PICKPOCKETING MWALLETS. A guide to looting mobile financial services

Similar documents
Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

The Top Web Application Attacks: Are you vulnerable?

Application Intrusion Detection

International Journal of Computing and Business Research (IJCBR) INSECURE GSM NETWORK AND SECURITY SOLUTIONS FOR MOBILE BANKING

Rational AppScan & Ounce Products

Where every interaction matters.

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Application Security Testing

Check list for web developers

Mobile Banking. Product Overview

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Strategic Information Security. Attacking and Defending Web Services

Reaching the unbanked through technological innovation. Amjad H. Khan CEO, Bangla Phone Limited

Hack Proof Your Webapps

Mobile Security BYOD and Consumer Apps

The Key to Secure Online Financial Transactions

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Security Evaluation CLX.Sentinel

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application

EMV-TT. Now available on Android. White Paper by

ensuring security the way how we do it

Web Application Security

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

Criteria for web application security check. Version

An Aujas White Paper MITIGATING SECURITY RISKS IN USSD-BASED MOBILE PAYMENT APPLICATIONS. By Suhas Desai

Web Application Security Considerations

05.0 Application Development

2012 Data Breach Investigations Report

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

2015 CENTRI Data Breach Report:

Global System for Mobile Communication Technology

Web Application Security

If you can't beat them - secure them

Security features include Authentication and encryption to protect data and prevent eavesdropping.

What is Web Security? Motivation

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

How to Secure Your Environment

Norton Mobile Privacy Notice

Trust Digital Best Practices

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Raising Awareness of Issues by Adapting the NIST IT Security Services Model to E-Business Systems. Robert L. Probert, Victor Sawma¹

Security and Privacy in Cloud Computing

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Cloud Security:Threats & Mitgations

Copyright Telerad Tech RADSpa. HIPAA Compliance

Mobile Financial Services. Technology Risks. Mobile Financial Services. Working Group (MFSWG)

SHORT MESSAGE SERVICE SECURITY

APIs The Next Hacker Target Or a Business and Security Opportunity?

JVA-122. Secure Java Web Development

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Data Security Best Practices & Reasonable Methods

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner IAIK

FileCloud Security FAQ

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

elearning for Secure Application Development

WHITE PAPER Security in M2M Communication What is secure enough?

Guideline Note Mobile Financial Services: Technology Risks

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Thick Client Application Security

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Mobile Banking FEATURES & BENEFITS OF MOBILE BANKING

locuz.com Professional Services Security Audit Services

Reducing Application Vulnerabilities by Security Engineering

Understanding and evaluating risk to information assets in your software projects

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

CYBERTRON NETWORK SOLUTIONS

F-Secure Internet Security 2014 Data Transfer Declaration

Our Key Security Features Are:

M-Wallet: An SMS based payment system

Brainloop Cloud Security

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Hacking for Fun and Profit

SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES

Information security controls. Briefing for clients on Experian information security controls

Internet threats: steps to security for your small business

Passing PCI Compliance How to Address the Application Security Mandates

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Best Practices (Top Security Tips)

THE HACKERS NEXT TARGET

External Supplier Control Requirements

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Enterprise Mobile Management

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Common Criteria Web Application Security Scoring CCWAPSS

Fraud Prevention Tips

Indexed Terms: attacks, challenges, cloud computing, countermeasures, hacker, security

Table of Contents. Page 2/13

Data Protection Act Bring your own device (BYOD)

Transcription:

PICKPOCKETING MWALLETS A guide to looting mobile financial services

THE GRUGQ Info Sec researcher since 1999 Experience Telcoms Info Sec Banking Info Sec Leads to Mobile Financial Security

MOBILE FINANCIAL APPS

MOBILE FINANCE STAKEHOLDERS

MOBILE FINANCE STAKEHOLDERS Mobile Service Provider Telco Operators

MOBILE FINANCE STAKEHOLDERS Mobile Service Provider Telco Operators Financial Services Provider Financial Institutes Banks, etc. Telco Operators

APPLICATIONS Mobile Banking Operator provides channel to financial service Mobile Wallet Operator provides financial services

MOTIVATORS Financial Institutions (FI) Users configure mobile banking once Reduce churn Operators Increase value of relationship Reduce churn

SECURITY GOALS Authenticate the customer Provide end-to-end security Confidentiality Integrity Availability At least as secure as an ATM

RISKS

RISKS Identity Lost / stolen phone Financial Fraud Non-repudiation

MORE RISKS Communications channel Monitoring / Sniffing Message Injection / Spoofing Duplicates

NOT RISKS (YET?) Mobile Malware Not prevalent Fractured mobile platform landscape

COMPONENTS

MOBILE ELEMENTS Handset Over The Air (OTA) Carrier Aggregator Financial Institution (FI)

ELEMENTS Aggregator Internet Carrier FI Carrier Network Base Station Mobile Handset

PLATFORMS

HANDSET PLATFORMS Web Application Thick Client SIM Card Application (STK)

WEB APP

WEB APP Easy to deploy

WEB APP Easy to deploy Easy to develop

WEB APP Easy to deploy Easy to develop Cross platform support

WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel

WEB APP Easy to deploy Easy to develop Web app security SQL injection, XSS Cross platform support Limited control over look and feel

WEB APP Easy to deploy Easy to develop Cross platform support Web app security SQL injection, XSS Slow data link Limited control over look and feel

WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel Web app security SQL injection, XSS Slow data link Expensive data plans

WEB APP Easy to deploy Easy to develop Cross platform support Limited control over look and feel Web app security SQL injection, XSS Slow data link Expensive data plans Subset of phones support browsers

THICK CLIENT

THICK CLIENT Complete control over look and feel

THICK CLIENT Complete control over look and feel Powerful operating environment

THICK CLIENT Complete control over look and feel Powerful operating environment Easy to develop*

THICK CLIENT Complete control over look and feel Fractured handset platform landscape Powerful operating environment Easy to develop*

THICK CLIENT Complete control over look and feel Powerful operating environment Fractured handset platform landscape Vulnerable to local attacks Easy to develop*

THICK CLIENT Complete control over look and feel Powerful operating environment Easy to develop* Fractured handset platform landscape Vulnerable to local attacks Hard to secure Phone developers are not very security aware

SIM APPLICATION

SIM APPLICATION More secure (potentially)

SIM APPLICATION More secure (potentially) Works on all SIM cards

SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment

SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA

SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone

SIM APPLICATION More secure (potentially) Cumbersome interface Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone

SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Cumbersome interface Looks terrible No multimedia Deployable OTA Secure against malicious phone

SIM APPLICATION More secure (potentially) Works on all SIM cards Mature development environment Deployable OTA Secure against malicious phone Cumbersome interface Looks terrible No multimedia Restricted operating environment Low power Low memory

MBANKING ARCHITECTURE SMS input Operator HTTP(S) input Aggregator XML input Financial Institution

MWALLET ARCHITECTURE SMS input Operator HTTP(S) input Operator - application Database manipulation

BACKEND PLATFORMS Problems Lack of verifiable audit trail Single entry book keeping

CONCERNS

HANDSET CONCERNS Identity Lost / Stolen Monitoring / Spoofing Malicious (e.g. hackers) Infected (not yet )

OTA CONCERNS Monitoring GSM encryption is cracked GSM monitoring equipment < 1000

OPERATOR CONCERNS Monitoring SMS processing is unencrypted Injection Spoofing SMS from SMSC is trivial

OPERATOR CONCERNS, CONT.

OPERATOR CONCERNS, CONT. Mobile Banking is Value Added Service (VAS) Ringtones, wallpaper, $10 tetris clones, all your financial data

OPERATOR CONCERNS, CONT. Mobile Banking is Value Added Service (VAS) Ringtones, wallpaper, $10 tetris clones, all your financial data Security awareness is limited Toll fraud: will this result in revenue leakage?

OPERATOR CONCERNS Poor understanding of financial risk management

AGGREGATOR Monitoring Malicious employees Other customers Injection See above.

FINANCIAL INSTITUTIONS Poor understanding of Operator concerns

RECOMMENDATIONS

RECOMMENDATIONS Identify customers via a unique mfin PIN + phone Transmit the PIN hashed with the message data Add a unique message ID (timestamp) per customer per request

Require customer notification for dangerous operations, e.g. transfers Signup process should include in-branch application Require secure audit trails for all transactions

FINANCIAL REGULATIONS Require the Carrier to follow financial regulations regarding access and control over the messages Require the Aggregator to follow financial regulations regarding access and control over the messages

Use an STK application on the handset Require code review before it goes live Require security reviews over major components of the environment Mobile app Carrier environment Aggregator environment

Develop a clear customer service management plan for lost / stolen handsets Work with the carrier Ensure it doesn t automatically cancel CC/ATM

ENCRYPTION KEYS Manage the encryption keys/certificates used by the application Work with the Carrier on SIM keys Work with the Aggregator

CONCLUSION mfin Apps present unique challenges Trust relationships with third parties Difficult application environments No existing best practices Vendors have immature products

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information