Mobile Banking Channel Security - Cyber Security Conference 2011

Lecture on Mobile Banking Channel Security for the Cyber Security Conference 2011, London.

Published in: Technology, Business

1. Mobile Channel Security for the Banking Industry
   A new generation of banking
   Cyber Security 2011, Protecting Critical Infrastructure & Intellectual Property
   Filip Maertens, Avydian Cyber Defense
   Cyber Defense Group

2. Agenda
   ➤ About the speaker
   ➤ The mobile situation
   ➤ Mobile channel security limitations and capabilities
   ➤ The mobile banking business case
   ➤ Towards a multi-channel security approach

3. About the speaker
   ➤ Cybercrime investigator and tactical advisor
   ➤ Head of Cyber-Security at European Corporate Security Association
   ➤ CISSP, CISM, CISA, CPO, CFE and CCSP (“certified common sense practitioner”)
   ➤ MSc. Information Risk and BSc. Information Operations
   ➤ Mobile aficionado (building mobile channels for Fortune 500 banks, and mobile investor)

4. Part 1 - The mobile “situation” (no, not another market analysis)

5. Proliferation of smartphones is exponential
   Fast growing market - 43% CAGR (2010-2014)
   Fast growing threats - 250% increase in malware

6. Some market statistics
   ➤ X

7. “Cell phones behave like ducks” (you may quote me on this)

8. The imminent threat of our mobile networks
   If it looks like a duck, walks like a duck, talks like a duck = it’s a duck!
   (diagram labels: MCC=525, MNC=010; Handset registers to who?; This is where you do “Hello”)

9. Everyone can hack the GSM network!
   Layer 2 attacks (“Link Layer”): GSM/UMTS/Wi-Fi
   • GSM protocol has become easy to hack
   • A5/1 and A5/2 rainbow table codebooks
   • Open source software (OpenBTS, Airprobe, …)
   • Open source radio software (GnuRadio)
   • Open source hardware (USRP hardware)
   Resulting threats:
   • Intercept SMS
   • Intercept voice calls
   • Crash handsets
   • Crash cell-towers
   • Get smartphone OS access

10. SMS or voice authentication? Bad idea.
    (image caption: Free McDonalds!)

11. Many handsets have insecure protocol implementations!
    Layer 3 attacks: SMS/MMS/NFC/WAP
    • SMS implementations proven to be insecure
    • OTA provisioning attacks
    • Bluetooth protocol integrations are broken
    • NFC tags can be exploited (NFCWorm)
    • Sensors (GPS, Accelerometer, Mic, …)
    Resulting threats:
    • Intercept SMS
    • Crash smartphone
    • Impersonate SMS & calls
    • Make unsolicited calls
    • Silent install of malware

12. Malware is growing exponentially!
    Layer 7 attacks (“App Layer”): iOS, Android, …
    • App-stores act as a security control (or don’t)
    • Smartphone OS systems only have basic security controls
    • Many 0-days on smartphone OS systems
    • Orphaned operating systems and jail-broken devices are easy targets
    Resulting threats:
    • Phishing / Social Engineering / App Impersonation
    • Large scale malware infections
    • Fake app downloads

13. Different platforms. Different security basics.
    ➤ Apple’s iOS (iPhone/iPad/iPod): subset of MacOS (Objective-C) with NX Stack/Heap Protection
    ➤ Google’s Android (Smartphones/Tablets): based on Java & NDK with Java security model (Dalvik sandbox)
    ➤ Nokia’s Symbian: based on C++ with Enhanced Memory Management
    ➤ Microsoft’s Windows Mobile: based on .NET / C++ with GS Enhanced Security

14. Android: Yikes.

15. Rapidly evolving mobile OS’s show signs of insecurity
    ➤ Fuzzing target:
      ➤ GSM stack in baseband processor
      ➤ GSM function libraries in operating system
    ➤ Fuzzing results after one month (using scapy):
      ➤ iPhone iOS 5.01, already 1 crash
      ➤ Windows Mobile 7, already 7 crashes
      ➤ Android ICS, already 2 crashes
    ➤ Not sure if they are exploitable yet.

16. Part 2 - Mobile channel security limitations and capabilities

17. Smartphone security today = PC security in the 1980s
    No awareness, no AV, no stable OS, new HW

18. Mobile channel risks for banks
    ➤ Theft or loss of device (raise your hand :-))
    ➤ Phishing attacks (impersonation of an app)
    ➤ Weak PIN code protection mechanisms
    ➤ Reverse engineering by clients
    ➤ Data recovery from decommissioned devices
    ➤ Possible non-compliance with regulatory bodies
    ➤ Man-in-the-middle attacks

19. So, building a security model …
    ➤ The mobile client is inherently insecure, so treat it as such:
      ➤ Keep as many security controls as possible in the backend
      ➤ Filter input and output of data
      ➤ Use a typical Web Services architecture
      ➤ Use strong cryptographic sessions for transit and storage
    ➤ Decide what products you want to ‘mobilize’.

20. … is based on your product maturity!
    ➤ Lower maturity requires less stringent security measures.

21. Not all features need to be secured
    ➤ Each feature needs to have its own level of security:
      ➤ Remittance vs. Third Party Transfers?
      ➤ Account Balance vs. Bill Payments?
      ➤ Payment Preparation vs. Payment Execution?
      ➤ Ticker Alerts vs. Stock Trading?
    ➤ A mobile channel for banks needs to have a very granular security model

22. Some mobile banking building blocks
    ➤ Strong cryptography:
      ➤ In transit of data (server + client side certificates required!)
      ➤ In storage of data (strong cryptography required!)
    ➤ Profile authentication and transaction authorization:
      ➤ OTP by SMS or UCR? Or something else, such as PIN or QR Tag?
      ➤ Is not the same as signing a transaction (non-repudiation)!
    ➤ Application process security:
      ➤ Backgrounding of the process can open risks
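The distinction slide 22 draws between an OTP and a signed transaction is easiest to see in code. The following is an added example, not code from the talk or from Avydian: a counter-based OTP proves possession of a device secret but is not tied to any order, so the backend accepts it even when the order it receives differs from the one the customer approved; a signature computed over the canonical transaction fields fails on the altered order. The device secret, account numbers and amounts are constructed values, and HMAC stands in for a per-customer asymmetric signing key so the block runs stand-alone (non-repudiation proper needs the asymmetric key).

```python
import hashlib
import hmac
import json

# Constructed sample key shared between the customer's device and the bank backend.
# Assumption: provisioned at enrolment. A symmetric MAC is used here so the example
# runs stand-alone; real non-repudiation needs a per-customer asymmetric signing key.
DEVICE_SECRET = b"constructed-device-secret-0001"


def plain_otp(secret: bytes, counter: int) -> str:
    """Counter-based OTP: proves possession of the secret, says nothing about a transaction."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def canonical(tx: dict) -> bytes:
    """Deterministic serialisation so device and backend MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(secret: bytes, tx: dict) -> str:
    """Transaction signature: the MAC covers debtor, beneficiary, amount and currency."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


def backend_verify_otp(secret: bytes, counter: int, otp: str) -> bool:
    """The backend can only check the code itself; it cannot tie it to any order."""
    return hmac.compare_digest(plain_otp(secret, counter), otp)


def backend_verify_signature(secret: bytes, tx: dict, sig: str) -> bool:
    """Recompute the signature over the transaction the backend is about to execute."""
    return hmac.compare_digest(sign_transaction(secret, tx), sig)


def demo() -> dict:
    """Compare both authorisation methods when the order is altered in transit."""
    # What the customer saw and approved on the handset (constructed values)
    approved = {"from": "BE00 0000 0000 0000", "to": "BE11 1111 1111 1111",
                "amount": "25.00", "ccy": "EUR"}
    # What the backend receives if beneficiary and amount were rewritten in transit
    # (the man-in-the-browser scenario the talk describes)
    received = dict(approved, to="BE99 9999 9999 9999", amount="2500.00")

    counter = 42
    otp = plain_otp(DEVICE_SECRET, counter)
    sig = sign_transaction(DEVICE_SECRET, approved)

    return {
        "otp_accepts_tampered": backend_verify_otp(DEVICE_SECRET, counter, otp),
        "signature_accepts_tampered": backend_verify_signature(DEVICE_SECRET, received, sig),
        "signature_accepts_original": backend_verify_signature(DEVICE_SECRET, approved, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `canonical()` is that the device and the backend must hash byte-identical input; a signature over a display string or over fields in arbitrary order will fail verification for honest users long before it stops anyone else.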
23. Some mobile banking building blocks
    ➤ Disabling of default OS behavior:
      ➤ Spell-checker
      ➤ Copy-Paste functionalities
    ➤ Secure and enterprise app distribution mechanism
      ➤ Apple is trying to, and …
      ➤ … Google isn’t geared for the task
    ➤ Legal disclaimer for jail-broken devices
    ➤ Granular Mobile Channel Limits Model

24. Some mobile banking building blocks
    ➤ Total channel management:
      ➤ Ability to close it down for all users
      ➤ But also more granular shutdown / blocking possibilities
    ➤ Emergency channel communication:
      ➤ Useful in cases of channel “repairs”
    ➤ Keep code safe and adhere to secure coding practices
    ➤ Forced upgrade of the mobile banking app
    ➤ Security awareness for the end-user
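Slides 21, 23 and 24 together describe a backend policy: a security level per feature, a granular limits model, and the ability to shut the channel for everyone, for one feature, or for one user. The block below is an added example of such a policy engine, not code from the talk or from any bank; the feature names, the step-up ladder and every limit amount are constructed and hypothetical. Everything is decided server-side, in line with slide 19: the app only reports which authentication step the customer completed.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


class AuthLevel(IntEnum):
    """Step-up ladder; a higher value satisfies every lower requirement."""
    SESSION = 0      # an authenticated app session is enough
    PIN = 1          # re-enter the app PIN
    OTP = 2          # one-time password (SMS, card reader, ...)
    SIGN = 3         # transaction signing (non-repudiation)
    OUT_OF_BAND = 4  # must be approved from a different channel


@dataclass(frozen=True)
class FeaturePolicy:
    auth: AuthLevel
    per_tx_limit: Optional[Decimal] = None   # None: feature moves no money
    daily_limit: Optional[Decimal] = None


# Constructed policy table; the tiers and amounts are hypothetical, not the speaker's figures.
POLICY: Dict[str, FeaturePolicy] = {
    "ticker_alert":         FeaturePolicy(AuthLevel.SESSION),
    "account_balance":      FeaturePolicy(AuthLevel.SESSION),
    "payment_prepare":      FeaturePolicy(AuthLevel.PIN),
    "bill_payment":         FeaturePolicy(AuthLevel.OTP, Decimal("500"), Decimal("1000")),
    "remittance":           FeaturePolicy(AuthLevel.OTP, Decimal("250"), Decimal("500")),
    "third_party_transfer": FeaturePolicy(AuthLevel.SIGN, Decimal("2500"), Decimal("5000")),
    "stock_trading":        FeaturePolicy(AuthLevel.OUT_OF_BAND, Decimal("10000"), Decimal("25000")),
}


@dataclass
class ChannelState:
    """Backend-held switches: the whole channel, single features, or single users can be shut."""
    channel_open: bool = True
    disabled_features: Set[str] = field(default_factory=set)
    blocked_users: Set[str] = field(default_factory=set)
    spent_today: Dict[Tuple[str, str], Decimal] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required_auth: Optional[AuthLevel]
    reason: str


def evaluate(state: ChannelState, user: str, feature: str,
             amount: Optional[Decimal] = None,
             presented_auth: AuthLevel = AuthLevel.SESSION) -> Decision:
    """Decide server-side whether a request may proceed and which step-up it needs."""
    if not state.channel_open:
        return Decision(False, None, "mobile channel closed for all users")
    if user in state.blocked_users:
        return Decision(False, None, "user blocked on the mobile channel")
    if feature in state.disabled_features:
        return Decision(False, None, f"feature '{feature}' temporarily disabled")
    policy = POLICY.get(feature)
    if policy is None:
        return Decision(False, None, f"unknown feature '{feature}'")

    if policy.per_tx_limit is not None:
        if amount is None or amount <= 0:
            return Decision(False, None, "amount required and must be positive")
        if amount > policy.per_tx_limit:
            return Decision(False, None, f"exceeds per-transaction limit {policy.per_tx_limit}")
        spent = state.spent_today.get((user, feature), Decimal("0"))
        if policy.daily_limit is not None and spent + amount > policy.daily_limit:
            return Decision(False, None, f"exceeds daily limit {policy.daily_limit}")

    if presented_auth < policy.auth:
        return Decision(False, policy.auth, f"step-up to {policy.auth.name} required")
    return Decision(True, policy.auth, "allowed")


def record_spend(state: ChannelState, user: str, feature: str, amount: Decimal) -> None:
    """Book an executed amount against the user's daily counter for that feature."""
    key = (user, feature)
    state.spent_today[key] = state.spent_today.get(key, Decimal("0")) + amount
```

Ordering matters: the kill switches are checked before anything else so that an emergency shutdown cannot be bypassed by a request that would otherwise be perfectly valid, and limits are checked before authentication so a customer is not asked to sign something the policy will refuse anyway.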
25. Limitations to your mobile channel security
    ➤ User-friendliness vs. security:
      ➤ Mobile Channel = Impulse Channel
      ➤ An Unconnected Card Reader is cumbersome even for web-based online banking solutions.
    ➤ Security model dependent on mobile channel platform selection:
      ➤ Hybrid or Native or HTML5 (or Cross-Platform Framework)
    ➤ Security model dependent on mobile channel functionalities

26. Part 3 - The mobile banking business case

27. Reasons to build a mobile channel
    ➤ Not “IF”, but “HOW”
    ➤ Rapidly expanding market, with a lower cost of acquisition of new direct banking customers
    ➤ Opportunity to build close relationships with clients:
      ➤ Improved client profiling
      ➤ Push notifications
      ➤ Location and intelligent advertising

28. Business case criteria
    ➤ Platform selection
      ➤ Native, Hybrid, HTML5 or other?
      ➤ Keep in mind platform maturity and security impact
    ➤ Functionality and Features
      ➤ Retail direct banking features
      ➤ Private banking features
      ➤ Added value services
      ➤ Payments

29. Business case criteria
    ➤ Sales and marketing mechanisms
      ➤ New customer acquisition (simulators, etc.)
      ➤ Cross-selling of financial products (requires STP)
      ➤ Using web-channel, e-mail and mobile in a smart way
    ➤ Mobile analytics and metrics
    ➤ Security requirements

30. Part 4 - Towards a multi-channel security approach

31. General banking security problems
    ➤ When mobile and web-channels are used as two separate delivery channels, they can reinforce each other:
      ➤ A growing problem for banks is the constant stream of man-in-the-browser attacks.
    ➤ Think how a secondary channel might be used to upgrade the overall security posture

32. Many security opportunities
    ➤ Leverage of your web channel:
      ➤ Reuse strong authentication for the identification and creation of certificates during enrolment
      ➤ Prepare payments to third parties in your mobile channel and approve them in your web channel
    ➤ Leverage of your mobile channel:
      ➤ Present web-channel transactions in the mobile channel for confirmation and awareness
      ➤ Mobile OTP as replacement for UCR OTP?
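Slides 31 and 32 propose using the two channels against man-in-the-browser attacks: prepare a payment in one channel, approve it in the other, and show each channel's pending orders in the other for confirmation. The following is an added example of the backend store that would enforce this, not code from the talk or from any bank. The approving channel must present the fingerprint of the order it displayed, so an order altered on the way into the backend no longer matches what the second channel shows the customer. The 15-minute approval window and the sample payment are constructed values; the injectable clock exists only so the expiry path can be exercised offline.

```python
import hashlib
import json
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumption: a prepared payment must be approved within 15 minutes (constructed value).
APPROVAL_TTL_SECONDS = 15 * 60


def tx_fingerprint(tx: dict) -> str:
    """Hash of the canonical payment so the approving channel can prove it saw the same order."""
    data = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class PendingPayment:
    pid: str
    user: str
    tx: dict
    origin_channel: str
    created_at: float
    fingerprint: str
    status: str = "PENDING"


class CrossChannelApprovals:
    """Backend store: prepare in one channel, approve in another, show pending orders everywhere."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._store: Dict[str, PendingPayment] = {}
        self._clock = clock

    def prepare(self, user: str, channel: str, tx: dict) -> str:
        """Record a payment prepared in `channel`; nothing is executed yet."""
        pid = str(uuid.uuid4())
        self._store[pid] = PendingPayment(pid, user, dict(tx), channel,
                                          self._clock(), tx_fingerprint(tx))
        return pid

    def pending_for(self, user: str, channel: str) -> List[PendingPayment]:
        """Orders prepared in *other* channels, for display and confirmation in this one."""
        return [p for p in self._store.values()
                if p.user == user and p.status == "PENDING" and p.origin_channel != channel]

    def approve(self, pid: str, user: str, channel: str,
                fingerprint_shown: str) -> Tuple[bool, str]:
        """Approve from a second channel; every check is done here, never on the client."""
        p = self._store.get(pid)
        if p is None:
            return False, "unknown payment"
        if p.status != "PENDING":
            return False, f"payment already {p.status.lower()}"
        if p.user != user:
            return False, "approver is not the preparing customer"
        if channel == p.origin_channel:
            return False, "approval must come from a different channel than preparation"
        if self._clock() - p.created_at > APPROVAL_TTL_SECONDS:
            p.status = "EXPIRED"
            return False, "approval window expired"
        if fingerprint_shown != p.fingerprint:
            return False, "order shown to the approver differs from the prepared order"
        p.status = "APPROVED"
        return True, "approved"

    def status(self, pid: str) -> str:
        return self._store[pid].status
```

The same-channel refusal is the core of the control: a compromised browser can forge an approval in the web channel, but it cannot produce one from the handset (and vice versa) without compromising both endpoints, and the fingerprint comparison gives the customer a meaningful confirmation screen instead of a bare "approve?" prompt.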
33. Many security opportunities
    ➤ Using your sensors as security controls:
      ➤ Using GPS to identify transaction conflicts + warning
      ➤ Using a decibel meter to see if you’re in a bar
      ➤ Using the accelerometer to learn if you’re driving
      ➤ Face-recognition as authentication
    ➤ Using social networks as validation mechanisms:
      ➤ CAPTCHAs didn’t work, perhaps face-validation does

34. Some final thoughts

35. Some final thoughts on mobile banking
    ➤ Put security and business logic in the back-end. Never trust the client device. It is highly insecure and might already be infected.
    ➤ Many new security opportunities present themselves. It takes an open mindset and a customer oriented attitude to take the plunge.
    ➤ Leverage Cross-Channel security opportunities. They are there already. Reuse them.

36. Mobile Channel Security for the Banking Industry
    A new generation of banking
    Cyber Security 2011, Protecting Critical Infrastructure & Intellectual Property
    Filip Maertens, filip.maertens@avydian.com, +32 495 77 97 37
