PICKPOCKETING MWALLETS. A guide to looting mobile financial services

Size: px

Start display at page:

Download "PICKPOCKETING MWALLETS. A guide to looting mobile financial services"

Arnold Hopkins
8 years ago
Views:

1 PICKPOCKETING MWALLETS A guide to looting mobile financial services

2 THE GRUGQ Info Sec researcher since 1999 Experience Telcoms Info Sec Banking Info Sec Leads to Mobile Financial Security

3 MOBILE FINANCIAL APPS

4 MOBILE FINANCE STAKEHOLDERS

5 MOBILE FINANCE STAKEHOLDERS Mobile Service Provider Telco Operators

6 MOBILE FINANCE STAKEHOLDERS Mobile Service Provider Telco Operators Financial Services Provider Financial Institutes Banks, etc. Telco Operators

7 APPLICATIONS Mobile Banking Operator provides channel to financial service Mobile Wallet Operator provides financial services

8 MOTIVATORS Financial Institutions (FI) Users configure mobile banking once Reduce churn Operators Increase value of relationship Reduce churn

9 SECURITY GOALS Authenticate the customer Provide end-to-end security Confidentiality Integrity Availability At least as secure as an ATM

10 RISKS

11 RISKS Identity Lost / stolen phone Financial Fraud Non-repudiation

12 MORE RISKS Communications channel Monitoring / Sniffing Message Injection / Spoofing Duplicates

13 NOT RISKS (YET?) Mobile Malware Not prevalent Fractured mobile platform landscape

14 COMPONENTS

15 MOBILE ELEMENTS Handset Over The Air (OTA) Carrier Aggregator Financial Institution (FI)

16 ELEMENTS Aggregator Internet Carrier FI Carrier Network Base Station Mobile Handset

17 PLATFORMS

18 HANDSET PLATFORMS Web Application Thick Client SIM Card Application (STK)

19 WEB APP

20 WEB APP Easy to deploy

21 WEB APP Easy to deploy Easy to develop

22 WEB APP Easy to deploy Easy to develop Cross platform support

23 WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel

24 WEB APP Easy to deploy Easy to develop Web app security SQL injection, XSS Cross platform support Limited control over look and feel

25 WEB APP Easy to deploy Easy to develop Cross platform support Web app security SQL injection, XSS Slow data link Limited control over look and feel

26 WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel Web app security SQL injection, XSS Slow data link Expensive data plans

27 WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel Web app security SQL injection, XSS Slow data link Expensive data plans Subset of phones support browsers

28 THICK CLIENT

29 THICK CLIENT Complete control over look and feel

30 THICK CLIENT Complete control over look and feel Powerful operating environment

31 THICK CLIENT Complete control over look and feel Powerful operating environment Easy to develop*

32 THICK CLIENT Complete control over look and feel Fractured handset platform landscape Powerful operating environment Easy to develop*

33 THICK CLIENT Complete control over look and feel Powerful operating environment Fractured handset platform landscape Vulnerable to local attacks Easy to develop*

34 THICK CLIENT Complete control over look and feel Powerful operating environment Easy to develop* Fractured handset platform landscape Vulnerable to local attacks Hard to secure Phone developers are not very security aware

35 SIM APPLICATION

36 SIM APPLICATION More secure (potentially)

37 SIM APPLICATION More secure (potentially) Works on all SIM cards

38 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment

39 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA

40 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone

41 SIM APPLICATION More secure (potentially) Cumbersome interface Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone

42 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Cumbersome interface Looks terrible No multimedia Deployable OTA Secure against malicious phone

43 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone Cumbersome interface Looks terrible No multimedia Restricted operating environment Low power Low memory

44 MBANKING ARCHITECTURE SMS input Operator HTTP(S) input Aggregator XML input Financial Institution

45 MWALLET ARCHITECTURE SMS input Operator HTTP(S) input Operator - application Database manipulation

46 BACKEND PLATFORMS Problems Lack of verifiable audit trail Single entry book keeping

47 CONCERNS

48 HANDSET CONCERNS Identity Lost / Stolen Monitoring / Spoofing Malicious (e.g. hackers) Infected (not yet )

49 OTA CONCERNS Monitoring GSM encryption is cracked GSM monitoring equipment < 1000

50 OPERATOR CONCERNS Monitoring SMS processing is unencrypted Injection Spoofing SMS from SMSC is trivial

51 OPERATOR CONCERNS, CONT.

52 OPERATOR CONCERNS, CONT. Mobile Banking is Value Added Service (VAS) Ringtones, wallpaper, $10 tetris clones, all your financial data

53 OPERATOR CONCERNS, CONT. Mobile Banking is Value Added Service (VAS) Ringtones, wallpaper, $10 tetris clones, all your financial data Security awareness is limited Toll fraud: will this result in revenue leakage?

54 OPERATOR CONCERNS Poor understanding of financial risk management

55 AGGREGATOR Monitoring Malicious employees Other customers Injection See above.

56 FINANCIAL INSTITUTIONS Poor understanding of Operator concerns

57 RECOMMENDATIONS

58 RECOMMENDATIONS Identify customers via a unique mfin PIN + phone Transmit the PIN hashed with the message data Add a unique message ID (timestamp) per customer per request

59 Require customer notification for dangerous operations, e.g. transfers Signup process should include in-branch application Require secure audit trails for all transactions

60 FINANCIAL REGULATIONS Require the Carrier to follow financial regulations regarding access and control over the messages Require the Aggregator to follow financial regulations regarding access and control over the messages

61 Use an STK application on the handset Require code review before it goes live Require security reviews over major components of the environment Mobile app Carrier environment Aggregator environment

62 Develop a clear customer service management plan for lost / stolen handsets Work with the carrier Ensure it doesn t automatically cancel CC/ATM

63 ENCRYPTION KEYS Manage the encryption keys/certificates used by the application Work with the Carrier on SIM keys Work with the Aggregator

64 CONCLUSION mfin Apps present unique challenges Trust relationships with third parties Difficult application environments No existing best practices Vendors have immature products

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability