Vivastream, profile picture
Uploaded byVivastream
2,487 views

The Top Issues in Mobile Payments Fraud

The document discusses mobile payments fraud and security issues. It provides an overview of mobile payments and analyzes threats and vulnerabilities. It then discusses fraud risk and mitigation strategies, and the regulatory outlook for mobile banking and payments. Key points include that mobile payments already represent over 6% of online retail purchases, and smartphone owners are willing to use security services like antivirus and data encryption. Major brands like Visa and PayPal are most trusted with financial information. The document uses a methodology based on NIST guidelines to assess threats and vulnerabilities, rate controls, and make recommendations to address control gaps and long-term risks.

Embed presentation

Downloaded 124 times
The Top Issues in Mobile Payments Fraud JIM PITTS, BITS CATHY DAVIS, COMERICA BANK AL PASCUAL, JAVELIN STRATEGY & RESEARCH CECILIA HOYT, WELLS FARGO & COMPANY MARCH 11, 2013
Agenda • Mobile Payments Overview • BITS Threat Assessment - The Process - Threats & Vulnerabilities - Controls and Ratings - Analysis, Mitigations & Recommendations • Fraud Risk and Mitigation Strategies: - Defining Risks - Analyzing Attacks - Challenges - Countermeasures • Regulatory Outlook • Future of Mobile Banking and Mobile Payments 2
The Mobile Channel Already Represents More Than 6% of Total Online Retail Purchases Traditional and Mobile Online Retail Payments Market Size, 2012 Total U.S. Online Retail Purchases: $317.9 Billion Total Mobile* Online Retail Payments $20.3 Billion Click to edit Master title Online Total Traditional style Retail Payments $297.6 Billion *Mobile refers to "mobile devices," including feature 3 phone, smartphone, tablet, etc. © 2012 Javelin Strategy & Research
Mobile Purchasers Are More Than Twice as Likely to Conduct Mobile Banking All Mobile Consumers Mobile Purchasers All Mobile Consumers 27% 36% 64% 73% Click to edit Master title style Mobile banked past 12 months Not mobile banked past 12 months June 2012, n = 962 Q7: Please indicate the last time you conducted each of the Base: All mobile consumers, following activities: Mobile Banking Q34: Please indicate the last mobile consumers who have made a time you made a purchase via your mobile device using each of mobile purchase in the past 12 months the methods listed. Mobile Browser or app. © 2012 Javelin Strategy & Research 4
Smartphone Owners Are Overwhelmingly Willing to Use Mobile Antivirus/Antimalware and Data Encryption Services Willingness to Use Mobile Willing to Use Mobile Data Antivirus/Antimalware Encryption Services 5% 5% 4% 3% 37% 39% 24% 27% Click to edit Master title style 27% 29% % of smartphone owners % of smartphone owners Not at all willing Somewhat unwilling Neutral Somewhat willing Very willing Q23: On a scale of 1-5, please rate your willingness to use June 2012, n = 1779 the following products or services. Antivirus or anti-malware Base: Smartphone owners. software on your mobile device © 2012 Javelin Strategy & Research 5
Geolocation Users and Mobile Bankers Find Geolocation More Effective and Easy to Use Geo-location users -12% 60% Effectiveness Mobile bankers -18% 37% All consumers -22% 23% Geo-location users -8% 67% Ease of Use Mobile bankers -12% 43% All consumers Click to -17% 28%Master title style edit 30% 20% 10% 0% 10% 20% 30% 40% 50% 60% 70% 80% Percent of Consumers Not effective/not easy to use Effective/easy to use Q37. In your opinion, how effective are each of the following methods at protecting your information when you are banking?: Image you previously selected is always displayed at August 2012, n= 3,000, 820, 347 login Q38. In your opinion, how effective are each of the following methods at protecting Base: All consumers, mobile bankers, your information when you are banking? Image you previously selected is always displayed at geolocation users. login © 2012 Javelin Strategy & Research 6
Safety Is the Top Concern Among Consumers Unlikely to Make Contactless Payments I do not think it is a safe form of payment 51% I see no benefit to contactless payments 46% I don’t know how to use a contactless card or device 18% I don’t know how or where to get a contactless card or 17% device I am worried merchants that I usually shop with will not 13% accept contactless payment options Other, please specify 3% 0% 10% 20% 30% 40% 50% 60% % of consumers Q50: You responded that you are not likely to use a contactless payment October 2012, n= 3,217 card or a contactless payment option on your mobile phone or other Base: All consumers unlikely to use contactless cards. device. Please select the reasons why. (Select up to three) © 2012 Javelin Strategy & Research 7
Visa, PayPal Most Trusted Brands for Financial Information Consumer Security Ratings of Brand Most Trusted with Financial Information Visa 28% PayPal 23% American Express 17% Chase Bank 17% MasterCard 17% Bank of America 17% Wells Fargo 15% Amazon 11% Discover 10% Citibank 7% Verizon 6% Apple AT&T Click to edit Master title style 5% 5% U.S. Bank 5% Google 4% Sprint 2% Facebook 2% 0% 5% 10% 15% 20% 25% 30% Percent of Consumers December 2011, n=5,878 Q60: Which of the following companies would you Base: All consumers. trust most with your financial information? © 2012 Javelin Strategy & Research 8
Gang of Four Languish While Visa and PayPal Lead Consumer Ratings of Brand Best at Protecting Private Information Visa 31% PayPal 26% MasterCard 20% American Express 19% Bank of America 16% Chase Bank 15% Wells Fargo 13% Amazon 13% Discover 12% Verizon 8% AT&T 7% Apple 7% Citibank Click to edit Master title style 6% Google 5% U.S. Bank 4% Facebook 3% Sprint 2% 0% 5% 10% 15% 20% 25% 30% 35% Percent of Consumers Q61: Which of the following companies do you believe would December 2011, n=5,878 be best at protecting your private information such as SSN, Base: All consumers. passwords, date of birth, etc.? © 2012 Javelin Strategy & Research 9
BITS Mobile Threat Assessment Working Group • Threat assessment approach and methodology are consistent with NIST guidelines1 • Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and impact of the occurrence. • The Mobile Threat Assessment is used to review the extent of potential threats and the associated risk created by the existence of the threats. 1 Threat assessment methodology is based on NIST SP 800-30 “Risk Management Guide for Information Technology Systems” (refer to pages 8 – 26) 10
BITS Mobile Threat Assessment Approach Core steps in the assessment process: 1 2 3 4 5 6 Controls Controls Threat Threat Vulnerabilities Control Recommendations Inventory & Categorization Identification Assessment Ratings & Mitigation Analysis Planning • Identify applicable threat •Identity the threat • Develop a list of potential • Analyze internal • Determine the impact of • Document existing controls that categories for Mobile sources which are the vulnerabilities that could preventative and and the likelihood that can limit exposure to identified threats methods targeted at the be exploited by potential detective controls that potential vulnerabilities threat scenarios and risks • Document categories and intentional exploitation threat-sources have been implemented, will be exploited in the •Document weaknesses and threat segments of a vulnerability • Vulnerabilities are or are planned for threat environment control gaps • Identify the threats potential flaws or implementation, to • Prioritize and weigh risks • Discuss threat assessment which are the potential weaknesses in procedures, minimize or eliminate the • Identify areas for results with the leadership and for a threat-source to design, proposed likelihood or probability of immediate improvement stakeholders to determine if intentionally exploit a implementation or noted threats exploiting and long term mitigation short and long term risk specific vulnerability internal controls that identified vulnerabilities mitigation strategies and plans • Create threat scenarios could be exploited • Identify potential control need to be put in place (as needed )as visual gaps or weaknesses • Document threat assessment representations of reviews and approvals potential threats • Repeat process annually or more frequently based on the risk assessment requirements and applicable regulatory guidance Identify risks, assess controls, determine if gaps exist, then define plans for any remediation required
BITS Mobile Threat Categorization 1 # Category Name Threat Description Malicious software such as viruses, Trojan horses, spyware, and malicious active content. Viruses are a Malware Targeting 1 threat to the peripheral device exposure or utilizing infected device to attack other devices. Spyware can Mobile Platforms be used to eavesdrop, impersonate, or remotely control a compromised device or user. A malicious person or program could misrepresent as another in order to acquire sensitive personal 2 Mobile Spoofing information. 3 Weak Fraud Controls Lack of adequate monitoring, detection, or prevention technology could lead to fraud losses. 4 Infected Applications Application downloads containing malicious software Exploitation of malicious web applications to steal credentials, perform fraudulent transactions, or 5 Web Browser Attacks compromise information. 6 Marketplace Certification Misrepresentation of branding or stealing legitimate branding SMS Redirection, SMS An SMS message can be used to redirect a mobile web browser to a malicious website; call forwarding can 7 Hijack or SMS Exploit be used to fraudulently bypass authentication; fraudsters can subscribe a mobile number to a premium Forwarding text number service to send messages to and from the numbers. Compromise of a vendor’s infrastructure could result in the loss of confidential information (now includes 8 Vendor Breach Carriers). 9 Transport/ Protocol Gap Weakness in network or transport layer could allow eavesdropping or takeover 10 User Device Control Mobile device could be lost, stolen or inappropriately borrowed or misused 11 Platform Specific Attacks Utilization of known platform specific weaknesses to perpetrate malicious activities Utilization of known device specific weaknesses to perpetrate malicious activities (add to break out SIM 12 Device Specific Attacks Card vulnerabilities) Fake applications placed in application stores for download that are usually trojanized copies of legitimate 13 Rogue Applications applications. The applications are used to harvest credentials and steal data.
BITS Mobile Vulnerability Assessment 2 3 Assessment results included input from multiple financial institutions of varying size and maturity in their mobile offerings. Mobile # Vulnerability Description & Examples Likelihood Trend Impact Detailed Rationale Threat 2 Mobile Description: Medium Increasing Low Impact rating was Spoofing A malicious person or program could misrepresent as predominantly low with a split another in order to acquire sensitive personal of several responders into a information. medium rating. Spoofing Examples include: targets are a small group,  SMS Spoofing/Smishing: A phishing attempt sent targeted phishing is migrating to via SMS (Short Message Service) or text message to mobile. a mobile phone or device. This tactic is also referred to as smishing, which is a combination of SMS and At this point, good controls are phishing. The purpose of text message phishing is in place by the carriers to the same as traditional email phishing: convince prevent spoofing for recipients to share their sensitive or personal accountability purposes. information.  Vishing: Also know as voice phishing, this tactic is a Most assessment respondents phishing attempt made through a telephone call, fax said they are not seeing or or voice message. In one scenario, messages that hearing about this in their claimed to be from a bank told users to dial a phone environment. Have not yet number regarding problems with their bank heard this is widespread, so accounts. Once the phone number (owned by the cannot assess impact or phisher and provided by a Voice over IP service) was likelihood as high, although dialed, prompts told users to enter their account suspect just as in Automatic numbers and PIN. Vishing sometimes uses fake Number Identification spoofing caller-ID data to give the appearance that calls come or phishing it will increase as the from a trusted organization. fraud catches on. 13
BITS Controls Inventory and Ratings 4 5 Partial list of controls that were reviewed during the assessment and controls ratings applied during the review process. Effectiveness Rating Importance Rating Overall Rating Control Name (1-5) (1-5) (Low, Medium, High) Detective Controls Mobile Fraud Detection (Alerts, Out 3.3 3.7 Medium (7.0) Sorts, Day 2 Reports) Device-Specific Patching Processes 3.2 3.3 Medium (6.5) Application Stores/Marketplace 3.5 3.3 Medium (6.8) Monitoring Application Take-Down Processes (Rogue 3.4 3.3 Medium (6.7) Apps) Remote Device Wipe/Remote Device Lock 3.9 3.5 Medium (7.4) Vendor Review Processes 3.3 3.2 Medium (6.5) Vendor Contracts, Vendor Review 3.0 3.3 Medium (6.3) Processes, Shared Liability Consumer Education 2.9 3.4 Medium (6.3) Identity/Brand Management Controls & 3.3 3.5 Medium (6.8) Processes 14
BITS Aggregated Controls Ratings 4 5 To provide a view of Mobile layered security, the controls were aggregated and rated as a group. This proved to be an effective communication tool for debriefs with leadership teams looking for a holistic perspective on mobile risk mitigation. Aggregate Effectiveness Aggregate Importance Overall Rating Aggregate Mitigating Controls Rating (1-5) Rating (1-5) (Low, Medium, High) Identified Mobile Threats & Vulnerabilities Malware • Multi-factor authentication (mobile & online banking) 4.16 3.33 Medium (7.49) Targeting Mobile • App store development validation Platforms • Applications sandboxing • User authentication and login • Store sensitive information off device • Mobile malware detection • Out of band verification controls • Device settings controls • Consumer education Mobile Spoofing • Multi-factor authentication (mobile & online banking) 4.33 4.60 High (8.93) • Secure transport protocols • Mobile fraud detection • Device/IP verification • Authentication history of clients’ transactions • Consumer education • A symbol or way for a person to know when they are at a “safe” place to provide information from their devices 15
BITS Recommendations & Mitigation Planning Identified Mobile Threat Control Gaps / Potential Long Term Risk # / Vulnerability Description Weaknesses Description Short Term Risk Mitigation Mitigation 2 Mobile Spoofing A malicious person or  Mobile Tech Maturity  Multifactor authentication  Secure transport protocols program could Issues (Mobile & Online) banking  Mobile fraud detection misrepresent as another  Monitoring Capability  Device/IP verification  Consumer education in order to acquire Shortfalls  Anomaly detection sensitive personal  Developmental information Oversight  3rd Party Security  Competitive Integrity Issues  Device Accessibility  Restrictive Policy  Authentication Compromise  Geo-location Spoofing 3 Inadequate Fraud Lack of adequate  Mobile Tech Maturity  Multifactor authentication  Secure transport protocols Controls monitoring, detection, or Issues (Mobile & Online) banking  Mobile fraud detection prevention technology  Monitoring Capability  Device/IP verification  Consumer education could enable or allow Shortfalls  Transaction Limits undetected or  Developmental unauthorized access, Oversight unauthorized transactions,  3rd Party Security and/or fraud losses  Competitive Integrity Issues  Restrictive Policy 16
BITS Fraud Scenario Development Mobile Security Threat Fraud Scenarios Categories • Malware Targeting Mobile • Malware Attack Platforms • Phishing/Smishing/Vishing • Mobile Spoofing • Inadequate Mobile Fraud Controls • Account Take Over/ID Theft • Infected Applications • Impersonation/Hijacking • Web Browser Attacks • System Breach • Marketplace Misrepresentation • SMS Redirection – Hijack or Exploit • Browser Attacks Forwarding • Marketplace Misrepresentation • Vendor Breach • Transport or Protocol Gaps • User Device Management • Platform Specific Attacks • Device Specific Attacks • Rogue Applications
BITS Fraud Risk Scenario – Malware Attack  Threat Type: Malware targeting mobile platforms Applies to: Money Movement: DDA  Scenario: Use of malicious software or applications (MITM, ZITMO, Trojans, spyware) to hijack, impersonate,  OLB  DDA steal credentials, or other to support fraudulent crime.  Mobile  Exposure: Theft of private information or credentials to gain access to account assets  Likelihood: Medium Impact: Medium Criminal Activity 2. Compromised Credentials 4. Funds •Fraudster issues •SMS Message sent to money movement on Fraudster transfer behalf of the •Customer clicks on a customer •Customer logs into Online •Customer Prompted to link which then infects •Fraudster gains Banking (OLB) using download fraudulent their mobile device infected mobile device applications unauthorized access with a virus •Customer Prompted to •Fraudster now has control provide Mobile Number in of OLB and Mobile device; addition to Username and can re-direct SMS Text 1. Customer Password Mobile device •Fraudster key logs 5. Funds Infected information removal 3. Account Takeover Fraud Concerns • Virus, Trojan, spyware, active  Eavesdropping content • Peripheral device exposure  Remotely control device or user  Impersonation Fraud Controls •Device settings controls • Application Sandboxing •User authentication and login  Multi factor authentication •App store development • Mobile malware detection •Out of band verification controls Validation • Store sensitive information off • Consumer education device Control gaps  Competitive Integrity issues  Authentication compromise Developmental oversight • Application distribution practices  Criminal proficiency  Infected devices • 3rd party security Mobile anti virus issues  Device accessibility • Anti virus sandboxing  Application labeling 18
BITS Sample Fraud Scenario: Account Takeover (Mobile Transfer)  Threat Type: Criminal compromises victim’s online account and conducts multiple inter-customer transfers Applies to: Money Movement: from victim’s DDA/SAV accounts into his newly established SAV/DDA accounts, and withdraws the funds via  Mobile DDA  DDA ATM withdraws and debit card purchases. transfers  Exposure: Account takeover via compromised credentials, money movement  Likelihood: Low Impact: Low Loss Amount: Confidential 2. Account Maintenance Criminal Activity Activities •08/05/10 Online access suspended due to security question failure •Between 08/13/10 to 08/30/10 criminal conducts 32 mobile 4. Funds removal •08/05/10 Password change inter customer transfer • 08/04/10 - Existing DDA and •08/06/10 Phone number unauthorized transactions and maintenance; Security Questions •09/04/10 - Victim visits a Savings accounts. Customer transfers $20,594 from the •08/06/10 –Criminal drains and online statement activated on branch and reports does not have any online victim’s account into criminals the new DDA account via victim’s profile unauthorized transactions accts. own savings account ATM withdrawals and debit •Customer impacted by •08/06/10 victim’s accounts •Criminal then moves funds card purchases malware enrolled for Mobile Banking from his savings account into 5. Notification •08/06/10 Criminal adds his his newly opened DDA 1. Open New Account account as an inter customer transfer payee 3. Funds Transfer Fraud Concerns  Confidential  Confidential  Confidential  Confidential  Confidential Fraud Controls  Confidential  Confidential  Confidential  Confidential  Confidential Control gaps  Confidential  Confidential  Confidential  Confidential  Confidential 19
BITS Advisory: Mobile Banking and Payment Application Vulnerabilities Existing Security Recommended Mitigation Vulnerabilities Strategies • Imposter Applications • Search regularly (i.e. daily or weekly) for applications utilizing your financial • Account Aggregation Applications institution’s brand. • Rogue Applications • Market the availability of the official financial institution mobile application(s). • Provide consumers with tips on securely providing financial information via mobile applications. • If an application violates copyright or contains malware, file a complaint through the store’s support site. 20
Regulation Today, and Tomorrow Existing Regulations • FFIEC Existing Applicable Guidance • FTC Consumer Privacy and Protections • Impact of New Regulations - Truth in Lending/Reg Z - Patriot Act, Bank EFT Act/Reg E - Secrecy Act, AML Reqs - Gramm-Leach-Bliley - UCC Article 4A and NACHA Rules - State money Transmitter and Services Laws - Dodd-Frank • Future Oversight - CFPB - ANSI - ISO 21
Mobile Standards & Guidelines • PCI Mobile Payment Acceptance Security Guidelines: - Prevent account data from being intercepted when entered into a mobile device - Prevent account data from compromise while processed or stored within the mobile device - Prevent account data from interception upon transmission out of the mobile device • NIST 800-124, NIST 800-164 • NTIA Mobile Transparency Code of Conduct for Mobile Applications • Geo-location Privacy and Surveillance Act 22
BITS Layered Security for Mobile Cellular Service Regulatory Providers Entities Protocol/Security Standards Emerging Financial Services ce Network Security Assessment Oversight an 1. Mobile Malware Detection Threat Information Sharing pli T ru om Device Identificaiton Security Standards st ed dC Consumer Education Consumer Education Co an m n m tio un ula ic at g io Re ns 2. PROCESS Remote Wipe/Device Lock Fraud Detection Data Segregation and Encrypt COMPLIANCE Secure Transport Protocols Secure Transport Protocol Multi-factor Authentication Multi-factor Authentication Device Identification Asset Management and Patching Secure Transport Protocol Application Sandboxing Transaction Limits 6. BYOD or Enterprise Mobile Devices Financial 3. Mobile Financial Services Device/OS Integrity Monitoring Institution Network Security Controls Network Security Controls Server Side Security Controls Secure Browsing Out of Band Verification Enterprise Enterprise Compliance Monitoring POLICY Code Analysis and Reviews Device Hardening Consumer Education Workforce Workforce Security Awareness SECURE INFRASTRUCTURE Anomaly Detection Consumers Consumers t 4. en m Se lop c ur ve eSo De ftw re wa ar Application Sandboxing Multi-Factor Authentication e rd De Protocol/Security Standards Out of Band Verification Ha ve Remote Device Wipe/Lock Transaction Limits e lop ur Secure Transport Protocols Code Analysis and Reviews c m Se en Code Analysis and Reviews Secure Code Checklists 5. t Device Application Manufacturers Developers 23
Thank You! Questions? 24

More Related Content

PDF
Banking on The Future of Mobile.
byConrad Lisco
 
PPT
Mobile Payments Review - June 2013
byDavid Miller
 
PDF
Brett King Presents The Future of Banking
byBackbase
 
PDF
The future of mobile banking
byCuscal
 
PDF
Compete Financial Services: Mobile Money
byamainecompete
 
PPTX
Mobile Banking: The New American Addiction
byNTT DATA Consulting, Inc.
 
PDF
Banking On Mobile - Getting Ready for 2016
bySwrve_Inc
 
PDF
Mobile Payment Security Trends for the Future
byFirst American Payment Systems
 
Banking on The Future of Mobile.
byConrad Lisco
 
Mobile Payments Review - June 2013
byDavid Miller
 
Brett King Presents The Future of Banking
byBackbase
 
The future of mobile banking
byCuscal
 
Compete Financial Services: Mobile Money
byamainecompete
 
Mobile Banking: The New American Addiction
byNTT DATA Consulting, Inc.
 
Banking On Mobile - Getting Ready for 2016
bySwrve_Inc
 
Mobile Payment Security Trends for the Future
byFirst American Payment Systems
 

What's hot

PDF
Banking on mobile
byOptimal Usability
 
PDF
Mobile Money Business Models
byNetHopeOrg
 
PDF
121010_Mobile Banking & Payments for Emerging Asia Summit 2012_Reviewing Grow...
byspirecorporate
 
PDF
Banking Disruption in Financial Services: Threats and Opportunities
byDogTelligent
 
PPTX
Different MFS Model practice
byHasibur Rahman
 
PPT
Mobile Payment Value chain and Business Models
byStomar
 
PPTX
MBA Best Mobile Banking Presentation
byrajpatelplantemoran
 
PDF
Payments in Indonesia 2014
byNitin Mittal
 
PDF
[Industry Report] Indonesia Mobile games
byPhuong Vu
 
PPTX
A Roadmap for Mass Adoption of e-Payments in the Philippines
byJohn Owens
 
PDF
Indonesia Digital Transformation Outlook Briefing 2016
byMastel Indonesia
 
PDF
The Future of Mobile Banking: Building a Customer Experience That Starts and ...
byMichael McEvoy
 
PPTX
Reach Your Target Audiences, Strategies and Technologies in Mobile Advertising
byVivastream
 
PDF
Security Report of Top 100 Mobile Banking Apps - APAC
byAppknox
 
PDF
Accenture Distribution and Agency Management Survey: Reimagining insurance di...
byAccenture Insurance
 
PPTX
Gcit 1015 (section 2)
byHiuLaamChan1
 
PPTX
Mobile Wallet Future in Bangladesh
byHasibur Rahman
 
PDF
Tecnologías emergentes y la evolución continua de los pagos electrónicos en l...
byAsociación de Marketing Bancario Argentino
 
PDF
Mobile Wallets: Are We There Yet?
byNTT DATA Consulting, Inc.
 
PDF
Payment Industry Trends for 2016
byFirst American Payment Systems
 
Banking on mobile
byOptimal Usability
 
Mobile Money Business Models
byNetHopeOrg
 
121010_Mobile Banking & Payments for Emerging Asia Summit 2012_Reviewing Grow...
byspirecorporate
 
Banking Disruption in Financial Services: Threats and Opportunities
byDogTelligent
 
Different MFS Model practice
byHasibur Rahman
 
Mobile Payment Value chain and Business Models
byStomar
 
MBA Best Mobile Banking Presentation
byrajpatelplantemoran
 
Payments in Indonesia 2014
byNitin Mittal
 
[Industry Report] Indonesia Mobile games
byPhuong Vu
 
A Roadmap for Mass Adoption of e-Payments in the Philippines
byJohn Owens
 
Indonesia Digital Transformation Outlook Briefing 2016
byMastel Indonesia
 
The Future of Mobile Banking: Building a Customer Experience That Starts and ...
byMichael McEvoy
 
Reach Your Target Audiences, Strategies and Technologies in Mobile Advertising
byVivastream
 
Security Report of Top 100 Mobile Banking Apps - APAC
byAppknox
 
Accenture Distribution and Agency Management Survey: Reimagining insurance di...
byAccenture Insurance
 
Gcit 1015 (section 2)
byHiuLaamChan1
 
Mobile Wallet Future in Bangladesh
byHasibur Rahman
 
Tecnologías emergentes y la evolución continua de los pagos electrónicos en l...
byAsociación de Marketing Bancario Argentino
 
Mobile Wallets: Are We There Yet?
byNTT DATA Consulting, Inc.
 
Payment Industry Trends for 2016
byFirst American Payment Systems
 

Viewers also liked

PDF
Philippines Fintech Startup Report
byChristian König
 
PDF
Security issues in_mobile_payment
byProf. Dr. K. Adisesha
 
PDF
Mobile wallet presentation
byJoseph Frisz
 
PDF
Banking and Modern Payments System Security Analysis
byCSCJournals
 
PPT
Mobile Payment fraud & risk assessment
byStefano Maria De' Rossi
 
PPTX
Mobile payments: A history of [in]security
byCanadianCIO (IT World Canada)
 
PDF
Mobile Wallet Features
byMikhail Miroshnichenko
 
PDF
The business end of mobile ad fraud - Eric Seufert
byEric Seufert
 
PDF
Mobile Financial Services for the Next Billion Customers - Mobile Payments Se...
byMenekse Gencer
 
Philippines Fintech Startup Report
byChristian König
 
Security issues in_mobile_payment
byProf. Dr. K. Adisesha
 
Mobile wallet presentation
byJoseph Frisz
 
Banking and Modern Payments System Security Analysis
byCSCJournals
 
Mobile Payment fraud & risk assessment
byStefano Maria De' Rossi
 
Mobile payments: A history of [in]security
byCanadianCIO (IT World Canada)
 
Mobile Wallet Features
byMikhail Miroshnichenko
 
The business end of mobile ad fraud - Eric Seufert
byEric Seufert
 
Mobile Financial Services for the Next Billion Customers - Mobile Payments Se...
byMenekse Gencer
 

Similar to The Top Issues in Mobile Payments Fraud

PDF
Credit Suisse Group Financial Services Forum
byQuarterlyEarningsReports3
 
PPTX
Mobile Banking
byArthur Lok Jack Graduate School of Business, The University of the West Indies
 
PPT
Mobile Banking Trends
byZSL Mobile
 
PDF
Blueprint-for-SecuringMobileBankingApplications-Whitepaper
byBenjamin Wyrick
 
PPTX
Disruption, mobile and financial services
byNadya Powell
 
PPTX
Key Bank Case Competition
byClient228
 
PPTX
Mobile banking 2012
byAgency Management Institute
 
PDF
Compete Financial Services: Mobile Banking
byamainecompete
 
PDF
Engagement Banking: Building Relationships Through Online and Mobile
byMichael McEvoy
 
PDF
Mobility in Banking
by[x]cube LABS
 
PDF
Diebold Consulting Branch Transformation Florida Bankers Convention 2012
byChris Gill
 
PPTX
Opportunities for disruption in Financial Services (with a mobile focus)
byNadya.Powell
 
PDF
HPMC12: ABN Amro Multi channel transformation and the boost of mobile
byAccenture the Netherlands
 
PDF
Mapa research crosschannelexperiencesreport-brochure-mar14
byMapa International Limited
 
PDF
Investor Economics - "How should banks develop business with post-secondary s...
byRyan Kam
 
PPT
Smg interns summer 2010 financial services 8.5.10
byedwardrevis
 
PDF
Mobile and Alternative Payments in the U.S., 3rd Edition
byReportsnReports
 
PPTX
M Banking- Take the Money With You
bySabbir Mahmud
 
PDF
Fiserv Consumer Trends Survey
byFiserv
 
PDF
Redefining Convenience with Mobile Banking
byAman Narain
 
Credit Suisse Group Financial Services Forum
byQuarterlyEarningsReports3
 
Mobile Banking
byArthur Lok Jack Graduate School of Business, The University of the West Indies
 
Mobile Banking Trends
byZSL Mobile
 
Blueprint-for-SecuringMobileBankingApplications-Whitepaper
byBenjamin Wyrick
 
Disruption, mobile and financial services
byNadya Powell
 
Key Bank Case Competition
byClient228
 
Mobile banking 2012
byAgency Management Institute
 
Compete Financial Services: Mobile Banking
byamainecompete
 
Engagement Banking: Building Relationships Through Online and Mobile
byMichael McEvoy
 
Mobility in Banking
by[x]cube LABS
 
Diebold Consulting Branch Transformation Florida Bankers Convention 2012
byChris Gill
 
Opportunities for disruption in Financial Services (with a mobile focus)
byNadya.Powell
 
HPMC12: ABN Amro Multi channel transformation and the boost of mobile
byAccenture the Netherlands
 
Mapa research crosschannelexperiencesreport-brochure-mar14
byMapa International Limited
 
Investor Economics - "How should banks develop business with post-secondary s...
byRyan Kam
 
Smg interns summer 2010 financial services 8.5.10
byedwardrevis
 
Mobile and Alternative Payments in the U.S., 3rd Edition
byReportsnReports
 
M Banking- Take the Money With You
bySabbir Mahmud
 
Fiserv Consumer Trends Survey
byFiserv
 
Redefining Convenience with Mobile Banking
byAman Narain
 

More from Vivastream

PDF
EY Global Consumer Banking Survey
byVivastream
 
PDF
Automation for RDC and Mobile
byVivastream
 
PDF
Automation Services
byVivastream
 
PDF
Accura XV
byVivastream
 
PDF
Tcap
byVivastream
 
PPT
SQA
byVivastream
 
PDF
Next Generation Recognition Solutions
byVivastream
 
PDF
EY Global Consumer Banking Survey 2014
byVivastream
 
PDF
Exchange Solutions Datasheet_Customer Engagement Roadmap
byVivastream
 
PDF
EY Smart Commerce Report
byVivastream
 
PDF
Exchange Solutions Datasheet_Ecommerce
byVivastream
 
PDF
Breaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
byVivastream
 
PDF
Serano
byVivastream
 
PDF
Company Overview
byVivastream
 
PDF
Healthcare Payments Automation Center
byVivastream
 
PDF
APEX
byVivastream
 
PPTX
Jeeva jessf
byVivastream
 
TXT
Test
byVivastream
 
PDF
Vivastream Poster
byVivastream
 
PDF
Vivastream Poster
byVivastream
 
EY Global Consumer Banking Survey
byVivastream
 
Automation for RDC and Mobile
byVivastream
 
Automation Services
byVivastream
 
Accura XV
byVivastream
 
Tcap
byVivastream
 
SQA
byVivastream
 
Next Generation Recognition Solutions
byVivastream
 
EY Global Consumer Banking Survey 2014
byVivastream
 
Exchange Solutions Datasheet_Customer Engagement Roadmap
byVivastream
 
EY Smart Commerce Report
byVivastream
 
Exchange Solutions Datasheet_Ecommerce
byVivastream
 
Breaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
byVivastream
 
Serano
byVivastream
 
Company Overview
byVivastream
 
Healthcare Payments Automation Center
byVivastream
 
APEX
byVivastream
 
Jeeva jessf
byVivastream
 
Test
byVivastream
 
Vivastream Poster
byVivastream
 
Vivastream Poster
byVivastream
 

The Top Issues in Mobile Payments Fraud

  • 1.
    The Top Issuesin Mobile Payments Fraud JIM PITTS, BITS CATHY DAVIS, COMERICA BANK AL PASCUAL, JAVELIN STRATEGY & RESEARCH CECILIA HOYT, WELLS FARGO & COMPANY MARCH 11, 2013
  • 2.
    Agenda • Mobile PaymentsOverview • BITS Threat Assessment - The Process - Threats & Vulnerabilities - Controls and Ratings - Analysis, Mitigations & Recommendations • Fraud Risk and Mitigation Strategies: - Defining Risks - Analyzing Attacks - Challenges - Countermeasures • Regulatory Outlook • Future of Mobile Banking and Mobile Payments 2
  • 3.
    The Mobile ChannelAlready Represents More Than 6% of Total Online Retail Purchases Traditional and Mobile Online Retail Payments Market Size, 2012 Total U.S. Online Retail Purchases: $317.9 Billion Total Mobile* Online Retail Payments $20.3 Billion Click to edit Master title Online Total Traditional style Retail Payments $297.6 Billion *Mobile refers to "mobile devices," including feature 3 phone, smartphone, tablet, etc. © 2012 Javelin Strategy & Research
  • 4.
    Mobile Purchasers AreMore Than Twice as Likely to Conduct Mobile Banking All Mobile Consumers Mobile Purchasers All Mobile Consumers 27% 36% 64% 73% Click to edit Master title style Mobile banked past 12 months Not mobile banked past 12 months June 2012, n = 962 Q7: Please indicate the last time you conducted each of the Base: All mobile consumers, following activities: Mobile Banking Q34: Please indicate the last mobile consumers who have made a time you made a purchase via your mobile device using each of mobile purchase in the past 12 months the methods listed. Mobile Browser or app. © 2012 Javelin Strategy & Research 4
  • 5.
    Smartphone Owners AreOverwhelmingly Willing to Use Mobile Antivirus/Antimalware and Data Encryption Services Willingness to Use Mobile Willing to Use Mobile Data Antivirus/Antimalware Encryption Services 5% 5% 4% 3% 37% 39% 24% 27% Click to edit Master title style 27% 29% % of smartphone owners % of smartphone owners Not at all willing Somewhat unwilling Neutral Somewhat willing Very willing Q23: On a scale of 1-5, please rate your willingness to use June 2012, n = 1779 the following products or services. Antivirus or anti-malware Base: Smartphone owners. software on your mobile device © 2012 Javelin Strategy & Research 5
  • 6.
    Geolocation Users andMobile Bankers Find Geolocation More Effective and Easy to Use Geo-location users -12% 60% Effectiveness Mobile bankers -18% 37% All consumers -22% 23% Geo-location users -8% 67% Ease of Use Mobile bankers -12% 43% All consumers Click to -17% 28%Master title style edit 30% 20% 10% 0% 10% 20% 30% 40% 50% 60% 70% 80% Percent of Consumers Not effective/not easy to use Effective/easy to use Q37. In your opinion, how effective are each of the following methods at protecting your information when you are banking?: Image you previously selected is always displayed at August 2012, n= 3,000, 820, 347 login Q38. In your opinion, how effective are each of the following methods at protecting Base: All consumers, mobile bankers, your information when you are banking? Image you previously selected is always displayed at geolocation users. login © 2012 Javelin Strategy & Research 6
  • 7.
    Safety Is theTop Concern Among Consumers Unlikely to Make Contactless Payments I do not think it is a safe form of payment 51% I see no benefit to contactless payments 46% I don’t know how to use a contactless card or device 18% I don’t know how or where to get a contactless card or 17% device I am worried merchants that I usually shop with will not 13% accept contactless payment options Other, please specify 3% 0% 10% 20% 30% 40% 50% 60% % of consumers Q50: You responded that you are not likely to use a contactless payment October 2012, n= 3,217 card or a contactless payment option on your mobile phone or other Base: All consumers unlikely to use contactless cards. device. Please select the reasons why. (Select up to three) © 2012 Javelin Strategy & Research 7
  • 8.
    Visa, PayPal MostTrusted Brands for Financial Information Consumer Security Ratings of Brand Most Trusted with Financial Information Visa 28% PayPal 23% American Express 17% Chase Bank 17% MasterCard 17% Bank of America 17% Wells Fargo 15% Amazon 11% Discover 10% Citibank 7% Verizon 6% Apple AT&T Click to edit Master title style 5% 5% U.S. Bank 5% Google 4% Sprint 2% Facebook 2% 0% 5% 10% 15% 20% 25% 30% Percent of Consumers December 2011, n=5,878 Q60: Which of the following companies would you Base: All consumers. trust most with your financial information? © 2012 Javelin Strategy & Research 8
  • 9.
    Gang of FourLanguish While Visa and PayPal Lead Consumer Ratings of Brand Best at Protecting Private Information Visa 31% PayPal 26% MasterCard 20% American Express 19% Bank of America 16% Chase Bank 15% Wells Fargo 13% Amazon 13% Discover 12% Verizon 8% AT&T 7% Apple 7% Citibank Click to edit Master title style 6% Google 5% U.S. Bank 4% Facebook 3% Sprint 2% 0% 5% 10% 15% 20% 25% 30% 35% Percent of Consumers Q61: Which of the following companies do you believe would December 2011, n=5,878 be best at protecting your private information such as SSN, Base: All consumers. passwords, date of birth, etc.? © 2012 Javelin Strategy & Research 9
  • 10.
    BITS Mobile ThreatAssessment Working Group • Threat assessment approach and methodology are consistent with NIST guidelines1 • Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and impact of the occurrence. • The Mobile Threat Assessment is used to review the extent of potential threats and the associated risk created by the existence of the threats. 1 Threat assessment methodology is based on NIST SP 800-30 “Risk Management Guide for Information Technology Systems” (refer to pages 8 – 26) 10
  • 11.
    BITS Mobile ThreatAssessment Approach Core steps in the assessment process: 1 2 3 4 5 6 Controls Controls Threat Threat Vulnerabilities Control Recommendations Inventory & Categorization Identification Assessment Ratings & Mitigation Analysis Planning • Identify applicable threat •Identity the threat • Develop a list of potential • Analyze internal • Determine the impact of • Document existing controls that categories for Mobile sources which are the vulnerabilities that could preventative and and the likelihood that can limit exposure to identified threats methods targeted at the be exploited by potential detective controls that potential vulnerabilities threat scenarios and risks • Document categories and intentional exploitation threat-sources have been implemented, will be exploited in the •Document weaknesses and threat segments of a vulnerability • Vulnerabilities are or are planned for threat environment control gaps • Identify the threats potential flaws or implementation, to • Prioritize and weigh risks • Discuss threat assessment which are the potential weaknesses in procedures, minimize or eliminate the • Identify areas for results with the leadership and for a threat-source to design, proposed likelihood or probability of immediate improvement stakeholders to determine if intentionally exploit a implementation or noted threats exploiting and long term mitigation short and long term risk specific vulnerability internal controls that identified vulnerabilities mitigation strategies and plans • Create threat scenarios could be exploited • Identify potential control need to be put in place (as needed )as visual gaps or weaknesses • Document threat assessment representations of reviews and approvals potential threats • Repeat process annually or more frequently based on the risk assessment requirements and applicable regulatory guidance Identify risks, assess controls, determine if gaps exist, then define plans for any remediation required
  • 12.
    BITS Mobile ThreatCategorization 1 # Category Name Threat Description Malicious software such as viruses, Trojan horses, spyware, and malicious active content. Viruses are a Malware Targeting 1 threat to the peripheral device exposure or utilizing infected device to attack other devices. Spyware can Mobile Platforms be used to eavesdrop, impersonate, or remotely control a compromised device or user. A malicious person or program could misrepresent as another in order to acquire sensitive personal 2 Mobile Spoofing information. 3 Weak Fraud Controls Lack of adequate monitoring, detection, or prevention technology could lead to fraud losses. 4 Infected Applications Application downloads containing malicious software Exploitation of malicious web applications to steal credentials, perform fraudulent transactions, or 5 Web Browser Attacks compromise information. 6 Marketplace Certification Misrepresentation of branding or stealing legitimate branding SMS Redirection, SMS An SMS message can be used to redirect a mobile web browser to a malicious website; call forwarding can 7 Hijack or SMS Exploit be used to fraudulently bypass authentication; fraudsters can subscribe a mobile number to a premium Forwarding text number service to send messages to and from the numbers. Compromise of a vendor’s infrastructure could result in the loss of confidential information (now includes 8 Vendor Breach Carriers). 9 Transport/ Protocol Gap Weakness in network or transport layer could allow eavesdropping or takeover 10 User Device Control Mobile device could be lost, stolen or inappropriately borrowed or misused 11 Platform Specific Attacks Utilization of known platform specific weaknesses to perpetrate malicious activities Utilization of known device specific weaknesses to perpetrate malicious activities (add to break out SIM 12 Device Specific Attacks Card vulnerabilities) Fake applications placed in application stores for download that are usually trojanized copies of legitimate 13 Rogue Applications applications. The applications are used to harvest credentials and steal data.
  • 13.
    BITS Mobile VulnerabilityAssessment 2 3 Assessment results included input from multiple financial institutions of varying size and maturity in their mobile offerings. Mobile # Vulnerability Description & Examples Likelihood Trend Impact Detailed Rationale Threat 2 Mobile Description: Medium Increasing Low Impact rating was Spoofing A malicious person or program could misrepresent as predominantly low with a split another in order to acquire sensitive personal of several responders into a information. medium rating. Spoofing Examples include: targets are a small group,  SMS Spoofing/Smishing: A phishing attempt sent targeted phishing is migrating to via SMS (Short Message Service) or text message to mobile. a mobile phone or device. This tactic is also referred to as smishing, which is a combination of SMS and At this point, good controls are phishing. The purpose of text message phishing is in place by the carriers to the same as traditional email phishing: convince prevent spoofing for recipients to share their sensitive or personal accountability purposes. information.  Vishing: Also know as voice phishing, this tactic is a Most assessment respondents phishing attempt made through a telephone call, fax said they are not seeing or or voice message. In one scenario, messages that hearing about this in their claimed to be from a bank told users to dial a phone environment. Have not yet number regarding problems with their bank heard this is widespread, so accounts. Once the phone number (owned by the cannot assess impact or phisher and provided by a Voice over IP service) was likelihood as high, although dialed, prompts told users to enter their account suspect just as in Automatic numbers and PIN. Vishing sometimes uses fake Number Identification spoofing caller-ID data to give the appearance that calls come or phishing it will increase as the from a trusted organization. fraud catches on. 13
  • 14.
    BITS Controls Inventoryand Ratings 4 5 Partial list of controls that were reviewed during the assessment and controls ratings applied during the review process. Effectiveness Rating Importance Rating Overall Rating Control Name (1-5) (1-5) (Low, Medium, High) Detective Controls Mobile Fraud Detection (Alerts, Out 3.3 3.7 Medium (7.0) Sorts, Day 2 Reports) Device-Specific Patching Processes 3.2 3.3 Medium (6.5) Application Stores/Marketplace 3.5 3.3 Medium (6.8) Monitoring Application Take-Down Processes (Rogue 3.4 3.3 Medium (6.7) Apps) Remote Device Wipe/Remote Device Lock 3.9 3.5 Medium (7.4) Vendor Review Processes 3.3 3.2 Medium (6.5) Vendor Contracts, Vendor Review 3.0 3.3 Medium (6.3) Processes, Shared Liability Consumer Education 2.9 3.4 Medium (6.3) Identity/Brand Management Controls & 3.3 3.5 Medium (6.8) Processes 14
  • 15.
    BITS Aggregated ControlsRatings 4 5 To provide a view of Mobile layered security, the controls were aggregated and rated as a group. This proved to be an effective communication tool for debriefs with leadership teams looking for a holistic perspective on mobile risk mitigation. Aggregate Effectiveness Aggregate Importance Overall Rating Aggregate Mitigating Controls Rating (1-5) Rating (1-5) (Low, Medium, High) Identified Mobile Threats & Vulnerabilities Malware • Multi-factor authentication (mobile & online banking) 4.16 3.33 Medium (7.49) Targeting Mobile • App store development validation Platforms • Applications sandboxing • User authentication and login • Store sensitive information off device • Mobile malware detection • Out of band verification controls • Device settings controls • Consumer education Mobile Spoofing • Multi-factor authentication (mobile & online banking) 4.33 4.60 High (8.93) • Secure transport protocols • Mobile fraud detection • Device/IP verification • Authentication history of clients’ transactions • Consumer education • A symbol or way for a person to know when they are at a “safe” place to provide information from their devices 15
  • 16.
    BITS Recommendations &Mitigation Planning Identified Mobile Threat Control Gaps / Potential Long Term Risk # / Vulnerability Description Weaknesses Description Short Term Risk Mitigation Mitigation 2 Mobile Spoofing A malicious person or  Mobile Tech Maturity  Multifactor authentication  Secure transport protocols program could Issues (Mobile & Online) banking  Mobile fraud detection misrepresent as another  Monitoring Capability  Device/IP verification  Consumer education in order to acquire Shortfalls  Anomaly detection sensitive personal  Developmental information Oversight  3rd Party Security  Competitive Integrity Issues  Device Accessibility  Restrictive Policy  Authentication Compromise  Geo-location Spoofing 3 Inadequate Fraud Lack of adequate  Mobile Tech Maturity  Multifactor authentication  Secure transport protocols Controls monitoring, detection, or Issues (Mobile & Online) banking  Mobile fraud detection prevention technology  Monitoring Capability  Device/IP verification  Consumer education could enable or allow Shortfalls  Transaction Limits undetected or  Developmental unauthorized access, Oversight unauthorized transactions,  3rd Party Security and/or fraud losses  Competitive Integrity Issues  Restrictive Policy 16
  • 17.
    BITS Fraud ScenarioDevelopment Mobile Security Threat Fraud Scenarios Categories • Malware Targeting Mobile • Malware Attack Platforms • Phishing/Smishing/Vishing • Mobile Spoofing • Inadequate Mobile Fraud Controls • Account Take Over/ID Theft • Infected Applications • Impersonation/Hijacking • Web Browser Attacks • System Breach • Marketplace Misrepresentation • SMS Redirection – Hijack or Exploit • Browser Attacks Forwarding • Marketplace Misrepresentation • Vendor Breach • Transport or Protocol Gaps • User Device Management • Platform Specific Attacks • Device Specific Attacks • Rogue Applications
  • 18.
    BITS Fraud RiskScenario – Malware Attack  Threat Type: Malware targeting mobile platforms Applies to: Money Movement: DDA  Scenario: Use of malicious software or applications (MITM, ZITMO, Trojans, spyware) to hijack, impersonate,  OLB  DDA steal credentials, or other to support fraudulent crime.  Mobile  Exposure: Theft of private information or credentials to gain access to account assets  Likelihood: Medium Impact: Medium Criminal Activity 2. Compromised Credentials 4. Funds •Fraudster issues •SMS Message sent to money movement on Fraudster transfer behalf of the •Customer clicks on a customer •Customer logs into Online •Customer Prompted to link which then infects •Fraudster gains Banking (OLB) using download fraudulent their mobile device infected mobile device applications unauthorized access with a virus •Customer Prompted to •Fraudster now has control provide Mobile Number in of OLB and Mobile device; addition to Username and can re-direct SMS Text 1. Customer Password Mobile device •Fraudster key logs 5. Funds Infected information removal 3. Account Takeover Fraud Concerns • Virus, Trojan, spyware, active  Eavesdropping content • Peripheral device exposure  Remotely control device or user  Impersonation Fraud Controls •Device settings controls • Application Sandboxing •User authentication and login  Multi factor authentication •App store development • Mobile malware detection •Out of band verification controls Validation • Store sensitive information off • Consumer education device Control gaps  Competitive Integrity issues  Authentication compromise Developmental oversight • Application distribution practices  Criminal proficiency  Infected devices • 3rd party security Mobile anti virus issues  Device accessibility • Anti virus sandboxing  Application labeling 18
  • 19.
    BITS Sample FraudScenario: Account Takeover (Mobile Transfer)  Threat Type: Criminal compromises victim’s online account and conducts multiple inter-customer transfers Applies to: Money Movement: from victim’s DDA/SAV accounts into his newly established SAV/DDA accounts, and withdraws the funds via  Mobile DDA  DDA ATM withdraws and debit card purchases. transfers  Exposure: Account takeover via compromised credentials, money movement  Likelihood: Low Impact: Low Loss Amount: Confidential 2. Account Maintenance Criminal Activity Activities •08/05/10 Online access suspended due to security question failure •Between 08/13/10 to 08/30/10 criminal conducts 32 mobile 4. Funds removal •08/05/10 Password change inter customer transfer • 08/04/10 - Existing DDA and •08/06/10 Phone number unauthorized transactions and maintenance; Security Questions •09/04/10 - Victim visits a Savings accounts. Customer transfers $20,594 from the •08/06/10 –Criminal drains and online statement activated on branch and reports does not have any online victim’s account into criminals the new DDA account via victim’s profile unauthorized transactions accts. own savings account ATM withdrawals and debit •Customer impacted by •08/06/10 victim’s accounts •Criminal then moves funds card purchases malware enrolled for Mobile Banking from his savings account into 5. Notification •08/06/10 Criminal adds his his newly opened DDA 1. Open New Account account as an inter customer transfer payee 3. Funds Transfer Fraud Concerns  Confidential  Confidential  Confidential  Confidential  Confidential Fraud Controls  Confidential  Confidential  Confidential  Confidential  Confidential Control gaps  Confidential  Confidential  Confidential  Confidential  Confidential 19
  • 20.
    BITS Advisory: MobileBanking and Payment Application Vulnerabilities Existing Security Recommended Mitigation Vulnerabilities Strategies • Imposter Applications • Search regularly (i.e. daily or weekly) for applications utilizing your financial • Account Aggregation Applications institution’s brand. • Rogue Applications • Market the availability of the official financial institution mobile application(s). • Provide consumers with tips on securely providing financial information via mobile applications. • If an application violates copyright or contains malware, file a complaint through the store’s support site. 20
  • 21.
    Regulation Today, andTomorrow Existing Regulations • FFIEC Existing Applicable Guidance • FTC Consumer Privacy and Protections • Impact of New Regulations - Truth in Lending/Reg Z - Patriot Act, Bank EFT Act/Reg E - Secrecy Act, AML Reqs - Gramm-Leach-Bliley - UCC Article 4A and NACHA Rules - State money Transmitter and Services Laws - Dodd-Frank • Future Oversight - CFPB - ANSI - ISO 21
  • 22.
    Mobile Standards &Guidelines • PCI Mobile Payment Acceptance Security Guidelines: - Prevent account data from being intercepted when entered into a mobile device - Prevent account data from compromise while processed or stored within the mobile device - Prevent account data from interception upon transmission out of the mobile device • NIST 800-124, NIST 800-164 • NTIA Mobile Transparency Code of Conduct for Mobile Applications • Geo-location Privacy and Surveillance Act 22
  • 23.
    BITS Layered Securityfor Mobile Cellular Service Regulatory Providers Entities Protocol/Security Standards Emerging Financial Services ce Network Security Assessment Oversight an 1. Mobile Malware Detection Threat Information Sharing pli T ru om Device Identificaiton Security Standards st ed dC Consumer Education Consumer Education Co an m n m tio un ula ic at g io Re ns 2. PROCESS Remote Wipe/Device Lock Fraud Detection Data Segregation and Encrypt COMPLIANCE Secure Transport Protocols Secure Transport Protocol Multi-factor Authentication Multi-factor Authentication Device Identification Asset Management and Patching Secure Transport Protocol Application Sandboxing Transaction Limits 6. BYOD or Enterprise Mobile Devices Financial 3. Mobile Financial Services Device/OS Integrity Monitoring Institution Network Security Controls Network Security Controls Server Side Security Controls Secure Browsing Out of Band Verification Enterprise Enterprise Compliance Monitoring POLICY Code Analysis and Reviews Device Hardening Consumer Education Workforce Workforce Security Awareness SECURE INFRASTRUCTURE Anomaly Detection Consumers Consumers t 4. en m Se lop c ur ve eSo De ftw re wa ar Application Sandboxing Multi-Factor Authentication e rd De Protocol/Security Standards Out of Band Verification Ha ve Remote Device Wipe/Lock Transaction Limits e lop ur Secure Transport Protocols Code Analysis and Reviews c m Se en Code Analysis and Reviews Secure Code Checklists 5. t Device Application Manufacturers Developers 23
  • 24.
    Thank You! Questions? 24