Securing 3-Mode Mobile Banking



This presentation was given at the Credit Union InfoSec 2013 Conference in Las Vegas, NV.

Securing 3-Mode Mobile Banking: Presentation Transcript

  • Think beyond. Go beyond. Securing 3-mode Mobile Banking
    Jay McLaughlin, CISSP, SVP, Chief Security Officer, Q2ebanking
  • Agenda
    •  Impact: Consumerization of Technology
    •  Understanding the Threat Landscape
    •  Securing the Channel
    •  Evolving Security within this Space
    •  Summary & QA
  • Mobile Waves
    •  300,000 apps developed in 3 years
    •  1.2 billion mobile web users
    •  8 trillion SMS messages sent last year
    •  35 billion value of apps downloaded
    •  1 billion est. mobile banking customers**
    **Source: Juniper Research, Mar 2013
  • Consumerization of Technology
    •  Growing tendency for new information technology to emerge first in the consumer market and then spread into business and government organizations
    •  Consumer markets as the primary driver of information technology innovation
    •  One of the most difficult issues facing mobile banking today is providing access to the multiplicity of devices that customers use.
      –  This list of devices has only grown longer and more complex with the addition of tablets
  • Growing Impact
    People camped outside of Apple's stores to purchase the iPhone & iPad! When was the last time a customer camped outside of your branch with excitement?
  • Putting Global Mobile in Context
    Source: Chetan Sharma Consulting, 2012, www.chetansharma.com
  • Mobile Phones Outnumber Credit Cards
  • Apps On The Rise
  • The Common Language: SMS
    •  Providing a text channel should be a high priority
    •  Text message banking offers compelling advantages
      –  Encourages consumers to avoid more costly in-branch and phone interactions, while at the same time boosting consumer satisfaction through increased convenience. Providing a text channel is necessary to raise mobile banking
      –  And, unlike browser and app banking channels, text message banking does not require costly development across multiple platforms.
      –  Adoption across all levels of mobile device ownership
  • Critical Barrier to Adoption
    •  Awareness [about mobile banking] is limited to slightly more than half of all smartphone owners with a bank account
    •  Concerns about the security of mobile banking and mobile payment technologies remain one of the primary impediments to further adoption
      –  *Security concerns are cited as the top barrier to both online and mobile banking
    (*Source: Javelin Research, "Mobile Banking Financial Institution Scorecard", Nov 2012)
  • Think beyond. Go beyond. Understanding the Threats
  • Incoming!!! Mobile!!!
    •  As the technology changes, the attack surface will change
    •  Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we've ever seen.
      –  An important factor is lacking: customer adoption. The number of users who bank online from their mobile devices is still relatively low in comparison.
      –  Additionally, transaction types are limited or not yet enabled for mobile devices. Since online fraud is mostly a big-numbers game, attacking mobile bankers is not yet an effective fraud operation.
    •  Security vendor Trusteer has predicted that within 12 to 24 months over 1 in 20 (5.6%) of all Android and iOS devices ARE LIKELY to be infected by mobile malware
  • Mobile: Current Threat Landscape
    •  App Stores
      –  App Store, Google Play, BlackBerry World, Windows Phone Store
    •  Mobile malware (Trojans, downloaders, etc.)
    •  Insecure device security (rooting, jailbreaking, etc.)
    •  Insecure applications
      –  Ex. third-party APIs, insecure data storage, information disclosure
    •  User exploitation
    •  Failure to recognize the power of mobile devices
  • Remember 1993? …10 years later…
  • Mobile Malware
    •  Researchers identified the first instance of mobile malware in 2004
    •  More than 80 infected apps have been removed from Google Play since 2011
    •  Android malware has infected more than 250,000 users (ex. Gozi)
  • Mobile Malware Dangers
  • Mobile Malware
    •  Mobile malware component that ZeuS entices users to load and run on their mobile devices.
    •  ZitMO (aka "ZeuS-in-the-Mobile") / CitMO (Carberp)
    http://www.infosecurity-magazine.com/view/29705/-zeus-malware-throws-36-million-lightning-bolt-across-europe
  • Malware Vectors
    •  Malicious apps in App Store
    •  Vulnerabilities in software leveraged during normal user behavior (exploits)
    •  Malicious e-mail or attachment ("spear phishing")
    •  Malicious web content ("drive-by download")
    •  Fewer vectors: absence of Flash / Java
  • Malicious Apps
  • Security Models: iOS vs. Android
    •  iOS
      –  Mandatory code signing by Apple
      –  Individual apps are sandboxed using mandatory access control (MAC) security
      –  Uses ASLR on sysbin and some apps
      –  Single app store to control publishing
    •  Android
      –  Can load new code at runtime
      –  Sandbox is flawed, allowing an app to exploit the kernel
      –  Apps can have any permissions, require approval
      –  Many app stores (Google, Amazon, underground)
  • Security Around The Delivery of the App
    •  Code signing requires apps to be downloaded from the App Store
    •  Publishers' real-world identities are verified by Apple
    •  Apps are reviewed by Apple before they are available in the App Store
    •  Apple acts as an anti-virus for iOS
  • Year in Review: Mobile Threatscape
    (*Source: F-Secure Mobile Threat Report Q4 2012)
  • Jailbreaking Devices
    •  sn0wbreeze, redsn0w, acidsn0w, jailbreakme, greenpoison
    •  Why? For functionality, more apps
    •  "Jailbreaking" or "rooting" destroys the security model
    •  Jailbreaking techniques leave the device with a standard root password that may grant admin-level access
    •  Convenience at the expense of security
  • Physical Attacks
    •  Latest proof-of-concept device attack
      –  If physical access is ever gained, GAME OVER.
    Source: BBC News, June 2013, http://www.bbc.co.uk/news/technology-22764815
  • QR Codes
    •  QR codes surfacing containing malicious links
    •  First case confirmed by Kaspersky Labs last year: mobile malware used to send premium SMS messages
    http://siliconangle.com/blog/2011/10/21/infected-qr-malware-surfaces-on-smartphones-apps/
  • Can you spot which one is EVIL?
  • Think beyond. Go beyond. Securing the Channel
  • Emerging Target
    •  Fraudsters target the largest bang for their buck
      –  Currently represents the online channel
    •  Perception is not necessarily reality
      –  but expect the mobile channel to present itself as a larger target as adoption increases
  • Mobile Security
    •  Mobile banking presents a set of security risks [significantly] different than those for non-mobile online banking… NOT REALLY
    •  User authentication, transaction authorization, and data security in the mobile channel must be dealt with
      –  Is it different than securing other channels?
  • Device Security
    •  It is hard to design a security model which protects against programs a user downloads and wants to run
    •  It is typically not the job of the OS to prevent you from running the programs you choose to run
    •  Anti-virus is designed to help decide which programs are okay to run and which are not
  • Building a Layered Security Model
    •  Defense-in-depth
      –  "deep" or "elastic"
    •  Derived from a military strategy; requires that a defender deploy resources at and well behind the front line
    •  Reliance on any single control or mitigating factor is not sufficient
    •  Prevents shortfalls in any single defense control
  • Consumer Focus Group: Computer Security
  • Mobile Authentication
    •  Extend online security models
      –  provides comprehensive, multi-layered security features for both you and your end users
      –  FFIEC Guidance called out the mobile channel
    •  Out-of-band multi-factor authentication (MFA)
    •  Leveraging temporary access codes (TACs)
    •  Delivery via phone call, SMS, email
    •  Device registration using HTML5 cookies
  • Out-of-Band 2F Will Replace Passwords
    Out-of-band two-factor authentication is becoming more popular across consumer technologies, replacing passwords
  • It’s More Mainstream than you Realize
  • Mobile Transaction Authorization
    •  Out-of-band transaction approval
    Direct from FFIEC's June 2011 Guidance: "Out-of-band authentication means that a transaction that is initiated via one delivery channel [e.g. online] must be re-authenticated or verified via an independent delivery channel [e.g. telephone] in order for the transaction to be completed"
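Worked example of the out-of-band approval the FFIEC text above describes, combined with the temporary access codes (TACs) from the Mobile Authentication slide. This is an added example, not the presentation's or Q2ebanking's code; the SMS sender callback, the 300-second validity window and the three-attempt limit are assumptions:

```python
"""Out-of-band transaction approval with temporary access codes (TACs).
Added example, not the presentation's or Q2ebanking's code; names and
limits are assumptions. A transfer is initiated in the online channel and
completes only with a TAC delivered via an independent channel (SMS, simulated)."""
import hmac
import secrets
import time

TAC_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit before the transaction is voided


class OutOfBandAuthorizer:
    def __init__(self, sms_sender, clock=time.time):
        self._send_sms = sms_sender   # the independent delivery channel
        self._clock = clock
        self._pending = {}            # txn_id -> transaction record

    def initiate(self, amount, recipient, phone_number):
        """Channel 1 (online): park the transaction and push a TAC out of band."""
        txn_id = secrets.token_hex(8)
        tac = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self._pending[txn_id] = {
            "amount": amount, "recipient": recipient, "tac": tac,
            "expires_at": self._clock() + TAC_TTL_SECONDS,
            "attempts": 0, "state": "pending",   # pending -> completed | voided
        }
        # The message binds the code to the transaction details so the
        # customer can spot a transfer they did not initiate.
        self._send_sms(phone_number, f"Code {tac} approves {amount:.2f} to {recipient}")
        return txn_id

    def verify(self, txn_id, submitted_tac):
        """Channel 2 (phone): complete only with a fresh, unused, matching TAC."""
        txn = self._pending.get(txn_id)
        if txn is None or txn["state"] != "pending":
            return False                # unknown, already completed, or voided
        if self._clock() > txn["expires_at"]:
            txn["state"] = "voided"     # expired codes never succeed
            return False
        txn["attempts"] += 1
        if hmac.compare_digest(txn["tac"], submitted_tac):
            txn["state"] = "completed"  # single use: state change blocks replay
            return True
        if txn["attempts"] >= MAX_ATTEMPTS:
            txn["state"] = "voided"     # guessing guard: the transaction dies
        return False

    def state(self, txn_id):
        return self._pending.get(txn_id, {}).get("state", "unknown")
```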
  • Leverage Alerts
    •  Users must play a part and participate in fighting fraud
    •  Real-time alerts delivered to a victim are timely and provide the opportunity to alert the financial institution of activity
    •  Transactional Alerting
      –  Ex: creation, authorization
    •  Changes to profile settings
    •  Security Event Alerts
      –  Ex: pwd changes, failed logon attempts
  • Behavioral & Machine Learning Models
    [Diagram: the following inputs feed a score]
    •  Login Behavior: Time of Login, Location of Login
    •  Transaction Behavior: Transaction Behavioral Models; Dom/Intl Wire, ACH, Payroll, Ext Transfer; Transaction Policies; Recipient Monitoring; Modifications to templates
    •  Endpoint Interrogation: User Agent, Device ID, Recognized Devices
    •  Score: Yes or No; Suspect or Normal
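An added example (not the presentation's or Q2ebanking's model) showing how the signals in the diagram above can be combined into a score that resolves to Suspect or Normal; the weights, the threshold and the layout of the customer profile are assumptions:

```python
"""Behavioral risk scoring over the diagram's signals: login time and location,
device recognition, transaction type and policy limits, recipient and template
changes. Added example, not the presentation's or Q2ebanking's model; weights,
threshold and the profile layout are assumptions."""
from datetime import datetime

SUSPECT_THRESHOLD = 50   # assumed cut-off between "Normal" and "Suspect"
# Assumed base risk per transaction type (categories from the slide)
TYPE_RISK = {"intl_wire": 30, "dom_wire": 15, "ach": 10,
             "payroll": 10, "ext_transfer": 15}


def score_session(profile, login, txn):
    """Return (score, reasons) for one login + transaction against the
    customer's learned baseline `profile` (all three are plain dicts)."""
    score, reasons = 0, []

    def flag(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    # Login behaviour: time and location
    hour = datetime.fromisoformat(login["time"]).hour
    lo, hi = profile["usual_hours"]
    if not (lo <= hour <= hi):
        flag(15, "login outside usual hours")
    if login["country"] != profile["home_country"]:
        flag(25, "login from unusual country")
    # Endpoint interrogation: device id and user agent
    if login["device_id"] not in profile["recognized_devices"]:
        flag(20, "unrecognized device")
    if login["user_agent"] not in profile["seen_user_agents"]:
        flag(5, "new user agent")
    # Transaction behaviour: type, policy, recipient, template changes
    flag(TYPE_RISK.get(txn["type"], 0), f"transaction type {txn['type']}")
    limit = profile["policy_limits"].get(txn["type"], float("inf"))
    if txn["amount"] > limit:
        flag(30, "amount exceeds transaction policy limit")
    if txn["recipient"] not in profile["known_recipients"]:
        flag(20, "new recipient")
    if txn.get("template_modified"):
        flag(15, "payment template modified this session")
    return score, reasons


def classify(profile, login, txn):
    """Map the score to the slide's yes/no outcome: 'Suspect' or 'Normal'."""
    score, reasons = score_session(profile, login, txn)
    return ("Suspect" if score >= SUSPECT_THRESHOLD else "Normal"), score, reasons
```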
  • Secure Development & Testing
    •  Develop with security at the foundation
      –  Follow best practices, SDLC, etc.
    •  Intentionally limit app caching
      –  Can perform app cache clearing during init
    •  HTML5 rendering performed client side
      –  BLOB sent from server to client
      –  Limits injection, XSS, other attacks
  • Think beyond. Go beyond. Closing Remarks
  • The Future
    "The future ain't what it used to be."
    –  Lawrence "Yogi" Berra, New York Yankees, 1946-1964
  • Get Out in Front
    •  Ad-hoc approaches result in reactive decisions
    •  Disruptive changes present opportunities
  • Q & A
    Declare var $response
    if [?] >= '1'
        then $response = 'answer'
        else $response = 'thankyou'
    end if;
  • Thank you. linkedin.com/in/mclaughlinjay, jmclaughlin@q2ebanking.com