those solutions takes time. So setting internal expectations is important.”

The biggest barrier to adopting zero trust is cost, Glenn said.

“Nearly 30% of our survey respondents told us they won’t have enough budget to pursue additional technologies,” he said. “And 20% shared that their teams simply aren’t big enough to support another new technology.”

Illumio asked which technologies companies have implemented on their journey to achieve zero trust. Solutions with a lower barrier to entry, like multifactor authentication (MFA) and single sign-on (SSO), are more widely adopted.

Still, one in three respondents (32%) have adopted campuswide segmentation. Another 30% have incorporated software-defined perimeter (SDP) technologies. And 26% are leveraging microsegmentation, a key zero-trust technology for preventing the lateral movement of attackers.

“There’s no single solution that can enable an organization to achieve zero trust in one fell swoop,” Glenn said. “MSSPs and other cybersecurity providers can start by educating organizations on the value of adopting zero trust and helping them map out a realistic plan to get there quickly. Partners that have intimate relationships with their customers can be part of the team that maps out a zero-trust strategy and recommend solutions that help fill in gaps.”

And if an organization doesn’t have a big enough team, that is an opportunity for an MSSP, he said. They can provide solutions to customers that ensure they don’t have to add additional staff.

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
