Security in a Mobile App World
A Payments Perspective
James Sellwood
6th Sept 2014

About Me
- Electronic Payments Consultant
  - Credit Cards
  - Terminals
  - Contactless / NFC / HCE
- Security Consultant
  - Payment Systems
  - Mobile
- RHUL ISG Alumni (MSc '12)
- Part-time Student (PhD '1x)
  - Information Security Research
  - Android Access Control

Presentation Overview
- Payments' use of software
  - Past, present and imminent
- The mobile app world's impact on:
  - Requirements
  - Development
  - Testing
  - Risk
  - Security

What this is
- My personal view & understanding
- Example based
- Generalised & simplified
- Comparative
- UK biased (but not UK specific)

What this is NOT
- Employer or client endorsed
- Comment (+/-) about any brand shown
- Providing answers
- The entire story
  - Historically
  - Technologically
  - Geographically

Usage of Payment Cards & Banking Services
A selective history, highlighting changes in: usability, risks & security

Embossing
Image: http://www.theukcardsassociation.org.uk/cards-transactions/card-present-transactions.asp
Slide labels: static data

Magnetic Stripe
Image: http://www.q-card.com/support/magnetic-stripe-card-standards.asp
Slide labels: static data
- Improve speed of transaction
- Degradation (slow)
- Automated Entry
  - No mistyping / miscopying of card details
  - No carbon paper copy of card details

ATM
Image: http://labby.co.uk/2011/03/decommissioning-a-cash-machine-atm/
Slide labels: software
- Greater availability
  - Outside bank opening hours
  - Unattended locations
- Cardholder attacks
- Isolated system
- Two-factor authentication
- Online PIN

Contact Chip
Image: https://www.cibc.com/ca/credit-cards/dividend-one-mastercard.html
Slide labels: dynamic data, software, secure chip
- Active participation in transaction
  - Dynamic data creation
  - Offline transaction approval
  - Offline PIN verification
- Issuer scripting at POS
- Hardware-based secure storage & processing protects
  - Application logic
  - Cryptographic keys

Online Banking
Image: https://www.halifax-online.co.uk/personal/logon/login.jsp
Slide labels: software
- Greater availability
  - Any physical location
- Variety of PC-specific threats
- Device fingerprinting
- Authentication
  - Passwords
  - Two-factor authentication

Contactless Chip
Image: http://www.bluestarinc.com/us-en/solutions/security/news/single/news/detail/News/chip-and-pin-the-future-of-credit-cards.html
Slide labels: dynamic data, software, secure chip, contactless
- Improve speed of transaction
  - No dip
  - Faster data exchange
  - No PIN verification (low-value)
- Proximal data access
  - Privacy
  - Should remain in control of cardholder

Dual Interface Chip
Image: http://www.kinodesign.com/featured-work/barclaycard/07-Card-design-for-life
Slide labels: dynamic data, software, secure chip, contactless
- Flexibility of both contactless and contact
- Speed and convenience
- Issuer scripting at POS
- Amount and velocity limits... then revert to contact, reset counters and then carry on as before

Stickers
Image: http://allaboutwindowsphone.com/flow/item/14658_Barclaycard_PayTag_sticks_NFC_.php
Slide labels: dynamic data, software, secure chip, contactless
- No need to carry a card
- Stick it to what you like (e.g. something you carry regularly)
- Limited ways to update counters
- Amount and velocity limits... then decline

Mobile Banking (App)
Image: http://www.computerweekly.com/news/2240105562/RBS-and-Natwest-launch-nativeBlackberry-app-for-bank-transfers
Slide labels: software, software protection, open distribution, data connection
- No need to have access to a PC
- You already carry a smartphone – apparently
- Variety of mobile-specific threats
- Device fingerprinting as well as user authentication

Mobile (NFC)
Image: http://www.engadget.com/2014/03/14/google-wallets-tap-to-pay-feature-will-requireandroid-4-4-kitk/
Slide labels: dynamic data, software, secure chip, contactless, data connection
- No need to carry a card
- Mobile network provides non POS-based communications channel
- Do need NFC capable smartphone (even more attractive target)
- Issuer scripting wherever data available
- User interface allows user control
  - Activate / deactivate
  - Passcode: every transaction / high-value

Mobile (HCE)
Image: http://nfctimes.com/news/capital-one-reveals-reasons-quitting-isis-early-role-promoting-hce
Slide labels: dynamic data, software, software protection, contactless, open distribution, data connection
- Wider availability
- Easier (cheaper) issuance
- Less interoperability restrictions
- No hardware-based secure element
- Limited transaction data on device with limited validity period
- Short-lived keys
- Risk informed approach

Impact of the Mobile App World

Mobile App Requirements
- Identification (device / app / customer)
- Authentication (device / customer)
- Authorization (request)
- Confidentiality (customer data / keys)
- Integrity (request)
- Availability (service)
- Auditing (everything)

Development (mobile versus pre-mobile)
- Less niche knowledge required
- Less technological constraints
- Wider choice of supporting libraries
- Significant volume of information available online
- Demand for fast paced, iterative product improvement
- Frequent API change

Testing (mobile versus pre-mobile)
- Generic testing frameworks available
- More features to test
- More security frameworks now part of the product (rather than underlying architecture)
- More iterations to be tested
- Cannot now test all the possible component combinations

Risk (mobile versus pre-mobile)
- More information available to inform decision making
- Cardholder owned device with no provenance
- Base security architecture may be weaker
- Less experienced development teams and proliferation of “code by Google”

Security (mobile versus pre-mobile)
- Modern interfaces
- Graded responses or temporary restrictions
- More information-driven
- More reliant on active monitoring
- Application code open to malicious evaluation
- Many more endpoints, particularly ones accessed by untrusted nodes

Closing Thoughts
- Risk landscapes change
- Good / Bad
- Advancement / Bug
- Business / Outsider
- Not (as) secure versus secure enough
- Financial versus reputational loss
- More data is only useful if you can interpret and act on it

Questions
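Added example (not part of the original slides): a small model of the contactless "amount and velocity limits" contrasted on the Dual Interface Chip and Stickers slides, showing why one form factor falls back to contact and resets its counters while the other can only decline. The class, method names and limit values are constructed for illustration and do not come from any card specification.

```python
from dataclasses import dataclass


@dataclass
class ContactlessCounters:
    has_contact_interface: bool        # True: dual interface card, False: sticker
    max_cumulative_pence: int = 6000   # constructed amount limit
    max_consecutive_taps: int = 5      # constructed velocity limit
    cumulative_pence: int = 0
    consecutive_taps: int = 0

    def tap(self, amount_pence: int) -> str:
        """Decide one low-value contactless payment made without a PIN."""
        over_amount = self.cumulative_pence + amount_pence > self.max_cumulative_pence
        over_velocity = self.consecutive_taps + 1 > self.max_consecutive_taps
        if over_amount or over_velocity:
            # A dual interface card can ask for a contact transaction;
            # a sticker has no such path, so the only safe answer is decline.
            return "USE_CONTACT" if self.has_contact_interface else "DECLINE"
        self.cumulative_pence += amount_pence
        self.consecutive_taps += 1
        return "APPROVE"

    def contact_with_pin(self) -> str:
        """Contact transaction (assumed here to reset both counters)."""
        if not self.has_contact_interface:
            raise ValueError("sticker has no contact interface")
        self.cumulative_pence = 0
        self.consecutive_taps = 0
        return "APPROVE"


def run(card: ContactlessCounters, amounts: list) -> list:
    """Replay a sequence of taps, completing over contact when the card asks."""
    outcomes = []
    for amount in amounts:
        result = card.tap(amount)
        outcomes.append(result)
        if result == "USE_CONTACT":
            outcomes.append("CONTACT:" + card.contact_with_pin())
    return outcomes
```

Running the same six 15.00 taps through both models shows the usability difference: the dual interface card recovers after one contact transaction, while the sticker keeps declining until its counters are updated some other way.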
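Added example (not part of the original slides): a sketch of the Mobile (HCE) slide's "short-lived keys" and "limited validity period", where the device holds only a key that the issuer will honour for one time window and a few uses. The derivation, message format, names and limits are assumptions made for illustration, not any payment scheme's specification.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-issuer-master-key"  # constructed; never leaves the issuer


def derive_limited_key(account: str, window: int) -> bytes:
    """Issuer derives a key that is only valid for one time window."""
    return hmac.new(MASTER_KEY, f"{account}|{window}".encode(), hashlib.sha256).digest()


def device_cryptogram(limited_key: bytes, counter: int, amount_pence: int) -> str:
    """Device authenticates a transaction using only its provisioned key."""
    msg = f"{counter}|{amount_pence}".encode()
    return hmac.new(limited_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer-side checks: expiry, integrity, replay and use count."""

    def __init__(self, window_seconds: int = 3600, max_uses: int = 3):
        self.window_seconds = window_seconds
        self.max_uses = max_uses
        self.seen = {}  # (account, window) -> counters already accepted

    def provision(self, account: str, now: int):
        """Hand the device a key for the current window only."""
        window = now // self.window_seconds
        return window, derive_limited_key(account, window)

    def authorise(self, account, window, counter, amount_pence, cryptogram, now):
        if now // self.window_seconds != window:
            return "DECLINE_KEY_EXPIRED"
        key = derive_limited_key(account, window)
        expected = device_cryptogram(key, counter, amount_pence)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE_BAD_CRYPTOGRAM"
        used = self.seen.setdefault((account, window), set())
        if counter in used:
            return "DECLINE_REPLAY"
        if len(used) >= self.max_uses:
            return "DECLINE_KEY_EXHAUSTED"
        used.add(counter)
        return "APPROVE"
```

A key copied from the device is therefore useful only until the window closes or the use limit is reached, which is the bounded exposure the slide trades against the missing hardware secure element.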