2. About Me
▪ Sucked at games, started hacking
▪ Maths & Algo background
▪ Dev at European Space Agency
▪ Security Consultant in EU and AU
▪ Sometimes I have interesting projects:
▪ Printers, ATMs
▪ FOREX trading software
▪ Online banking systems
▪ Voice biometrics
▪ Published research at BlackHat, HackInTheBox, OWASP AppSec, Zeronights, AusCERT, BSides
3. Threat Modelling
Attack surface – WHERE: Using phone in cafes
Threat modelling – WHAT: Phone theft
Threat actors – WHO: Opportunistic pickpocketer
Attack vectors – HOW: Pick it up when you go to the toilet
MITIGATION: KEEP THE PHONE WITH YOU
6. Level of paranoia
99% people
▪ Log in to their bank account on a public computer
▪ Have one password
▪ Travel to China, use public wi-fi
▪ Leave phone & wallet on the beach, enjoy a swim
Security conscious
▪ Log in to their bank only on phone / their own computer
▪ Use password manager
▪ Keep their phone with them all the time
▪ Take only one card and use a phone cheap enough to not cry when you lose it
Security paranoid
▪ Use 2-FA, distribute money between multiple accounts
▪ Use 30-char passwords
▪ Take a burner phone, destroy it afterwards
▪ Don’t go further than 5 seconds from the bag
7. Your assets
▪ Devices:
▪ Phone
▪ Computer
▪ IoT
▪ Home router
▪ Accounts:
▪ SIM card
▪ Mail
▪ Social Media
▪ Bank
▪ Finances:
▪ Bank
▪ Paypal / similar
▪ SIM credit line
▪ Amazon/Uber/Netflix/any service
▪ Information / Identity:
▪ Documents, scans
▪ Private data / nudes
▪ OTHER
▪ Your brain
8. General scams/hacks
▪ Buying crypto wallets on ebay
▪ SMS, phone call
▪ Fake anti-virus scam
▪ Fake ads on ATM
▪ Gumtree
▪ Fake hacked webcam
▪ Fake FB/Tinder nudes
▪ Premium line call back
▪ Facebook - friends asking for money
▪ Ebay hijacked accounts
▪ FBI / police locking your computer
▪ “top Google ad” scam
▪ lost phone scam - check location
28. PHONE threats
This is NOT a Tesla hack:
▪ Tricked an Android 4.4 user into connecting to a fake McD Wi-Fi
▪ Redirected him to a fake website
▪ Tricked him into installing a malicious app from unknown sources
▪ The app used a public exploit toolbox (Kingroot) to root the Android 4.4 device
40. ROUTER threats
▪ Keep it up-to-date
▪ Choose WPA2 for Wi-Fi security
▪ Don’t share passwords
41. ACCOUNTS threats
“Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life” – @thegrugq
42. ACCOUNTS threats
▪ Make a list of all your important accounts
▪ USE A PASSWORD MANAGER
The top 10 passwords on the 2017 list:
▪ 1. 123456 (Unchanged)
▪ 2. Password (Unchanged)
▪ 3. 12345678 (Up 1)
▪ 4. qwerty (Up 2)
▪ 5. 12345 (Down 2)
▪ 6. 123456789 (New)
▪ 7. letmein (New)
▪ 8. 1234567 (Unchanged)
▪ 9. football (Down 4)
▪ 10. iloveyou (New)
47. ACCOUNTS threats
Threat                  Hardware token  SMS    Push       U2F        Biometrics  No 2-FA
Password guess / theft  OK              OK     OK         OK         OK          NO
Phishing                ~NO             ~NO    OK         ~OK        ~OK         NO
PC Malware              NO              ~OK    ~OK        ~NO        ~NO         NO
Phone Malware           OK              NO     ~NO        OK         ~NO         NO
SIM hijacking           OK              NO     ~OK        OK         ~OK         OK
Overall                 OK              GOOD   VERY GOOD  VERY GOOD  ~OK         NOT GOOD
48. ACCOUNTS threats
▪ For financial accounts: a device with a screen – mobile push notifications (very good) or SMS (good)
▪ For all other accounts: U2F (very good), SMS (good)
52. SIM card threats
▪ Set additional security features
▪ Disable insecure features you do not use – e.g. sending and receiving messages via the web
▪ Understand that sender (and caller) ID may be spoofed
60. Bank account threats
▪ Enable alerts
▪ Check balance regularly
▪ Check access via other channels
▪ Keep larger sums in a separate account
61. Bank account threats
▪ Set limits – for transactions, credit card, mobile payments
▪ Change credit card regularly
▪ Prefer to pay in cash, especially overseas
▪ Never let the waiter walk away with your card
62. Bank account threats
▪ Online shopping: use a separate card – a pre-paid card with limits
▪ Chargeback exists – use it
▪ Pay via trusted gateways – e.g. PayPal – rather than directly
▪ Do not enter your banking password on any website (POLi, Trustly) other than the bank itself