Does Your Threat Model Consider Country and Culture? A Case Study of Brazilian Internet Banking Security to Show That It Should!

Note: Presentation times are in Pacific Standard Time (PST).

Wednesday, February 03, 2021 - 11:50 am–12:20 pm

Marcus Botacin, Federal University of Paraná (UFPR-Brazil)


Every attack has a story. Uncovering these stories is essential to identify the gaps that allowed the attack to occur and the countermeasures to prevent it from happening again. Over time, many security players tried to model these gaps and countermeasures in their threat models, but all these attempts present the same drawback: they generalize everything! However, not every threat is global. The threats I used to find in Brazil were distinct from those reported in the global news and their prevalence significantly differed from what was described in the literature. What was going on? The problem is that the Brazilian scenario presents characteristics that make it unique (e.g., the way Internet banks operate, the way Internet access is provided and charged), and these factors significantly influence the way that threats are developed and how users are targeted. For instance, even before the Web-based systems, attackers exploited the early computerization of the Brazilian bank system to deploy phishing applications mimicking the Bank’s operations. The movement towards the Web generated a profusion of Java-based malware never seen elsewhere, as the Brazilian bank systems were Java-based. Recently, with the emergence of mobile devices, prepaid data plans with free WhatsApp access motivated the deployment of bank-powered WhatsApp-based banking transactions. Are we prepared to handle these scenarios or are we overlooking them? Furthermore, these likely-overlooked scenarios might not be limited to Brazil, but these attacks might have already been happening elsewhere. Therefore, I invite you to come with me to take a look at a dataset of more than 40 thousand unique malware samples collected in Brazil over 7 years to understand what we missed by not looking at regionalized threats. This talk is a call to action for more personalized threat models and security evaluations.

Marcus Botacin, Federal University of Paraná

Marcus is a Ph.D. candidate at the Federal University of Paraná (UFPR), Brazil. He is also a Computer Engineer and has a Master's in Computer Science from the University of Campinas (UNICAMP), Brazil. His main research interests are malware analysis and reverse engineering, with years of experience in sandbox development.


@conference {264148,
author = {Marcus Botacin},
title = {Does Your Threat Model Consider Country and Culture? A Case Study of Brazilian Internet Banking Security to Show That It Should!},
year = {2021},
publisher = {USENIX Association},
month = feb
}
