
Mobile Banking Channel Security - Cyber Security Conference 2011


Lecture on Mobile Banking Channel Security for the Cyber Security Conference 2011, London.

Published in: Technology, Business

  1. Mobile Channel Security for the Banking Industry
     A new generation of banking
     Cyber Security 2011, Protecting Critical Infrastructure & Intellectual Property
     Filip Maertens, Avydian Cyber Defense
     Cyber Defense Group
  2. Agenda
     ➤ About the speaker
     ➤ The mobile situation
     ➤ Mobile channel security limitations and capabilities
     ➤ The mobile banking business case
     ➤ Towards a multi-channel security approach
  3. About the speaker
     ➤ Cybercrime investigator and tactical advisor
     ➤ Head of Cyber-Security at European Corporate Security Association
     ➤ CISSP, CISM, CISA, CPO, CFE and CCSP ("certified common sense practitioner")
     ➤ MSc. Information Risk and BSc. Information Operations
     ➤ Mobile aficionado (building mobile channels for Fortune 500 banks, and mobile investor)
  4. Part 1 - The mobile "situation" (no, not another market analysis)
  5. Proliferation of smartphones is exponential
     ➤ Fast growing market - 43% CAGR (2010-2014)
     ➤ Fast growing threats - 250% increase in malware
  6. Some market statistics
     ➤ X
  7. "Cell phones behave like ducks" (you may quote me on this)
  8. The imminent threat of our mobile networks
     [Diagram: If it looks like a duck, walks like a duck, talks like a duck = it's a duck! MCC=525, MNC=010. Handset registers to who? This is where you do "Hello".]
  9. Everyone can hack the GSM network!
     Layer 2 attacks ("Link Layer"): GSM/UMTS/Wi-Fi
     • GSM protocol has become easy to hack
     • A5.1/2 Rainbow Table Codebooks
     • Open source software (OpenBTS, Airprobe, ...)
     • Open source radio software (GnuRadio)
     • Open source hardware (USRP hardware)
     Consequences:
     • Intercept SMS
     • Intercept voice calls
     • Crash handsets
     • Crash cell-towers
     • Get smartphone OS access
  10. SMS or voice authentication? Bad idea.
     [Image: "Free McDonalds!" message]
  11. Many handsets have insecure protocol implementations!
     Layer 3 attacks: SMS/MMS/NFC/WAP
     • SMS implementations proven to be insecure
     • OTA provisioning attacks
     • Bluetooth protocol integrations are broken
     • NFC tags can be exploited (NFCWorm)
     • Sensors (GPS, Accelerometer, Mic, ...)
     Consequences:
     • Intercept SMS
     • Crash smartphone
     • Impersonate SMS & calls
     • Make unsolicited calls
     • Silent install of malware
  12. Malware is growing exponentially!
     Layer 7 attacks ("App Layer"): iOS, Android, ...
     • App-stores act as a security control (or don't)
     • Smartphone OS systems only have basic security controls
     • Many 0-days on smartphone OS systems
     • Orphaned operating systems and jail-broken devices are easy targets
     Consequences:
     • Phishing / Social Engineering / App Impersonation
     • Large scale malware infections
     • Fake app downloads
  13. Different platforms. Different security basics.
     ➤ Apple's iOS (iPhone/iPad/iPod):
       ➤ Subset of MacOS (Objective-C) with NX Stack/Heap Protection
     ➤ Google's Android (Smartphone/Tablets):
       ➤ Based on Java & NDK with Java security model (Dalvik sandbox)
     ➤ Nokia's Symbian:
       ➤ Based on C++ with Enhanced Memory Management
     ➤ Microsoft's Windows Mobile:
       ➤ Based on .NET / C++ with GS Enhanced Security
  14. Android: Yikes.
  15. Rapidly evolving mobile OSes show signs of insecurity
     ➤ Fuzzing target:
       ➤ GSM stack in baseband processor
       ➤ GSM function libraries in operating system
     ➤ Fuzzing results after one month (using scapy):
       ➤ iPhone iOS 5.01, already 1 crash
       ➤ Windows Mobile 7, already 7 crashes
       ➤ Android ICS, already 2 crashes
     ➤ Not sure if they are exploitable yet.
  16. Part 2 - Mobile channel security limitations and capabilities
  17. Smartphone security today = PC security in the 1980s
     No awareness. No AV. No stable OS. New HW.
  18. Mobile channel risks for banks
     ➤ Theft or loss of device (raise your hand :-))
     ➤ Phishing attacks (impersonation of an app)
     ➤ Weak PIN code protection mechanisms
     ➤ Reverse engineering by clients
     ➤ Data recovery of decommissioned devices
     ➤ Possible non-compliance with regulatory bodies
     ➤ Man-in-the-middle attacks
  19. So, building a security model ...
     ➤ The mobile client is inherently insecure, so treat it as such:
       ➤ Keep as many security controls as possible in the backend
       ➤ Filter input and output of data
       ➤ Use a typical Web Services architecture
       ➤ Use strong cryptographic sessions for transit and storage
     ➤ Decide what products you want to 'mobilize'.
  20. ... is based on your product maturity!
     ➤ Lower maturity requires less stringent security measures.
  21. Not all features need to be secured
     ➤ Each feature needs to have its own level of security:
       ➤ Remittance vs. Third Party Transfers?
       ➤ Account Balance vs. Bill Payments?
       ➤ Payment Preparation vs. Payment Execution?
       ➤ Ticker Alerts vs. Stock Trading?
     ➤ A mobile channel for banks needs to have a very granular security model
  22. Some mobile banking building blocks
     ➤ Strong cryptography:
       ➤ In transit of data (server + client side certificates required!)
       ➤ In storage of data (strong cryptography required!)
     ➤ Profile authentication and transaction authorization:
       ➤ OTP by SMS or UCR? Or something else, such as PIN or QR Tag?
       ➤ Is not the same as signing a transaction (non-repudiation)!
     ➤ Application process security:
       ➤ Backgrounding of the process can open risks
  23. Some mobile banking building blocks
     ➤ Disabling of default OS behavior:
       ➤ Spell-checker
       ➤ Copy-Paste functionalities
     ➤ Secure and enterprise app distribution mechanism
       ➤ Apple is trying to, and ...
       ➤ ... Google isn't geared for the task
     ➤ Legal disclaimer for jail-broken devices
     ➤ Granular Mobile Channel Limits Model
  24. Some mobile banking building blocks
     ➤ Total channel management:
       ➤ Ability to close it down for all users
       ➤ But also more granular shutdown / blocking possibilities
     ➤ Emergency channel communication:
       ➤ Useful in cases of channel "repairs"
     ➤ Keep code safe and adhere to secure coding practices
     ➤ Forced upgrade of the mobile banking app
     ➤ Security awareness for the end-user
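The granular per-feature security model of slide 21, the channel limits of slide 23 and the total channel management of slide 24 can be combined in one backend authorization decision. The following is an added example written for this deck, not the speaker's code; the feature names, assurance tiers, limits and the session fields are constructed for illustration.

```python
"""Per-feature security model with channel kill switches.

Added example for this deck (not the speaker's code): the feature names,
assurance tiers, limits and session fields are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):
    """Strength of the authentication backing the current session."""
    PIN = 1       # app PIN only
    OTP = 2       # one-time password (SMS, UCR or mobile OTP)
    SIGNED = 3    # transaction signed by the user (non-repudiation)

# Each feature carries its own required assurance and per-transaction limit,
# mirroring the deck's pairs (account balance vs. bill payments, etc.).
FEATURE_POLICY = {
    "account_balance":      (Assurance.PIN,    None),
    "ticker_alerts":        (Assurance.PIN,    None),
    "payment_prepare":      (Assurance.PIN,    None),
    "bill_payment":         (Assurance.OTP,    500.00),
    "remittance":           (Assurance.OTP,    1000.00),
    "third_party_transfer": (Assurance.SIGNED, 2500.00),
    "stock_trading":        (Assurance.SIGNED, 10000.00),
}

@dataclass
class ChannelState:
    """Total channel management: one global switch plus granular blocks."""
    channel_open: bool = True
    blocked_features: set = field(default_factory=set)
    blocked_users: set = field(default_factory=set)

def authorize(state, user, feature, assurance, amount=0.0):
    """Decide one request server-side: ('allow'|'step_up'|'deny', detail).
    The client never picks its own tier; it only reports what it did."""
    if not state.channel_open:
        return ("deny", "channel closed")
    if user in state.blocked_users:
        return ("deny", "user blocked")
    if feature in state.blocked_features:
        return ("deny", "feature disabled")
    if feature not in FEATURE_POLICY:
        return ("deny", "unknown feature")
    required, limit = FEATURE_POLICY[feature]
    if limit is not None and amount > limit:
        return ("deny", "over channel limit")
    if assurance < required:
        return ("step_up", required.name)   # ask for stronger authentication
    return ("allow", "")
```

Blocking a single feature or user leaves the rest of the channel running, which is the granular shutdown the slide asks for; flipping `channel_open` is the global switch.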
  25. Limitations to your mobile channel security
     ➤ User-friendliness vs. security:
       ➤ Mobile Channel = Impulse Channel
       ➤ Unconnected Card Reader is cumbersome even for web-based online banking solutions.
     ➤ Security model dependent on mobile channel platform selection:
       ➤ Hybrid or Native or HTML5 (or Cross-Platform Framework)
     ➤ Security model dependent on mobile channel functionalities
  26. Part 3 - The mobile banking business case
  27. Reasons to build a mobile channel
     ➤ Not "IF", but "HOW"
     ➤ Rapidly expanding market, with a lower cost of acquisition of new direct banking customers
     ➤ Opportunity to build close relationships with clients:
       ➤ Improved client profiling
       ➤ Push notifications
       ➤ Location and intelligent advertising
  28. Business case criteria
     ➤ Platform selection
       ➤ Native, Hybrid, HTML5 or other?
       ➤ Keep in mind platform maturity and security impact
     ➤ Functionality and Features
       ➤ Retail direct banking features
       ➤ Private banking features
       ➤ Added value services
       ➤ Payments
  29. Business case criteria
     ➤ Sales and marketing mechanisms
       ➤ New customer acquisition (simulators, etc.)
       ➤ Cross-selling of financial products (requires STP)
       ➤ Using web-channel, e-mail and mobile in a smart way
     ➤ Mobile analytics and metrics
     ➤ Security requirements
  30. Part 4 - Towards a multi-channel security approach
  31. General banking security problems
     ➤ When mobile and web-channels are used as two separate delivery channels, they can reinforce each other:
       ➤ A growing problem for banks is the constant stream of man-in-the-browser attacks.
     ➤ Think how a secondary channel might be used to upgrade the overall security posture
  32. Many security opportunities
     ➤ Leverage of your web channel:
       ➤ Reuse strong authentication for the identification and creation of certificates during enrolment
       ➤ Prepare payments to third parties in your mobile channel and approve them in your web channel
     ➤ Leverage of your mobile channel:
       ➤ Present web-channel transactions in mobile channel for confirmation and awareness
       ➤ Mobile OTP as replacement for UCR OTP?
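The cross-channel pattern from slides 31 and 32 (one channel prepares a payment, the other confirms it, so a man-in-the-browser on the web session cannot silently alter a transfer) can be modelled as a small server-side state machine. This is an added example for this deck, not the speaker's code; the in-memory store, the channel names "web"/"mobile" and the 10-minute confirmation window are constructed for illustration.

```python
"""Cross-channel payment confirmation: one channel prepares, the other
approves. Added example for this deck (not the speaker's code); the
in-memory store, channel names and the 10-minute window are constructed.
"""
import secrets
import time
from dataclasses import dataclass

CONFIRM_WINDOW = 600  # seconds a prepared payment may wait for confirmation

@dataclass
class Payment:
    beneficiary: str
    amount: float
    origin: str               # channel that prepared it: "web" or "mobile"
    created: float
    status: str = "pending"   # pending -> approved | rejected | expired

PENDING = {}

def prepare(channel, beneficiary, amount, now=None):
    """Record the payment a channel submitted; nothing is executed yet."""
    pid = secrets.token_hex(8)
    created = now if now is not None else time.time()
    PENDING[pid] = Payment(beneficiary, amount, channel, created)
    return pid

def confirmation_view(pid):
    """Details pushed to the *other* channel for awareness and confirmation.
    They come from the server record, not from the browser, so a
    man-in-the-browser edit of the web form shows up here for the user."""
    p = PENDING[pid]
    return {"beneficiary": p.beneficiary, "amount": p.amount, "origin": p.origin}

def confirm(pid, channel, approve, now=None):
    """Apply the user's decision from the second channel; returns (status, reason).
    Same-channel approval is refused: it adds no independence from a
    compromised first channel."""
    p = PENDING[pid]
    now = now if now is not None else time.time()
    if p.status != "pending":
        return (p.status, "already decided")
    if now - p.created > CONFIRM_WINDOW:
        p.status = "expired"
        return (p.status, "confirmation window passed")
    if channel == p.origin:
        return (p.status, "same channel as preparation")
    p.status = "approved" if approve else "rejected"
    return (p.status, "")
```

Only a payment in state "approved" would be handed to the payment engine; everything else stays unexecuted, which is what makes the second channel a real control rather than a notification.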
  33. Many security opportunities
     ➤ Using your sensors as security controls:
       ➤ Using GPS to identify transaction conflicts + warning
       ➤ Using decibel meter to see if you're in a bar
       ➤ Using accelerometer to learn if you're driving
       ➤ Face-recognition as authentication
     ➤ Using social networks as validation mechanisms:
       ➤ CAPTCHAs didn't work, perhaps face-validation does
  34. Some final thoughts
  35. Some final thoughts on mobile banking
     ➤ Put security and business logic in the back-end. Never trust the client device. It is highly insecure and might already be infected.
     ➤ Many new security opportunities present themselves. It takes an open mindset and customer-oriented attitude to take the plunge.
     ➤ Leverage cross-channel security opportunities. It's there already. Reuse it.
  36. Mobile Channel Security for the Banking Industry
     A new generation of banking
     Cyber Security 2011, Protecting Critical Infrastructure & Intellectual Property
     Filip Maertens, +32 495 77 97 37