PICKPOCKETING MWALLETS. A guide to looting mobile financial services

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PICKPOCKETING MWALLETS. A guide to looting mobile financial services"

Transcription

1 PICKPOCKETING MWALLETS A guide to looting mobile financial services

2 THE GRUGQ Info Sec researcher since 1999 Experience Telcoms Info Sec Banking Info Sec Leads to Mobile Financial Security

3 MOBILE FINANCIAL APPS

4 MOBILE FINANCE STAKEHOLDERS

5 MOBILE FINANCE STAKEHOLDERS Mobile Service Provider Telco Operators

6 MOBILE FINANCE STAKEHOLDERS Mobile Service Provider Telco Operators Financial Services Provider Financial Institutes Banks, etc. Telco Operators

7 APPLICATIONS Mobile Banking Operator provides channel to financial service Mobile Wallet Operator provides financial services

8 MOTIVATORS Financial Institutions (FI) Users configure mobile banking once Reduce churn Operators Increase value of relationship Reduce churn

9 SECURITY GOALS Authenticate the customer Provide end-to-end security Confidentiality Integrity Availability At least as secure as an ATM

10 RISKS

11 RISKS Identity Lost / stolen phone Financial Fraud Non-repudiation

12 MORE RISKS Communications channel Monitoring / Sniffing Message Injection / Spoofing Duplicates

13 NOT RISKS (YET?) Mobile Malware Not prevalent Fractured mobile platform landscape

14 COMPONENTS

15 MOBILE ELEMENTS Handset Over The Air (OTA) Carrier Aggregator Financial Institution (FI)

16 ELEMENTS Aggregator Internet Carrier FI Carrier Network Base Station Mobile Handset

17 PLATFORMS

18 HANDSET PLATFORMS Web Application Thick Client SIM Card Application (STK)

19 WEB APP

20 WEB APP Easy to deploy

21 WEB APP Easy to deploy Easy to develop

22 WEB APP Easy to deploy Easy to develop Cross platform support

23 WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel

24 WEB APP Easy to deploy Easy to develop Web app security SQL injection, XSS Cross platform support Limited control over look and feel

25 WEB APP Easy to deploy Easy to develop Cross platform support Web app security SQL injection, XSS Slow data link Limited control over look and feel

26 WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel Web app security SQL injection, XSS Slow data link Expensive data plans

27 WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel Web app security SQL injection, XSS Slow data link Expensive data plans Subset of phones support browsers

28 THICK CLIENT

29 THICK CLIENT Complete control over look and feel

30 THICK CLIENT Complete control over look and feel Powerful operating environment

31 THICK CLIENT Complete control over look and feel Powerful operating environment Easy to develop*

32 THICK CLIENT Complete control over look and feel Fractured handset platform landscape Powerful operating environment Easy to develop*

33 THICK CLIENT Complete control over look and feel Powerful operating environment Fractured handset platform landscape Vulnerable to local attacks Easy to develop*

34 THICK CLIENT Complete control over look and feel Powerful operating environment Easy to develop* Fractured handset platform landscape Vulnerable to local attacks Hard to secure Phone developers are not very security aware

35 SIM APPLICATION

36 SIM APPLICATION More secure (potentially)

37 SIM APPLICATION More secure (potentially) Works on all SIM cards

38 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment

39 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA

40 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone

41 SIM APPLICATION More secure (potentially) Cumbersome interface Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone

42 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Cumbersome interface Looks terrible No multimedia Deployable OTA Secure against malicious phone

43 SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone Cumbersome interface Looks terrible No multimedia Restricted operating environment Low power Low memory

44 MBANKING ARCHITECTURE SMS input Operator HTTP(S) input Aggregator XML input Financial Institution

45 MWALLET ARCHITECTURE SMS input Operator HTTP(S) input Operator - application Database manipulation

46 BACKEND PLATFORMS Problems Lack of verifiable audit trail Single entry book keeping

47 CONCERNS

48 HANDSET CONCERNS Identity Lost / Stolen Monitoring / Spoofing Malicious (e.g. hackers) Infected (not yet )

49 OTA CONCERNS Monitoring GSM encryption is cracked GSM monitoring equipment < 1000

50 OPERATOR CONCERNS Monitoring SMS processing is unencrypted Injection Spoofing SMS from SMSC is trivial

51 OPERATOR CONCERNS, CONT.

52 OPERATOR CONCERNS, CONT. Mobile Banking is Value Added Service (VAS) Ringtones, wallpaper, $10 tetris clones, all your financial data

53 OPERATOR CONCERNS, CONT. Mobile Banking is Value Added Service (VAS) Ringtones, wallpaper, $10 tetris clones, all your financial data Security awareness is limited Toll fraud: will this result in revenue leakage?

54 OPERATOR CONCERNS Poor understanding of financial risk management

55 AGGREGATOR Monitoring Malicious employees Other customers Injection See above.

56 FINANCIAL INSTITUTIONS Poor understanding of Operator concerns

57 RECOMMENDATIONS

58 RECOMMENDATIONS Identify customers via a unique mfin PIN + phone Transmit the PIN hashed with the message data Add a unique message ID (timestamp) per customer per request

59 Require customer notification for dangerous operations, e.g. transfers Signup process should include in-branch application Require secure audit trails for all transactions

60 FINANCIAL REGULATIONS Require the Carrier to follow financial regulations regarding access and control over the messages Require the Aggregator to follow financial regulations regarding access and control over the messages

61 Use an STK application on the handset Require code review before it goes live Require security reviews over major components of the environment Mobile app Carrier environment Aggregator environment

62 Develop a clear customer service management plan for lost / stolen handsets Work with the carrier Ensure it doesn t automatically cancel CC/ATM

63 ENCRYPTION KEYS Manage the encryption keys/certificates used by the application Work with the Carrier on SIM keys Work with the Aggregator

64 CONCLUSION mfin Apps present unique challenges Trust relationships with third parties Difficult application environments No existing best practices Vendors have immature products

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX Mobile Banking Secure Banking on the Go Matt Hillary, Director of Information Security, MX Mobile Banking Channels SMS / Texting Mobile Banking Channels Mobile Web Browser Mobile Banking Channels Mobile

More information

International Journal of Computing and Business Research (IJCBR) INSECURE GSM NETWORK AND SECURITY SOLUTIONS FOR MOBILE BANKING

International Journal of Computing and Business Research (IJCBR) INSECURE GSM NETWORK AND SECURITY SOLUTIONS FOR MOBILE BANKING INSECURE GSM NETWORK AND SECURITY SOLUTIONS FOR MOBILE BANKING Karun Madan, Surya World Institute of Engg. & Technology, Rajpura, Punjab ABSTRACT Out of the many revolutions in the current world, mobile

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Application Intrusion Detection

Application Intrusion Detection Application Intrusion Detection Drew Miller Black Hat Consulting Application Intrusion Detection Introduction Mitigating Exposures Monitoring Exposures Response Times Proactive Risk Analysis Summary Introduction

More information

Mobile Banking. Product Overview

Mobile Banking. Product Overview Mobile Banking Product Overview financial services & retail enterprise internet content providers public sector telecommunications > PRODUCT transport Introduction Mobile phones have become an integral

More information

An Aujas White Paper MITIGATING SECURITY RISKS IN USSD-BASED MOBILE PAYMENT APPLICATIONS. By Suhas Desai

An Aujas White Paper MITIGATING SECURITY RISKS IN USSD-BASED MOBILE PAYMENT APPLICATIONS. By Suhas Desai An Aujas White Paper MITIGATING SECURITY RISKS IN USSD-BASED MOBILE PAYMENT APPLICATIONS By Suhas Desai CONTENTS Executive Summary The Need for Mobile Application Security 3 USSD-based Mobile Payment Application

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

Reaching the unbanked through technological innovation. Amjad H. Khan CEO, Bangla Phone Limited

Reaching the unbanked through technological innovation. Amjad H. Khan CEO, Bangla Phone Limited Reaching the unbanked through technological innovation Amjad H. Khan CEO, Bangla Phone Limited What limits financial inclusion in developing countries? Large rural population High illiteracy Low income

More information

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security Enterprise Mobility - Mobile Device Security Story Context: TechnoLabs has been focusing and offers Enterprise Mobility as one of its solution offering. No can deny the fact that mobile computing can bring

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

EMV-TT. Now available on Android. White Paper by

EMV-TT. Now available on Android. White Paper by EMV-TT A virtualised payment system with the following benefits: MNO and TSM independence Full EMV terminal and backend compliance Scheme agnostic (MasterCard and VISA supported) Supports transactions

More information

Security features include Authentication and encryption to protect data and prevent eavesdropping.

Security features include Authentication and encryption to protect data and prevent eavesdropping. What is a SIM card? A SIM card, also known as a subscriber identity module, is a subscriber identity module application on a smartcard that stores data for GSM/CDMA Cellular telephone subscribers. Such

More information

Global System for Mobile Communication Technology

Global System for Mobile Communication Technology Global System for Mobile Communication Technology Mobile Device Investigations Program Technical Operations Division DHS - FLETC GSM Technology Global System for Mobile Communication or Groupe Special

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

Security Evaluation CLX.Sentinel

Security Evaluation CLX.Sentinel Security Evaluation CLX.Sentinel October 15th, 2009 Walter Sprenger walter.sprenger@csnc.ch Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41

More information

Mobile Security BYOD and Consumer Apps

Mobile Security BYOD and Consumer Apps Mobile Security BYOD and Consumer Apps Adam Shnider, Managing Director, Coalfire October 16, 2012 Agenda I. The Mobile World - Trends I. Mobile devices - threats and risks I. BYOD Security Top Five I.

More information

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application Introduction Security continues to be a hot topic in all areas of technology, including machine-tomachine (M2M) applications.

More information

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

More information

Web Application Security

Web Application Security Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced

More information

Mobile Payment Services- Security Risks, Trends and Countermeasures

Mobile Payment Services- Security Risks, Trends and Countermeasures Mobile Payment Services- Security Risks, Trends and Countermeasures Agenda Trends in mobile payments Security risks in mobile payments applications and devices Mitigation strategy through secure SDLC Mobile

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

SHORT MESSAGE SERVICE SECURITY

SHORT MESSAGE SERVICE SECURITY SHORT MESSAGE SERVICE SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications Overview of Banking Application Security and PCI DSS Compliance for Banking Applications Thought Paper www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process

More information

APIs The Next Hacker Target Or a Business and Security Opportunity?

APIs The Next Hacker Target Or a Business and Security Opportunity? APIs The Next Hacker Target Or a Business and Security Opportunity? SESSION ID: SEC-T07 Tim Mather VP, CISO Cadence Design Systems @mather_tim Why Should You Care About APIs? Amazon Web Services EC2 alone

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Bharti Airtel response to TRAI Consultation Paper on Quality of Service requirements for delivery of basic financial services using mobile phones

Bharti Airtel response to TRAI Consultation Paper on Quality of Service requirements for delivery of basic financial services using mobile phones Bharti Airtel response to TRAI Consultation Paper on Quality of Service requirements for delivery of basic financial services using mobile phones Issues for consultation: 2.1 What method(s) of communication

More information

2012 Data Breach Investigations Report

2012 Data Breach Investigations Report 2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information

More information

Mobile Banking FEATURES & BENEFITS OF MOBILE BANKING

Mobile Banking FEATURES & BENEFITS OF MOBILE BANKING Mobile Banking Mobile banking is a system that allows customers of a financial institution to conduct a number of financial transactions through a mobile device such as a mobile phone or personal digital

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited Mobile NFC 101 Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited Company Lateral Security (IT) Services Limited Company Overview Founded in April 2008

More information

ensuring security the way how we do it

ensuring security the way how we do it ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

2015 CENTRI Data Breach Report:

2015 CENTRI Data Breach Report: INDUSTRY REPORT 2015 CENTRI Data Breach Report: An Analysis of Enterprise Data Breaches & How to Mitigate Their Impact P r o t e c t y o u r d a t a Introduction This industry report attempts to answer

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities One Connection - A World of Opportunities Security Tiffany Trent-Abram VP, Global Product Management November 6 th, 2015 2015 TNS Inc. All Rights Reserved. Bringing Global Credibility and History TNS Specializes

More information

Mobile Financial Services. Technology Risks. Mobile Financial Services. Working Group (MFSWG)

Mobile Financial Services. Technology Risks. Mobile Financial Services. Working Group (MFSWG) Mobile Financial Services Working Group (MFSWG) Mobile Financial Services Technology Risks This guideline note was developed by AFI s Mobile Financial Services Working Group (MFSWG) to identify the types

More information

Trust Digital Best Practices

Trust Digital Best Practices > ARMING IT AGAINST SMARTPHONE THREATS Trust Digital Best Practices April 2009 The information contained herein is subject to change at any time, and Trust Digital makes no warranties, either express or

More information

Application Security Testing. Indian Computer Emergency Response Team (CERT-In)

Application Security Testing. Indian Computer Emergency Response Team (CERT-In) Application Security Testing Indian Computer Emergency Response Team (CERT-In) OWASP Top 10 Place to start for learning about application security risks. Periodically updated What is OWASP? Open Web Application

More information

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security. Applying the 80/20 approach for Operational Excellence How to combat new age threats, optimize investments and increase security Vinod Vasudevan Agenda Current Threat Landscape The 80/20 Approach Achieving

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Common Criteria Web Application Security Scoring CCWAPSS

Common Criteria Web Application Security Scoring CCWAPSS Criteria Web Application Security Scoring CCWAPSS Author Frédéric Charpentier, security pentester. France. Fcharpentier@xmcopartners.com Releases Version 1.0 : First public release September 2007 Version

More information

SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES

SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES Sead Muftic 1, Feng Zhang 1 1Department of Computer and System Sciences, Royal Institute of Technology, Stockholm, Sweden

More information

Raising Awareness of Issues by Adapting the NIST IT Security Services Model to E-Business Systems. Robert L. Probert, Victor Sawma¹

Raising Awareness of Issues by Adapting the NIST IT Security Services Model to E-Business Systems. Robert L. Probert, Victor Sawma¹ E-Commerce Security Raising Awareness of Issues by Adapting the NIST IT Security Services Model to E-Business Systems Robert L. Probert, Victor Sawma¹ School of Information Technology and Engineering University

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

Copyright Telerad Tech 2009. RADSpa. HIPAA Compliance

Copyright Telerad Tech 2009. RADSpa. HIPAA Compliance RADSpa HIPAA Compliance 1. Introduction 3 1.1. Scope and Field of Application 3 1.2. HIPAA 3 2. Security Architecture 4 2.1 Authentication 4 2.2 Authorization 4 2.3 Confidentiality 4 2.3.1 Secure Communication

More information

Mobile Security Framework; Advances in Mobile Governance in Korea. TaeKyung Kim tkkim@stu.ac.kr

Mobile Security Framework; Advances in Mobile Governance in Korea. TaeKyung Kim tkkim@stu.ac.kr Mobile Security Framework; Advances in Mobile Governance in Korea TaeKyung Kim tkkim@stu.ac.kr I. e-banking in Korea 1. e-banking? BIS (Bank for International Settlements) - e-finance(electronic banking)

More information

Guideline Note Mobile Financial Services: Technology Risks

Guideline Note Mobile Financial Services: Technology Risks Mobile Financial Services Working Group (MFSWG) Guideline Note Mobile Financial Services: Technology Risks About AFI Guideline Notes This guideline note on mobile financial services (MFS) technology risks

More information

Brainloop Cloud Security

Brainloop Cloud Security Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating

More information

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Mobile phone based business models. Sundar Murthi CAB

Mobile phone based business models. Sundar Murthi CAB Mobile phone based business models Sundar Murthi CAB Session Plan Overview of mobile business Mobiles for banking Guidelines for mobile banking Technologies for mobile banking Mobile banking solutions

More information

IAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner johannes.feichtner@iaik.tugraz.at IAIK

IAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner johannes.feichtner@iaik.tugraz.at IAIK Motivation 2 Advanced Computer Networks 2015/2016 Johannes Feichtner johannes.feichtner@iaik.tugraz.at What you have heard last time Mobile devices: Short history, features Technical evolution, major OS,

More information

Table of Contents. Page 2/13

Table of Contents. Page 2/13 Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities

More information

TABLE OF CONTENTS. Introduction 3 OTP SMS Two-Factor Authentication 5 Technical Overview 9 Features 10 Benefits 11 About MobiWeb 12 Quality 13

TABLE OF CONTENTS. Introduction 3 OTP SMS Two-Factor Authentication 5 Technical Overview 9 Features 10 Benefits 11 About MobiWeb 12 Quality 13 TABLE OF CONTENTS Introduction 3 OTP SMS Two-Factor Authentication 5 Technical Overview 9 Features 10 Benefits 11 About MobiWeb 12 Quality 13 Introduction Our world is more Mobile now than ever. In 2013

More information

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing Kaspersky Fraud Prevention platform: a comprehensive solution for secure Today s bank customers can perform most of their financial operations online. According to a global survey of Internet users conducted

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Hacking for Fun and Profit

Hacking for Fun and Profit Hacking for Fun and Profit W3Lc0me to Th3 Fu1ur How to break stuff How to trade How to hide Help! Page 1 Knowing the enemy Page 2 E1 - Who am I ^ Ivan Bütler, Uznach, 31.12.1970 ^ Speaker at Blackhat 2008

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information

Norton Mobile Privacy Notice

Norton Mobile Privacy Notice Effective: April 12, 2016 Symantec and the Norton brand have been entrusted by consumers around the world to protect their computing devices and most important digital assets. This Norton Mobile Privacy

More information

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

MITB Grabbing Login Credentials

MITB Grabbing Login Credentials MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,

More information

Table of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities

Table of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities

More information

F-Secure Internet Security 2014 Data Transfer Declaration

F-Secure Internet Security 2014 Data Transfer Declaration F-Secure Internet Security 2014 Data Transfer Declaration The product s impact on privacy and bandwidth usage F-Secure Corporation April 15 th 2014 Table of Contents Version history... 3 Abstract... 3

More information

Security Issues In Cloud Computing and Countermeasures

Security Issues In Cloud Computing and Countermeasures Security Issues In Cloud Computing and Countermeasures Shipra Dubey 1, Suman Bhajia 2 and Deepika Trivedi 3 1 Department of Computer Science, Banasthali University, Jaipur, Rajasthan / India 2 Department

More information

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

More information

Learn to protect yourself from Identity Theft. First National Bank can help.

Learn to protect yourself from Identity Theft. First National Bank can help. Learn to protect yourself from Identity Theft. First National Bank can help. Your identity is one of the most valuable things you own. It s important to keep your identity from being stolen by someone

More information

If you can't beat them - secure them

If you can't beat them - secure them If you can't beat them - secure them v1.0 October 2012 Accenture, its logo, and High Performance delivered are trademarks of Accenture. Preface: Mobile adoption New apps deployed in the cloud Allow access

More information

Use of C-SIM (R-UIM) in Roaming. 2006 3G CDMA Latin America Regional Conference

Use of C-SIM (R-UIM) in Roaming. 2006 3G CDMA Latin America Regional Conference Use of C-SIM (R-UIM) in Roaming 2006 3G CDMA Latin America Regional Conference AGENDA 1 C-SIM role in Roaming 2 CSIM for advanced roaming 3 CSIM beyond roaming The C-SIM Card Security PIN = Secret codes

More information

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the

More information

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security

More information

WHITE PAPER Security in M2M Communication What is secure enough?

WHITE PAPER Security in M2M Communication What is secure enough? WHITE PAPER Security in M2M Communication What is secure enough? Motivation Wireless Machine-To-Machine (M2M) communication has grown dramatically over the past decade and is still growing rapidly. In

More information

Best Practices (Top Security Tips)

Best Practices (Top Security Tips) Best Practices (Top Security Tips) For use with all versions of PDshop Revised: 10/1/2015 PageDown Technology, LLC / Copyright 2002-2015 All Rights Reserved. 1 Table of Contents Table of Contents... 2

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Norton Mobile Privacy Notice

Norton Mobile Privacy Notice Effective: October 25, 2016 Symantec and the Norton brand have been entrusted by consumers around the world to protect their computing devices and digital assets. This Norton Mobile Privacy Notice tells

More information

International Journal of Computing and Business Research (IJCBR)

International Journal of Computing and Business Research (IJCBR) AN INVESTIGATION OF GSM ARCHITECTURE AND OVERLAYING WITH EFFICIENT SECURITY PROTOCOL Karun Madan, Surya World Institute of Engg. & Technology, Rajpura, Punjab ABSTRACT The Global System for Mobile Communications

More information

Security and Privacy in Cloud Computing

Security and Privacy in Cloud Computing Security and Privacy in Cloud Computing Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Threats, vulnerabilities, and enemies Goal Learn the cloud computing threat model

More information

Web Application Security Considerations

Web Application Security Considerations Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Mobile Financial Services

Mobile Financial Services Mobile Financial Services CANTO AGM 2014 January 27, 2014 27 janvier 2014 1 Agenda MoreMagic and Oberthur Technologies International TopUp and White label The Digital Revolution The Caribbean Opportunity

More information

Control Traffic from Grey Routes and Boost Enterprise Messaging Revenue

Control Traffic from Grey Routes and Boost Enterprise Messaging Revenue SAP Brief SAP Mobile Services SAP SMS Firewall 365 Objectives Control Traffic from Grey Routes and Boost Enterprise Messaging Revenue Cloud-based managed service helps control messaging abuse Cloud-based

More information

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

M-Wallet: An SMS based payment system

M-Wallet: An SMS based payment system M-Wallet: An SMS based payment system Nitika Rai*, Anurag Ashok**, Janhvi Chakraborty**, Prajakta Arolker**, Saumeel Gajera** *(Associate Professor, Department of Information Technology, St. Francis Institute

More information

THE HACKERS NEXT TARGET

THE HACKERS NEXT TARGET Governance and Risk Management THE HACKERS NEXT TARGET YOUR WEB AND SOFTWARE Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software ISC2 CyberSecurity Conference 09 Kuala

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Fraud Prevention Tips

Fraud Prevention Tips Fraud Prevention Tips The best defense against fraud or identity theft is a proactive approach. Here are a few steps you can take to help protect yourself. Protect your identity Copy the front and back

More information

Addressing Cyber Security in Oracle Utilities Applications

Addressing Cyber Security in Oracle Utilities Applications Addressing Cyber Security in Oracle Utilities Applications Anthony Shorten Principal Product Manager Oracle Utilities Global Business Unit Sept, 2014 Safe Harbor Statement The following is intended to

More information