Riscure, profile picture
Uploaded byRiscure
PDF, PPTX950 views

How to secure HCE

The document discusses the security challenges and risks associated with Host Card Emulation (HCE) in mobile payment applications, emphasizing the need for security measures that surpass traditional mag-stripe technology. It highlights the evolution of transaction security, various types of malware threats, and the importance of rigorous evaluation and mitigation strategies. Riscure offers security certification services to help identify and address vulnerabilities in mobile applications.

Embed presentation

Download as PDF, PPTX
How to secure HCE? Marc Witteman (CTO) HCE Summit, October 15, 2014, London
Mobile payment apps a) should be (almost) as secure as smart cards? b) should just be more secure than mag-stripe? How much security do we need? public 2
• Introduction • Attacks • Mitigation • Conclusion Content public 3
SE transaction NFC transaction evolution public 4 HCE transaction HCE benefits • Reuse of payment infrastructure • Banks independent from SE owner
User App Assets • Key proves transaction participation • PIN proves user consent Conceptual transaction protection public 5 Transaction details Approval request Approval Signed transaction Approve (PIN) Sign Key Terminal
1. Sign manipulated transactions Malware intercepts and changes details in valid transaction 2. Sign arbitrary transactions Malware invokes signing function 3. Extract key Malware reads key 4. Attacks scale Main malware threats public 6 Mobile phone OS App Crypto Key Malware
Basic mobile security public 7 App signing Permissions Sandbox Key store
• Introduction • Attacks • Mitigation • Conclusion Content public 8
• Rooting = getting system level access to all resources • Files • Memory • Peripherals • Interfaces • All OS protection voids with rooting • Rooting is achieved by exploiting an OS bug • Many attacks start by rooting… Rooting public 9
• Source: androidvulnerabilities.org Android vulnerabilities public 10
Android attack tools public 11 Rooting tool e.g. Towelroot Development kit Inspection tool e.g. Androguard Disassembler e.g. IDA Debugger e.g. GDB, JDWP Instrumenting e.g. ADBI, DDI Decompiler e.g. JEB
• Any phone may be rooted • Any application may be reversed • Any asset may be compromised • Malware attacks tend to scale easily • Is there any hope for mobile software security? Rooting impact public 12
• Introduction • Attacks • Mitigation • Conclusion Content public 13
• Software protection • Obfuscation • Tamper proofing • White-Box crypto • Hardware security support • Secure Element • Trusted Execution Environment • Cloud • Secure Element in the cloud • Tokenization • Key rotation / software update Great security requires an effective mix of countermeasures Increased security for mobile apps public 14
Hurdles to great security • Awareness • Readiness • Cost • Bugs How can you know the strength of your solution? • Wait for security breach in the field (plug and pray) • Test before you go (evaluation) Perfect security? public 15
5. Recognition • Independent proof of strengths • Exposure through scheme 6. Quality • Timely address issues • Stay ahead of new threats 1. Validate assumptions • Trust the context? • New threats? 2. Find weaknesses • Known threats addressed? • Implementation flaws? 3. Rate vulnerabilities • Severity • Impact 4. Mitigate issues • Workarounds • Development directions Find your weaknesses before they hurt! Evaluation benefits public 16
• Riscure is a leading lab, accredited by major schemes • Clients: banks and solution providers • Methodology: o black-box (incl. reverse engineering, hacking style) o white-box (incl. vulnerability analysis of source code) • Workload: 25-40 days (incl. iterations) • Completed and ongoing projects: 4 • Price: Meet you at booth 8 to discuss more… HCE security certification by Riscure public 17
• Introduction • Attacks • Mitigation • Conclusion Content public 18
Conclusion 19 • We’re in trouble… • Smart phones are not secure platforms • Scalability of malware attacks increases risk • Can HCE be secure? • New concepts are emerging that may enable secure apps • Evaluation can help identify & mitigate risk • Interaction between development and evaluation drives industry best practices • The race is on public
Riscure North America 550 Kearny Street, Suite 330 San Francisco CA 94108 USA Phone: +1 650 646 99 79 inforequest@riscure.com Riscure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com Contact: Marc Witteman (witteman@riscure.com) Evaluation needed? Visit us at booth 8

More Related Content

PDF
Fault Injection on Automotive Diagnosis Protocols
byRiscure
 
PDF
Riscure Introduction
byRiscure
 
PDF
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
byRiscure
 
PDF
Software Attacks on Hardware Wallets
byRiscure
 
PDF
How to secure electronic passports
byRiscure
 
PDF
Efficient Reverse Engineering of Automotive Firmware
byRiscure
 
PDF
Riscure Assurance for Premium Content at a glance
byRiscure
 
PDF
Why is it so hard to make secure chips?
byRiscure
 
Fault Injection on Automotive Diagnosis Protocols
byRiscure
 
Riscure Introduction
byRiscure
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
byRiscure
 
Software Attacks on Hardware Wallets
byRiscure
 
How to secure electronic passports
byRiscure
 
Efficient Reverse Engineering of Automotive Firmware
byRiscure
 
Riscure Assurance for Premium Content at a glance
byRiscure
 
Why is it so hard to make secure chips?
byRiscure
 

What's hot

PDF
Hack one iot device, break them all!
byJustin Black
 
PDF
What is Penetration & Penetration test ?
byBhavin Shah
 
PPTX
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
byPositive Hack Days
 
PPTX
Vulnerability Inheritance in ICS (English)
byDigital Bond
 
PPTX
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
byChase Schultz
 
PDF
Silabus Training Reverse Engineering
bySatria Ady Pradana
 
PPTX
Slide Deck – Session 9 – FRSecure CISSP
byFRSecure
 
PPTX
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
byPositive Hack Days
 
PDF
Physical Penetration Testing - RootedCON 2015
byHykeos
 
PDF
Pki 201 Key Management
byNCC Group
 
PDF
ICS Network Security Monitoring (NSM)
byDigital Bond
 
PPTX
Fingerprinting and Attacking a Healthcare Infrastructure
byPositive Hack Days
 
PPTX
Bypass Security Checking with Frida
bySatria Ady Pradana
 
PDF
Java Card Security
byRiscure
 
PDF
Track 5 session 2 - st dev con 2016 - security iot best practices
byST_World
 
PPTX
Path of Cyber Security
bySatria Ady Pradana
 
PPTX
Inria Tech Talk IoT - 28 Mars 2018
byFrenchTechCentral
 
PPTX
Safe and secure programming practices for embedded devices
bySoumitra Bhattacharyya
 
PDF
APT Webinar
byJoseph Schorr
 
PDF
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
byPositive Hack Days
 
Hack one iot device, break them all!
byJustin Black
 
What is Penetration & Penetration test ?
byBhavin Shah
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
byPositive Hack Days
 
Vulnerability Inheritance in ICS (English)
byDigital Bond
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
byChase Schultz
 
Silabus Training Reverse Engineering
bySatria Ady Pradana
 
Slide Deck – Session 9 – FRSecure CISSP
byFRSecure
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
byPositive Hack Days
 
Physical Penetration Testing - RootedCON 2015
byHykeos
 
Pki 201 Key Management
byNCC Group
 
ICS Network Security Monitoring (NSM)
byDigital Bond
 
Fingerprinting and Attacking a Healthcare Infrastructure
byPositive Hack Days
 
Bypass Security Checking with Frida
bySatria Ady Pradana
 
Java Card Security
byRiscure
 
Track 5 session 2 - st dev con 2016 - security iot best practices
byST_World
 
Path of Cyber Security
bySatria Ady Pradana
 
Inria Tech Talk IoT - 28 Mars 2018
byFrenchTechCentral
 
Safe and secure programming practices for embedded devices
bySoumitra Bhattacharyya
 
APT Webinar
byJoseph Schorr
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
byPositive Hack Days
 

Similar to How to secure HCE

PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
Digital Product Security
bySoftServe
 
PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
byLondon School of Cyber Security
 
PDF
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
byDenim Group
 
PPT
Web Application Security Testing
byMarco Morana
 
PDF
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
bySteven Carlson
 
PDF
ByteCode pentest report example
byIhor Uzhvenko
 
PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PPTX
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
PDF
New Era of Software with modern Application Security (v0.6)
byDinis Cruz
 
PDF
Top 6 Web Application Security Best Practices.pdf
bySolviosTechnology
 
PPTX
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PDF
Cyber security webinar 6 - How to build systems that resist attacks?
byF-Secure Corporation
 
PPT
六合彩香港-六合彩
bybaoyin
 
PPT
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Unified application security analyser
byTim Youm
 
PDF
OWASP AppSecUSA Recap
byTodd Grotenhuis
 
PDF
Mobile Application Security Service.pdf
byBriskinfosec Technology and Consulting
 
AppSec in an Agile World
byDavid Lindner
 
Digital Product Security
bySoftServe
 
Application Hackers Have A Handbook. Why Shouldn't You?
byLondon School of Cyber Security
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
byDenim Group
 
Web Application Security Testing
byMarco Morana
 
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
bySteven Carlson
 
ByteCode pentest report example
byIhor Uzhvenko
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
New Era of Software with modern Application Security (v0.6)
byDinis Cruz
 
Top 6 Web Application Security Best Practices.pdf
bySolviosTechnology
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
Cyber security webinar 6 - How to build systems that resist attacks?
byF-Secure Corporation
 
六合彩香港-六合彩
bybaoyin
 
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
Unified application security analyser
byTim Youm
 
OWASP AppSecUSA Recap
byTodd Grotenhuis
 
Mobile Application Security Service.pdf
byBriskinfosec Technology and Consulting
 

More from Riscure

PDF
Bypassing Secure Boot using Fault Injection
byRiscure
 
PDF
CheapSCAte: Attacking IoT with less than $60
byRiscure
 
PDF
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
byRiscure
 
PDF
Lowering the bar: deep learning for side-channel analysis
byRiscure
 
PDF
Practical Differential Fault Attack on AES
byRiscure
 
PDF
Defeating RSA Multiply-Always and Message Blinding Countermeasures
byRiscure
 
PDF
Why are we still vulnerable to Side Channel Attacks?
byRiscure
 
PDF
PEW PEW PEW: Designing Secure Boot Securely
byRiscure
 
PDF
Controlling PC on ARM using Fault Injection
byRiscure
 
PDF
How multi-fault injection breaks the security of smart cards
byRiscure
 
Bypassing Secure Boot using Fault Injection
byRiscure
 
CheapSCAte: Attacking IoT with less than $60
byRiscure
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
byRiscure
 
Lowering the bar: deep learning for side-channel analysis
byRiscure
 
Practical Differential Fault Attack on AES
byRiscure
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
byRiscure
 
Why are we still vulnerable to Side Channel Attacks?
byRiscure
 
PEW PEW PEW: Designing Secure Boot Securely
byRiscure
 
Controlling PC on ARM using Fault Injection
byRiscure
 
How multi-fault injection breaks the security of smart cards
byRiscure
 

Recently uploaded

PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
API-First Architecture in Financial Systems
bycyy111112
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 

How to secure HCE

  • 1.
    How to secureHCE? Marc Witteman (CTO) HCE Summit, October 15, 2014, London
  • 2.
    Mobile payment apps a)should be (almost) as secure as smart cards? b) should just be more secure than mag-stripe? How much security do we need? public 2
  • 3.
    • Introduction • Attacks •Mitigation • Conclusion Content public 3
  • 4.
    SE transaction NFC transactionevolution public 4 HCE transaction HCE benefits • Reuse of payment infrastructure • Banks independent from SE owner
  • 5.
    User App Assets • Key provestransaction participation • PIN proves user consent Conceptual transaction protection public 5 Transaction details Approval request Approval Signed transaction Approve (PIN) Sign Key Terminal
  • 6.
    1. Sign manipulatedtransactions Malware intercepts and changes details in valid transaction 2. Sign arbitrary transactions Malware invokes signing function 3. Extract key Malware reads key 4. Attacks scale Main malware threats public 6 Mobile phone OS App Crypto Key Malware
  • 7.
    Basic mobile security public 7 Appsigning Permissions Sandbox Key store
  • 8.
    • Introduction • Attacks •Mitigation • Conclusion Content public 8
  • 9.
    • Rooting =getting system level access to all resources • Files • Memory • Peripherals • Interfaces • All OS protection voids with rooting • Rooting is achieved by exploiting an OS bug • Many attacks start by rooting… Rooting public 9
  • 10.
  • 11.
    Android attack tools public 11 Rootingtool e.g. Towelroot Development kit Inspection tool e.g. Androguard Disassembler e.g. IDA Debugger e.g. GDB, JDWP Instrumenting e.g. ADBI, DDI Decompiler e.g. JEB
  • 12.
    • Any phone maybe rooted • Any application may be reversed • Any asset may be compromised • Malware attacks tend to scale easily • Is there any hope for mobile software security? Rooting impact public 12
  • 13.
    • Introduction • Attacks •Mitigation • Conclusion Content public 13
  • 14.
    • Software protection •Obfuscation • Tamper proofing • White-Box crypto • Hardware security support • Secure Element • Trusted Execution Environment • Cloud • Secure Element in the cloud • Tokenization • Key rotation / software update Great security requires an effective mix of countermeasures Increased security for mobile apps public 14
  • 15.
    Hurdles to greatsecurity • Awareness • Readiness • Cost • Bugs How can you know the strength of your solution? • Wait for security breach in the field (plug and pray) • Test before you go (evaluation) Perfect security? public 15
  • 16.
    5. Recognition • Independentproof of strengths • Exposure through scheme 6. Quality • Timely address issues • Stay ahead of new threats 1. Validate assumptions • Trust the context? • New threats? 2. Find weaknesses • Known threats addressed? • Implementation flaws? 3. Rate vulnerabilities • Severity • Impact 4. Mitigate issues • Workarounds • Development directions Find your weaknesses before they hurt! Evaluation benefits public 16
  • 17.
    • Riscure isa leading lab, accredited by major schemes • Clients: banks and solution providers • Methodology: o black-box (incl. reverse engineering, hacking style) o white-box (incl. vulnerability analysis of source code) • Workload: 25-40 days (incl. iterations) • Completed and ongoing projects: 4 • Price: Meet you at booth 8 to discuss more… HCE security certification by Riscure public 17
  • 18.
    • Introduction • Attacks •Mitigation • Conclusion Content public 18
  • 19.
    Conclusion 19 • We’re introuble… • Smart phones are not secure platforms • Scalability of malware attacks increases risk • Can HCE be secure? • New concepts are emerging that may enable secure apps • Evaluation can help identify & mitigate risk • Interaction between development and evaluation drives industry best practices • The race is on public
  • 20.
    Riscure North America 550Kearny Street, Suite 330 San Francisco CA 94108 USA Phone: +1 650 646 99 79 inforequest@riscure.com Riscure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com Contact: Marc Witteman (witteman@riscure.com) Evaluation needed? Visit us at booth 8