5. Terminology
• SmartPhone
- PC-like functionality from a handheld device
- Larger screens, more memory/storage
- Some with advanced browsers
- iPod Touch, iPhone, Android, PSP, BlackBerry
• Communication Services
- SMS - Short Message Service (text)
- MMS - Multimedia Message Service (text+WAP)
- WAP - Wireless Application Protocol
6. Generational Trends
• Traditionalists (b. 1925-1943)
- “Schedule an appointment”
• Baby Boomers (b. 1944-1962)
- “If my door is open, knock and ask if you can come in”
• Generation X (b. 1963-1981)
- “Check my cubicle to see if I’m there”
• Millennials (b. 1982-2000)
- “Door, what door?”
[Chart: population by generation - Traditionalists 55 million, Millennials 80 million, Gen X 46 million, Boomers 75 million]
7. Increasing Wireless Speeds
[Chart: peak data rate by network generation, vertical axis 0K to 16,000K]
• 1G - Analog, voice only
• 2G - Digital, voice + limited data (under 20Kbps)
• 2.5G - Digital, voice + data (under 90Kbps), “EDGE”
• 3G - Digital, voice + data (under 3Mbps)
• 3.5G - Digital, voice + data (under 14.4Mbps), HSDPA
8. Mobile Growth Trends
• AdMob Mobile Metrics
- Smartphones 33% of total requests in December, up from 22% in May
- iPhone OS share exceeds RIM+Windows Mobile combined
- iPhone generated 48% of SmartPhone requests in December, up from 9% in May
- Android has 2% market share after 2 months
Source: AdMob Mobile Metrics 12/08
9. Smartphone OS Share in US
[Chart: share of requests by smartphone OS, 0% to 100%, May through December; series: Symbian, iPhone, RIM, Windows, Palm, Hiptop, Android]
Source: AdMob Mobile Metrics 12/08
10. Top Handset Models
Mfr        Device            % of Requests   Browser
Apple      iPhone            16.2%           WebKit (Full)
Apple      iPod Touch         7.1%           WebKit (Full)
Motorola   RAZR V3            6.4%           WAP 2
Motorola   KRZR K1c           3.7%           WAP 2
Motorola   Z6m                3.4%           WAP 2
Motorola   W385               3.0%           WAP 2
RIM        BlackBerry 8300    2.8%           WAP 2
RIM        BlackBerry 8100    2.5%           WAP 2
Palm       Centro             2.5%           WAP 2
Samsung    R450               1.8%           WAP 2
Samsung    R210               1.8%           WAP 2
Samsung    M800               1.8%           WAP 2
LG         LX260              1.7%           WAP 2
Kyocera    K24                1.6%           WAP 2
Samsung    R430               1.4%           WAP 2
Danger     Sidekick II        1.3%           WAP 2
Samsung    R410               1.0%           WAP 2
Sony       PSP                1.0%           WAP 2
LG         CU720              0.9%           WAP 2
HTC        Dream (Android)    0.8%           WebKit (Full)
Callout: 24.1% support a “Real” browser (iPhone + iPod Touch + Dream)
Source: AdMob Mobile Metrics 12/08
11. Quick Conclusions
• Members - Millennial generation
- Large population quick to adopt technology
- Reduced concerns regarding security, privacy
• Wireless data speeds increasing
- 3G/3.5G, EVDO
• SmartPhone adoption is growing very quickly
- iPhone, Android, Blackberry Storm
• Internet experience is superior from SmartPhones
• Internal users and Members will continue driving demand for smart devices with higher network speeds
13. Business Drivers
• Enhanced Communication
- Real-time e-mail, calendar, contacts
- Text messaging
- Instant messaging
- Mobile access to content and information
- Personal - audio/video/browsing
- Information synchronization and storage
14. Mobile Threats vs. Risks
Threat                              Risk / Impact
Device loss or theft                Loss of confidential info
Multiple wireless channels (wifi)   Loss of credentials, device integrity
Malware / virus                     Loss of credentials, device integrity
Interception / MITM                 Loss of credentials
User awareness                      Increased time between compromise and action
SPAM, Phish, SMiSh                  Annoyance, monetary loss, fraud
16. iPhone
• Requires iTunes to synchronize data
- Consumer-oriented audio/video
- Synchronization of data
- Sharing of music libraries via Bonjour
• Centralized vs. decentralized control
- Security and management features require ActiveSync Server / Exchange
• Remote wipe, password controls, inactivity timeouts
• Policies?
17. WesCorp Mobile Application
• Relationship Manager (RM) Mobile
- Browser-based iPhone target
- Real-time access to WesCorp rates
- CRM profiles of WesCorp Member
- Creation of call reports directly on-device
- Certificate purchase
- Access to WesCorp commentary, webinars, podcasts
- No NPPI, single-factor auth
18. Quick Conclusions
• Expect organizational pressure for new devices and smartphones (if you haven’t seen it yet)
• Saying “no” at the Corporate level will not deter individual purchase and use in the workplace
• Smartphones require re-thinking of both policy and enterprise support models
• Think about data loss prevention, remote wipe, passwords, remote access, WiFi vs. carrier network access
22. Mobile Application Challenges
• Member perception of security
• Difficulty of data entry on mobile platform
• Varying size of screen on devices
• Slower speed of network connection
• “Lost” icon for downloaded applications
• Phishing - via e-mail, SMS, or other method
• Significant costs based on existing deployment models
23. Features vs. Risks
Service RO / RW NPPI PAN Authentication Required
Checking/Savings/Loan Balance RO DEPENDS NO Single-factor
Credit Card Balance RO DEPENDS YES Single-factor
Recent Transactions RO DEPENDS NO Single-factor
Historical Search / Check Status RO DEPENDS NO Single-factor
Alert - Overdraft, Threshold RO DEPENDS NO Single-factor
Bill Schedule / Duedate Review RO DEPENDS NO Single-factor
Currency Rates, ATM Locator RO NO NO None
Transfer Between Accounts RW DEPENDS NO Dual-factor
Stop Check RW DEPENDS NO Dual-factor
Domestic / International ACH RW YES NO Dual-factor
Change Alerts RW NO NO Dual-factor
Pay or Schedule Bill RW NO NO Dual-factor
Create/Update Billpay Vendor RW NO NO Dual-factor
Order Checks RW NO NO Dual-factor
Disable Credit Card RW YES YES Dual-factor
Personalize Settings RW NO NO Dual-factor
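As an added example (not from the deck or from WesCorp's application), the following Python encodes a few rows of the matrix above as a policy and makes the per-request authorization decision: step-up when the session lacks the required factor and, as an assumed mitigation, masking the PAN for the one read-only service that exposes it under single-factor. The service names, the `AuthLevel` ordering and the masking rule are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class AuthLevel(IntEnum):
    """Assumed ordering: a higher session level satisfies a lower requirement."""
    NONE = 0
    SINGLE_FACTOR = 1
    DUAL_FACTOR = 2

@dataclass(frozen=True)
class ServicePolicy:
    read_write: bool      # RW on the slide -> True, RO -> False
    nppi: str             # "YES", "NO" or "DEPENDS", as written on the slide
    pan: bool             # service exposes a card PAN
    required: AuthLevel   # authentication the slide requires

# Constructed subset of the "Features vs. Risks" rows; the keys are assumed names.
POLICY = {
    "balance":             ServicePolicy(False, "DEPENDS", False, AuthLevel.SINGLE_FACTOR),
    "credit_card_balance": ServicePolicy(False, "DEPENDS", True,  AuthLevel.SINGLE_FACTOR),
    "atm_locator":         ServicePolicy(False, "NO",      False, AuthLevel.NONE),
    "transfer":            ServicePolicy(True,  "DEPENDS", False, AuthLevel.DUAL_FACTOR),
    "disable_credit_card": ServicePolicy(True,  "YES",     True,  AuthLevel.DUAL_FACTOR),
}

def rw_without_dual_factor(policy=POLICY):
    """Lint the matrix: every read/write row on the slide requires dual-factor."""
    return sorted(n for n, p in policy.items()
                  if p.read_write and p.required < AuthLevel.DUAL_FACTOR)

def authorize(service, session_level, policy=POLICY):
    """Return (decision, detail); decisions are 'allow', 'step-up' or 'deny'."""
    p = policy.get(service)
    if p is None:
        return "deny", "unknown service"   # fail closed
    if session_level < p.required:
        return "step-up", f"need {p.required.name}, have {session_level.name}"
    # Assumed mitigation: a PAN reachable with one factor is displayed masked.
    if p.pan and session_level < AuthLevel.DUAL_FACTOR:
        return "allow", "mask PAN"
    return "allow", "ok"

def mask_pan(pan):
    """Keep only the last four digits of a card number (assumed display rule)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]
```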
24. SMS
• Extremely wide deployment
• No application to install or configure
• No browser required
• Easy to use
• High adoption rate among existing phone users
25. SMS Risk Issues
• No encryption
• Authentication is difficult
- FI to Member - think SMiShing
- Member to FI
• Intersections with web banking, phone banking
- How hard is it to change your cell number on file with your CU?
26. WAP
• Wireless Application Protocol
- 1.X - Avoid. Encryption is not end-to-end: the carrier gateway decrypts and re-encrypts traffic (a MITM by design).
- Push - Mostly on top of SMS, pushes content messages
- WAP 2.X - Current standard, similar to “full” browser
• TCP/IP, end-to-end HTTP and TLS
• Cipher suites, cert formats, signing algorithms
• XHTML + WAP CSS
• Backwards compatible
27. WAP Risk Issues
• Cookies
- Stored on-device
- Some gateways cause cookies to never expire
- Limits for number of cookies stored
- Domain cookies, secure flag
• Read the AT&T WAP 2.0 Guide
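An added example, not from the deck or the AT&T guide: a small audit of Set-Cookie headers against the cookie issues listed above (no explicit expiry, domain-wide scope, missing Secure flag). The 15-minute ceiling, the host names and the sample headers are constructed assumptions.

```python
# Assumed ceiling for a mobile banking session cookie (not from the deck).
MAX_COOKIE_AGE_SECONDS = 15 * 60

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def audit_cookie(header, host):
    """Findings for one cookie, keyed to the slide's WAP cookie issues."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append("no Secure flag: cookie may travel over a cleartext hop")
    max_age = attrs.get("max-age")
    if max_age is None and "expires" not in attrs:
        # Server set no lifetime, so a gateway that persists cookies keeps it forever.
        findings.append("no expiry: rely on the gateway and it may never expire")
    elif max_age is not None and not (isinstance(max_age, str) and max_age.isdigit()
                                      and int(max_age) <= MAX_COOKIE_AGE_SECONDS):
        findings.append(f"Max-Age {max_age!r} is malformed or above {MAX_COOKIE_AGE_SECONDS}s")
    domain = attrs.get("domain")
    # A Domain attribute always covers subdomains; anything but the exact host widens scope.
    if isinstance(domain, str) and domain.lstrip(".").lower() != host.lower():
        findings.append(f"Domain={domain}: shared with every host under that domain")
    return name, findings

def audit_response(headers, host):
    """Audit every Set-Cookie header of a response; returns [(name, findings), ...]."""
    return [audit_cookie(h, host) for h in headers]

# Constructed sample headers (not captured from any real system).
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; Domain=.example-cu.org",
    "SESSION=abc123; Path=/; Secure; Max-Age=600; Domain=m.example-cu.org",
]
```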
28. “Full” Browser
• Welcome to WebKit
- iPhone, iPod Touch, Android, Palm Pre, Nokia S60
- Passes Acid 2 test for compatibility
- JavaScript, CSS, AJAX
• Flash
- Flash Lite
- Limited US availability (LG, Motorola, Nokia, Samsung)
29. “Full” Browser Risk Issues
• Authentication
- Cached credentials (username, password)
- Cookies and expiration
- Certificate acceptance and storage
- Backup/restore to desktop - target of traditional malware?
• Almost anything else a PC/Mac browser would be vulnerable to
30. Client Application
• Ultimate in control
- Authentication, authorization, accounting
• More branding opportunities
• Better device integration
- Click-to-call
- Maps / pindrop
32. Deployment Considerations
• Regardless of platform, think anti-fraud
- Why is a user all of a sudden transferring funds to Russia?
- Why is the source IP for a user coming from another country?
- Why did the cell phone number change?
- Why did the type of phone used change?
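An added example (not WesCorp's code) that turns the four “why” questions above into signals checked against a member's baseline profile and maps them to allow, step-up or manual review. The weights, the thresholds, and the rule that a just-changed phone number goes to review rather than an SMS step-up are assumptions; the source-IP country is assumed to come from an upstream geolocation lookup.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    home_country: str
    phone_number: str
    device: str
    known_destinations: set = field(default_factory=set)

@dataclass(frozen=True)
class Transfer:
    dest_country: str
    source_country: str   # assumed upstream geolocation of the source IP
    phone_number: str     # number on file when the request arrives
    device: str           # device type seen on the request

# Assumed weights for the four "why" questions on the slide.
WEIGHTS = {
    "new destination country": 2,
    "source IP outside home country": 2,
    "cell phone number changed": 3,   # also undermines SMS as a step-up channel
    "device type changed": 1,
}
STEP_UP_AT, REVIEW_AT = 2, 4   # assumed thresholds

def fraud_signals(profile, t):
    """Return the slide's questions that fire for this transfer."""
    signals = []
    if t.dest_country != profile.home_country and t.dest_country not in profile.known_destinations:
        signals.append("new destination country")
    if t.source_country != profile.home_country:
        signals.append("source IP outside home country")
    if t.phone_number != profile.phone_number:
        signals.append("cell phone number changed")
    if t.device != profile.device:
        signals.append("device type changed")
    return signals

def decide(profile, t):
    """Map signals to allow / step-up / review; returns (action, score, signals)."""
    signals = fraud_signals(profile, t)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= REVIEW_AT or "cell phone number changed" in signals:
        action = "review"   # an SMS challenge to a just-changed number proves nothing
    elif score >= STEP_UP_AT:
        action = "step-up"
    else:
        action = "allow"
        profile.known_destinations.add(t.dest_country)   # learn the baseline
    return action, score, signals
```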
33. Quick Conclusions
• There is no one right answer
• Think through services from multiple perspectives
- What transactions will be supported and the relative risk
- What delivery channels will be supported (SMS, WAP)
• Mixed-mode - auth via one channel, content via another
- How an attacker could break your system
• Interfaces between mobile, phone, ATM, branch, teller
- How can this enhance a Red Flags / anti-fraud
34. Thank You
Robert Brown
Director, Information Security, WesCorp
909-394-6393, rbrown@wescorp.org
LinkedIn, Facebook, and www.robertjbrown.com
Reference Materials at www.robertjbrown.com