Mobile Processing: The Perfect Storm for Data Compromise

Mobile device payment processing (e.g., dongles and apps that process credit cards) is a double-edged sword. It has been hyped as the future of consumer and business transactions in every industry, but as the number of businesses using mobile point-of-sale (mPOS) options escalates, so does the challenge of securing mobile devices. The problem is: smartphones weren't made for security or payment processing, and hackers know it. Every day, thousands of malicious apps are downloaded through app stores, putting numerous merchant smartphones and tablets at risk for payment card theft.

Published in: Business, Economy & Finance
  • This presentation will explain the risks of processing via mobile devices, help attendees understand the implications for both business and consumer data security, and provide best-practice solutions to securely fortify mPOS solutions.
  • We define a mobile device as a smartphone, an internet-connected phone, or a tablet.
  • 1958 was when the first BankAmericard (now Visa) credit card was issued. Until 1958, no one had been able to create a working revolving credit financial instrument, issued by a third-party bank, that was generally accepted by a large number of merchants.
  • Every smartphone/tablet is a cash register. Mobile processing has been hyped as the future of consumer and business transactions, but as the number of businesses using mobile point-of-sale (mPOS) solutions increases, so does the challenge of securing mobile devices.
  • Mobile processing is great for dog groomers, tradesmen, and photographers because it's convenient, cost effective, and easy to implement, and anyone can buy a smartphone or tablet.
  • We're not going to focus on mobile wallets, because that's not even remotely related to what we do. It's all consumer facing, not merchant facing.
  • There are 4 main ways of accepting cards via mobile devices.
  • Data theft has been profitable in the past via computers, so why not with mobile?
  • People think this, and it's totally wrong. Only 28% of consumers consider mobile processing to be secure.
  • Mobile devices were built for convenience, NOT security or payments.
  • Mobile devices were built for convenience, NOT security or payments. Texting, internet browsing, all these things are insecure communication threats.
  • How do mobile devices become infected?
  • Examples of malware:
    – DroidDream (2011): infected legitimate apps on the Android Market, gained root access, affected 50,000 users
    – DroidDeluxe (2011): root access to the Android phone, all files accessible
    – iOS code signing vulnerability (2011): allowed an unreviewed application into the App Store
    – FinSpy Mobile (2012): mobile variant of the FinFisher device "wire-tap"; works on iPhone, Android, BlackBerry, Windows Mobile, Symbian; monitors calls, texts, and emails, captures keystrokes, controls the microphone, tracks GPS, etc.
  • Malicious URLs are easier to hide on a mobile screen because the screen is smaller.
  • How big is this problem? Because of its mammoth market share and open source development, Android is the #1 target for cybercriminals looking to infect mobile devices. The year 2012 saw a 163% jump in mobile malware, with over 65,227 new varieties.
  • Tom owns a plumbing company and he's always on the road. He loves the fact that he can just download an app that processes people's credit cards on the go. So he thought, hey, it'd be cool if I used a flashlight app instead of a real flashlight. So he downloaded a flashlight app. Unbeknownst to him, there was secret malware inside the flashlight app's code that captured credit card data for the malware owner. The card brands get wind of it and they narrow it down to Tom. Poor Tom is nailed with forensic fees and payment card brand fines. Tom was not prepared.
  • Who is responsible for protecting users? Carriers? Operating system providers? App makers? Nobody.
  • Encrypt-at-swipe/type readers. Never manually enter data (unless encrypt-at-type). Upgrade your apps and OS to fix bugs. People don't update the OS or apps partly because they're lazy, and partly because some smartphone manufacturers don't require users to be alerted of security updates, so the user is simply unaware it needs to be done. But it's really important to fix any security vulnerabilities.
  • Only install apps from official sources (aka the well-known stores); no third-party app vendors. Ensure everyone who comes into contact with the device (employees, waitresses, etc.) is educated on mobile security! Use a mobile vulnerability scanner (aka SM MobileScan!)

    1. Mobile Processing: The Perfect Storm for Data Compromise
    2. Currently 1 mobile device for every 5 people on the planet.
    3. THEN (1958): first merchant transaction. NOW (2013): 30 million businesses accept payments; 2 billion Visa cards; $80 billion total transactions; $6.3 trillion in total volume.
    4. Mobile Processing: It has been estimated that mPOS could expand payment card acceptance up to 19 million businesses and increase new-card payments by $1.1 trillion by 2015.
    5. Micromerchants love mobile processing (mPOS): convenient, cost effective, easy implementation, low barrier of entry.
    6. Of the small businesses that use mobile devices, 1/5 use them to accept payments.
    7. Let me explain our definition of mobile processing.
    8. Mobile Wallets vs. Mobile Processing
    9. THE PROBLEM: MOBILE POS
    10. Card Reader Dongle + App
    11. Sled/Keypad + App
    12. App Only
    13. Picture/Video/Scanning App
    14. THE PROBLEM: HACKERS
    15. What Data Do People Store On Their Device? Usernames, Internet history, security question answers, bank account number, passwords, health data, PIN numbers, credit card number.
    16. Hackers Want Data. They: steal data; sell it to other cybercriminals for a profit; use it to create fake credit cards.
    17. 32% of mobile malware created in 2012 was designed to steal information from your device.
    18. THE PROBLEM: TECHNOLOGY
    19. "Mobile is so technologically advanced, it's got to be secure against hackers... right?"
    20. Mobile vs. POS. POS terminal: firewall-controlled environment; limited access to Internet; built for payments.
    21. Mobile vs. POS. Smartphone/tablet: no firewalls; Internet always available; built for convenience; insecure OS; mobile malware; SMS threats.
    22. In a nutshell, phone operating systems have less security than computers or typical POS terminals.
    23. THE PROBLEM: THREATS
    24. Apple and Google are about to reach 50 billion total unique app downloads.
    25. Malicious App Malware: write code into new apps, or write code into old apps and repackage; collect personal data, change settings, read from card readers.
    26. Open source development: good for app creation, bad for security. Susceptible to malware in other ways: URLs redirect users to malicious sites.
    27. In 2012, 97% of malware was designed specifically to attack Android, and 32.8 million devices were infected.
    28. Meet Tom: uses smartphone to process cards; downloads flashlight app; app has malware; customer's data stolen.
    29. BEST PRACTICES
    30. A more secure processing future: dual processing. Process cards on one chip; browse the Internet, text, and use apps on the other.
    31. Who is Responsible for Mobile Security? Regulated by the PCI Council: Mobile Payment Acceptance Security Guidelines.
    32. 6 Best Practices: 1. Encrypt at type/swipe; 2. No manual card entry; 3. Update apps and OS.
    33. 6 Best Practices: 4. Install apps via official sources; 5. Employee mobile training; 6. Mobile scans.
    34. Android & iOS app. Scans for threats that originate from: mobile malware, Wi-Fi networks, account data access, NFC, Bluetooth.
    35. Malware will target cardholder data. Don't wait for PCI DSS mobile requirements. Make mobile processing safer by following best practices. Acquirers and vendors must offer secure solutions.
    36. QUESTIONS? mobilescan@securitymetrics.com