Security in a Mobile App World – A Payments Perspective
James Sellwood
6th Sept 2014
About Me
Electronic Payments Consultant: Credit Cards, Terminals, Contactless / NFC / HCE
Security Consultant: Payment Systems, Mobile
RHUL ISG Alumni (MSc '12)
Part-time Student (PhD '1x)
Information Security Research: Android Access Control
Presentation Overview
Payments' use of software
Past, present and imminent
The mobile app world's impact on:
Requirements
Development
Testing
Risk
Security
What this is
My personal view & understanding
Example based
Generalised & simplified
Comparative
UK biased (but not UK specific)
What this is NOT
Employer or client endorsed
Comment (+/-) about any brand shown
Providing answers
The entire story
Historically
Technologically
Geographically
Usage of Payment Cards & Banking Services
A selective history, highlighting changes in: usability, risks & security
Embossing
[Slide diagram layers: static data]
http://www.theukcardsassociation.org.uk/cards-transactions/card-present-transactions.asp
Magnetic Stripe
[Slide diagram layers: static data]
http://www.q-card.com/support/magnetic-stripe-card-standards.asp
Magnetic Stripe
Improve speed of transaction
Degradation (slow)
Automated Entry
No mistyping / miscopying of card details
No carbon paper copy of card details
ATM
[Slide diagram layers: software]
http://labby.co.uk/2011/03/decommissioning-a-cash-machine-atm/
ATM
Greater availability
Outside bank opening hours
Unattended locations
Cardholder attacks
Isolated system
Two-factor authentication
Online PIN
Contact Chip
[Slide diagram layers: dynamic data, software, secure chip]
https://www.cibc.com/ca/credit-cards/dividend-one-mastercard.html
Contact Chip
Active participation in transaction
Dynamic data creation
Offline transaction approval
Offline PIN verification
Issuer scripting at POS
Hardware-based secure storage & processing protects:
Application logic
Cryptographic keys
Online Banking
[Slide diagram layers: software]
https://www.halifax-online.co.uk/personal/logon/login.jsp
Online Banking
Greater availability
Any physical location
Variety of PC-specific threats
Device fingerprinting
Authentication
Passwords
Two-factor authentication
Contactless Chip
[Slide diagram layers: dynamic data, software, secure chip, contactless]
http://www.bluestarinc.com/us-en/solutions/security/news/single/news/detail/News/chip-and-pin-the-future-of-credit-cards.html
Contactless Chip
Improve speed of transaction
No dip
Faster data exchange
No PIN verification (low-value)
Proximal data access
Privacy
Should remain in control of cardholder
Dual Interface Chip
[Slide diagram layers: dynamic data, software, secure chip, contactless]
http://www.kinodesign.com/featured-work/barclaycard/07-Card-design-for-life
Dual Interface Chip
Flexibility of both contactless and contact
Speed and convenience
Issuer scripting at POS
Amount and velocity limits... then revert to contact, reset counters and then carry on as before
Stickers
[Slide diagram layers: dynamic data, software, secure chip, contactless]
http://allaboutwindowsphone.com/flow/item/14658_Barclaycard_PayTag_sticks_NFC_.php
Stickers
No need to carry a card
Stick it to what you like (e.g. something you carry regularly)
Limited ways to update counters
Amount and velocity limits...
then decline
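The counter behaviour contrasted on the Dual Interface Chip and Stickers slides (offline amount and velocity limits, followed by either a contact fallback that resets the counters or a plain decline) is easier to see as a small simulation. The following is an added illustration, not any card scheme's actual risk logic: the limit values, the form-factor labels and the "reset on contact" rule are all assumptions.

```python
"""Toy model of offline contactless limits: a dual interface card can revert
to contact and have its counters reset, a sticker can only decline.
Constructed illustration; limits and behaviour are assumptions, not EMV rules."""
from dataclasses import dataclass


@dataclass
class OfflineCounters:
    """Per-card offline risk counters, reset only by a contact (online) transaction."""
    max_txn_count: int        # velocity limit: consecutive offline contactless transactions
    max_cum_amount: int       # cumulative amount limit in minor units (assumed: pence)
    txn_count: int = 0
    cum_amount: int = 0

    def within_limits(self, amount: int) -> bool:
        return (self.txn_count < self.max_txn_count
                and self.cum_amount + amount <= self.max_cum_amount)

    def record(self, amount: int) -> None:
        self.txn_count += 1
        self.cum_amount += amount

    def reset(self) -> None:
        self.txn_count = 0
        self.cum_amount = 0


@dataclass
class Card:
    form_factor: str          # "dual_interface" or "sticker" (assumed labels)
    counters: OfflineCounters

    def contactless(self, amount: int) -> str:
        """Contactless tap: approve offline while within limits, otherwise escalate."""
        if self.counters.within_limits(amount):
            self.counters.record(amount)
            return "APPROVED_OFFLINE"
        # Limits exceeded: a dual interface card can be dipped and go online;
        # a sticker has no contact interface, so its only outcome is a decline.
        if self.form_factor == "dual_interface":
            return "FALLBACK_TO_CONTACT"
        return "DECLINE"

    def contact_online(self, amount: int) -> str:
        """Contact transaction goes online; the issuer script resets the counters."""
        if self.form_factor != "dual_interface":
            raise ValueError("no contact interface on this form factor")
        self.counters.reset()
        return "APPROVED_ONLINE"


def run_scenario(form_factor: str, amounts: list[int]) -> list[str]:
    """Replay a sequence of tap amounts against a fresh card and collect outcomes."""
    card = Card(form_factor, OfflineCounters(max_txn_count=3, max_cum_amount=5000))
    outcomes = []
    for amt in amounts:
        result = card.contactless(amt)
        outcomes.append(result)
        if result == "FALLBACK_TO_CONTACT":
            outcomes.append(card.contact_online(amt))
    return outcomes


if __name__ == "__main__":
    taps = [1500, 1500, 1500, 1500, 1000]   # constructed sample amounts
    print("dual interface:", run_scenario("dual_interface", taps))
    print("sticker:       ", run_scenario("sticker", taps))
```

The same tap sequence shows the difference: after three offline approvals the dual interface card falls back to contact, its counters are reset and the next tap is approved offline again, whereas the sticker declines from the fourth tap onwards until some other channel updates it.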
Mobile Banking (App)
[Slide diagram layers: software, software protection, open distribution, data connection]
http://www.computerweekly.com/news/2240105562/RBS-and-Natwest-launch-nativeBlackberry-app-for-bank-transfers
Mobile Banking (App)
No need to have access to a PC
You already carry a smartphone – apparently
Variety of mobile-specific threats
Device fingerprinting as well as user authentication
Mobile (NFC)
[Slide diagram layers: dynamic data, software, secure chip, contactless, data connection]
http://www.engadget.com/2014/03/14/google-wallets-tap-to-pay-feature-will-requireandroid-4-4-kitk/
Mobile (NFC)
No need to carry a card
Mobile network provides non POS-based communications channel
Do need NFC capable smartphone (even more attractive target)
Issuer scripting wherever data available
User interface allows user control
Activate / deactivate
Passcode: every transaction / high-value
Mobile (HCE)
[Slide diagram layers: dynamic data, software, software protection, contactless, open distribution, data connection]
http://nfctimes.com/news/capital-one-reveals-reasons-quitting-isis-early-role-promoting-hce
Mobile (HCE)
Wider availability
Easier (cheaper) issuance
Fewer interoperability restrictions
No hardware-based secure element
Limited transaction data on device with limited validity period
Short-lived keys
Risk informed approach
Impact of the Mobile App World
Mobile App Requirements
Identification (device / app / customer)
Authentication (device / customer)
Authorization (request)
Confidentiality (customer data / keys)
Integrity (request)
Availability (service)
Auditing (everything)
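The Mobile (HCE) slide's "short-lived keys" and "limited transaction data on device with limited validity period", and the requirements list just above (identification, authentication, authorization, confidentiality, integrity, availability, auditing), can be shown together in one small limited-use key lifecycle. The following is an added example and not any payment scheme's protocol or any vendor's code: the field names, the use of HMAC-SHA256 as the cryptogram function, the key derivation, the limits and the device identifiers are all assumptions made for illustration.

```python
"""Simplified HCE-style limited-use key (LUK) lifecycle: the issuer host keeps the
long-term secret and provisions a short-lived, use-limited key to the device app;
the app MACs each request with it; the host checks identity, MAC, expiry and
remaining uses, then writes an audit record. Constructed illustration only."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class LimitedUseKey:
    key_id: str
    key: bytes
    device_id: str
    expires_at: int        # unix time in seconds (assumed representation)
    uses_remaining: int


def cryptogram(key: bytes, request: dict) -> str:
    """Integrity + authentication: MAC over the canonical request, excluding the MAC itself."""
    body = {k: v for k, v in request.items() if k != "cryptogram"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer host: owns the master secret, provisions LUKs, verifies and audits."""

    def __init__(self, master_secret: bytes):
        self.master_secret = master_secret       # never leaves the host (confidentiality)
        self.devices: set[str] = set()           # enrolled device identifiers
        self.luks: dict[str, LimitedUseKey] = {}
        self.audit: list[dict] = []              # auditing (everything)

    def enrol_device(self, device_id: str) -> None:
        self.devices.add(device_id)

    def provision(self, device_id: str, now: int, ttl_seconds: int, uses: int) -> LimitedUseKey:
        """Derive a per-key secret from the master secret; only this short-lived key goes to the app."""
        if device_id not in self.devices:
            raise PermissionError("unknown device")
        key_id = secrets.token_hex(8)
        key = hmac.new(self.master_secret, f"{device_id}:{key_id}".encode(), hashlib.sha256).digest()
        luk = LimitedUseKey(key_id, key, device_id, now + ttl_seconds, uses)
        self.luks[key_id] = luk
        return luk

    def verify(self, request: dict, now: int) -> str:
        """Identification, then authentication/integrity, then authorization checks, in that order."""
        luk = self.luks.get(request.get("key_id", ""))
        if luk is None or luk.device_id != request.get("device_id"):
            reason = "UNKNOWN_KEY_OR_DEVICE"
        elif not hmac.compare_digest(cryptogram(luk.key, request), request.get("cryptogram", "")):
            reason = "BAD_CRYPTOGRAM"
        elif now > luk.expires_at:
            reason = "KEY_EXPIRED"
        elif luk.uses_remaining <= 0:
            reason = "KEY_EXHAUSTED"
        else:
            reason = "OK"
            luk.uses_remaining -= 1
        self.audit.append({"ts": now, "device_id": request.get("device_id"),
                           "key_id": request.get("key_id"), "amount": request.get("amount"),
                           "result": reason})
        return reason


class DeviceApp:
    """HCE app side: holds only the short-lived key and builds MACed requests."""

    def __init__(self, device_id: str, luk: LimitedUseKey):
        self.device_id, self.luk, self.seq = device_id, luk, 0

    def build_request(self, amount: int, now: int) -> dict:
        req = {"device_id": self.device_id, "key_id": self.luk.key_id,
               "amount": amount, "ts": now, "seq": self.seq}
        req["cryptogram"] = cryptogram(self.luk.key, req)
        self.seq += 1
        return req


def run_scenario() -> dict:
    """Provision a 2-use, 600 s key and replay: good, tampered, good, exhausted, expired."""
    issuer = Issuer(master_secret=b"constructed-master-secret-not-for-real-use")
    issuer.enrol_device("dev-001")                     # constructed device id
    app = DeviceApp("dev-001", issuer.provision("dev-001", now=1000, ttl_seconds=600, uses=2))
    results = [issuer.verify(app.build_request(1250, 1010), now=1010)]
    tampered = app.build_request(1250, 1020)
    tampered["amount"] = 99999                         # amount altered after MAC: integrity fails
    results.append(issuer.verify(tampered, now=1020))
    results.append(issuer.verify(app.build_request(500, 1030), now=1030))
    results.append(issuer.verify(app.build_request(500, 1040), now=1040))
    results.append(issuer.verify(app.build_request(500, 2000), now=2000))
    return {"results": results, "audit_entries": len(issuer.audit)}


if __name__ == "__main__":
    print(run_scenario())
```

The ordering inside `verify` matters: the host identifies the device and key first, authenticates the request next, and only then spends a use, so a request that fails the MAC does not consume the key's allowance, while every attempt, accepted or not, lands in the audit log. Short expiry and a small use count mean that whatever is recovered from a device without a secure element is only valuable for a narrow window, which is the "risk informed approach" the HCE slide refers to.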
Development (mobile versus pre-mobile)
Less niche knowledge required
Fewer technological constraints
Wider choice of supporting libraries
Significant volume of information available online
Demand for fast paced, iterative product improvement
Frequent API change
Testing (mobile versus pre-mobile)
Generic testing frameworks available
More features to test
More security frameworks now part of the product (rather than underlying architecture)
More iterations to be tested
Cannot now test all the possible component combinations
Risk (mobile versus pre-mobile)
More information available to inform decision making
Cardholder owned device with no provenance
Base security architecture may be weaker
Less experienced development teams and proliferation of "code by Google"
Security (mobile versus pre-mobile)
Modern interfaces
Graded responses or temporary restrictions
More information-driven
More reliant on active monitoring
Application code open to malicious evaluation
Many more endpoints, particularly ones accessed by untrusted nodes
Closing Thoughts
Risk landscapes change
Good / Bad
Advancement / Bug
Business / Outsider
Not (as) secure versus secure enough
Financial versus reputational loss
More data is only useful if you can interpret and act on it
Questions