I read an interesting post on the ComputerWorld blog by Lucian Constantin this morning – it’s entitled “Web app attacks, PoS intrusions and cyberespionage top causes of data breaches”. You can read the full article here. I’m writing this post to emphasize a very important point about a threat that consumers face, which isn’t understood or appreciated by Verizon and other mobile operators: the threat of phishing attacks on mobile.
According to Verizon:
People were again the weak link that led to many of the compromises. The data shows that phishing — whether used to trick users into opening infected email attachments, click on malicious links, or input their credentials on rogue websites — remains the weapon of choice for many criminals and spies.
For the past two years, more than two-thirds of cyberespionage incidents involved phishing, the Verizon team said in its report. Hundreds of incidents from the crimeware section have also included the technique in their event chain, they said.
The data showed that 23 percent of phishing email recipients open the messages and 11 percent of them click on the attachment inside. A small phishing campaign of only 10 emails comes with a more than 90 percent chance that at least one person will become a victim, the Verizon team said.
In his article Constantin emphasizes another quote from Verizon:
Phishing attacks continue to be effective, but mobile threats are not a big concern, according to a Verizon report
Wait. What?! Phishing is a problem but not on mobile?
53% of total email opens occurred on a mobile phone or tablet in Q3 2014. This is an increase from the 48% seen in Q2 2014. – Experian “Quarterly email benchmark report” (Q3 2014)
More email is read on mobile than on a desktop email client. Stats say 48% of email is now opened on a mobile device. – Litmus “Email Analytics” (Jan 2015)
But you don’t need stats on the number of people who read email first on mobile. You know that most people do it on a regular basis. So, if most people read email first on mobile, how can Verizon be right in saying that mobile threats are not a big concern? Of course it’s a concern.
Why phishing attacks are a problem on mobile
- The email app on your mobile device does not check the validity or safety level of links when you click on them. You might want to be warned when visiting sites flagged as malware or phishing. You might want to block sites that are NSFW.
- The browser on your mobile device (unless you are using Browse – depending on the browser you use, this link might open iTunes) does not check the validity or safety level of links before opening webpages.
- And none of the mobile apps you use check the validity or safety level of links when you click on them either. That is, unless the apps you use are protecting you with the MetaCert Security API.
In order to emphasize my point, there isn’t a single email app, mobile browser or message/chat app that has any built-in security to stop end-users from either sending or opening malicious links. Now, read Verizon’s findings above again about phishing threats and see if you can make sense of these two quotes.
So when Verizon says:
“Mobile devices are not a theme in our breach data, nor are they a theme in our partners’ breach and security data,” Verizon said. “We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss — as it has been for years — and rarely do those stories include a smartphone.”
… it doesn’t instill much confidence in their efforts to keep mobile consumers safe.
There is a solution to this problem, however. The MetaCert Security API adds a thin but very powerful layer of security to mobile apps. The Security API allows you to check the reputation of web links in real time, providing an invisibly secure experience by blocking malicious web pages before they load or are navigated to. If you’re a developer building apps, or a platform engineer, check out our doc for more info.
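The pre-open link check described above, sketched as an added example that is not from the original post and does not use the MetaCert Security API. The `REPUTATION` table, `POLICY` and the function names are constructed for illustration; a real app would query a reputation service instead of the inline table.

```javascript
// Constructed sample data standing in for a real reputation feed.
const REPUTATION = new Map([
  ["login-verify.example", ["phishing"]],
  ["cdn.badfiles.example", ["malware"]],
  ["adult.example", ["nsfw"]],
]);

// Policy from the post: warn on malware/phishing, block NSFW.
const POLICY = { phishing: "warn", malware: "warn", nsfw: "block" };
const RANK = { allow: 0, warn: 1, block: 2 };

// Return the host plus each parent domain, most specific first, so a listing
// for "cdn.badfiles.example" also covers "a.cdn.badfiles.example".
function candidateHosts(hostname) {
  const labels = hostname.replace(/\.$/, "").split(".");
  const out = [];
  for (let i = 0; i < labels.length - 1; i++) out.push(labels.slice(i).join("."));
  return out;
}

// Decide what the app should do when a link is tapped: allow, warn or block.
function checkLink(rawUrl, policy = POLICY) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  // Assumption of this example: only web links are opened from messages.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { action: "block", reason: `scheme ${url.protocol} not opened` };
  }
  // new URL() lower-cases the host and keeps userinfo out of hostname, so
  // "https://bank.example@login-verify.example/" is judged by its real host.
  let verdict = { action: "allow", reason: "no listing" };
  for (const host of candidateHosts(url.hostname)) {
    for (const category of REPUTATION.get(host) || []) {
      const action = policy[category] || "warn";
      if (RANK[action] > RANK[verdict.action]) {
        verdict = { action, reason: `${host} listed as ${category}` };
      }
    }
  }
  return verdict;
}
```

The strictest action across all matching listings wins, so a host flagged in several categories is handled by the most restrictive policy entry.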