Speaker notes:
Founder & CEO of MSP, focus on optimizing mobile commerce from both biz & tech perspective; participated in a number of security reviews in a variety of verticals; spoken on mobile security, authored whitepaper.
As a part of my practice I help companies with risk assessments.
Show of hands – PIN lock on phone? Looked at someone else’s phone on a train or plane? (Credent 5/09, 40% don’t lock, 99% have sens. data) http://www.darkreading.com/security/client/showArticle.jhtml?articleID=215901048
The real threat isn’t in what people fear, but in other overlooked areas.
USAA, BofA, numbers on fraud caught immediately by consumers b/c of mobile?
Transcript of "Mobile Strategy Partners Mobile Security"

Mobile Security
Mobile Commerce USA - November 2009
David Eads, Founder
david@MobileStrategyPartners.com
+1 (404) 285-4219

Background
Founder & CEO, Mobile Strategy Partners LLC
Help organizations optimize mobile commerce from both a business & tech perspective
Perform Risk Assessments as a part of my practice
Participated in many IT security reviews throughout my career in ecommerce, mobile commerce
Confidential

Frozen in fear
Security consistently reported as the biggest barrier to mobile banking and mobile commerce usage
47% of non-adopters cite security; 73% fear hackers can break into their phones (Tom Wills, Javelin, 12/08)
Security considered during purchase, implementation
Fraud fears limit Mobile Commerce functionality in N. America
Few commerce apps with a real checkout process
Limited transactional capabilities in mobile banking
Mobile payments wheels still spinning (esp. P2P)
Attacks follow adoption: Africa was first, hackers will turn to us
Phishing seems the most common & effective attack
SIM, mobile phone fraud also related (Absa ‘07)

It’s not what we fear…
Mobile Commerce is basically safe, however consumers are still afraid
Everyone generally learned lessons of ecommerce
128-bit SSL
Multifactor Authentication
Phone Disabling features
Phone viruses, network hacks rare so far
Mobile makes us MORE secure in many ways
Balance, Transaction alerts, visibility

… the danger is the unknown
Untested defenses are weak defenses
Monitoring systems an afterthought
Mobile new to Information Security teams
Consumer education lacking
Unsophisticated users with smart phones

Social trickery
Phishing proven effective, likely to continue
Phishing often cross-channel
Fake call centers, targeted attacks, detailed research
URL not visible on mobile browsers, URL shorteners
SMS alerts perfect temptation for phishing
Shortcode registration limits spoofing, but possible
Linking from SMS to web encourages email to web
Social networking, mobile convergence amplifies risk

Limited Detection
Few organizations monitor for mobile attacks
Variety of fraud detection systems exist for ecommerce sites but not optimized for mobile
Some adaptable to mobile, mobile requires more (e.g. monitor SMS patterns, web services, mobile web)
Security companies yet to fully focus on mobile
Recession, limited adoption discourages investment in defensive systems
Attacks can happen even if adoption is low!
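The slide's point that mobile needs its own detection (SMS patterns, web services, mobile web, not just the web channel) is easiest to see with rules that correlate events across channels. The following is an added example, not part of the deck or of Mobile Strategy Partners' tooling; the event format, channel names, thresholds and the log rows themselves are all constructed for illustration. It runs two rules over a small cross-channel event log: one MSISDN querying many different accounts over SMS in a short window, and an SMS alert on an account followed by a new-device mobile web login and a new-payee transfer.

```python
"""Mobile-aware fraud detection over a constructed cross-channel event log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    channel: str   # "sms", "mobile_web", "web_service" or "web"
    account: str
    source: str    # MSISDN for the SMS channel, device id for the others
    action: str


# Constructed sample rows: (timestamp, channel, account, source, action).
SAMPLE_EVENTS = [
    ("2009-11-03 09:00:00", "sms", "acct-1001", "+15550001", "balance_query"),
    ("2009-11-03 09:00:20", "sms", "acct-1002", "+15550001", "balance_query"),
    ("2009-11-03 09:00:41", "sms", "acct-1003", "+15550001", "balance_query"),
    ("2009-11-03 09:01:05", "sms", "acct-1004", "+15550001", "balance_query"),
    ("2009-11-03 09:01:30", "sms", "acct-1005", "+15550001", "balance_query"),
    ("2009-11-03 10:15:00", "sms", "acct-2000", "+15550002", "alert_sent"),
    ("2009-11-03 10:17:10", "mobile_web", "acct-2000", "dev-unknown-77", "login_new_device"),
    ("2009-11-03 10:19:00", "mobile_web", "acct-2000", "dev-unknown-77", "transfer_new_payee"),
    ("2009-11-03 11:00:00", "mobile_web", "acct-3000", "dev-known-5", "login"),
    ("2009-11-03 11:05:00", "mobile_web", "acct-3000", "dev-known-5", "transfer_new_payee"),
]


def parse_events(rows):
    """Turn raw rows into Event objects sorted by time."""
    events = [Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ch, acct, src, act)
              for ts, ch, acct, src, act in rows]
    return sorted(events, key=lambda e: e.ts)


def detect_sms_enumeration(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag one MSISDN that queries many distinct accounts over SMS within `window`.

    A web-only fraud system never sees the SMS channel, so this pattern is invisible to it.
    """
    alerts = []
    by_source = defaultdict(list)
    for e in events:
        if e.channel == "sms" and e.action == "balance_query":
            by_source[e.source].append(e)
    for source, evs in by_source.items():
        for i, start in enumerate(evs):  # slide a window starting at each query
            accounts = {x.account for x in evs[i:] if x.ts - start.ts <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"rule": "sms_enumeration", "source": source,
                               "accounts": len(accounts)})
                break
    return alerts


def detect_alert_then_takeover(events, window=timedelta(minutes=10)):
    """Flag an SMS alert followed (in order, within `window`) by a new-device login and a
    new-payee transfer on the same account: the cross-channel shape of an SMS phish."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if not (e.channel == "sms" and e.action == "alert_sent"):
                continue
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            actions = [x.action for x in later]
            if ("login_new_device" in actions and "transfer_new_payee" in actions
                    and actions.index("login_new_device") < actions.index("transfer_new_payee")):
                device = later[actions.index("login_new_device")].source
                alerts.append({"rule": "alert_then_takeover", "account": account,
                               "device": device})
                break
    return alerts


def run_detections(rows=SAMPLE_EVENTS):
    """Run every rule over the rows and return the combined alert list."""
    events = parse_events(rows)
    return detect_sms_enumeration(events) + detect_alert_then_takeover(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Both rules depend on the SMS channel being logged in the same place as the mobile web channel; the account acct-3000 session, a known device with no preceding alert, is left alone, which is the kind of baseline an ecommerce-tuned system already handles.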

Unsophisticated Users
What happens when my Mom has a smartphone?!
Unsophisticated users today tend to have unsophisticated phones which provide significant protection
Smartphone trend means most phones will be smart
My Mother-in-law & Father-in-law have Blackberries
They are more vulnerable via phone than AOL dial-up
Damage to unsophisticated users can create major perception problems for the entire industry

Recommendations
Continue discouraging SMS, email links to apps
Promote, encourage PIN-locking phones
Require Multifactor Authentication & don’t bypass it
Avoid storing sensitive data on phones
Architect mobile systems with security in mind
Keep sensitive data out of DMZs
Continual penetration testing
Mobile-aware fraud detection

Best Practices
DO Encourage transactional functionality that drives revenue, like checkout, payments, etc.
DO perform a thorough risk assessment with mobile experts starting at the design phase
DO continual penetration testing and monitoring
DO user experience design to prevent confusion
DO require true MFA before transactions, etc.
DO provide strong encryption, etc.

Worst Practices
DON’T store sensitive data on the phone
DON’T encourage linking from SMS messages
DON’T let vendor architecture create security risks
DON’T display user identifiable information without proper multifactor authentication
DON’T do transactions in SMS without authentication from another channel (like voice)
DON’T encourage putting sensitive info in SMS
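Three of the DON’Ts above (no links in SMS, no transactions in SMS without authentication from another channel, no sensitive info in SMS) translate directly into server-side rules for an SMS banking gateway. The following is an added example written to show those rules in code; it is not the deck's code or any product of Mobile Strategy Partners, and the command syntax, the voice/app confirmation channels, the five-minute confirmation window and the sample account are all constructed assumptions. A PAY command only creates a pending payment; money moves only when the payment is confirmed over a channel other than SMS, and outbound messages are checked for links before they are sent.

```python
"""SMS banking gateway that enforces the deck's SMS rules (added example, constructed)."""
import re
import secrets
from datetime import datetime, timedelta
from decimal import Decimal, InvalidOperation

# Anything that looks like a link is refused in outbound SMS (rule: don't link from SMS).
URL_RE = re.compile(r"(https?://|www\.|\b[\w-]+\.(com|net|org)\b)", re.I)
# Long digit runs or the word PIN in inbound SMS are treated as sensitive data sent in the clear.
SENSITIVE_RE = re.compile(r"\b\d{13,19}\b|\bPIN\b", re.I)
# Channels that may confirm a payment; "sms" is deliberately absent.
CONFIRMING_CHANNELS = {"voice", "app"}


class SmsBankingGateway:
    def __init__(self, accounts, confirm_ttl=timedelta(minutes=5)):
        self.accounts = accounts      # msisdn -> {"last4": str, "balance": Decimal}
        self.pending = {}             # confirmation code -> pending payment
        self.confirm_ttl = confirm_ttl
        self.outbox = []              # (msisdn, text) messages that passed the link check

    def _reply(self, msisdn, text):
        """Send an SMS only if it contains no link; a violation is a bug, not a user error."""
        if URL_RE.search(text):
            raise ValueError("policy: outbound SMS must not contain links")
        self.outbox.append((msisdn, text))
        return text

    def handle_inbound(self, msisdn, text, now):
        """Process one inbound SMS; returns the reply text, or None if no reply is sent."""
        acct = self.accounts.get(msisdn)
        if acct is None:
            return None   # unknown number: no reply, nothing to learn from the silence
        if SENSITIVE_RE.search(text):
            return self._reply(msisdn, "Never send card numbers or PINs by text. Message discarded.")
        parts = text.strip().upper().split()
        if parts[:1] == ["BAL"]:
            # Balance with a masked account reference: the one piece of data the deck
            # considers appropriate for SMS (balance/transaction alerts).
            return self._reply(msisdn, f"Acct ...{acct['last4']} balance: {acct['balance']:.2f}")
        if parts[:1] == ["PAY"] and len(parts) == 3:
            try:
                amount = Decimal(parts[1])
            except InvalidOperation:
                return self._reply(msisdn, "Amount not understood. Format: PAY <amount> <payee>")
            if amount <= 0:
                return self._reply(msisdn, "Amount must be positive.")
            code = secrets.token_hex(4)
            self.pending[code] = {"msisdn": msisdn, "amount": amount, "payee": parts[2],
                                  "expires": now + self.confirm_ttl}
            return self._reply(msisdn, f"Payment of {amount:.2f} to {parts[2]} is pending. "
                                       f"Confirm code {code} by phone call or in the app within 5 minutes.")
        return self._reply(msisdn, "Commands: BAL, PAY <amount> <payee>")

    def confirm(self, code, channel, now):
        """Execute a pending payment only when confirmed over a non-SMS channel in time."""
        if channel not in CONFIRMING_CHANNELS:
            return False
        txn = self.pending.get(code)
        if txn is None:
            return False
        if now > txn["expires"]:
            del self.pending[code]    # expired codes are dropped, not retried
            return False
        acct = self.accounts[txn["msisdn"]]
        if acct["balance"] < txn["amount"]:
            return False
        acct["balance"] -= txn["amount"]
        del self.pending[code]
        self._reply(txn["msisdn"], f"Payment of {txn['amount']:.2f} to {txn['payee']} sent.")
        return True


def demo():
    """Constructed walk-through: a pending payment, an SMS confirmation refused, a voice one accepted."""
    gw = SmsBankingGateway({"+15550001": {"last4": "4321", "balance": Decimal("100.00")}})
    t0 = datetime(2009, 11, 3, 10, 0, 0)
    gw.handle_inbound("+15550001", "PAY 40.00 ACME", t0)
    code = next(iter(gw.pending))
    refused = gw.confirm(code, "sms", t0 + timedelta(minutes=1))
    accepted = gw.confirm(code, "voice", t0 + timedelta(minutes=2))
    return gw, refused, accepted


if __name__ == "__main__":
    gateway, sms_result, voice_result = demo()
    print("confirm over SMS:", sms_result, "| confirm over voice:", voice_result)
    print("balance now:", gateway.accounts["+15550001"]["balance"])
```

The confirmation code itself carries no value without the second channel, which is the point of the DON’T: an attacker who can read or spoof the SMS channel still cannot complete the payment, and the user is never asked to tap a link or type a PIN into a text.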

Threat Examples
Hacker getting to credit card numbers or other useful identity theft information through a breach in corporate access through mobile connection
Phishing attacks to trick users into providing access
Phishers then transfer money out of their account
Phishers could also potentially manipulate stocks
Using identifiable information to gain access
Mobile app doesn’t do transactions, but exposes data
Thief uses data to gain access to acct. over phone