Mobility & Security
Technology Risk Considerations
Robert J. Brown
Director, Information Security
WesCorp
Introductions
My background and role at WesCorp
Discussion Topics
Mobile Growth Trends
Internal Mobile Usage
Mobile Banking Security
Mobile Growth Trends
Terminology
• SmartPhone
- PC-like functionality from a handheld device
- Larger screens, more memory/storage
- Some with advanced browsers
- iPod Touch, iPhone, Android, PSP, BlackBerry
• Communication Services
- SMS - Short Message Service (text)
- MMS - Multimedia Message Service (text+WAP)
- WAP - Wireless Application Protocol
Generational Trends
• Traditionalists (b. 1925-1943)
- “Schedule an appointment”
• Baby Boomers (b. 1944-1962)
- “If my door is open, knock and ask if you can come in”
• Generation X (b. 1963-1981)
- “Check my cubicle to see if I’m there”
• Millennials (b. 1982-2000)
- “Door, what door?”
[Chart: population by generation. Labels shown: Traditionalists, Millennials, Gen X, Boomers. Values shown: 55 million, 80 million, 46 million, 75 million]
Increasing Wireless Speeds
[Chart: maximum data rate per network generation; y-axis 0K to 16,000K (Kbps)]
1G   - Analog, voice only
2G   - Digital, voice + limited data (under 20Kbps)
2.5G - Digital, voice + data (under 90Kbps) “EDGE”
3G   - Digital, voice + data (under 3Mbps)
3.5G - Digital, voice + data (under 14.4Mbps) HSDPA
Mobile Growth Trends
• AdMob Mobile Metrics
- Smartphones 33% of total requests in December, up from 22% in May
- iPhone OS share exceeds RIM+Windows Mobile combined
- iPhone generated 48% of SmartPhone requests in December, up from 9% in May
- Android has 2% market share after 2 months
Source: AdMob Mobile Metrics 12/08
Smartphone OS Share in US
[Chart: share of smartphone requests by OS, May through December 2008, y-axis 0% to 100%; series: Symbian, iPhone, RIM, Windows, Palm, Hiptop, Android]
Source: AdMob Mobile Metrics 12/08
Top Handset Models
Mfr       Device                  % of Requests   Browser
Apple     iPhone                  16.2%           WebKit (Full)
Apple     iPod Touch              7.1%            WebKit (Full)
Motorola  RAZR V3                 6.4%            WAP 2
Motorola  KRZR K1c                3.7%            WAP 2
Motorola  Z6m                     3.4%            WAP 2
Motorola  W385                    3.0%            WAP 2
RIM       BlackBerry 8300         2.8%            WAP 2
RIM       BlackBerry 8100         2.5%            WAP 2
Palm      Centro                  2.5%            WAP 2
Samsung   R450                    1.8%            WAP 2
Samsung   R210                    1.8%            WAP 2
Samsung   M800                    1.8%            WAP 2
LG        LX260                   1.7%            WAP 2
Kyocera   K24                     1.6%            WAP 2
Samsung   R430                    1.4%            WAP 2
Danger    Sidekick II             1.3%            WAP 2
Samsung   R410                    1.0%            WAP 2
Sony      PSP                     1.0%            WAP 2
LG        CU720                   0.9%            WAP 2
HTC       Dream (Android)         0.8%            WebKit (Full)
24.1% of requests (the three WebKit handsets) support a “Real” browser
Source: AdMob Mobile Metrics 12/08
Quick Conclusions
• Members - Millennial generation
- Large population quick to adopt technology
- Reduced concerns regarding security, privacy
• Wireless data speeds increasing
- 3G/3.5G, EVDO
• SmartPhone adoption is growing very quickly
- iPhone, Android, Blackberry Storm
• Internet experience is superior from SmartPhones
• Internal users and Members will continue driving demand for smart devices with higher network speeds
Internal Mobile Usage
Business Drivers
• Enhanced Communication
- Real-time e-mail, calendar, contacts
- Text messaging
- Instant messaging
- Mobile access to content and information
- Personal - audio/video/browsing
- Information synchronization and storage
Mobile Threats vs. Risks
Threat                              Risk Impact
Device loss or theft                Loss of confidential info
Multiple wireless channels (wifi)   Loss of credentials, device integrity
Malware / virus                     Loss of credentials, device integrity
Interception / MITM                 Loss of credentials
User awareness                      Increased time between compromise and action
SPAM, Phish, SMiSh                  Annoyance, monetary loss, fraud
Internal Risk Considerations
• Data Storage - large capacity (16GB+)
- Documents, Contacts (passwords)
• Browsers
- Stored cookies, credentials, passwords
• Software
- Third-party applications
• Content
- Video, audio, legal considerations, sharing
iPhone
• Requires iTunes to synchronize data
- Consumer-oriented audio/video
- Synchronization of data
- Sharing of music libraries via Bonjour
• Centralized vs. decentralized control
- Security and management features require ActiveSync Server / Exchange
• Remote wipe, password controls, inactivity timeouts
• Policies?
WesCorp Mobile Application
• Relationship Manager (RM) Mobile
- Browser-based iPhone target
- Real-time access to WesCorp rates
- CRM profiles of WesCorp Member
- Creation of call reports directly on-device
- Certificate purchase
- Access to WesCorp commentary, webinars, podcasts
- No NPPI, single-factor auth
Quick Conclusions
• Expect organizational pressure for new devices and smartphones (if you haven’t seen it yet)
• Saying “no” at the Corporate level will not deter individual purchase and use in the workplace
• Smartphones require re-thinking of both policy and enterprise support models
• Think about data loss prevention, remote wipe, passwords, remote access, WiFi vs. carrier network access
Mobile Banking Security
Business Drivers
• Reduced call volumes
• Reduced fraud
• Increased “stickiness”
• Attract new Members - Millennials
• Member Demand
- Better devices, network speeds
- Review balances quickly (in store)
- Search for surcharge-free ATMs
- Research checks or payment clearance
- Alerts for overdraft, fraud, payment due
Deployment Approaches
• Multiple deployment approaches
- SMS
- WAP Browser (1.x, 2.x)
- “Full” Browser
- Thick-client or local application (iPhone)
- Carrier-dependent, carrier-agnostic
Mobile Application Challenges
• Member perception of security
• Difficulty of data entry on mobile platform
• Varying size of screen on devices
• Slower speed of network connection
• “Lost” icon for downloaded applications
• Phishing - via e-mail, SMS, or other method
• Significant costs based on existing deployment models
Features vs. Risks
Service                           RO/RW  NPPI     PAN  Authentication Required
Checking/Savings/Loan Balance     RO     DEPENDS  NO   Single-factor
Credit Card Balance               RO     DEPENDS  YES  Single-factor
Recent Transactions               RO     DEPENDS  NO   Single-factor
Historical Search / Check Status  RO     DEPENDS  NO   Single-factor
Alert - Overdraft, Threshold      RO     DEPENDS  NO   Single-factor
Bill Schedule / Due Date Review   RO     DEPENDS  NO   Single-factor
Currency Rates, ATM Locator       RO     NO       NO   None
Transfer Between Accounts         RW     DEPENDS  NO   Dual-factor
Stop Check                        RW     DEPENDS  NO   Dual-factor
Domestic / International ACH      RW     YES      NO   Dual-factor
Change Alerts                     RW     NO       NO   Dual-factor
Pay or Schedule Bill              RW     NO       NO   Dual-factor
Create/Update Billpay Vendor      RW     NO       NO   Dual-factor
Order Checks                      RW     NO       NO   Dual-factor
Disable Credit Card               RW     YES      YES  Dual-factor
Personalize Settings              RW     NO       NO   Dual-factor
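The matrix above only reduces risk if the server enforces it on every request, whichever channel the request arrived on. The following is an added example, not code from the presentation or from WesCorp: it transcribes the table rows, derives the single rule they all follow (writes need dual-factor, reads that expose neither NPPI nor a PAN need nothing, other reads need single-factor), and denies a request whose session is below the required level. The AuthLevel names and the authorize() API are assumptions made for the illustration.

```python
"""Server-side enforcement of the "Features vs. Risks" matrix.

Added example, not code from the presentation or from WesCorp: the table
rows are transcribed from the slide; the AuthLevel names and the
authorize() API are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Ordered so that a stronger session level satisfies a weaker requirement."""
    NONE = 0
    SINGLE_FACTOR = 1
    DUAL_FACTOR = 2


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    access: str          # "RO" read-only, "RW" read/write
    nppi: str            # "YES", "NO" or "DEPENDS": non-public personal information shown
    pan: str             # "YES" or "NO": primary account number shown
    required: AuthLevel  # authentication level stated in the slide


_S, _D, _N = AuthLevel.SINGLE_FACTOR, AuthLevel.DUAL_FACTOR, AuthLevel.NONE

# Rows transcribed from the slide's table.
POLICIES = {p.name: p for p in (
    ServicePolicy("Checking/Savings/Loan Balance", "RO", "DEPENDS", "NO", _S),
    ServicePolicy("Credit Card Balance", "RO", "DEPENDS", "YES", _S),
    ServicePolicy("Recent Transactions", "RO", "DEPENDS", "NO", _S),
    ServicePolicy("Historical Search / Check Status", "RO", "DEPENDS", "NO", _S),
    ServicePolicy("Alert - Overdraft, Threshold", "RO", "DEPENDS", "NO", _S),
    ServicePolicy("Bill Schedule / Due Date Review", "RO", "DEPENDS", "NO", _S),
    ServicePolicy("Currency Rates, ATM Locator", "RO", "NO", "NO", _N),
    ServicePolicy("Transfer Between Accounts", "RW", "DEPENDS", "NO", _D),
    ServicePolicy("Stop Check", "RW", "DEPENDS", "NO", _D),
    ServicePolicy("Domestic / International ACH", "RW", "YES", "NO", _D),
    ServicePolicy("Change Alerts", "RW", "NO", "NO", _D),
    ServicePolicy("Pay or Schedule Bill", "RW", "NO", "NO", _D),
    ServicePolicy("Create/Update Billpay Vendor", "RW", "NO", "NO", _D),
    ServicePolicy("Order Checks", "RW", "NO", "NO", _D),
    ServicePolicy("Disable Credit Card", "RW", "YES", "YES", _D),
    ServicePolicy("Personalize Settings", "RW", "NO", "NO", _D),
)}


def derive_required_auth(access, nppi, pan):
    """The rule every row of the table follows: any write needs dual-factor,
    a read that exposes neither NPPI nor a PAN needs no authentication,
    and every other read needs single-factor."""
    if access == "RW":
        return AuthLevel.DUAL_FACTOR
    if nppi == "NO" and pan == "NO":
        return AuthLevel.NONE
    return AuthLevel.SINGLE_FACTOR


def table_is_consistent():
    """True when the stated requirement of every row matches the derived rule;
    the same check can be run on a proposed new service row before deployment."""
    return all(derive_required_auth(p.access, p.nppi, p.pan) == p.required
               for p in POLICIES.values())


def authorize(service, session_level):
    """Decide whether a session authenticated at session_level may call service.

    Returns (allowed, reason). Unknown services are denied (fail closed)
    rather than assumed to be low risk."""
    policy = POLICIES.get(service)
    if policy is None:
        return False, f"unknown service {service!r}"
    if session_level < policy.required:
        return False, (f"{service} requires {policy.required.name}, "
                       f"session has {session_level.name}: step-up needed")
    return True, "ok"


if __name__ == "__main__":
    print("table consistent:", table_is_consistent())
    for svc, lvl in (("Currency Rates, ATM Locator", AuthLevel.NONE),
                     ("Recent Transactions", AuthLevel.NONE),
                     ("Transfer Between Accounts", AuthLevel.SINGLE_FACTOR),
                     ("Transfer Between Accounts", AuthLevel.DUAL_FACTOR)):
        print(svc, lvl.name, authorize(svc, lvl))
```

The "DEPENDS" column is deliberately carried as data rather than collapsed: whether a balance view exposes NPPI depends on what the page renders, so the row, not the code, is what a reviewer changes when the content changes.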
SMS
• Extremely wide deployment
• No application to install or configure
• No browser required
• Easy to use
• High adoption rate among existing phone users
SMS Risk Issues
• No encryption
• Authentication is difficult
- FI to Member - think SMiShing
- Member to FI
• Intersections with web banking, phone banking
- How hard is it to change your cell number on file with your CU?
WAP
• Wireless Application Protocol
- 1.X - Avoid. Requires MITM for encryption.
- Push - Mostly on top of SMS, pushes content messages
- WAP 2.X - Current standard, similar to “full” browser
• TCP/IP, end-to-end HTTP and TLS
• Cipher suites, cert formats, signing algorithms
• XHTML + WAP CSS
• Backwards compatible
WAP Risk Issues
• Cookies
- Stored on-device
- Some gateways cause cookies to never expire
- Limits for number of cookies stored
- Domain cookies, secure flag
• Read the AT&T WAP 2.0 Guide
“Full” Browser
• Welcome to WebKit
- iPhone, iPod Touch, Android, Palm Pre, Nokia S60
- Passes Acid 2 test for compatibility
- JavaScript, CSS, AJAX
• Flash
- Flash Lite
- Limited US availability (LG, Motorola, Nokia, Samsung)
“Full” Browser Risk Issues
• Authentication
- Cached credentials (username, password)
- Cookies and expiration
- Certificate acceptance and storage
- Backup/restore to desktop - target of traditional malware?
• Almost anything else a PC/Mac browser would be vulnerable to
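The cookie issues listed under WAP (never-expiring cookies, domain cookies, the secure flag) and the cached-credential and backup issues listed for "full" browsers are all visible in the response headers the banking site sends, so they can be audited before release. The following is an added example, not code from the presentation: it parses Set-Cookie headers, flags a missing Secure or HttpOnly attribute, a lifetime beyond policy, a domain cookie scoped wider than the host, and a page of account data served without Cache-Control: no-store. The two responses, the host name and the MAX_COOKIE_LIFETIME value are constructed for the illustration.

```python
"""Audit of cookie and caching headers on a mobile banking response.

Added example, not code from the presentation: it checks the cookie risks
listed for WAP (expiry, domain scope, secure flag) and the cached-content
risk listed for "full" browsers. The responses below are constructed, and
MAX_COOKIE_LIFETIME is an assumed policy value.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_COOKIE_LIFETIME = 15 * 60  # seconds; assumed session policy for a banking channel


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute keys
    are lower-cased and flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Seconds until the cookie expires, or None for a session cookie.
    Max-Age wins over Expires, as browsers apply it."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None


def audit_response(headers, host, now, shows_account_data=True):
    """Return a list of findings for a response whose headers are given as
    {header-name: [values]}; an empty list means the response passes."""
    findings = []
    for raw in headers.get("Set-Cookie", []):
        name, _, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, cookie would also be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, readable by script in the page")
        life = cookie_lifetime(attrs, now)
        if life is not None and life > MAX_COOKIE_LIFETIME:
            findings.append(f"{name}: lifetime {life}s exceeds policy of {MAX_COOKIE_LIFETIME}s")
        domain = attrs.get("domain", "").lstrip(".")
        if domain and domain != host:
            findings.append(f"{name}: domain cookie for {domain} is shared beyond {host}")
    if shows_account_data:
        cache = " ".join(headers.get("Cache-Control", [])).lower()
        if "no-store" not in cache:
            findings.append("Cache-Control lacks no-store; account data may persist in "
                            "the browser cache and in desktop backups")
    return findings


# Constructed sample responses for the made-up host m.example.test.
HOST = "m.example.test"
NOW = datetime(2009, 1, 1, tzinfo=timezone.utc)
WEAK_RESPONSE = {
    "Set-Cookie": ["sid=abc123; Path=/; Domain=.example.test; Expires=Thu, 31 Dec 2037 23:59:59 GMT",
                   "prefs=1; Secure"],
    "Cache-Control": ["private"],
}
HARDENED_RESPONSE = {
    "Set-Cookie": ["sid=abc123; Path=/; Secure; HttpOnly; Max-Age=600"],
    "Cache-Control": ["no-store, no-cache, must-revalidate"],
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp, HOST, NOW) or ["no findings"])
```

The hardened response keeps the session cookie host-only (no Domain attribute) and short-lived, which is the combination that limits what a gateway that ignores expiry, or a desktop backup of the device, can retain.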
Client Application
• Ultimate in control
- Authentication, authorization, accounting
• More branding opportunities
• Better device integration
- Click-to-call
- Maps / pindrop
Client Application Risk Issues
• Locally stored information
- Credentials, cached account information?
• Upgrade cycle
- Application integrity
- Management of varying devices, software versions
• Connectivity
- Intermediate proxies
Deployment Considerations
• Regardless of platform, think anti-fraud
- Why is a user all of a sudden transferring funds to Russia?
- Why is the source IP for a user coming from another country?
- Why did the cell phone number change?
- Why did the type of phone used change?
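The four questions above are the same whichever channel the transfer arrives on, so they are best implemented once, behind every channel, as rules over a member profile. The following is an added example, not code from the presentation or from WesCorp: each question becomes a rule, the number of rules that fire drives a step-up or hold decision, and a request whose cell number changed days earlier, whose source IP geolocates to a new country, and whose handset differs from the usual one is held for review rather than processed. The profile, the requests, the thresholds and the equal rule weights are constructed assumptions.

```python
"""Channel-agnostic anti-fraud scoring for a mobile funds transfer.

Added example, not code from the presentation or from WesCorp. The member
profile and the requests are constructed; the four rules are the questions
the slide asks, and the thresholds and equal rule weights are assumptions.
"""
from dataclasses import dataclass
from datetime import date

PHONE_CHANGE_WINDOW_DAYS = 14  # assumed: a number changed this recently is treated as unverified
STEP_UP_THRESHOLD = 1          # assumed: one anomaly forces re-authentication on a second channel
REVIEW_THRESHOLD = 3           # assumed: three or more anomalies hold the transfer for review


@dataclass(frozen=True)
class MemberProfile:
    member_id: str
    usual_countries: frozenset        # where the member's sessions normally geolocate to
    known_payee_countries: frozenset  # destinations of prior transfers
    phone_changed_on: date            # when the cell number on file was last changed
    usual_device: str                 # handset family seen on prior sessions


@dataclass(frozen=True)
class TransferRequest:
    member_id: str
    amount: float
    destination_country: str
    source_country: str   # from IP geolocation, done upstream (assumed)
    device: str           # handset family derived from the User-Agent (assumed)
    requested_on: date


def score_request(profile, req):
    """Apply the slide's four questions as rules; returns (score, reasons)."""
    reasons = []
    if req.destination_country not in profile.known_payee_countries:
        reasons.append(f"first transfer to {req.destination_country}")
    if req.source_country not in profile.usual_countries:
        reasons.append(f"source IP geolocates to {req.source_country}")
    if (req.requested_on - profile.phone_changed_on).days <= PHONE_CHANGE_WINDOW_DAYS:
        reasons.append("cell number on file changed within the last "
                       f"{PHONE_CHANGE_WINDOW_DAYS} days")
    if req.device != profile.usual_device:
        reasons.append(f"device changed from {profile.usual_device} to {req.device}")
    return len(reasons), reasons


def decide(profile, req):
    """Map the score to an action: allow, step_up_auth or hold_for_review."""
    if req.member_id != profile.member_id:
        return "hold_for_review", ["request does not belong to this profile"]
    score, reasons = score_request(profile, req)
    if score >= REVIEW_THRESHOLD:
        return "hold_for_review", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up_auth", reasons
    return "allow", reasons


# Constructed sample data.
PROFILE = MemberProfile("M-1001", frozenset({"US"}), frozenset({"US"}),
                        date(2009, 1, 10), "iPhone")
ROUTINE = TransferRequest("M-1001", 250.0, "US", "US", "iPhone", date(2009, 3, 1))
TRAVELLING = TransferRequest("M-1001", 250.0, "US", "CA", "iPhone", date(2009, 3, 1))
SUSPICIOUS = TransferRequest("M-1001", 4800.0, "RU", "RU", "WAP 2 handset", date(2009, 1, 12))

if __name__ == "__main__":
    for req in (ROUTINE, TRAVELLING, SUSPICIOUS):
        print(req.destination_country, decide(PROFILE, req))
```

The phone-number rule is what ties this back to the SMS slide: if the number on file is also the channel a step-up code is sent to, a transfer shortly after a number change should not be allowed to step up over that same number.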
Quick Conclusions
• There is no one right answer
• Think through services from multiple perspectives
- What transactions will be supported and the relative risk
- What delivery channels will be supported (SMS, WAP)
• Mixed-mode - auth via one channel, content via another
- How an attacker could break your system
• Interfaces between mobile, phone, ATM, branch, teller
- How can this enhance a Red Flags / anti-fraud
Thank You
Robert Brown
Director, Information Security, WesCorp
909-394-6393, rbrown@wescorp.org
LinkedIn, Facebook, and www.robertjbrown.com
Reference Materials at www.robertjbrown.com

More Related Content

What's hot

Gemalto Le Mobile 2.0 Edition 2009
Gemalto Le Mobile 2.0 Edition 2009Gemalto Le Mobile 2.0 Edition 2009
Gemalto Le Mobile 2.0 Edition 2009servicesmobiles.fr
 
Mobile computing
Mobile computingMobile computing
Mobile computingamellia27
 
The Future Of Cell Phones In The Business
The  Future Of  Cell  Phones In The  BusinessThe  Future Of  Cell  Phones In The  Business
The Future Of Cell Phones In The Businesskaribear
 
How to successfully implement a secure mobile strategy
How to successfully implement a secure mobile strategyHow to successfully implement a secure mobile strategy
How to successfully implement a secure mobile strategyVASCO Data Security
 
2015 do's and don't of hotel technology
2015 do's and don't of hotel technology2015 do's and don't of hotel technology
2015 do's and don't of hotel technologyXn Hotel Systems Ltd
 
Group1 Ss08 Smartphones
Group1 Ss08 SmartphonesGroup1 Ss08 Smartphones
Group1 Ss08 SmartphonesKalun Leung
 
Ofer Sheinkin -- GoNext for CMVT User Forum 3
Ofer Sheinkin -- GoNext for CMVT User Forum 3Ofer Sheinkin -- GoNext for CMVT User Forum 3
Ofer Sheinkin -- GoNext for CMVT User Forum 3Ofer Sheinkin
 

What's hot (7)

Gemalto Le Mobile 2.0 Edition 2009
Gemalto Le Mobile 2.0 Edition 2009Gemalto Le Mobile 2.0 Edition 2009
Gemalto Le Mobile 2.0 Edition 2009
 
Mobile computing
Mobile computingMobile computing
Mobile computing
 
The Future Of Cell Phones In The Business
The  Future Of  Cell  Phones In The  BusinessThe  Future Of  Cell  Phones In The  Business
The Future Of Cell Phones In The Business
 
How to successfully implement a secure mobile strategy
How to successfully implement a secure mobile strategyHow to successfully implement a secure mobile strategy
How to successfully implement a secure mobile strategy
 
2015 do's and don't of hotel technology
2015 do's and don't of hotel technology2015 do's and don't of hotel technology
2015 do's and don't of hotel technology
 
Group1 Ss08 Smartphones
Group1 Ss08 SmartphonesGroup1 Ss08 Smartphones
Group1 Ss08 Smartphones
 
Ofer Sheinkin -- GoNext for CMVT User Forum 3
Ofer Sheinkin -- GoNext for CMVT User Forum 3Ofer Sheinkin -- GoNext for CMVT User Forum 3
Ofer Sheinkin -- GoNext for CMVT User Forum 3
 

Viewers also liked

Orden calendario escolar_curso_2011-2012[1]
Orden calendario escolar_curso_2011-2012[1]Orden calendario escolar_curso_2011-2012[1]
Orden calendario escolar_curso_2011-2012[1]ampaelsol
 
MBA - Máster Universitario en Dirección de Empresas
MBA - Máster Universitario en Dirección de EmpresasMBA - Máster Universitario en Dirección de Empresas
MBA - Máster Universitario en Dirección de Empresasmigarzab
 
Raabta: Low-cost Video Conferencing for the Developing World
Raabta: Low-cost Video Conferencing for the Developing WorldRaabta: Low-cost Video Conferencing for the Developing World
Raabta: Low-cost Video Conferencing for the Developing WorldZubair Nabi
 
ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค. สังกัดสำนักงานคณะกรรมการการอาชี...
ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค.  สังกัดสำนักงานคณะกรรมการการอาชี...ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค.  สังกัดสำนักงานคณะกรรมการการอาชี...
ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค. สังกัดสำนักงานคณะกรรมการการอาชี...Totsaporn Inthanin
 
MENA Games Conference 2015
MENA Games Conference 2015MENA Games Conference 2015
MENA Games Conference 2015Daniel Inn
 
Boletin cursos diseño Academia Integral
Boletin cursos diseño Academia IntegralBoletin cursos diseño Academia Integral
Boletin cursos diseño Academia IntegralBuscoCursosGratis.com
 
Jhonier torres ripoll
Jhonier torres ripollJhonier torres ripoll
Jhonier torres ripolljhoniertorres
 
Dac decolombia
Dac decolombiaDac decolombia
Dac decolombia7161213
 
Características del realismo social en novela
Características del realismo social en novelaCaracterísticas del realismo social en novela
Características del realismo social en novelaandreso17
 
Experiencias exitosas de buen gobierno en la región piura
Experiencias exitosas de buen gobierno en la región piuraExperiencias exitosas de buen gobierno en la región piura
Experiencias exitosas de buen gobierno en la región piuraAlexander Rojas García
 
IKEA- El poder de la infancia
IKEA- El poder de la infanciaIKEA- El poder de la infancia
IKEA- El poder de la infanciaIKEA España
 
Investigacion uniremington
Investigacion uniremingtonInvestigacion uniremington
Investigacion uniremingtonBiby Ortiz
 
Closing the gap: The disconnect between marketing technology and business value
Closing the gap: The disconnect between marketing technology and business valueClosing the gap: The disconnect between marketing technology and business value
Closing the gap: The disconnect between marketing technology and business valueBrandwatch
 
La Casa del Capitán Quesada, Al César lo que es del César
La Casa del Capitán Quesada, Al César lo que es del CésarLa Casa del Capitán Quesada, Al César lo que es del César
La Casa del Capitán Quesada, Al César lo que es del CésarÁngel RQ
 
S.c. code of regulations chapter 35 board of cosmetology
S.c. code of regulations chapter 35  board of cosmetologyS.c. code of regulations chapter 35  board of cosmetology
S.c. code of regulations chapter 35 board of cosmetologyalhefney
 

Viewers also liked (20)

Orden calendario escolar_curso_2011-2012[1]
Orden calendario escolar_curso_2011-2012[1]Orden calendario escolar_curso_2011-2012[1]
Orden calendario escolar_curso_2011-2012[1]
 
Configuración dns
Configuración dnsConfiguración dns
Configuración dns
 
EMF Neutralizers
EMF Neutralizers EMF Neutralizers
EMF Neutralizers
 
MBA - Máster Universitario en Dirección de Empresas
MBA - Máster Universitario en Dirección de EmpresasMBA - Máster Universitario en Dirección de Empresas
MBA - Máster Universitario en Dirección de Empresas
 
Raabta: Low-cost Video Conferencing for the Developing World
Raabta: Low-cost Video Conferencing for the Developing WorldRaabta: Low-cost Video Conferencing for the Developing World
Raabta: Low-cost Video Conferencing for the Developing World
 
ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค. สังกัดสำนักงานคณะกรรมการการอาชี...
ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค.  สังกัดสำนักงานคณะกรรมการการอาชี...ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค.  สังกัดสำนักงานคณะกรรมการการอาชี...
ประกาศรายชื่อผู้มีสิทธิ์สอบครูผู้ช่วย ภาค ค. สังกัดสำนักงานคณะกรรมการการอาชี...
 
MENA Games Conference 2015
MENA Games Conference 2015MENA Games Conference 2015
MENA Games Conference 2015
 
Boletin cursos diseño Academia Integral
Boletin cursos diseño Academia IntegralBoletin cursos diseño Academia Integral
Boletin cursos diseño Academia Integral
 
Jhonier torres ripoll
Jhonier torres ripollJhonier torres ripoll
Jhonier torres ripoll
 
Dac decolombia
Dac decolombiaDac decolombia
Dac decolombia
 
Características del realismo social en novela
Características del realismo social en novelaCaracterísticas del realismo social en novela
Características del realismo social en novela
 
El resumen pp
El resumen ppEl resumen pp
El resumen pp
 
Experiencias exitosas de buen gobierno en la región piura
Experiencias exitosas de buen gobierno en la región piuraExperiencias exitosas de buen gobierno en la región piura
Experiencias exitosas de buen gobierno en la región piura
 
EasyVista - Software para Gestión de TI
EasyVista - Software para Gestión de TIEasyVista - Software para Gestión de TI
EasyVista - Software para Gestión de TI
 
IKEA- El poder de la infancia
IKEA- El poder de la infanciaIKEA- El poder de la infancia
IKEA- El poder de la infancia
 
Investigacion uniremington
Investigacion uniremingtonInvestigacion uniremington
Investigacion uniremington
 
Closing the gap: The disconnect between marketing technology and business value
Closing the gap: The disconnect between marketing technology and business valueClosing the gap: The disconnect between marketing technology and business value
Closing the gap: The disconnect between marketing technology and business value
 
Surfrut
SurfrutSurfrut
Surfrut
 
La Casa del Capitán Quesada, Al César lo que es del César
La Casa del Capitán Quesada, Al César lo que es del CésarLa Casa del Capitán Quesada, Al César lo que es del César
La Casa del Capitán Quesada, Al César lo que es del César
 
S.c. code of regulations chapter 35 board of cosmetology
S.c. code of regulations chapter 35  board of cosmetologyS.c. code of regulations chapter 35  board of cosmetology
S.c. code of regulations chapter 35 board of cosmetology
 

Similar to Mobility & Security Technology Risk Considerations

ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Securing hand held computing devices
Securing hand held computing devicesSecuring hand held computing devices
Securing hand held computing devicesjraja01
 
Cisco Mobility - IBM & IDC event
Cisco Mobility - IBM & IDC eventCisco Mobility - IBM & IDC event
Cisco Mobility - IBM & IDC eventMatteo Masi
 
Mobile Commerce meets the Real World - Mobile Ticketing
Mobile Commerce meets the Real World - Mobile TicketingMobile Commerce meets the Real World - Mobile Ticketing
Mobile Commerce meets the Real World - Mobile TicketingMasabi
 
What is your Mobile App Strategy?
What is your Mobile App Strategy?What is your Mobile App Strategy?
What is your Mobile App Strategy?ROAMData
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low CostDonald Malloy
 
Hotspot 2.0 - Concept and Challenges
Hotspot 2.0 - Concept and ChallengesHotspot 2.0 - Concept and Challenges
Hotspot 2.0 - Concept and ChallengesDr. Mazlan Abbas
 
Modern Applications Demand Network Analytics
Modern Applications Demand Network AnalyticsModern Applications Demand Network Analytics
Modern Applications Demand Network AnalyticsPluribus Networks
 
Digital Transformation through Open Software Defined Infrastructure
Digital Transformation through Open Software Defined InfrastructureDigital Transformation through Open Software Defined Infrastructure
Digital Transformation through Open Software Defined InfrastructureOpen Networking Summit
 
Transcending the Limits of Legacy eCommerce Solutions
Transcending the Limits of Legacy eCommerce SolutionsTranscending the Limits of Legacy eCommerce Solutions
Transcending the Limits of Legacy eCommerce SolutionsMozu
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Future of Mobile Banking System
Future of Mobile Banking SystemFuture of Mobile Banking System
Future of Mobile Banking SystemSyed Shujat Ali
 
Internet of things
Internet of things  Internet of things
Internet of things gule mariam
 
Telcos in Generation C Era
Telcos in Generation C EraTelcos in Generation C Era
Telcos in Generation C EraIoana Serban
 
Masabi Cx O Telecoms Strategy conference
Masabi   Cx O Telecoms Strategy conferenceMasabi   Cx O Telecoms Strategy conference
Masabi Cx O Telecoms Strategy conferenceMasabi
 
New Business Opportunities: Small Cells and Wholesale DAS
New Business Opportunities: Small Cells and Wholesale DAS  New Business Opportunities: Small Cells and Wholesale DAS
New Business Opportunities: Small Cells and Wholesale DAS Ilissa Miller
 
Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Donald Malloy
 

Similar to Mobility & Security Technology Risk Considerations (20)

Wireless Banking
Wireless BankingWireless Banking
Wireless Banking
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Securing hand held computing devices
Securing hand held computing devicesSecuring hand held computing devices
Securing hand held computing devices
 
Cisco Mobility - IBM & IDC event
Cisco Mobility - IBM & IDC eventCisco Mobility - IBM & IDC event
Cisco Mobility - IBM & IDC event
 
Mobile Commerce meets the Real World - Mobile Ticketing
Mobile Commerce meets the Real World - Mobile TicketingMobile Commerce meets the Real World - Mobile Ticketing
Mobile Commerce meets the Real World - Mobile Ticketing
 
What is your Mobile App Strategy?
What is your Mobile App Strategy?What is your Mobile App Strategy?
What is your Mobile App Strategy?
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low Cost
 
Hotspot 2.0 - Concept and Challenges
Hotspot 2.0 - Concept and ChallengesHotspot 2.0 - Concept and Challenges
Hotspot 2.0 - Concept and Challenges
 
AIRLIFT
AIRLIFTAIRLIFT
AIRLIFT
 
Modern Applications Demand Network Analytics
Modern Applications Demand Network AnalyticsModern Applications Demand Network Analytics
Modern Applications Demand Network Analytics
 
Digital Transformation through Open Software Defined Infrastructure
Digital Transformation through Open Software Defined InfrastructureDigital Transformation through Open Software Defined Infrastructure
Digital Transformation through Open Software Defined Infrastructure
 
Transcending the Limits of Legacy eCommerce Solutions
Transcending the Limits of Legacy eCommerce SolutionsTranscending the Limits of Legacy eCommerce Solutions
Transcending the Limits of Legacy eCommerce Solutions
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee Seng
 
Future of Mobile Banking System
Future of Mobile Banking SystemFuture of Mobile Banking System
Future of Mobile Banking System
 
Internet of things
Internet of things  Internet of things
Internet of things
 
Telcos in Generation C Era
Telcos in Generation C EraTelcos in Generation C Era
Telcos in Generation C Era
 
Masabi Cx O Telecoms Strategy conference
Masabi   Cx O Telecoms Strategy conferenceMasabi   Cx O Telecoms Strategy conference
Masabi Cx O Telecoms Strategy conference
 
New Business Opportunities: Small Cells and Wholesale DAS
New Business Opportunities: Small Cells and Wholesale DAS  New Business Opportunities: Small Cells and Wholesale DAS
New Business Opportunities: Small Cells and Wholesale DAS
 
Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2Oath appsec sf 2015 dem rev. 2
Oath appsec sf 2015 dem rev. 2
 

Recently uploaded

How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Recently uploaded (20)

How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Mobility & Security Technology Risk Considerations

Top Handset Models
Mfr | Device | % of Requests | Browser
Apple | iPhone | 16.2% | WebKit (Full)
Apple | iPod Touch | 7.1% | WebKit (Full)
Motorola | RAZR V3 | 6.4% | WAP 2
Motorola | KRZR K1c | 3.7% | WAP 2
Motorola | Z6m | 3.4% | WAP 2
Motorola | W385 | 3.0% | WAP 2
RIM | BlackBerry 8300 | 2.8% | WAP 2
RIM | BlackBerry 8100 | 2.5% | WAP 2
Palm | Centro | 2.5% | WAP 2
Samsung | R450 | 1.8% | WAP 2
Samsung | R210 | 1.8% | WAP 2
Samsung | M800 | 1.8% | WAP 2
LG | LX260 | 1.7% | WAP 2
Kyocera | K24 | 1.6% | WAP 2
Samsung | R430 | 1.4% | WAP 2
Danger | Sidekick II | 1.3% | WAP 2
Samsung | R410 | 1.0% | WAP 2
Sony | PSP | 1.0% | WAP 2
LG | CU720 | 0.9% | WAP 2
HTC | Dream (Android) | 0.8% | WebKit (Full)
24.1% support a “Real” Browser
Source: AdMob Mobile Metrics 12/08
10
Quick Conclusions
• Members
- Millennial generation
- Large population quick to adopt technology
- Reduced concerns regarding security, privacy
• Wireless data speeds increasing
- 3G/3.5G, EVDO
• SmartPhone adoption is growing very quickly
- iPhone, Android, BlackBerry Storm
• Internet experience is superior from SmartPhones
• Internal users and Members will continue driving demand for smart devices with higher network speeds
11

Business Drivers
• Enhanced Communication
- Real-time e-mail, calendar, contacts
- Text messaging
- Instant messaging
- Mobile access to content and information
- Personal - audio/video/browsing
- Information synchronization and storage
13

Mobile Threats vs. Risks
Threat | Risk Impact
Device loss or theft | Loss of confidential info
Multiple wireless channels (wifi) | Loss of credentials, device integrity
Malware / virus | Loss of credentials, device integrity
Interception / MITM | Loss of credentials
User awareness | Increased time between compromise and action
SPAM, Phish, SMiSh | Annoyance, monetary loss, fraud
14

Internal Risk Considerations
• Data Storage
- Large capacity (16GB+)
- Documents, Contacts (passwords)
• Browsers
- Stored cookies, credentials, passwords
• Software
- Third-party applications
• Content
- Video, audio, legal considerations, sharing
15

iPhone
• Requires iTunes to synchronize data
- Consumer-oriented audio/video
- Synchronization of data
- Sharing of music libraries via Bonjour
• Centralized vs. decentralized control
- Security and management features require ActiveSync Server / Exchange
• Remote wipe, password controls, inactivity timeouts
• Policies?
16

WesCorp Mobile Application
• Relationship Manager (RM) Mobile
- Browser-based, iPhone target
- Real-time access to WesCorp rates
- CRM profiles of WesCorp Member
- Creation of call reports directly on-device
- Certificate purchase
- Access to WesCorp commentary, webinars, podcasts
- No NPPI, single-factor auth
17

Quick Conclusions
• Expect organizational pressure for new devices and smartphones (if you haven’t seen it yet)
• Saying “no” at the Corporate level will not deter individual purchase and use in the workplace
• Smartphones require re-thinking of both policy and enterprise support models
• Think about data loss prevention, remote wipe, passwords, remote access, WiFi vs. carrier network access
18

Business Drivers
• Reduced call volumes
• Reduced fraud
• Increased “stickiness”
• Attract new Members - Millennials
• Member Demand
- Better devices, network speeds
- Review balances quickly (in store)
- Search for surcharge-free ATMs
- Research checks or payment clearance
- Alerts for overdraft, fraud, payment due
20

Deployment Approaches
• Multiple deployment approaches
- SMS
- WAP Browser (1.x, 2.x)
- “Full” Browser
- Thick-client or local application (iPhone)
- Carrier-dependent, carrier-agnostic
21

Mobile Application Challenges
• Member perception of security
• Difficulty of data entry on mobile platform
• Varying size of screen on devices
• Slower speed of network connection
• “Lost” icon for downloaded applications
• Phishing - via e-mail, SMS, or other method
• Significant costs based on existing deployment models
22
Features vs. Risks
Service | RO / RW | NPPI | PAN | Authentication Required
Checking/Savings/Loan Balance | RO | DEPENDS | NO | Single-factor
Credit Card Balance | RO | DEPENDS | YES | Single-factor
Recent Transactions | RO | DEPENDS | NO | Single-factor
Historical Search / Check Status | RO | DEPENDS | NO | Single-factor
Alert - Overdraft, Threshold | RO | DEPENDS | NO | Single-factor
Bill Schedule / Due Date Review | RO | DEPENDS | NO | Single-factor
Currency Rates, ATM Locator | RO | NO | NO | None
Transfer Between Accounts | RW | DEPENDS | NO | Dual-factor
Stop Check | RW | DEPENDS | NO | Dual-factor
Domestic / International ACH | RW | YES | NO | Dual-factor
Change Alerts | RW | NO | NO | Dual-factor
Pay or Schedule Bill | RW | NO | NO | Dual-factor
Create/Update Billpay Vendor | RW | NO | NO | Dual-factor
Order Checks | RW | NO | NO | Dual-factor
Disable Credit Card | RW | YES | YES | Dual-factor
Personalize Settings | RW | NO | NO | Dual-factor
23
SMS
• Extremely wide deployment
• No application to install or configure
• No browser required
• Easy to use
• High adoption rate among existing phone users
24

SMS Risk Issues
• No encryption
• Authentication is difficult
- FI to Member - think SMiShing
- Member to FI
• Intersections with web banking, phone banking
- How hard is it to change your cell number on file with your CU?
25

WAP
• Wireless Application Protocol
- 1.X - Avoid. Encryption relies on a MITM gateway.
- Push - Mostly on top of SMS, pushes content messages
- WAP 2.X - Current standard, similar to “full” browser
• TCP/IP, end-to-end HTTP and TLS
• Cipher suites, cert formats, signing algorithms
• XHTML + WAP CSS
• Backwards compatible
26

WAP Risk Issues
• Cookies
- Stored on-device
- Some gateways cause cookies to never expire
- Limits for number of cookies stored
- Domain cookies, secure flag
• Read the AT&T WAP 2.0 Guide
27

“Full” Browser
• Welcome to WebKit
- iPhone, iPod Touch, Android, Palm Pre, Nokia S60
- Passes Acid 2 test for compatibility
- JavaScript, CSS, AJAX
• Flash
- Flash Lite
- Limited US availability (LG, Motorola, Nokia, Samsung)
28
“Full” Browser Risk Issues
• Authentication
- Cached credentials (username, password)
- Cookies and expiration
- Certificate acceptance and storage
- Backup/restore to desktop - target of traditional malware?
• Almost anything else a PC/Mac browser would be vulnerable to
29
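A small cookie audit, added here as an example (not the presenter's or WesCorp's code), for the cookie points raised on the WAP Risk Issues and “Full” Browser Risk Issues slides: the Secure flag, Domain scoping, and cookies that never expire or outlive the session. The sample Set-Cookie headers, the 15-minute session policy and the fixed reference time are constructed assumptions.

```python
"""Audit Set-Cookie headers issued to a mobile banking session for the risks
named on the WAP and "full" browser slides: missing Secure flag, cookies that
never expire (or outlive the session), and over-broad Domain scope.
Added example; not part of the presentation."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Assumed policy: a banking session cookie may live at most 15 minutes.
MAX_SESSION_SECONDS = 15 * 60

# Fixed reference time so Expires-based lifetimes are deterministic (constructed).
AUDIT_TIME = datetime(2009, 1, 15, tzinfo=timezone.utc)

# Constructed sample headers in the shape an origin or WAP gateway might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; Max-Age=600",
    "WAPSESS=deadbeef; Path=/; Domain=.example-cu.org",
    "pref=en; Path=/; Expires=Tue, 09 Jun 2099 10:18:14 GMT",
    "token=xyz; Path=/; Secure; Max-Age=31536000; Domain=.example-cu.org",
]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    lifetime: Optional[int]      # seconds until expiry, None if no expiry attribute
    domain: Optional[str]
    findings: List[str] = field(default_factory=list)


def cookie_lifetime_seconds(max_age, expires, now):
    """Max-Age takes precedence over Expires (RFC 6265); None means no expiry set."""
    if max_age is not None:
        return max_age
    if expires is not None:
        exp = parsedate_to_datetime(expires)
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def audit_cookie(header: str, now: datetime = AUDIT_TIME) -> CookieAudit:
    """Parse one Set-Cookie header and list the policy violations it carries."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    secure = http_only = False
    max_age = expires = domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = val
        elif key == "domain":
            domain = val.lower().lstrip(".")
    lifetime = cookie_lifetime_seconds(max_age, expires, now)

    findings = []
    if not secure:
        findings.append("missing Secure flag: sent over plaintext HTTP, e.g. via a WAP gateway")
    if not http_only:
        findings.append("missing HttpOnly flag: readable by page script in a full (WebKit) browser")
    if lifetime is None:
        findings.append("no Max-Age/Expires: lifetime left to the device or gateway, which may never discard it")
    elif lifetime > MAX_SESSION_SECONDS:
        findings.append(f"lifetime {lifetime}s exceeds the {MAX_SESSION_SECONDS}s session policy")
    if domain:
        findings.append(f"Domain={domain} widens scope to every host under that domain")
    return CookieAudit(name, secure, http_only, lifetime, domain, findings)


def audit_all(headers: List[str], now: datetime = AUDIT_TIME) -> Dict[str, List[str]]:
    """Map cookie name to its findings; an empty list means the cookie passed."""
    return {a.name: a.findings for a in (audit_cookie(h, now) for h in headers)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the constructed headers, only SESSIONID passes; the WAP session cookie is flagged for all four issues, and the long-lived token is flagged even though it carries Secure, because a one-year lifetime on a broad domain is the "never expires" case the slide warns about.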
Client Application
• Ultimate in control
- Authentication, authorization, accounting
• More branding opportunities
• Better device integration
- Click-to-call
- Maps / pindrop
30

Client Application Risk Issues
• Locally stored information
- Credentials, cached account information?
• Upgrade cycle
- Application integrity
- Management of varying devices, software versions
• Connectivity
- Intermediate proxies
31
Deployment Considerations
• Regardless of platform, think anti-fraud
- Why is a user all of a sudden transferring funds to Russia?
- Why is the source IP for a user coming from another country?
- Why did the cell phone number change?
- Why did the type of phone used change?
32
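An added example (not WesCorp's logic) that ties the authentication tiers from the Features vs. Risks table to the four anti-fraud questions on this slide: each service carries a baseline tier from the table, any anomaly raises an authenticated request to dual-factor, and a read-write request with two or more anomalies is held for fraud review. The service subset, the thresholds, the member profile and the sample requests are constructed assumptions.

```python
"""Decide what authentication a mobile banking request must carry: the baseline
tier from the Features vs. Risks table, raised when one of the Deployment
Considerations anti-fraud questions gets a suspicious answer.
Added example with constructed thresholds and data; not WesCorp's logic."""
from dataclasses import dataclass
from typing import List, Optional

NONE, SINGLE, DUAL = 0, 1, 2     # authentication tiers used on the Features vs. Risks table

# Subset of that table: service -> (read-only or read-write, baseline tier).
SERVICES = {
    "atm_locator": ("RO", NONE),
    "balance": ("RO", SINGLE),
    "recent_transactions": ("RO", SINGLE),
    "transfer": ("RW", DUAL),
    "ach": ("RW", DUAL),
    "disable_card": ("RW", DUAL),
}

RECENT_CHANGE_DAYS = 14    # assumed: a number-on-file change this recent is itself a signal
REVIEW_SIGNAL_COUNT = 2    # assumed: this many signals on a RW service -> hold for fraud review


@dataclass
class Profile:
    """What the FI has on file for the member (constructed)."""
    home_country: str
    phone_number: str
    device_model: str
    phone_changed_days_ago: int


@dataclass
class Request:
    """One mobile request plus the context observed for it."""
    service: str
    auth_tier_presented: int          # tier the session has already satisfied
    source_country: str               # from source-IP geolocation
    phone_number: str
    device_model: str
    destination_country: Optional[str] = None   # for transfers / ACH


@dataclass
class Decision:
    required_tier: int
    signals: List[str]
    action: str                       # "allow", "step_up" or "review"


def fraud_signals(profile: Profile, req: Request) -> List[str]:
    """The slide's four questions, turned into checks against the profile on file."""
    signals = []
    if req.destination_country and req.destination_country != profile.home_country:
        signals.append(f"funds destined for {req.destination_country}")
    if req.source_country != profile.home_country:
        signals.append(f"source IP in {req.source_country}, home country is {profile.home_country}")
    if req.phone_number != profile.phone_number:
        signals.append("cell number differs from the number on file")
    elif profile.phone_changed_days_ago < RECENT_CHANGE_DAYS:
        signals.append(f"number on file changed {profile.phone_changed_days_ago} days ago")
    if req.device_model != profile.device_model:
        signals.append(f"device changed from {profile.device_model} to {req.device_model}")
    return signals


def decide(profile: Profile, req: Request) -> Decision:
    access, required = SERVICES[req.service]
    signals = fraud_signals(profile, req)
    # Public data (tier NONE) never steps up; any authenticated service steps up
    # to dual-factor as soon as one signal appears.
    if signals and required > NONE:
        required = DUAL
    if access == "RW" and len(signals) >= REVIEW_SIGNAL_COUNT:
        action = "review"                      # hold the transaction for the fraud team
    elif req.auth_tier_presented >= required:
        action = "allow"
    else:
        action = "step_up"                     # challenge for the missing factor
    return Decision(required, signals, action)


if __name__ == "__main__":
    member = Profile("US", "+1-555-0100", "BlackBerry 8300", phone_changed_days_ago=400)
    for req in [
        Request("balance", SINGLE, "US", "+1-555-0100", "BlackBerry 8300"),
        Request("transfer", DUAL, "RU", "+1-555-0100", "BlackBerry 8300", destination_country="RU"),
        Request("balance", SINGLE, "US", "+1-555-0100", "iPhone"),
    ]:
        print(req.service, decide(member, req))
```

The point of separating `fraud_signals` from `decide` is that the same signals feed every delivery channel (SMS, WAP, full browser, client application), while the tier table is the only per-service knowledge the engine needs.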
Quick Conclusions
• There is no one right answer
• Think through services from multiple perspectives
- What transactions will be supported and the relative risk
- What delivery channels will be supported (SMS, WAP)
• Mixed-mode - auth via one channel, content via another
- How an attacker could break your system
• Interfaces between mobile, phone, ATM, branch, teller
- How can this enhance a Red Flags / anti-fraud
33

Thank You
Robert Brown
Director, Information Security, WesCorp
909-394-6393, rbrown@wescorp.org
LinkedIn, Facebook, and www.robertjbrown.com
Reference Materials at www.robertjbrown.com
34