Cyber soothsaying: Mobile malware will be a very real threat
This is a guest post by cybersecurity investor at Bessemer Venture Partners David Cowan
This week, the RSA Conference will draw its annual pilgrimage of data security professionals seeking insights on market and technology trends.
As a seed-stage security investor in this industry, it has been my job to predict the future of cybersecurity, and so now’s a good time to share two important rules that have served me well:Follow the money: What’s the most lucrative opportunity emerging for hackers today? Identify the hacker’s next big opportunity, and you know who will need to respond. This rule, for example, steered me toward spam in 2002 (Postini), online banking theft in 2004 (Cyota), geopolitical warfare in 2009 (Endgame) and DDoS attacks in 2013 (Defense.Net).Where there’s a way, there’s a will: Physicists know that if a natural phenomenon can exist, then most likely it does. The cyber corollary is that vulnerabilities in the wild will be exploited. It’s only a matter of time. Poisoning the DNS, using the cloud to factor large numbers, and streaming smartphone microphones were all considered theoretical attacks — until they weren’t. Whenever we dismiss vulnerabilities as too difficult to exploit, hackers eventually humble us with their ingenuity.
In the last 48 hours, we’ve seen two important examples of this rule in action. The first is Apple’s confirmation of a glaring deficiency in their implementation of SSL that means we’ve been kidding ourselves about how secure the Mac and iPhone really are. The software engineers at Apple are mortal, and just as prone to the inevitable security lapses that plague any complex system.
The second example is a blog post by RSA about new malware on Android phones that coordinate with web based attacks to hijack banking sessions. I have been expecting this “innovation” since 2005, when I predicted that banks, plagued by the security shortcomings of passwords and biometrics, would adopt and embrace out-of-band authentication for any risky transaction:
That’s why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction (“This is Wells Fargo — please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast”). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it’s secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).
This prediction turned out well: 2-channel authentication has since become standard procedure for banks, application developers and consumers, thanks largely to three investments I made back then:If you’re a bank…
Cyota (acquired by RSA) is the market leader in assessing your transactions for risk so they can be escalated for authentication;If you’re a developer…
Bessemer Venture Partners’ portfolio company Twilio is the market leader in enabling apps to launch phone calls or SMS messages for out-of-band authentication (this may be Twilio’s single largest use case); andIf you’re an individual…
Another portfolio company Lifelock is in the Identity Theft market. It contacts you through multiple channels when the company spots a risky transaction involving your personally identifiable information.
However, as I parenthetically noted in 2005, it’s theoretically possible to “commandeer affiliated phone lines” in order to defeat two-channel authentication. This seemed like a pretty farfetched idea eight years ago, but sure enough where there’s a way there’s a will, and bank accounts are where the money is! So I wasn’t too surprised to hear from RSA that hackers now intercept your SMS messages and phone calls in order to defeat the banks’ security mechanism.
To quote cryptography expert Bruce Schneier: “Mobile is the new platform. Mobile is a very intimate platform. It’s where the attackers are going to go.”
This is why I funded Mojave Networks, which is building a cloud-based smartphone security service that filters out mobile malware during both download and execution, as well as providing URL filtering, data leak prevention, and enterprise cloud app visibility.
At the time I invested, many people warned me that mobile malware is simply not a big concern. But see Rules 1 and 2 above! Smartphones house our most precious secrets, and there are so many easy ways into them. I’m predicting that enterprises and governments will quickly understand this, and scramble to secure their employees’ phones just as they do their (larger) computers.
If you want to join me in predicting the future of cyberspace, look for the money chasing hackers, and pay more heed this week at RSA to the warnings of security gurus, since no vulnerability is too hard to exploit. Where there’s a way, there’s a will.
David Cowan, a partner in Bessemer’s Menlo Park, Calif. office, joined the firm in 1992. He has invested mostly in network technology, infrastructure SaaS, consumer Internet and cyber-security. His current portfolio includes CrowdFlower, Defense.net, Delivery Agent, Getinsured, LifeLock (IPO), LinkedIn (IPO), Nitrious.IO, Nominum, Reputation.com, Skybox Imaging, Smule, Twitch and Zoosk.