Smartphone Vulnerabilities Explained
Vulnerability of Smart Phones
Smartphones are a permanent point of access to the internet (mostly always on),
and they can be compromised more easily than computers.

Implied permission
•  this infection relies on the fact that the user has a habit of installing
   software. Most trojans try to seduce the user into installing attractive
   applications (games, useful applications etc.) that actually contain
   malware.

Common interaction
•  this infection is triggered by a common behaviour, such as opening an
   MMS or email.

Source: http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Dangers of Relying Solely on User ID / Password for sensitive data

•  Flexispy is a commercially available application for spying.

•  The program sends all information received and sent from the
   smartphone to a Flexispy server. It was originally created to protect
   children and spy on adulterous spouses.
Typical Mobile Malware Gameplan
Source: http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

Get Malware installed by user
Source: http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf

What Hackers want to achieve
Source: http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Level of enforcement before allowing apps on AppStore / Google Play

Will a hacker be deterred by the need to provide an IP address, an SMS number or a credit card?

Are corporate ID and personal ID (driver's licence) numbers good enough to
ensure malware is not disguised as an app?

Source: http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
Public Feedback on 2FA
National Authentication Framework

What is NAF
•  a nationwide platform for the adoption of strong authentication
•  for eServices that handle sensitive information and/or facilitate
   transactions
•  provides trusted and cost-effective authentication.
Why
•  fulfils strong authentication requirements from regulators, banks and
   financial institutions, government & healthcare

The National 2FA system has been operational since December 2011.
Service Providers live on OneKey
•  Stronger security is required to protect sensitive data
•  This valuable repository of personal information includes income tax,
   CPF and HDB Loan Records.
•  Assurity, a subsidiary of IDA, is the sole bidder
•  SingPass – set up for every resident aged 15 and above in 2003 ….
   There are more than 2.8 million SingPass users today.
OneKey Mission: Consumer Security & Convenience

OneKey can be used across multiple Service Providers, Banks, Government,
online services, corporate VPN etc…
OneKey’s Value Proposition

•  Stronger protection against online identity theft & fraud

•  Convenience to end-users: a single authentication device across
   multiple online services (e.g. banking, trading, govt e-services,
   insurance, online commerce etc)

•  Giving consumers a choice to manage their own security policies
OneKey: A Convenient, Secure Authentication Mechanism

•  Current Offerings
   –  Assurity provides 2FA services via the OneKey Pad – a robust and
      integrated mechanism that is secure, convenient and cost-effective
   –  OneKey Pad offers 3 options of 2FA: OTP, Challenge Response and
      Transaction Signing.
   –  OneKey SMS – OTP delivered via SMS for convenience to users

•  Under Development
   –  OneKey Card
   –  OneKey Mobile
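The three 2FA modes listed above differ in what the one-time code is bound to: nothing but a counter (OTP), a nonce the server displayed (Challenge Response), or the payee and amount being approved (Transaction Signing). The following is an added illustration, not Assurity's or OneKey's code, and the OneKey Pad's actual algorithms are not described on the page; it uses generic HMAC constructions (the OTP is RFC 4226 HOTP), and the token secret, session id and transaction values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6  # length of the code the user reads off the token and types in


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: pick 31 bits of the HMAC, reduce to DIGITS decimals."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def hotp(secret: bytes, counter: int) -> str:
    """Mode 1, OTP: event-based code (HOTP) over the shared secret and a counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def challenge_response(secret: bytes, challenge: str) -> str:
    """Mode 2, Challenge Response: code over a nonce the server displayed to the user."""
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha1).digest())


def transaction_signature(secret: bytes, payee: str, amount_cents: int) -> str:
    """Mode 3, Transaction Signing: code bound to the payee and amount being approved."""
    msg = f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


class TokenServer:
    """Service-provider side verifier: holds the per-token secret, counter and open challenges."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0                # next counter value the server expects
        self.look_ahead = look_ahead    # tolerate a few codes generated but never submitted
        self.pending: dict[str, str] = {}

    def verify_otp(self, code: str) -> bool:
        # Search the look-ahead window and move the counter past the match, so a replay fails.
        for candidate in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False

    def issue_challenge(self, session_id: str) -> str:
        challenge = secrets.token_hex(4)          # 8 hex digits, short enough to key into a pad
        self.pending[session_id] = challenge
        return challenge

    def verify_response(self, session_id: str, code: str) -> bool:
        challenge = self.pending.pop(session_id, None)   # one use only
        if challenge is None:
            return False
        return hmac.compare_digest(challenge_response(self.secret, challenge), code)

    def verify_transaction(self, payee: str, amount_cents: int, code: str) -> bool:
        # Recompute over the transaction the server is about to execute, not what the client claims.
        return hmac.compare_digest(transaction_signature(self.secret, payee, amount_cents), code)


def demo() -> dict:
    """Run each mode once with a constructed secret and transaction; all values are demo data."""
    secret = b"constructed-demo-token-secret"    # constructed, not a real token seed
    server = TokenServer(secret)
    results = {}

    # OTP: the first submission succeeds, a replay of the same code does not.
    code = hotp(secret, 0)
    results["otp_ok"] = server.verify_otp(code)
    results["otp_replay_rejected"] = not server.verify_otp(code)

    # Challenge Response: the response is only good for the challenge that was issued, once.
    challenge = server.issue_challenge("session-1")
    response = challenge_response(secret, challenge)
    results["cr_ok"] = server.verify_response("session-1", response)
    results["cr_replay_rejected"] = not server.verify_response("session-1", response)

    # Transaction Signing: changing the amount after the user signed invalidates the code.
    sig = transaction_signature(secret, "Demo Payee Pte Ltd", 12_500)
    results["txn_ok"] = server.verify_transaction("Demo Payee Pte Ltd", 12_500, sig)
    results["txn_tamper_rejected"] = not server.verify_transaction("Demo Payee Pte Ltd", 1_250_000, sig)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The OTP mode alone does not tie the code to what is being approved, which is why transaction signing is the mode that resists a modified payee or amount.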
OneKey: A Reliable & Trusted Security Device

*Compliances & Certifications
•  Certified to ISO/IEC 27001:2005
•  **Compliant with MAS IBTRM V3 & 2012 Consultation Paper
•  Compliant with Government IM8
•  Compliant with SS540
•  Compliant with TIA942
•  Compliant with FIPS

Your complete solution to compliance with ***MAS 2nd Factor Authentication
requirements – Quick, Cost-Effective & Always Updated!

*Certifications are renewed and audited annually
** Fully redundant active-active tier 3 data centres
*** Assurity is the appointed NAF operator and works closely with MAS
Assurity’s Service Model

[Diagram; recoverable labels: "Send OneKey to End User", "Deliver SMS OTP to End User’s mobile device"]

SP – Service Providers
OTP – One Time Password
Committed Service Level

Basic Service Offering
  §  2FA using OneKey Pads
  §  2nd factor credential registration, issuance and management
  §  Authentication Service:
       §  99.99% service availability
       §  90% within 800ms, 100% within 2 seconds
  §  24x7 technical support

Additional Service Offerings
  §  Dedicated technical support packages
  §  SMS OTP traffic charges
Service Levels
Item                                   Service Level
Authentication Service Availability    99.99% in a month
Authentication requests completed      90% within 800 msec, 100% within 2 sec
Issuance of tokens and password        Within 3 and 3+2 working days*
mailers to end-user
Severity 1, 2, 3 requests              3 levels of service support: Basic, Gold, Platinum
Use Cases of OneKey
1.  2FA for online services

2.  Incorporate OneKey 2FA into mobile apps so that consumers know that it
    is an authentic app

3.  Corporate VPN 2FA to access corporate applications

Assurity provides SPs with a test environment and specifications to connect
to OneKey.
Budget to leverage on OneKey
•  Volume based pricing

   Volume per year    ¢/Transaction
   Up to 3M           6 cents

•  Early-adoption special for SPs that sign up before Dec 2013

   ¢/Transaction
   4.5 cents

•  Billed monthly based on prorated volume
•  Fees waived for 1st 2 years from system live-date (Dec 2011 – Dec 2013)
Other Costs for Budgeting
•  SP’s Setup
   –  Application 2FA Page (resources to develop, test)
   –  Connections to Assurity (MPLS or IPSec VPN over Internet)

•  SMS Traffic Cost for Authentications Using SMS OTP
   –  Connection to SMS aggregator, SMS traffic cost

•  Customer Support
   –  SPs typically handle the 1st level of calls
   –  Assurity provides training materials to help the SP helpdesk
   –  Assurity will offer 24 x 7 customer support for 2FA calls that require escalation

•  NAF Gateway from accredited partners
   –  Easier implementation
   –  Time to market

•  Budget range from SGD 70K – 250K depending on the organisation’s requirements
Service Support Levels

Support Level      Severity   Initial Response*   Communication Frequency**   Resolution***
Basic Support      1          2 hours             Every 2 hours               8 hours
                   2          4 hours             Every business day          4 business days
                   3          8 hours             Every 2 business days       7 business days
Gold Support       1          30 minutes          Every 30 minutes            4 hours
                   2          1 hour              Every 2 hours               8 hours
                   3          4 hours             Every business day          4 business days
Platinum Support   1          15 minutes          Every 15 minutes            2 hours
                   2          30 minutes          Every 1 hour                4 hours
                   3          3 hours             Every business day          3 business days

* Initial Response: First update to the SP regarding the current status of the issue, measured from the time the incident is reported.
** Communication Frequency: Frequency at which the support team updates the SP on the status of the issue.
*** Resolution: Time allowed to resolve the issue.
NAF Technical Architecture

Fully redundant Architecture
2 Data centres with:
•  Dual telecommunications providers and Internet service providers
•  Dual power supply
•  Synchronised data between both Active sites
NAF Technical Architecture

•  Fully redundant architecture (active-active)
•  NAF Systems to the SPs are NOT exposed directly to the Internet
   -  NAF AO connects to SPs only via Private Network
•  NAF’s infrastructure service availability and uptime ~ 99.999% availability and RTO=0
THANK YOU

Jason Kong, Deputy Director
Assurity Trusted Solutions, a wholly owned subsidiary of IDA
jason@assurity.sg jason_kong@ida.gov.sg
Mobile: +65 9851 – 0020
