
Mobile Strategy Partners Mobile Security


Mobile Security presentation for Mobile Commerce USA conference in San Francisco, November 3, 2009


  1. Mobile Security
     Mobile Commerce USA - November 2009
     David Eads, Founder
     +1 (404) 285-4219

  2. Background
     • Founder & CEO, Mobile Strategy Partners LLC
     • Help organizations optimize mobile commerce from both a business & tech perspective
     • Perform Risk Assessments as a part of my practice
     • Participated in many IT security reviews throughout my career in ecommerce, mobile commerce
     Confidential

  3. Frozen in fear
     • Security consistently reported as the biggest barrier to mobile banking and mobile commerce usage
     • 47% of non-adopters cite security; 73% fear hackers can break into their phones (Tom Wills, Javelin, 12/08)
     • Security considered during purchase, implementation
     • Fraud fears limit Mobile Commerce functionality in N. America
     • Few commerce apps with a real checkout process
     • Limited transactional capabilities in mobile banking
     • Mobile payments wheels still spinning (esp. P2P)
     • Attacks follow adoption: Africa was first, hackers will turn to us
     • Phishing seems the most common & effective attack
     • SIM, Mobile phone fraud also related (Absa ‘07)

  4. It’s not what we fear…
     • Mobile Commerce is basically safe, however consumers are still afraid
     • Everyone generally learned lessons of ecommerce
     • 128-bit SSL
     • Multifactor Authentication
     • Phone Disabling features
     • Phone viruses, network hacks rare so far
     • Mobile makes us MORE secure in many ways
     • Balance, Transaction alerts, visibility

  5. … the danger is the unknown
     • Untested defenses are weak defenses
     • Monitoring systems an afterthought
     • Mobile new to Information Security teams
     • Consumer education lacking
     • Unsophisticated users with smart phones

  6. Social trickery
     • Phishing proven effective, likely to continue
     • Phishing often cross-channel
     • Fake call centers, targeted attacks, detailed research
     • URL not visible on mobile browsers, URL shorteners
     • SMS alerts perfect temptation for phishing
     • Shortcode registration limits spoofing, but possible
     • Linking from SMS to web encourages email to web
     • Social networking, mobile convergence amplifies risk

  7. Limited Detection
     • Few organizations monitor for mobile attacks
     • Variety of fraud detection systems exist for ecommerce sites but not optimized for mobile
     • Some adaptable to mobile, mobile requires more (e.g. monitor SMS patterns, web services, mobile web)
     • Security companies yet to fully focus on mobile
     • Recession, limited adoption discourages investment in defensive systems
     • Attacks can happen even if adoption is low!
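As an added example that is not part of the deck, here is a defender-side check over SMS alert traffic for the indicators slides 6 and 7 name: links and URL shorteners in SMS, senders that are not the registered shortcode, urgency lures, and the same lure repeating across many senders (the "monitor SMS patterns" idea). The shortcode, the approved domain and the sample messages are constructed placeholders, not values from the presentation.

```python
import re
from collections import Counter

# Constructed placeholders: a deployment would load its own registered
# shortcode(s) and approved link domains.
REGISTERED_SHORTCODES = {"12345"}
APPROVED_DOMAINS = {"example-bank.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd"}
URL_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/\S*)?", re.I)
URGENCY_RE = re.compile(r"\b(suspended|locked|verify|urgent|immediately)\b", re.I)


def assess_sms(sender: str, text: str) -> list[str]:
    """Return the phishing indicators found in one SMS, in the order found.
    Any link is flagged, since the advice is not to link from SMS at all;
    shorteners and unapproved domains get a more specific finding."""
    findings = []
    if sender not in REGISTERED_SHORTCODES:
        findings.append("sender-not-registered-shortcode")
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        if host in URL_SHORTENERS:
            findings.append("url-shortener")
        elif host in APPROVED_DOMAINS:
            findings.append("link-in-sms")
        else:
            findings.append("link-to-unapproved-domain")
    if URGENCY_RE.search(text):
        findings.append("urgency-language")
    return findings


def normalize(text: str) -> str:
    """Collapse links and numbers so variants of one lure compare equal."""
    return re.sub(r"\d+", "#", URL_RE.sub("<url>", text)).lower().strip()


def find_campaigns(messages, threshold: int = 3) -> dict[str, int]:
    """Count messages sharing a normalized body: the same lure arriving from
    many senders is a campaign even when no single message is conclusive."""
    counts = Counter(normalize(text) for _sender, text in messages)
    return {body: n for body, n in counts.items() if n >= threshold}


# Constructed sample traffic: one genuine alert, then one lure from three senders.
SAMPLE_MESSAGES = [
    ("12345", "Example Bank alert: a $250.00 debit posted to your checking account. Reply STOP to opt out."),
    ("+14045550100", "Your Example Bank account is locked. Verify now at http://bit.ly/abc001"),
    ("+14045550101", "Your Example Bank account is locked. Verify now at http://bit.ly/abc002"),
    ("+14045550102", "Your Example Bank account is locked. Verify now at http://bit.ly/abc003"),
]
```

Run `assess_sms` per message for single-message findings and `find_campaigns` over a window of traffic; a group at or above the threshold is worth an analyst's look even when each message alone looks plausible.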
  8. Unsophisticated Users
     • What happens when my Mom has a smartphone?!
     • Unsophisticated users today tend to have unsophisticated phones which provide significant protection
     • Smartphone trend means most phones will be smart
     • My Mother-in-law & Father-in-Law have Blackberries
     • They are more vulnerable via phone than AOL dial-up
     • Damage to unsophisticated users can create major perception problems for the entire industry

  9. Recommendations
     • Continue discouraging SMS, email links to apps
     • Promote, encourage PIN-locking phones
     • Require Multifactor Authentication & don’t bypass it
     • Avoid storing sensitive data on phones
     • Architect mobile systems with security in mind
     • Keep sensitive data out of DMZs
     • Continual penetration testing
     • Mobile-aware fraud detection

  10. Additional Slides

  11. Best Practices
     • DO Encourage transactional functionality that drives revenue, like checkout, payments, etc.
     • DO perform a thorough risk assessment with mobile experts starting at the design phase
     • DO continual penetration testing and monitoring
     • DO user experience design to prevent confusion
     • DO require true MFA before transactions, etc.
     • DO provide strong encryption, etc.

  12. Worst Practices
     • DON’T store sensitive data on the phone
     • DON’T encourage linking from SMS messages
     • DON’T let vendor architecture create security risks
     • DON’T display user identifiable information without proper multifactor authentication
     • DON’T do transactions in SMS without authentication from another channel (like voice)
     • DON’T encourage putting sensitive info in SMS

  13. Threat Examples
     • Hacker getting to credit card numbers or other useful identity theft information through a breach in corporate access through mobile connection
     • Phishing attacks to trick users into providing access
     • Phishers then transfer money out of their account
     • Phishers could also potentially manipulate stocks
     • Using identifiable information to gain access
     • Mobile app doesn’t do transactions, but exposes data
     • Thief uses data to gain access to acct. over phone

  14. Brokerage Examples