293 Synivers Mobile Banking


8/8/2019 293 Synivers Mobile Banking, 1/30

2009 Javelin Strategy & Research. All Rights Reserved.

The State of Mobile Security in Banking and Financial Transactions

Conducted by Javelin Strategy & Research

September 2009

The State of Mobile Security in Banking and Financial Transactions, September 2009

Overview

Many financial institutions are now incorporating mobile banking and financial services as a key component of their growth strategy, and use of the mobile phone to conduct banking and financial services tasks continues to rise among early adopters. However, among the majority of consumers, security threats are most commonly listed as the primary reason for not trying mobile banking. This white paper will attempt to technically address these largely unfounded consumer security fears while helping to lay a roadmap for financial institutions' successful implementation of mobile banking technology.

Key Questions Explored in This Paper

• Where is the weakest link in the mobile security chain?
• Are mobile security threats the same as online threats?
• How do different operating systems on mobile devices impact security?
• What are best practices to mitigate threats?
• Is mobile viable as a banking and financial services channel, or is the risk too great?

Key Findings

While consumers continue to express concern over using their mobile phone to conduct banking and financial services transactions, it is a fear born more of perception than reality. There are threats, but the security controls available to mitigate risk at this level are substantial and effective. However, security practices will need to continue to evolve as more and more smartphones enter the market running more and more applications, creating an ever growing opportunity for security threats.

I. Executive Summary

The purpose of this paper is to educate the reader on the security threats and vulnerabilities for mobile, especially in the context of the financial services industry. This report highlights the most popular strategies for deploying mobile services, including SMS, client-based applications and the mobile Web, and the benefits and risks to each type of service.

In 2009, mobile phones are commonplace: an estimated 86% of U.S. adults own one. Currently in the U.S., there are 36 million adults accessing mobile banking. Javelin Strategy & Research forecasts that within five years almost half of all mobile phone owners (45%) will be reaching for their mobile phones to conduct banking chores.

Many financial organizations have chosen to deploy mobile banking via SMS, client-based applications, or the mobile Web, either individually or in combination. According to the "2009 Mobile Banking and Smartphone Forecast" by Javelin in September 2009, the following table summarizes the modalities available over the mobile channel.

| SMS/Text | Mobile Web | Downloadable application | Embedded application |
| 100% of phones sold today | 95% of phones sold today are Web enabled, but many require difficult activation; 18% have smartphones, best for viewing | 95% of phones sold today | Not widely available yet |
| FI carrier independent | FI carrier independent | May require FI partnerships with wireless carriers | May require FI partnerships with wireless carriers, mobile handset vendors |
| Relatively less expensive (depending on plan) or approximately $0.20 per message | Requires unlimited data plan | Requires unlimited data plan | Requires unlimited data plan and new phone |
| Easy to set up and use for most consumers | Fairly easy to set up and use for most consumers | More difficult; downloading application is challenging for many | Easiest to set up and use for most consumers, but availability limited |

Source: 2009 Javelin Strategy & Research

For American consumers, two of the biggest factors inhibiting the growth of mobile banking are the fear of data interception by a third party and lost devices. At present, fears of data interception are largely unfounded, in part because the equipment necessary to break into a mobile network is expensive and generally not available to criminals who make quick money elsewhere. Mobile malware, including viruses, worms, and Trojan horses, is OS specific. Additionally, the mobile channel is still too fragmented, with too many handsets and operating systems, for a single virus to claim widespread damage. Although large scale mobile malware is not yet common, there have been several specific viruses written for most of the major operating systems. For example, the Symbian OS has seen its fair share of mobile malware.

Unlike traditional online devices, mobile devices feature a number of ways to communicate with other devices and with the Internet. Bluetooth has become standard, although in most instances it is disabled by default. USB connections and mobile memory cards are vectors that pose more of a risk on the mobile device than on an online PC, because people are more likely to trade MP3s, ringtones, and media files this way. There are also possible but unlikely risks from over the air (OTA) programming, which could rewrite the firmware on a mobile device. Like online, the mobile channel, particularly the mobile Web, must contend with phishing and man in the middle attacks. In addition, there's smishing (phishing conducted over SMS) and vishing (phishing conducted over the voice channel).

Mobile financial services are still in their early days, so this immature market is less attractive to criminals who can realize more profit from the online channel. One factor fueling the growth in mobile banking is the recent increase in customer service plans that offer unlimited text and/or data, which allows for downloaded banking and financial services applications. While this is good for the customer who chooses to receive account information in this way, it is also bad for the customer because attackers can also send more spam, which can lead to phishing and introduction of malware onto the mobile device.

At the mobile gateway, attackers could potentially view or intercept SMS messages while they are in the clear as they travel across the network, although this risk is minimal. Insiders could place sniffers on the network; however, this requires expensive equipment on the part of the attacker.

Mobile threats aren't, however, limited to the various mobile communications channels. If a handset is ever lost, the experience is much like losing your credit card or wallet: valuable information could be compromised. For an enterprise, this could include intellectual property. For an individual, it could include information to access bank accounts as well as ecommerce and healthcare sites. This is one area where secure software development practices could help, limiting the amount of data collected by the handset, and/or securely removing any data once the application is closed.

Finally, this report includes a best practices section and a glossary covering many of the terms used.

II. The Mobile Ecosystem

When talking about the mobile ecosystem, the first line of defense (and often the weakest link in the security chain as well) is the mobile user. Users are largely responsible for physical security (protection against loss), authentication, and maintaining the security of the operating system and applications (downloading only from responsible parties). Customers aren't responsible for implementing the security features; that's the job of the bank or the service provider. Because threats and vulnerabilities can exist in all service layers and with every player, appropriate safeguards must be considered in all of these places as well. The mobile network operators (MNOs) that manage the network are responsible for network security and signaling security (signaling is the channel used by SMS and USSD). Aggregators also play a role in network security because they act as intermediaries between content providers and the mobile network operators.

Each layer of the stack has to be secure. This may seem obvious, but it is complicated by the fact that different players "own" security for different layers in the stack. For example, the handset manufacturer owns security for the handset and the operating system (OS), but the platform vendor owns the security for the application. Since the layers interact, the vendors have to interact as well in order to fully secure the mobile ecosystem and the financial transactions conducted in that ecosystem.

2.1.0. The Stakeholders for Mobile

At the top of the stack is the customer. The customer is the end user (or consumer) who purchases the mobile handset and the service plan and ultimately downloads any applications added to the device. The applications vendor includes financial solutions vendors and the FIs.

Fueling the growth of mobile banking is the recent increase in customer service plans that offer unlimited text and/or data.

The next level of the stack is the service provider. The service provider is the wireless carrier or mobile network operator (MNO), which, in the United States, includes Verizon, AT&T, T-Mobile, and Sprint, as well as a number of smaller players. The MNO is the party that has a license within a country to allocate a certain bandwidth of the radio spectrum to cellular communications.

Just below the service provider is the platform vendor. The platform vendor (for example, Tyfone, MCom, ClairMail) is the party that develops the server (and sometimes client) software used by the bank to provide mobile banking services to the customer. This includes companies like Syniverse Technologies, which acts as an SMS aggregator, working with both the mobile networks and the financial institutions.

[Chart: Q22: What type of wireless plan (data and text) do you currently use? (Select one only). Unlimited data only, 6%; Unlimited text only, 15%; None, I use a prepaid/disposable phone, 17%; Both unlimited data and text, 25%; Under contract, with neither unlimited data nor text, 38%. July 2009, n = 3,000. Base: All consumers with mobile phones. 2009 Javelin Strategy & Research]

Finally, there's the handset manufacturer, which is responsible for the hardware used as well as, in cooperation with the MNO, the underlying operating system. In the United States, this includes Microsoft, Symbian, Apple, Google, and Linux. The same hardware and OS used by different carriers can be configured differently, often to accommodate the specific needs of the carrier.

2.2.0. The Mobile Services Stack

Since the customer is at the top of the stack, education isn't enough; there is also the issue of control. Often the customer is not given enough control over his or her security on the mobile device even when greater control is available. Customization can be found at various levels beneath the customer. These include:

• The application layer, which can be either embedded on the handset or downloaded from the carrier's site, or can make use of the mobile browser.
• The mobile device transport layer, which includes HTTP and TCP/IP from the online world, along with Wireless Application Protocol (commonly referred to as WAP), Short Message Service (SMS), USSD, Bluetooth, and, although technically not a message transport, OTA (Over The Air). These are designed to interact with the Internet or service provider without being connected physically to a network.
• The wireless network, which can be either Global System for Mobile communications (GSM) or code division multiple access (CDMA).
• The operating system platform, which is tightly constrained by the handset's resources.
• And finally, the handset, of which there are many variations on the market today.

III. Mobile Security

While mobile security is similar to online security, it is not identical. Like online security, the mobile channel must contend with phishing, malware, and man in the middle attacks. In addition, there's smishing (phishing conducted over SMS) and vishing (phishing conducted over the voice channel). Despite these threats, if secured properly, the mobile channel is one of the safest. What does securing it properly mean? It means implementing security controls that take advantage of the innate security strengths within mobile. If this isn't done, mobile is no more secure, and probably less secure, than other channels.

For the moment, the threat landscape is favorable to mobile devices. There are many reasons for this. One, mobile financial services are still in their early days. Consumer adoption at 18% isn't fully realized and mobile banking services aren't yet fully functional, e.g., they often don't include the capability to move money. This immature market is less attractive to criminals who can realize more profit from the online channel. Another mitigating factor is the diversity of operating systems, with no one dominant OS. For now the diversity of mobile handsets and platforms makes it harder for criminals to write malware. By contrast, writing a Windows based 32 bit malware application allows the criminal to hit roughly 90% of the online PC market. This will change in the coming years, with increasing market share by the Apple iPhone and as financial institutions offer fuller banking functionality via the mobile channel.

3.1.1. Mobile's Dissimilarity to Online

One area where mobile is dissimilar to online is applications. On the mobile there is a greater likelihood that applications are digitally signed, meaning the vendor has submitted them to the platform vendor for approval. However, this isn't the case for Android, because it is open source, which poses a security concern because there is no approving authority for developers to post applications to the platform. So, for example, a criminal might post a bogus mobile banking app which was really a piece of malware.

Applications on certain mobile devices also run within sandboxes, which isolate the code within the environment, with limited rights. The mobile platform allows for remote device management, with the ability to terminate an application or even the entire device if it is reported lost or stolen, something that is not common with online applications.

3.2.1. Mobile's Strengths and Weaknesses

As with any communications channel, there are relative strengths and weaknesses to mobile devices.

Among the strengths, the mobile device is top of mind with mobile device customers. If a customer leaves home for work in the morning without a mobile device, or without a wallet, which one is he or she most likely to discover missing first? If the handset is ever lost or compromised, it can be remotely deactivated by the carrier. Additionally, particular applications can be deactivated from the server or the entire device can be remote wiped. Currently, for example, enterprise based BlackBerrys and some mobile banking platform vendors offer this feature. This helps mitigate the fact that handsets are easily lost or stolen: Javelin research shows 19% of mobile phone owners have had a handset lost or stolen.

The mobile channel also has the fastest reaction speed to emerging fraud. Because people are more likely to have their mobile devices with them 24/7, they are more likely to be responsive to a fraud alert from their financial institution. Rather than wait until the end of the month to review their paper statement for signs of unusual activity, customers can be notified by their financial institution within hours either via SMS or push e-mail. Furthermore, this method "deputizes the customer," involving them directly in securing their financial accounts. Javelin research shows 80% of all consumers believe this responsibility should be shared between consumers and their financial institutions. This translates to time saved between when the fraud is first instigated and when it is detected. Criminals use time to their advantage, and mobile has the potential to take the time advantage away. (Consumer self detection results in a period of misuse that averages 56 days less than notification by an outside institution.)

Like personal computers, mobile devices can be used as an authentication factor. Authentication can be based on something you have, something you know, or something you are. The mobile handset becomes "something you have." But currently the typical mobile device is less personalized than the typical personal computer, making native device recognition less reliable. One method to increase security is to download a token onto the mobile device that will become its unique identifier. Another method is to contract with the wireless carrier network to identify the device.

Because consumers carry their mobile phones with them 24/7, they can be used to replace one time password generating hardware tokens. Software based one time password (OTP) tokens make more sense, not only because they are more convenient for the consumer to carry, and greatly increase security, but also because the software can be redeployed less expensively over the air. Latest developments to watch for include software that inputs the OTP automatically into the password field, thwarting keylogging malware and increasing ease of use. However, not all handsets have the processor and memory required to generate OTPs.

At the moment there is no dominant mobile operating system or handset vendor. It is harder to write mobile malware than online malware. Similarly, it will be more difficult to educate end users because security vendors will have to produce different anti malware solutions for each variation of OS and hardware.

Mobile platforms and handsets do include the use of PINs for power on and idle timeout (screensaver) recovery. However, these are not enabled by default. Use of a power on PIN or password is a user choice that cannot be enforced from the server. This will require education to inform end users of the value of setting these protections.

Finally, the controlled nature of the mobile networks makes them somewhat safer than the Internet because there are steep hardware costs for attackers to gain access to mobile networks.

Among mobile's weaknesses is data stored on the handset. If the mobile banking application is well written, it should not store sensitive data in the first place, so this risk can be mitigated by using secure software development practices. Additionally, stored usernames and passwords, which may conveniently allow for quick access, need to be adequately protected against unauthorized third party access, especially for such accounts as financial and medical services.

| | Strengths | Weaknesses |
| Mobile Handset | Always present with customer | May store username, password, and personal data |
| | Can be used as an authentication factor | |
| | A PIN can be used to lock the mobile device | Most PIN locks are not enabled by default |
| | One time passwords (OTP) can be generated on the mobile device | Not all mobile devices have the processor and memory required for OTP generation |
| Mobile Operating System (OS) | No dominant OS means the likelihood of malware is less | No dominant OS means it is harder to obtain anti malware software |
| Mobile Network | Steep hardware costs required for attacks | |

3.3.1. Customer Perceptions

What are the biggest factors inhibiting the growth of mobile banking today? For consumers, security consistently remains one of the biggest stumbling blocks to mobile adoption, although usage of the channel seems to allay some of these fears. Nonetheless, almost half of mobile bankers cite security as their main concern (47%).

Mobile banking requires security to support wireless transactions on multiple levels:

• The mobile device itself
• The security of the particular banking application that may be run from the device
• Securing of the data stored on the mobile phone
• Securing or encrypting the data transmitted over the air

Authentication of the customer is needed to guarantee that a legitimate and authorized customer is performing the transaction; authentication of the device guarantees that the transaction is occurring over an authorized mobile device. Finally, authentication of the financial institution to the customer helps avoid phishing scams and other attacks.

[Chart: Security Is the Sticking Point for Consumer Adoption. Q6: You indicated you do not use mobile banking. For what reasons do you not use mobile banking? (select up to three). Other, please specify, 14%; I don't have a formal banking relationship, 1%; Set up process to register accounts, 3%; My bank offers it but I don't have access to it, 4%; New technology, it may not work correctly, 5%; Potential limitations in wireless plans, 6%; It is not offered by my bank or credit union, 8%; Dropped or lost telecommunications connections, 9%; Cost or hidden fees from my bank for using the service, 10%; The cost of data access on my wireless plan, 34%; Security of mobile banking, 42%; I don't see the value of mobile banking, 44%. July 2009, n = 2,396. Base: All consumers with mobile who do not use mobile banking. 2009 Javelin Strategy & Research]

With security as a key driver of consumer acceptance and growth of the channel, it must be given top priority in product and marketing budgets for mobile financial services. Fortunately, for both financial institutions and consumers, the mobile channel can increase banking security if it is deployed correctly: users are able to track their financial information in real time from practically anywhere in the world. Frequent self monitoring of accounts is an effective way for consumers to detect fraudulent transactions and activities. Text message alerts allow users to receive regular updates on account activity, adding another level of security. Half of U.S. consumers believe that text message alerts sent to their mobile handsets are an effective way to fight fraud.

Unfortunately, many myths abound about mobile security. Many customer fears about mobile security turn out to be unfounded. For example, customers frequently cite the interception of data by a third party (73%) as one of their top security concerns with mobile banking. While mobile malware does exist, the risk of having a mobile phone call remotely accessed is almost nonexistent. Nonetheless, once sufficient numbers of consumers are banking on the mobile channel, it will become a larger target for hackers. Mobile Web and dedicated mobile applications are subject to man in the middle attacks, in which the attacker intercepts data between the customer and the financial institution. The Web browser is subject to man in the browser attacks, in which the session interception is done by a Trojan horse as opposed to a human being. While even SMS can be spoofed or compromised, customer education can be effective, as in other channels, to mitigate the risk.

[Chart: Hackers Gaining Access to Mobile Phone Is Top Security Fear. Q35: You mentioned that security was one of your top concerns with mobile banking, what security aspects are you most concerned with? (Select up to three). Other, please specify, 4%; Viruses or spyware on my phone, 39%; Losing my phone or having my phone stolen, 54%; Someone intercepting the wireless signal, 68%; Hackers gaining access to my phone remotely, 73%. March 2008, n = 702. Base: Respondents with mobile banking security concerns. 2008 Javelin Strategy & Research]

3.4.1. Threats, Vulnerabilities and Countermeasures

Mobile phishing takes many different forms. The most common forms used today make use of SMS (smishing), the use of SMS to spread phony URLs, and VoIP (vishing), the use of telephone numbers to lead victims to bogus voice services (such as IVR) that fool victims into believing they're talking with their financial institution. Attackers often send fraudulent SMS messages to large volumes of users, attempting to gain private information. Mobile phishing can affect SMS or Web based banking when messages include a URL or a phone number. Upon calling a phone number, a user may interact with an actual person or a voicemail system, both of which risk exposing that user's personal information.

3.4.2. Broad Threats

Broad threats in the mobile channel include unauthorized access to services or sensitive data. Malicious hacking and damage to the device, denial of service attacks, and Web based attacks have more or less the same threat profile on the mobile as on PCs. Mobile malware is currently platform specific, with only a very few examples of cross platform malware to date. Because of various controls on the mobile device, mobile malware today still requires user interaction. That may not be true with more robust mobile operating systems in the future.

Mobile viruses are one area where user education is an effective mitigation. The fragmentation of the handset, browser, OS and carrier markets makes it hard to design an effective "one message fits all devices" education campaign, although at the end of this report we do offer some best practices.

Javelin believes that the current threat to mobile banking is low. There are many unique devices, browsers and operating systems, which makes it difficult for attackers to target large swaths of customers. It is also one of the reasons most of the mobile viruses today are written for the Symbian OS, which is the most prevalent mobile OS in the world. Javelin believes that the lack of credible threats to financial data may be due to the newness of the financial offerings on mobile.

3.4.3.0 Handset

Unfortunately, the customer may become frustrated with "too much security" when using either the handset or the application security features. The customer may then choose to disable them, or at least try to disable them. The best security features marry convenience with safety: for example, an encrypted handset may allow a consumer to answer certain phone calls without logging in.

In other parts of the world, specifically Japan and South Korea, mobile banking on GSM networks has been in use for several years. Despite its widespread use, the known fraud in mobile banking in Pacific Asia has been low. One feature that contributes to the low fraud rates is the linking of devices to bank accounts through hardware chips. The hardware links the user's bank account to a specific mobile device so that only that specific device can conduct transactions. This can be done by OTA provisioning of the SIM or by use of a smart card. It is slightly more expensive to deploy on CDMA networks.

3.4.3.1 Memory Cards

The use of memory cards with the handset could be problematic. In 2004, a mobile virus known as Skulls used infected memory cards to infect Symbian Series 60 devices. Skulls is a Trojan horse that arrives as an installer for a normal application. Skulls then overwrites existing applications (except those required to communicate), rendering them useless. It replaces mobile desktop icons with images of skulls. Some of the 30 plus variants also install other mobile malware onto the phone.

3.4.3.2 Downloads

The client side environment includes the applications downloaded and installed on the device. These can be signed by either the carrier or the financial institution. Often the applications are sandboxed on the device. The most secure choice for financial institutions is not to send sensitive data to the handset at all. The next best is to delete it at the end of each session, or, if sensitive data is stored on the handset, to encrypt the data.

3.4.3.3 Applications

Enterprises and commercial software developers should employ secure software development best practices. Despite the rigorous testing of mobile applications by various carriers and platforms, some malicious software has leaked into the online application stores. Authentication of the application code could be used to help customers know they are downloading the real banking application. This is a problem with open source software, such as that designed for Android or Linux platforms. Here, no one vets the application, unlike Symbian and Apple.

3.4.3.4 Mobile Browsers

Some of the mobile browsers are subject to the same flaws as PC browsers, such as malicious scripts, man in the browser attacks, cross site scripting (XSS), and cross site request forgery (XSRF). Although they have smaller feature sets, mobile browsers have been subject to attacks in which unauthorized commands are transmitted from a user to a Web site. It is difficult to determine the legitimacy of a URL with a mobile browser: the small form factor makes it incapable of displaying full URLs, or it can take many menus to access the security information of a given site. Most mobile browsers lack support for protections normally available on desktop systems such as URL filtering, phishing toolbars, and secure sockets layer (SSL) or extended validation secure sockets layer (EV SSL) certificates. Based upon these concerns, it seems likely that users of mobile devices have an increased risk of falling victim to a phishing attack when they surf with mobile browsers.

3.4.3.5 Mobile Email

Mobile email clients are often the source of spam, phishing and malware introduction. For example, criminals use the email to SMS gateways that allow the user to send emails instead of spending money sending SMS messages. In this way, criminals can send email to all possible SMS recipients. As a result, SMS gateway providers have responded to abuse by rejecting excessive numbers of messages or fraudulent messages. Filtering is dependent on the cooperation of Internet service providers (ISPs) rather than on defensive tools on mobile devices. Uncooperative ISPs could cause this network filtering to fail. SMS and email protocols allow attackers to send spoofed messages from falsified source addresses. Spoofed email messages are generally more common because anyone can operate a mail server and send email spam. Email to SMS gateways are one option that attackers have abused in the past to send SMS phishing messages.
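One way a gateway operator can implement the rejection of "excessive numbers of messages" described above is to keep a sliding window of each sender's recent traffic and flag both raw volume and runs of consecutive destination numbers, the signature of a source walking a number block to reach "all possible SMS recipients". The Python below is an added example, not the filtering logic of any provider mentioned on this page; the log format, the sample log lines and the thresholds (more than 5 messages per 60-second window, a run of 4 consecutive numbers) are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed gateway log format (constructed for this example):
# ISO timestamp, originating e-mail address, destination number (11 digits).
LINE_RE = re.compile(r"^(\S+) (\S+@\S+) (\d{11})$")

# Constructed sample log: one legitimate alert sender, one source walking a
# block of consecutive numbers, and one ordinary user.
SAMPLE_LOG = """\
2009-09-01T10:00:00 alerts@examplebank.example 15550001111
2009-09-01T10:00:05 promo@bulk.example 15550002000
2009-09-01T10:00:06 promo@bulk.example 15550002001
2009-09-01T10:00:07 promo@bulk.example 15550002002
2009-09-01T10:00:08 promo@bulk.example 15550002003
2009-09-01T10:00:09 promo@bulk.example 15550002004
2009-09-01T10:00:10 promo@bulk.example 15550002005
2009-09-01T10:00:30 alerts@examplebank.example 15550001112
2009-09-01T10:05:00 friend@mail.example 15550003333
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, sender, number), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def longest_consecutive_run(numbers: List[int]) -> int:
    """Length of the longest run of consecutive integers in a sorted list;
    a sender enumerating a number block produces long runs."""
    if not numbers:
        return 0
    best = run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_abuse(log_text: str, window_seconds: int = 60,
                 max_per_window: int = 5,
                 min_sequential_run: int = 4) -> Dict[str, Dict[str, int]]:
    """Stream the log once, keeping a sliding window of recent messages per
    sender. Flags a sender on volume (more than `max_per_window` messages in
    the window) and on enumeration (a run of consecutive destination numbers
    at least `min_sequential_run` long). Returns the peak value per reason."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    flagged: Dict[str, Dict[str, int]] = defaultdict(dict)

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, number = parsed
        q = recent[sender]
        q.append((ts, int(number)))
        while q and ts - q[0][0] > window:  # drop messages outside the window
            q.popleft()

        if len(q) > max_per_window:
            flagged[sender]["volume"] = max(flagged[sender].get("volume", 0), len(q))
        run = longest_consecutive_run(sorted(n for _, n in q))
        if run >= min_sequential_run:
            flagged[sender]["sequential"] = max(flagged[sender].get("sequential", 0), run)
    return dict(flagged)


if __name__ == "__main__":
    for sender, reasons in detect_abuse(SAMPLE_LOG).items():
        print(sender, reasons)
```

The enumeration check fires before the volume check does (at the fourth consecutive number rather than the sixth message), which is the point: a low-and-slow sender that stays under the rate limit still stands out when its destinations march through a block. Both thresholds live in the signature, so an operator can tune them per sender class; the legitimate alert sender in the sample, with two messages 30 seconds apart, is never flagged.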

3.4.3.6 Mobile IM (MIM)

Mobile IM (MIM) is subject to threats similar to those found on the PC desktop. Phishing and malicious URLs are the problem.

Some legitimate financial services may suffer from user doubt and uncertainty related to sending legitimate SMS messages because of the potential for attackers to send spoofed messages. Financial organizations should avoid repeating the mistakes they made with email, which have caused some to abandon contacting their clients through email altogether. To gain the user's trust, financial service providers may choose to avoid sending phone numbers, SMS numbers or URL links. Combining these restrictive measures with user education campaigns can limit the effectiveness of phishing attacks.

[Figure: diagram labels: Encryption; Client; VPN; Cellular infrastructure; SMS, carrier, and other gateways; Bulk SMS provider; E-Mail gateway]

  • 8/8/2019 293 Synivers Mobile Banking

    16/30

    TheStateofMobileSecurityinBankingandFinancialTransactionsSeptember2009 16

    III.MobileSecurity

3.4.3.7 Voice

Phishers also often spoof the source email address and use a large number of different phone numbers to perform vishing. Vishing is the criminal practice of using social engineering over the telephone, both land-based and mobile. Fraudulent vishing messages on the mobile are similar to vishing attacks online and contain a phone number that a victim calls upon receiving the message. There are many examples of vishing attacks that use voicemail systems to steal user information, including bank account information. In January 2008, the Facebook application "secret crush" began phishing users by requesting their mobile phone numbers through the social networking Web site. Subsequently, it would send users messages from a premium SMS service that cost $6.60 per message, according to one user afflicted by the scam. Users who reply to the premium-rate number (19944989) receive charges on their mobile phone bills.

[Figure: How Vishing Works]

3.4.4 Operating Systems

Educating users about operating system features and encouraging them not to install software from unofficial sources can help to mitigate mobile threats.

3.4.4.1 Symbian

The Symbian OS, an open industry standard with the greatest global market share, has been the most targeted by malware so far. The best known of these is the Cabir worm, discovered in June 2004. The Cabir worm was developed as a proof-of-concept virus by Group 29A (an international group of programmers) and has spawned at least fifteen variants. A proof-of-concept virus is developed by programmers to demonstrate existing vulnerabilities in software, and is often sent to the manufacturer or an antivirus firm, rather than being used maliciously. The original worm spread over Bluetooth connections on Symbian Series 60 mobile phones, arriving in the inbox as a caribe.sis file. The user has to accept the file, and it spreads slowly because it is capable of infecting only one other phone per activation or reboot. In August 2004, Mquito, the first Trojan to target Symbian, appeared in an illegal version of a game by Ojun called Mosquito. Each time the game was played, the Trojan would send a premium SMS message. In an ironic twist, it was discovered that the Trojan had been placed by the developer Ojun itself, with the premium SMS call going to Ojun to notify the firm whenever an illegal version was played or the game was run on an unregistered mobile phone. While it worked as planned, a significant number of legitimate users were also affected with premium SMS charges, so Ojun ended up cancelling the premium number and re-releasing the game without the Trojan.

To combat malware, Symbian adopted a digital signature program; all mobile applications would have to be approved by Symbian before they could be installed on a Symbian phone. On or before Feb. 4, 2009, Chinese mobile phone users began reporting a new virus that affects Symbian S60. All code on S60, third edition, must be signed, and this virus is no exception; it uses a certificate from Symbian licensed to "ShenZhen ChenGuang WuXian." After a user installs the program, it spreads to other users by sending SMS messages that contain URLs for users to download and install the code. The "SexyView" virus attempts to persuade recipients to download and install a Symbian Installer file (SISX) at the URL, but it does not use any exploits to install such files automatically. Such mistakes show the limitations of platform download stores or signature programs.

3.4.4.2 Windows

In the lucrative U.S. market, Windows Mobile has held a slim lead in user numbers, making it a target as well. WinCE.Duts, discovered in July 2004, is another proof-of-concept virus developed by Group 29a for mobile devices running under Windows CE for pocket PCs. While it requires user confirmation to download, Duts can infect mobile devices via email, mobile Web, and through the synchronization or Bluetooth protocols.

Arriving in September 2005, Cardtrap is the first known cross-platform virus, in which the main goal is to infect the user's PC. Cardtrap is disguised as an installer for a normal program, but once it's accepted, it installs other malicious codes and corrupts existing applications. When the phone's infected memory card (multimedia card or E drive) is inserted into the PC in an attempt to remove the virus on the phone, malicious code (e.g., worms, Trojans, backdoors) is transferred to the PC, among them a virus that disables security on the PC.

In early 2008, a new WinCE Trojan called InfoJack insidiously appeared inside legitimate installer packages like Google Maps as an option. This Trojan disables Windows Mobile security so that other unaccredited applications can be installed without permission. It then sends the serial number, operating system information, and other data to a Web site in China. In early 2009, HTC devices running Windows Mobile 6 and Windows Mobile 6.1 were prone to a directory traversal vulnerability in the Bluetooth OBEX FTP service. Directory traversal allows an attacker to exploit inadequate security to input file names, allowing software to access files that are not supposed to be accessible. Successful exploitation allows an attacker to list directories and write or read files for execution.
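The directory traversal class of bug described above comes down to how a file service resolves a client-supplied name against the folder it is allowed to serve. The following is an added example, not code from the Javelin paper or from any HTC or OBEX implementation: a naive resolver of the shape that produces the bug, beside a hardened resolver that confines every request to the share root, plus a helper a service can use to log traversal attempts. The share root path and the request names are constructed for the illustration.

```python
import os
import tempfile

# Constructed sandbox root for the illustration; a real file service would use
# its configured share directory. realpath() so later comparisons are canonical.
SHARE_ROOT = os.path.realpath(os.path.join(tempfile.gettempdir(), "obex_share_example"))


def resolve_unsafe(root, requested):
    """Naive join-and-normalise. This is the pattern that lets "../" or an
    absolute name escape the share; kept only to contrast with resolve_safe."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_safe(root, requested):
    """Resolve a client-supplied name and refuse anything outside root.

    Returns the canonical absolute path, or None when the request is rejected.
    Rejects empty names, NUL bytes and absolute paths up front, normalises
    backslashes so "..\\" is treated like "../", then canonicalises with
    realpath (which also follows symlinks) and checks the result is root itself
    or lies strictly under root + separator (so a sibling such as root2 fails).
    """
    if not requested or "\x00" in requested:
        return None
    name = requested.replace("\\", "/")
    if name.startswith("/"):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def is_traversal_attempt(root, requested):
    """True when naive resolution would leave root: a cheap signal for a
    service to log or alert on, independent of whether the request is served."""
    naive = resolve_unsafe(root, requested)
    return not (naive == root or naive.startswith(root + os.sep))


if __name__ == "__main__":
    for name in ("photos/pic.jpg", "../../etc/passwd", "..\\..\\Windows\\system.ini", "/etc/passwd"):
        print(f"{name!r:36} safe={resolve_safe(SHARE_ROOT, name)} attempt={is_traversal_attempt(SHARE_ROOT, name)}")
```

The important detail is comparing canonical paths with the trailing separator included; a plain prefix check on the un-normalised string is exactly the "inadequate security" the paragraph refers to.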

3.4.4.3 Palm

Palm, although having a smaller footprint worldwide, is not immune to vulnerabilities. In 2009, Palm issued updates for its new Palm Pre model. Among the issues addressed was a denial of service when a user clicked overlong URLs (greater than 4,063 characters). Attackers could have distributed an exploit for this through email, MIM, or SMS.

3.4.4.4 iPhone

At Black Hat USA 2009, researchers showed how one could use a malicious SMS message to shut down the ComCenter in the Apple iPhone. The attack would not only disable SMS, but also WiFi and 3G service on the device. Apple has since fixed this particular vulnerability. The researchers were also able to perform similar attacks on Google Android and Windows Mobile. The researchers had not yet had the time to study the Palm Pre.

3.4.4.5 BlackBerry

In early 2009, a vulnerability was announced that could allow criminals to take control of the servers running BlackBerry systems. It worked by sending emails with tainted attachments within Adobe Systems' PDF format. If the customer opened one of these compromised PDFs, it attempted to install malicious software on the server so that criminals could then use that server to send spam or steal corporate or personal data.

3.4.4.5 Android

In some ways the open source Android platform is more secure than other operating systems. By design, its OS uses the sandbox approach, which isolates code injected into the browser from other parts of the mobile system. That hasn't stopped research into vulnerabilities. In early 2009, security researcher Charlie Miller discovered a way that allows criminals to take control of the phone's Web browser. If compromised, the browser's credentials and history could be visible to a remote hacker. No word on whether this vulnerability has been patched.

3.4.4.6 Linux

Linux has a very small footprint on the market, and thus less incentive for attack. A few years ago, Motorola, NEC, NTT DoCoMo, Panasonic Mobile Communications, Samsung Electronics and Vodafone banded together to form the LiMo Foundation, an industry group dedicated to providing the first open, hardware-independent, Linux-based OS. One of its purposes is to seek participation from application and middleware vendors for the nascent operating system.

3.4.4.7 J2ME mobile phones

Not really an operating system, Sun's Java 2 Micro Edition (J2ME) allows devices with limited hardware resources (with as little as 128K of RAM and processors less powerful than desktop


institution, he or she might be able to masquerade as the user and conduct important transactions. Organizations should avoid requesting or sending full account numbers or other information necessary for an attacker to conduct transactions through email or SMS messages.

3.4.5.5 Bluetooth

Bluetooth is a short-range wireless protocol that includes a promiscuous feature. OBEX is designed to allow Bluetooth devices to discover other Bluetooth devices in the area, then connect to them. While it works well when connecting a wireless headset to a mobile device, Bluetooth protocols can also be used to connect to a mobile device with unfortunate results when malware is involved. Bluejacking and bluesnarfing are two methods in which an attacker can approach a victim, connect via Bluetooth, and dial premium phone numbers or create a denial of service attack without the victim realizing it. As a result, many phones today disable Bluetooth by default. The risk of this activity is low because it requires a combination of Bluetooth being enabled, physical proximity, and malicious intent. The Cabir worm, discussed earlier, was discovered in June 2004 and has spawned at least fifteen variants. The original worm spread over Bluetooth connections on Symbian Series 60 mobile phones, arriving in the inbox as a caribe.sis file. The user had to accept the file, which spreads slowly because it is capable of infecting only one other phone per activation or reboot. The Mabir.A is a later variant that spreads through either Bluetooth or MMS messaging. It spreads by intercepting all SMS and MMS messaging, then immediately sending an MMS message containing the virus to the initial sender. The recipient, who assumes the new infected message is a reply to the original message, must accept the download before becoming infected. Mabir.A, like the original Cabir, can also spread through Bluetooth, searching for a nearby phone to send the virus. The MMS variant is more troubling because MMS allows for the virus to be sent over greater distances and the costs for MMS messaging are higher, but the malware is still limited to one phone per activation or reboot. This will be a bigger threat for mobile payments than for mobile banking.

3.4.5.6 OTA

Over-the-air programming (OTA) allows for over-the-air provisioning or administration of new software updates or feature settings. Some phones with this ability are labeled as OTA capable. OTA via SMS optimizes the SIM settings on a mobile device to access WAP or MMS. OTA provides a remote control for service and subscription activation, personalization or programming of new features. Various standards exist, including the Open Mobile Alliance (OMA).

3.4.5.7 USSD

Unstructured Supplementary Service Data (USSD) is a real-time or instant messaging service available on all GSM phones. If SMS is similar to email, then USSD is similar to telnet. For financial institutions, it is used to query the available account balance and other similar information. USSD is not used in the United States.


3.4.6.0 Network

Examples of a network attack would include an insider (employee) of the service provider or an attacker who is able to gain access to the network. While the likelihood of an occurrence of an attacker gaining direct access to a network seems low, there are a few examples in which insider threats affected mobile phones. In 2007, Vodafone Greece was hacked. Software extensions installed on the Ericsson AXE switching equipment permitted eavesdropping on government phone calls.

3.4.6.1 GSM

More serious is the recent cracking of the encryption used on GSM in other parts of the world, but not yet in North America. Several researchers and organizations have published research showing how to break the A5/1 and A5/2 encryption algorithms to intercept and decrypt traffic through such encryption. Both active and passive techniques exist; the passive technique is much harder to detect because it avoids sending any additional traffic and only listens. Third parties sell devices such as the "Passive GSM Interception System (SCL5020)," to spy on communications when they use weak or no encryption (A5/0 and A5/2); however, the cost to hack GSM is still substantial.

3.4.6.2 CDMA

CDMA transmissions remain slightly harder to crack than GSM transmissions. That is in part because of the underlying CDMA schema that assigns each transmitter a code, then multiplexes the codes over the same channel. This allows the system to handle more users with fewer cellular towers.

3.5.0. MNO network

With the right tools, a criminal could gain access to the MNO network.

3.5.1. Transport (including gateways)

The WAP gateway converts messages from the WAP device using WTLS sent over the wireless network to SSL/TLS to be sent over the wired Internet to the server. At the WAP gateway, fraudsters could potentially view or intercept enterprise traffic or data, but the risks of such an event(s) are relatively minimal. WAP 2.0, adopted in 2002, is expected to help because the signals are sent via TLS, hence no reason to translate, no gap to mitigate.

3.5.2. Network

Like online, mobile IP networks are also subject to denial of service attacks. In one attack, a cable modem with 500 Kbps could be used to send data packets that would block access to more than one million mobile device users.[2] The packets themselves would:

- Re-establish connections after they have been released. This would create congestion at radio network controllers, thereby causing problems for legitimate subscribers.
- Prevent a mobile device from going into sleep mode. This could overload the network with extra traffic.
- Place rogue devices on a network. This would also create spurious traffic that might be hard to locate.
- Excessive port scanning. This could be both an intended and unintended result of connected devices that are infected with computer malware.

[2] http://www.theregister.co.uk/2009/06/08/mobile_dos_threat/
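Two of the traffic patterns in the list above (repeated connection re-establishment and excessive port scanning) are visible to the operator as aggregate behaviour per subscriber, which is where detection belongs. The following is an added example, not from the Javelin paper or from any operator's tooling: a sliding-window detector for connect storms and a distinct-port counter for scans, run over a constructed log whose format (timestamp, event, subscriber, optional destination) is assumed for the illustration and is not a real RNC or firewall format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (not a real RNC or firewall format):
#   <ISO-8601 timestamp> event=<RRC_CONNECT|RRC_RELEASE|FLOW> sub=<subscriber> [dst=<ip>:<port>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) sub=(?P<sub>\S+)"
    r"(?: dst=(?P<dst>[\d.]+):(?P<port>\d+))?$"
)


def build_sample_log():
    """Constructed sample, not carrier data: sub-A tears down and re-establishes
    its radio connection every two seconds, sub-B sweeps twenty ports on one
    host, and sub-C behaves normally."""
    lines = []
    for i in range(12):
        lines.append(f"2009-06-08T10:00:{2 * i:02d}Z event=RRC_CONNECT sub=sub-A")
        lines.append(f"2009-06-08T10:00:{2 * i + 1:02d}Z event=RRC_RELEASE sub=sub-A")
    for port in range(20, 40):
        lines.append(f"2009-06-08T10:01:{port - 20:02d}Z event=FLOW sub=sub-B dst=10.9.8.7:{port}")
    lines.append("2009-06-08T10:02:00Z event=RRC_CONNECT sub=sub-C")
    lines.append("2009-06-08T10:02:05Z event=FLOW sub=sub-C dst=10.9.8.7:443")
    return lines


def parse_line(line):
    """Return a dict with a parsed timestamp, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_reconnect_storms(lines, window_seconds=60, threshold=10):
    """Subscribers whose RRC_CONNECT count inside some sliding window reaches
    the threshold. Returns {subscriber: peak connects seen in one window}."""
    connects = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "RRC_CONNECT":
            connects[rec["sub"]].append(rec["ts"])
    flagged = {}
    for sub, stamps in connects.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it is within window_seconds of ts.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[sub] = peak
    return flagged


def detect_port_scans(lines, threshold=15):
    """(subscriber, destination host) pairs that touched at least `threshold`
    distinct destination ports. Returns {(sub, dst): distinct port count}."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "FLOW":
            ports[(rec["sub"], rec["dst"])].add(int(rec["port"]))
    return {key: len(p) for key, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    print("reconnect storms:", detect_reconnect_storms(log))
    print("port scans:", detect_port_scans(log))
```

The thresholds are placeholders; an operator would set them from the normal per-subscriber baseline, and a scan detector in practice would also age out old ports so a long-lived device is not flagged for ordinary traffic accumulated over days.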

3.5.3. Physical

Enterprises should consider mobile device management software. This allows enterprises to manage the mobile device remotely, as well as wipe the contents should the handset be lost or stolen. Such software also allows for secure VPN access to the corporate network or mail server. The software should work both ways: protecting the data on the handset should the device be lost or stolen, and protecting the network from mobile intrusions via handset activity.


IV. Security Best Practices

4.1.1. Best practices: General

Similar to URLs, most phones also convert phone numbers from SMS messages into links to easily place calls. Financial institutions may consider using phone calls as an additional verification technique. Caller ID remains an unreliable source, and better methods, such as device recognition, are preferred. It is harder to transfer transaction information over the phone; therefore, this method is not preferred for secondary verification.

Analysts should evaluate critical SMS services for SMS spoofing vulnerability and persistent log storage. Applications may choose to avoid sending full account numbers, which could reveal more information than necessary. While there are attacks that allow the attacker to intercept messages, spoofing is another more likely problem that could impact applications when they act upon fraudulent information. Applications can perform handshakes or two-factor authentication with other protocols such as OTP, email and telephone.
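The one-time-password handshake mentioned above is worth seeing concretely, since the reason it resists a spoofed or replayed SMS is the counter. The following is an added example, not code from the Javelin paper: an HOTP generator and verifier per RFC 4226 (HMAC-SHA1 over a counter with dynamic truncation), with a bounded look-ahead window and a constant-time compare. The same verifier serves a token-generated code or a code the institution delivered to the customer over email or telephone. The secret below is the RFC 4226 test-vector secret, not a production key.

```python
import hashlib
import hmac
import struct

# Test-vector secret from RFC 4226, used here only so the output is checkable.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, presented: str, last_counter: int, look_ahead: int = 5):
    """Accept `presented` only if it matches one of the next `look_ahead` codes
    after the last counter already consumed. Returns the counter to persist as
    the new last_counter, or None on failure. Codes at or below last_counter are
    never accepted, so a code captured from an earlier message cannot be replayed.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), presented):
            return counter
    return None


class SecondFactorSession:
    """Minimal server-side state for one customer: the shared secret and the
    last counter consumed. The application sends the customer a challenge over
    the second channel and later checks the reply. Constructed for illustration."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0

    def issue_challenge(self) -> str:
        """Code to deliver over email or a phone call; the counter advances once
        the customer answers, not when the challenge is issued."""
        return hotp(self.secret, self.last_counter + 1)

    def complete(self, presented: str) -> bool:
        found = verify_hotp(self.secret, presented, self.last_counter)
        if found is None:
            return False
        self.last_counter = found
        return True


if __name__ == "__main__":
    session = SecondFactorSession(RFC4226_TEST_SECRET)
    code = session.issue_challenge()
    print("challenge:", code, "accepted:", session.complete(code), "replay:", session.complete(code))
```

Persisting `last_counter` after every successful check is what makes the replay rejection real; a verifier that compares against a fixed counter gives an attacker who intercepts one message the same power the paragraph warns about.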

While SMS has some threats, none of them are significantly more risky than email, which many financial institutions use for validating transactions. In addition to the user advice to avoid trusting fraudulent messages, service providers can filter messages. The following sections discuss controls available to SMS gateway providers to prevent spam and spoofing.
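Sections 3.4.3.6, 3.4.5 and 4.1.1 all give the same advice for an institution's outbound messages: do not send full account numbers, phone numbers or URL links, so that a genuine alert never resembles a lure. That is easy to enforce mechanically before a message reaches the gateway. The following is an added example, not from the Javelin paper: a linter that flags those elements (and the 160-character SMS limit the glossary cites) and a masking helper that leaves only the last four digits of any long digit run. The rules, regexes and sample messages are constructed for the illustration.

```python
import re

# Constructed policy rules; an institution would tune these to its own message templates.
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
# North American style numbers with separators, e.g. 1-800-555-0199 or (555) 010-0199.
PHONE_RE = re.compile(r"(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
# Any unbroken run of eight or more digits is treated as a possible full account number.
ACCOUNT_RE = re.compile(r"\b\d{8,}\b")
SMS_MAX_LEN = 160


def lint_outbound_sms(text):
    """Return the policy rules an outbound message violates (empty list = clean)."""
    findings = []
    if URL_RE.search(text):
        findings.append("url")
    if PHONE_RE.search(text):
        findings.append("phone_number")
    if ACCOUNT_RE.search(text):
        findings.append("full_account_number")
    if len(text) > SMS_MAX_LEN:
        findings.append("over_160_chars")
    return findings


def mask_account_numbers(text, keep=4):
    """Replace every long digit run with asterisks, keeping the last `keep` digits."""
    return ACCOUNT_RE.sub(lambda m: "*" * (len(m.group()) - keep) + m.group()[-keep:], text)


# Constructed sample messages: the first breaks every rule, the second is the
# same alert written the way the paper recommends.
BAD_ALERT = ("Alert: a withdrawal of $250.00 posted to account 1234567890123456. "
             "Call 1-800-555-0199 or visit http://example.com/verify")
GOOD_ALERT = ("Alert: a withdrawal of $250.00 posted to the account ending in 3456. "
              "Reply HELP for assistance.")


if __name__ == "__main__":
    for msg in (BAD_ALERT, GOOD_ALERT):
        print(lint_outbound_sms(msg), "|", mask_account_numbers(msg))
```

Running the linter at template-approval time rather than per message keeps it out of the send path; the masking helper is a fallback for free-text fields that operators fill in by hand.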

4.1.2 Best Practices: Handset

Client applications can be one of the most secure mechanisms for conducting critical transactions but could still contain vulnerabilities or be subject to mobile threats. Authors have more control of network protocols and options to use encryption. They can destroy temporary data and encrypt locally stored sensitive data. Critical applications may allow organizations to support special functionality such as profiling and registering a device and verifying the system integrity. Certain features may be available through the operating system rather than through a custom-designed application. While such control is potentially beneficial, it requires investment in multiple operating systems and platforms. Maintenance and development costs may be higher than other solutions and require more support.

4.1.3. Best Practices: Network

Many ISPs automatically attempt to limit phishing and fraud to mobile devices because they bill users per message. Providers may decide to block a known SMS gateway provider because attackers commonly use them to send spam or spoofed messages. Similarly, SMS service providers may monitor message contents and work with financial institutions to prevent such messages from reaching end devices. The current state of SMS filtering can help organizations that reach out to service providers to prevent threats at the network level rather than at the devices themselves. However, SMS filtering may add latency and involve regulatory requirements around data storage.

Several options are available at SMS and email gateways to limit spam, spoofed messages or otherwise unwanted messages. Network options include:

- End-user blocklists
- Whitelisting
- Content-based detection
  - Regular expressions
  - URL reputation
  - Source SMS/phone number
- Legal action
- Limit outgoing spoofed messages

Many of the controls to prevent unwanted SMS messages are reactive and filter incoming or outgoing messages. Some providers allow users to block specific organizations or numbers manually through an SMS or HTTP interface. These approaches are less reliable than SMS gateway controls because they depend on the user to block each message after it arrives and do not prevent spoofed messages.

Gateways also monitor the volume of SMS messages they send and receive. In this way, they limit fraudulent messages and identify when actors attempt to contact large numbers of inactive recipients. Contacting inactive recipients can indicate a user who is sending messages to every possible recipient. Messages originating from premium numbers are another type of message that some SMS gateway providers may filter. This prevents actors from sending messages from premium numbers because users incur bills when they reply.

Email-to-SMS gateways also have many controls to prevent abuse. They accept messages from email accounts and forward them to SMS recipients. Traditional filtering techniques for email such as Sender Policy Framework, blocklists, open relays and message attributes are all ways that email-to-SMS gateways limit unwanted SMS messages.

SMS gateways also have the ability to allow known good services to send messages. Financial institutions that use SMS services can make information public, which allows gateways to confidently whitelist their services.
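The gateway controls listed in this section (whitelisting a published short code, sender blocklists, premium-number sources, URL reputation, regular-expression content rules, and volume monitoring against inactive recipients) combine naturally into one decision pipeline, and the order matters: a whitelisted bank's genuine "card locked" alert must survive a content rule that would otherwise catch it. The following is an added example, not from the Javelin paper or from any gateway vendor: a batch filter that applies those controls in that order. Every list, short code, domain, number and message below is constructed for the illustration; the 1900 premium prefix, the 50% inactive-recipient ratio and the five-message volume floor are assumed thresholds.

```python
import re
from collections import Counter

# Constructed reference data; a gateway would load its own feeds and subscriber base.
KNOWN_GOOD_SENDERS = {"32665"}             # short code an institution has published
BLOCKED_SENDERS = {"+15550001111"}         # sender blocklist
PREMIUM_PREFIXES = ("1900",)               # assumed premium-rate number prefix
BAD_DOMAINS = {"examplebank-verify.test"}  # URL reputation feed
ACTIVE_SUBSCRIBERS = {"+15551230001", "+15551230002", "+15551230003"}

URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
# Content rule: an account/card word followed by a pressure word, used only
# together with a URL so ordinary conversation is not caught.
LURE_RE = re.compile(r"\b(account|card)\b.*\b(suspended|locked|verify)\b", re.I)


def classify(msg):
    """Per-message decision: 'allow:whitelisted', 'allow', or 'block:<reason>'.
    Whitelist first, then source checks, then URL reputation, then content."""
    sender, body = msg["from"], msg["body"]
    if sender in KNOWN_GOOD_SENDERS:
        return "allow:whitelisted"
    if sender in BLOCKED_SENDERS:
        return "block:sender_blocklisted"
    if sender.lstrip("+").startswith(PREMIUM_PREFIXES):
        return "block:premium_source"
    for domain in URL_RE.findall(body):
        if domain.lower() in BAD_DOMAINS:
            return "block:url_reputation"
    if LURE_RE.search(body) and URL_RE.search(body):
        return "block:content_rule"
    return "allow"


def filter_batch(messages, min_volume=5, max_inactive_ratio=0.5):
    """Apply classify() to a batch, then the volume control: a sender that hits
    the volume floor and mostly targets inactive numbers is blocked across the
    batch, the 'messaging every possible recipient' pattern the text describes."""
    totals = Counter(m["from"] for m in messages)
    inactive = Counter(m["from"] for m in messages if m["to"] not in ACTIVE_SUBSCRIBERS)
    decisions = []
    for m in messages:
        decision = classify(m)
        if decision == "allow":
            s = m["from"]
            if totals[s] >= min_volume and inactive[s] / totals[s] > max_inactive_ratio:
                decision = "block:inactive_recipient_volume"
        decisions.append(decision)
    return decisions


# Constructed batch covering each control once, plus one harmless message.
SAMPLE_BATCH = [
    {"from": "32665", "to": "+15551230001", "body": "Your card ending 3456 was locked. Reply HELP for assistance."},
    {"from": "+15550001111", "to": "+15551230002", "body": "hello"},
    {"from": "19005551234", "to": "+15551230003", "body": "Call me back"},
    {"from": "+15550007777", "to": "+15551230001", "body": "Your account is suspended, verify at http://examplebank-verify.test/login"},
    {"from": "+15550007777", "to": "+15551230002", "body": "Your account is locked; verify at http://other.test/x"},
] + [
    {"from": "+15550008888", "to": to, "body": "Free ringtone! Reply YES"}
    for to in ("+15551230001", "+15551230002", "+15551230004",
               "+15551230005", "+15551230006", "+15551230007")
] + [
    {"from": "+15550006666", "to": "+15551230001", "body": "See you at 7"},
]


if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_BATCH, filter_batch(SAMPLE_BATCH)):
        print(f"{decision:34} {msg['from']:>13} -> {msg['to']}: {msg['body'][:40]}")
```

The whitelisted alert in the first row would have matched the content rule; putting the published short code first is what lets the institution keep sending plain-language security alerts while the same wording from an unknown sender is dropped.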


4.1.3. Best Practices: Customer Security Awareness

The techniques to spread viruses and worms on mobile platforms to date are limited. Attackers generally do not use exploits to install mobile malicious code on phones but depend more on social engineering or physical access to install malicious programs. In those cases, educating users about potential threats, operating system features, code signing, and encouraging users not to install software from unofficial sources can help mitigate the threats. Additionally, users must update mobile phone operating systems and software to take advantage of the most recent security features that reduce their risk of being a victim to malicious mobile code.

Spoofed messages could entice users to take an unwanted action or reveal personal information. Users should review official documents showing how the providers plan to communicate with them to prevent themselves from becoming victims and to help them identify fraudulent messages.


V. Conclusions

Despite the move by many carriers to provide unlimited text and data plans, many customers project their banking experiences with phishing and malware in the online channel onto the mobile channel. That is incorrect. There are some significant differences, and some additional safeguards, present in the mobile channel. If implemented, the mobile channel can be safer than the online channel for commerce and financial transactions.

By working together, the handset manufacturers, operating system vendors and browser vendors can enable security features and disable additional controls by default. In turn, the network provider can work with the browser and financial services software vendors to ensure that secure communications can be provided between clients and servers. Finally, user education is the best way to mitigate the threat of mobile viruses. As malware moves away from requiring user interaction, however, additional anti-malware protection for the mobile on the handset may be necessary.

Although the mobile threat landscape remains relatively quiet compared to its online cousin, the potential for fraud to enterprises still exists in the form of phishing, smishing, and vishing. Here, network providers may decide to block a known SMS provider because attackers commonly use them to send spam or spoofed messages.

Additionally, the growing adoption of full-featured smartphones will increase the risks of cross-site scripting and cross-site request forgeries, the current bane of the online world, as attackers find new ways to push out malicious commands to mobile browsers. Here, use of URL filtering, phishing toolbars, and SSL or EV SSL certificates in future mobile browsers should mitigate this threat.


VI. Glossary

IM: Instant messaging, a form of real-time communication over the Internet based on typed text.

IVR: Interactive voice response, a type of phone technology that allows a computer to detect voice and touch tones to relay information automatically.

Keylogger: A stealth application that monitors and records each keystroke a user makes.

Man-in-the-middle attack: Attack that intercepts legitimate communication between two entities, such as a bank and a client. While the attacker has the intercepted communication, it can change the communication or even redirect it to a new site that the attacker controls. Typically, the two entities have no idea the man in the middle exists.

Man-in-the-browser attack: A Trojan designed to intercept and manipulate data flowing between a browser and a site's security. Most commonly these Trojans are used to commit financial fraud.

MFA: Refer to Multifactor Authentication.

MMAP: Mobile Messaging Access Protocol, a protocol for sending SMS messages.

MMS: Multimedia Messaging Service, standard for sending multimedia objects (rich text, video, audio and images) over wireless telephones similar to SMS.

MNO: Mobile Network Operator, also known as carrier service provider or wireless service provider.

Multifactor Authentication: Using at least two factors for authorization for security; e.g., for financial institutions, MFA is mandated by the FFIEC for Internet banking.

OATH: According to the organization, "an industry-wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication."

OTA: Over the air, that is, transmitted wirelessly.

OTP: One-time password; by constantly altering the password, the risk of unauthorized intrusion is lessened.

PKI: Public Key Infrastructure, a cryptographic secure key exchange to authenticate and download an account.

PKI Public Key Cryptography: Type of asymmetric cryptography in which the key used for encrypting a message differs from the decryption key.

Platform: Hardware architecture or software framework that allows software to run, e.g., an operating system is a platform.

Phishing: The practice of sending false emails that typically look like they came from a legitimate business, requesting private information, often via a click-through to another Web site that the crook has set up to look legitimate, but which is actually harvesting information.


Pharming: A hacking attack that redirects a Web site's traffic to another, false Web site.

Pretexting: The action of obtaining private personal information under false pretenses, often done over the phone, using prior information to gain new information, such as using an account number to gain a Social Security number.

PSKC: The standardization of the seed token by the Internet Engineering Task Force (IETF), known as Portable Symmetric Key Container. This will allow any vendor to seed its token with any other vendor's seed.

Redirects: Sending users to a Web site that impersonates another site. For example, making main pages available under many different URLs has opened up redirect vulnerability. URL redirects are often used in phishing attacks.

SHTTP: Secure HTTP, an extension to HTTP protocols to send secure communications over the Web.

SaaS (Software as a Service): A software application hosted by an ASP and accessed by users over a network, often employing a subscription or pay-per-use business model.

SDK (Software Development Kit): Programming tools to allow software engineers to build applications for a certain device or operating system (i.e. mobile devices, mobile device operating system).

SMS (Short Messaging Service): Communications channel allowing the exchange of short text messages.

SMS Text Banking: Mobile banking performed over the SMS text network, which is available on 100% of mobile phones, but is limited to 160 characters. (Also referred to as Text Banking/SMS Text/SMS Banking.)

SMTP (Simple Mail Transfer Protocol): Standard for email transmissions over the Internet, text-based protocol.

SSL (Secure Sockets Layer): An encryption standard used to provide secure communications over the Internet for applications such as Web browsing, email, instant messaging, and other data transfers.

SMPP: Short Message Peer-to-Peer Protocol, a standard for SMS messaging, which allows for priority routing, notification of failed and successful deliveries, and for return receipt.

SMS: Short Messaging Service, a communications protocol allowing for short text messages between mobile devices.

Sniffing: Computer software or hardware that intercepts and logs traffic passing over a digital network or part of a network.

SSL: Secure Sockets Layer, encrypts the data communications layer for mobile, the predecessor to TLS.


TLS: Transport Layer Security, cryptographic protocols for sending messages and data over the mobile Internet.

Trojan: A Trojan is a program that performs illicit activity when it is run. It may be used to obtain personal information and allow a fraudster to take control of the computer from a remote site.

UDLAPs: User Defined Limits and Prohibitions, customer-driven alerts and prohibitions.

Vishing: The practice of using social engineering and VOIP or landline telephoning to obtain access to private personal data for financial gain.

VoIP: Voice over Internet Protocol, transmission technology that allows for delivery of voice over the Internet.

VPN: Virtual Private Networks are where some of the links between nodes are carried by wireless connections or virtual systems, such as the Internet, instead of by wires.

WAP (Wireless Application Protocol): An open standard for applications on mobile devices to communicate with servers over the Internet. WAP sites are Web sites written in WML (Wireless Markup Language) and accessed via a mobile browser.

WAP Site: See Browser-based.

WAP Gap: At the WAP gateway, WTLS transmissions are decrypted and then re-encrypted as SSL/TLS, exposing the data during the process.

WML (Wireless Markup Language): Based on XML (programming language for converting documents to be viewed over the internet), used for writing WAP browser sites.

WTLS (Wireless Transport Layer Security): The security layer of WAP, WTLS enables encrypted communications between mobile browsers and servers over the Internet.