Mobile Processing: The Perfect Storm for Data Compromise

Mobile device payment processing (e.g., dongles and apps that process credit cards) is a double-edged sword. It has been hyped as the future of consumer and business transactions in every industry, but as the number of businesses using mobile point-of-sale (mPOS) options escalates, so does the challenge of securing mobile devices. The problem is: smartphones weren't made for security or payment processing, and hackers know it. Every day, thousands of malicious apps are downloaded through app stores, putting numerous merchant smartphones and tablets at risk for payment card theft.

  • Mobile Processing: The Perfect Storm for Data Compromise. Mobile device payment processing (e.g., dongles and apps that process credit cards) is a double-edged sword. It has been hyped as the future of consumer and business transactions in every industry, but as the number of businesses using mobile point-of-sale (mPOS) options escalates, so does the challenge of securing mobile devices. The problem is: smartphones weren't made for security or payment processing, and hackers know it. Every day, thousands of malicious apps are downloaded through app stores, putting numerous merchant smartphones and tablets at risk for payment card theft. This presentation will explain the risks of processing via mobile devices, help attendees understand the implications to both business and consumer data security, and provide best practice solutions to securely fortify mPOS solutions.
  • We define "mobile device" as smartphones, internet-connected phones, and tablets.
  • 1958 was when the first BankAmericard (now Visa) credit card was issued. Until 1958, no one had been able to create a working revolving credit financial instrument issued by a third-party bank that was generally accepted by a large number of merchants.
  • Every smartphone/tablet is a cash register. Mobile processing has been hyped as the future of consumer and business transactions, but as the number of businesses using mobile point-of-sale (mPOS) solutions increases, so does the challenge of securing mobile devices.
  • Mobile processing is great for dog groomers, tradesmen, and photographers because it's convenient, cost effective, easy to implement, and anyone can buy a smartphone or tablet.
  • We're not going to focus on mobile wallets, because that's not even remotely related to what we do. It's all consumer facing, not merchant facing.
  • There are 4 main ways of accepting cards via mobile devices.
  • Data theft has been profitable in the past via computers, so why not with mobile?
  • People think this… and it's totally wrong. Only 28% of consumers consider mobile processing to be secure.
  • Mobile devices were built for convenience, NOT security or payments
  • Mobile devices were built for convenience, NOT security or payments. Texting, internet browsing: all of these are insecure communication channels that expose the device to threats.
  • How do mobile devices become infected?
  • Examples of malware: Droid Dream (2011) – infected legitimate apps on the Android Market, root access gained, affected 50,000 users. Droid Deluxe (2011) – root access to the Android phone, all files accessible. iOS code signing vulnerability (2011) – allowed an unreviewed application into the App Store. FinSpy Mobile (2012) – mobile variant of the FinFisher device "wire-tap"; works on iPhone, Android, BlackBerry, Windows Mobile, Symbian; monitors calls, texts, emails, captures keystrokes, controls the microphone, tracks GPS, etc.
  • Malicious URLS are easier to hide on a mobile screen because screen is smaller
  • How big is this problem? Because of its mammoth market share and open source development, Android is the #1 target for cybercriminals looking to infect mobile devices.The year 2012 saw a 163% jump in mobile malware with over 65,227 new varieties.
  • Tom owns a plumbing company and he's always on the road. He loves the fact that he can just download an app that processes people's credit cards on the go. So he thought, hey, it'd be cool if I used a flashlight app instead of a real flashlight. So he downloaded a flashlight app. Unbeknownst to him, there was secret malware inside the flashlight app's code that captured credit card data for the malware owner. The card brands get wind of it and they narrow it down to Tom. Poor Tom is nailed with forensic fees and payment card brand fines. Tom was not prepared.
  • Who is responsible for protecting users? Carriers? Operating system providers? App makers? Nobody.
  • Encrypt-at-swipe/encrypt-at-type readers. Never manually enter data (unless using encrypt at type). Upgrade your apps and OS to fix bugs. People don't update the OS or apps partly because they're lazy, and partly because some smartphone manufacturers don't require users to be alerted of security updates, so the user is simply unaware it needs to be done. But it's really important to fix any security vulnerabilities.
  • Only install apps from official sources (aka the well-known stores); no third-party app vendors. Ensure everyone who comes into contact with the device (employees, waitresses, etc.) is educated on mobile security! Use a mobile vulnerability scanner (aka SM MobileScan!).

Mobile Processing: The Perfect Storm for Data Compromise – Presentation Transcript

  • Mobile Processing: The Perfect Storm for Data Compromise
  • Currently 1 mobile device for every 5 people on the planet.
  • THEN… 1958: first merchant transaction. NOW… 2013: 30 million businesses accept payments, 2 billion Visa cards, $80 billion total transactions, $6.3 trillion in total volume.
  • Mobile Processing: It has been estimated that mPOS could expand payment card acceptance to up to 19 million businesses and increase new-card payments by $1.1 trillion by 2015.
  • Micromerchants love mobile processing (mPOS): convenient, cost effective, easy implementation, low barrier of entry.
  • Of the small businesses that use mobile devices, 1/5 use them to accept payments.
  • Let me explain… our definition of mobile processing.
  • Mobile Wallets vs. Mobile Processing
  • THE PROBLEM: MOBILE POS
  • Card Reader Dongle + App
  • Sled/Keypad + App
  • App Only
  • Picture/Video/Scanning App
  • THE PROBLEM: HACKERS
  • What Data Do People Store On Their Device? Usernames, Internet history, security question answers, bank account number, passwords, health data, PIN numbers, credit card number.
  • Hackers Want Data. They steal data, sell it to other cybercriminals for a profit, and use it to create fake credit cards.
  • 32% of mobile malware created in 2012 was designed to steal information from your device.
  • THE PROBLEM: TECHNOLOGY
  • "Mobile is so technologically advanced, it's got to be secure against hackers… right?"
  • Mobile vs. POS. POS terminal: firewall-controlled environment, limited access to Internet, built for payments.
  • Mobile vs. POS. Smartphone/tablet: no firewalls, Internet always available, built for convenience, insecure OS, mobile malware, SMS threats.
  • In a nutshell, phone operating systems have less security than computers or typical POS terminals.
  • THE PROBLEM: THREATS
  • Apple and Google are about to reach 50 billion total unique app downloads.
  • Malicious App Malware: write code into new apps, or write code into old apps and repackage; collect personal data, change settings, read from card readers.
  • Open source development: good for app creation, bad for security. Susceptible to malware in other ways: URLs redirect users to malicious sites.
  • In 2012, 97% of malware was designed specifically to attack Android & 32.8 million devices were infected.
  • Meet Tom: uses smartphone to process cards, downloads flashlight app, app has malware, customer's data stolen.
  • BEST PRACTICES
  • A more secure processing future… Dual processing: process cards on one chip; browse Internet, text, use apps on the other.
  • Who is Responsible for Mobile Security? Regulated by PCI Council: Mobile Payment Acceptance Security Guidelines.
  • 6 Best Practices: 1. Encrypt at type/swipe; 2. No manual card entry; 3. Update apps and OS.
  • 6 Best Practices: 4. Install apps via official sources; 5. Employee mobile training; 6. Mobile scans.
  • Android & iOS app. Scans for threats that originate from: mobile malware, Wi-Fi networks, account data access, NFC, Bluetooth.
  • Malware will target cardholder data. Don't wait for PCI DSS mobile requirements. Make mobile processing safer by following best practices. Acquirers and vendors must offer secure solutions.
  • QUESTIONS? mobilescan@securitymetrics.com