8/8/2019 293 Synivers Mobile Banking 1/30
2009 Javelin Strategy & Research. All Rights Reserved.

The State of Mobile Security in Banking and Financial Transactions

Conducted by Javelin Strategy & Research
September 2009
The State of Mobile Security in Banking and Financial Transactions, September 2009

Overview

Many financial institutions are now incorporating mobile banking and financial services as a key component of their growth strategy, and use of the mobile phone to conduct banking and financial services tasks continues to rise among early adopters. However, among the majority of consumers, security threats are most commonly listed as the primary reason for not trying mobile banking. This white paper will attempt to technically address these largely unfounded consumer security fears while helping to lay a roadmap for financial institutions' successful implementation of mobile banking technology.

Key Questions Explored in This Paper

- Where is the weakest link in the mobile security chain?
- Are mobile security threats the same as online threats?
- How do different operating systems on mobile devices impact security?
- What are best practices to mitigate threats?
- Is mobile viable as a banking and financial services channel, or is the risk too great?

Key Findings

While consumers continue to express concern over using their mobile phone to conduct banking and financial services transactions, it is a fear born more of perception than reality. There are threats, but the security controls available to mitigate risk at this level are substantial and effective. However, security practices will need to continue to evolve as more and more smartphones enter the market running more and more applications, creating an ever-growing opportunity for security threats.
I. Executive Summary

The purpose of this paper is to educate the reader on the security threats and vulnerabilities for mobile, especially in the context of the financial services industry. This report highlights the most popular strategies for deploying mobile services, including SMS, client-based applications and the mobile Web, and the benefits and risks of each type of service.

In 2009, mobile phones are commonplace: An estimated 86% of U.S. adults own one. Currently in the U.S., there are 36 million adults accessing mobile banking. Javelin Strategy & Research forecasts that within five years almost half of all mobile phone owners (45%) will be reaching for their mobile phones to conduct banking chores.

Many financial organizations have chosen to deploy mobile banking via SMS, client-based applications, or the mobile Web, either individually or in combination. According to the "2009 Mobile Banking and Smartphone Forecast" by Javelin in September 2009, the following table summarizes the modalities available over the mobile channel.

Mobile banking modalities (2009 Javelin Strategy & Research):

SMS/Text
  Reach: 100% of phones sold today
  Carrier dependence: FI carrier independent
  Cost: Relatively less expensive (depending on plan) or approximately $0.20 per message
  Ease of use: Easy to set up and use for most consumers

Mobile Web
  Reach: 95% of phones sold today are Web enabled, but many require difficult activation; 18% have smartphones, best for viewing
  Carrier dependence: FI carrier independent
  Cost: Requires unlimited data plan
  Ease of use: Fairly easy to set up and use for most consumers

Downloadable application
  Reach: 95% of phones sold today
  Carrier dependence: May require FI partnerships with wireless carriers
  Cost: Requires unlimited data plan
  Ease of use: More difficult; downloading application is challenging for many

Embedded application
  Reach: Not widely available yet
  Carrier dependence: May require FI partnerships with wireless carriers, mobile handset vendors
  Cost: Requires unlimited data plan and new phone
  Ease of use: Easiest to set up and use for most consumers, but availability limited

For American consumers, two of the biggest factors inhibiting the growth of mobile banking are the fear of data interception by a third party and lost devices. At present, fears of data interception are largely unfounded, in part because the equipment necessary to break into a mobile network is expensive and generally not available to criminals who make quick money elsewhere. Mobile malware, including viruses, worms, and Trojan horses, is OS-specific. Additionally, the mobile channel is still too fragmented, with too many handsets and operating systems, for a single virus to claim widespread damage. Although large-scale mobile malware is not yet common, there have been several specific viruses written for most of the major operating systems. For example, the Symbian OS has seen its fair share of mobile malware.
Unlike traditional online devices, mobile devices feature a number of ways to communicate with other devices and with the Internet. Bluetooth has become standard, although in most instances it is disabled by default. USB and mobile memory cards are vectors that pose more of a risk on the mobile device than on an online PC, because people are more likely to trade MP3s, ringtones, and media files this way. There are also possible but unlikely risks from over-the-air (OTA) programming, which could rewrite the firmware on a mobile device. Like online, the mobile channel, particularly the mobile Web, must contend with phishing and man-in-the-middle attacks. In addition, there's smishing (phishing conducted over SMS) and vishing (phishing conducted over the voice channel).

Mobile financial services are still in their early days, so this immature market is less attractive to criminals who can realize more profit from the online channel. One factor fueling the growth in mobile banking is the recent increase in customer service plans that offer unlimited text and/or data, which allows for downloaded banking and financial services applications. While this is good for the customer who chooses to receive account information in this way, it is also bad for the customer because attackers can also send more spam, which can lead to phishing and the introduction of malware onto the mobile device.

At the mobile gateway, attackers could potentially view or intercept SMS messages while they are in the clear as they travel across the network, although this risk is minimal. Insiders could place sniffers on the network; however, this requires expensive equipment on the part of the attacker.

Mobile threats aren't, however, limited to the various mobile communications channels. If a handset is ever lost, the experience is much like losing your credit card or wallet: Valuable information could be compromised. For an enterprise, this could include intellectual property. For an individual, it could include information to access bank accounts as well as e-commerce and health care sites. This is one area where secure software development practices could help, limiting the amount of data collected by the handset, and/or securely removing any data once the application is closed.

Finally, this report includes a best practices section and a glossary covering many of the terms used.
II. The Mobile Ecosystem

When talking about the mobile ecosystem, the first line of defense (and often the weakest link in the security chain as well) is the mobile user. Users are largely responsible for physical security (protection against loss), authentication, and maintaining the security of the operating system and applications (downloading only from responsible parties). Customers aren't responsible for implementing the security features; that's the job of the bank or the service provider. Because threats and vulnerabilities can exist in all service layers and with every player, appropriate safeguards must be considered in all of these places as well. The mobile network operators (MNOs) that manage the network are responsible for network security and signaling security (which is the channel used by SMS and USSD). Aggregators also play a role in network security because they act as intermediaries between content providers and the mobile network operators.

Each layer of the stack has to be secure. This may seem obvious, but it is complicated by the fact that different players "own" security for different layers in the stack. For example, the handset manufacturer owns security for the handset and the operating system (OS), but the platform vendor owns the security for the application. Since the layers interact, the vendors have to interact as well in order to fully secure the mobile ecosystem and the financial transactions conducted in that ecosystem.
2.1.0. The Stakeholders for Mobile

At the top of the stack is the customer. The customer is the end user (or consumer) who purchases the mobile handset and the service plan and ultimately downloads any applications added to the device. The applications vendor includes financial solutions vendors and the FIs.

Fueling the growth of mobile banking is the recent increase in customer service plans that offer unlimited text and/or data.

The next level of the stack is the service provider. The service provider is the wireless carrier or mobile network operator (MNO), which, in the United States, includes Verizon, AT&T, T-Mobile, and Sprint, as well as a number of smaller players. The MNO is the party that has a license within a country to allocate a certain bandwidth of the radio spectrum to cellular communications.

Just below the service provider is the platform vendor. The platform vendor (for example, Tyfone, MCom, ClairMail) is the party that develops the server (and sometimes client) software used by the bank to provide mobile banking services to the customer. This includes companies like Syniverse Technologies, which acts as an SMS aggregator, working with both the mobile networks and the financial institutions.

[Chart: Q22: What type of wireless plan (data and text) do you currently use? (Select one only). Categories: Unlimited data only; Unlimited text only; None, I use a prepaid/disposable phone; Both unlimited data and text; Under contract, with neither unlimited data nor text. Values shown, in chart order: 6%, 15%, 17%, 25%, 38%. July 2009, n = 3,000. Base: All consumers with mobile phones. 2009 Javelin Strategy & Research]
Finally, there's the handset manufacturer, which is responsible for the hardware used as well as, in cooperation with the MNO, the underlying operating system. In the United States, this includes Microsoft, Symbian, Apple, Google, and Linux. The same hardware and OS used by different carriers can be configured differently, often to accommodate the specific needs of the carrier.

2.2.0. The Mobile Services Stack

Since the customer is at the top of the stack, education isn't enough; there is also the issue of control. Often the customer is not given enough control over his or her security on the mobile device even when greater control is available. Customization can be found at various levels beneath the customer. These include:

- The application layer, which can be either embedded on the handset or downloaded from the carrier's site, or can make use of the mobile browser.
- The mobile device transport layer, which includes HTTP and TCP/IP from the online world, along with Wireless Application Protocol (commonly referred to as WAP), Short Message Service (SMS), USSD, Bluetooth, and, although technically not a message transport, OTA (Over The Air). These are designed to interact with the Internet or service provider without being connected physically to a network.
- The wireless network, which can be either Global System for Mobile communications (GSM) or code division multiple access (CDMA).
- The operating system platform, which is tightly constrained by the handset's resources.
- And finally, the handset, of which there are many variations on the market today.
III. Mobile Security

While mobile security is similar to online security, it is not identical. Like online security, the mobile channel must contend with phishing, malware, and man-in-the-middle attacks. In addition, there's smishing (phishing conducted over SMS) and vishing (phishing conducted over the voice channel). Despite these threats, if secured properly, the mobile channel is one of the safest. What does securing it properly mean? It means implementing security controls that take advantage of the innate security strengths within mobile. If this isn't done, mobile is no more secure, and probably less secure, than other channels.

For the moment, the threat landscape is favorable to mobile devices. There are many reasons for this. One, mobile financial services are still in their early days. Consumer adoption at 18% isn't fully realized, and mobile banking services aren't yet fully functional, e.g., they often don't include the capability to move money. This immature market is less attractive to criminals who can realize more profit from the online channel. Another mitigating factor is the diversity of operating systems, with no one dominant OS. For now the diversity of mobile handsets and platforms makes it harder for criminals to write malware. By contrast, writing a Windows-based 32-bit malware application allows the criminal to hit roughly 90% of the online PC market. This will change in the coming years, with increasing market share by the Apple iPhone and as financial institutions offer fuller banking functionality via the mobile channel.

3.1.1. Mobile's Dissimilarity to Online

One area where mobile is dissimilar to online is applications. On the mobile there is a greater likelihood that applications are digitally signed, meaning the vendor has submitted them to the platform vendor for approval. However, this isn't the case for Android: because the platform is open, there is no approving authority vetting the applications developers post to it (packages are signed, but only by their own developers). So, for example, a criminal might post a bogus mobile banking app, which was really a piece of malware.

Applications on certain mobile devices also run within sandboxes, which isolate the code within the environment, with limited rights. The mobile platform allows for remote device management, with the ability to terminate an application or even the entire device if it is reported lost or stolen, something that is not common with online applications.
3.2.1. Mobile's Strengths and Weaknesses

As with any communications channel, there are relative strengths and weaknesses to mobile devices.

Among the strengths, the mobile device is top of mind with mobile device customers. If a customer leaves home for work in the morning without a mobile device, or without a wallet, which one is he or she most likely to discover missing first? If the handset is ever lost or compromised, it can be remotely deactivated by the carrier. Additionally, particular applications can be deactivated from the server or the entire device can be remote wiped. Currently, for example, enterprise-based BlackBerrys and some mobile banking platform vendors offer this feature. This helps mitigate the fact that handsets are easily lost or stolen: Javelin research shows 19% of mobile phone owners have had a handset lost or stolen.
The mobile channel also has the fastest reaction speed to emerging fraud. Because people are more likely to have their mobile devices with them 24/7, they are more likely to be responsive to a fraud alert from their financial institution. Rather than wait until the end of the month to review their paper statement for signs of unusual activity, customers can be notified by their financial institution within hours, either via SMS or push e-mail. Furthermore, this method "deputizes the customer," involving them directly in securing their financial accounts. Javelin research shows 80% of all consumers believe this responsibility should be shared between consumers and their financial institutions. This translates to time saved between when the fraud is first instigated and when it is detected. Criminals use time to their advantage, and mobile has the potential to take the time advantage away. (Consumer self-detection results in a period of misuse that averages 56 days less than notification by an outside institution.)

Like personal computers, mobile devices can be used as an authentication factor. Authentication can be based on something you have, something you know, or something you are. The mobile handset becomes "something you have." But currently the typical mobile device is less personalized than the typical personal computer, making native device recognition less reliable. One method to increase security is to download a token onto the mobile device that will become its unique identifier. Another method is to contract with the wireless carrier network to identify the device.

Because consumers carry their mobile phones with them 24/7, they can be used to replace one-time-password-generating hardware tokens. Software-based one-time password (OTP) tokens make more sense, not only because they are more convenient for the consumer to carry and greatly increase security, but also because the software can be redeployed less expensively over the air. Latest developments to watch for include software that inputs the OTP automatically into the password field, thwarting keylogging malware and increasing ease of use. However, not all handsets have the processor and memory required to generate OTPs.
At the moment there is no dominant mobile operating system or handset vendor. It is harder to write mobile malware than online malware. Similarly, it will be more difficult to educate end users, because security vendors will have to produce different anti-malware solutions for each variation of OS and hardware.
Mobile platforms and handsets do include the use of PINs for power-on and idle-timeout (screensaver) recovery. However, these are not enabled by default. Use of a power-on PIN or password is a user choice that cannot be enforced from the server. This will require education to inform end users of the value of setting these protections.

Finally, the controlled nature of the mobile networks makes them somewhat safer than the Internet, because there are steep hardware costs for attackers to gain access to mobile networks.

Among mobile's weaknesses is data stored on the handset. If the mobile banking application is well written, it should not store sensitive data in the first place, so this risk can be mitigated by using secure software development practices. Additionally, stored usernames and passwords, which may conveniently allow for quick access, need to be adequately protected against unauthorized third-party access, especially for such accounts as financial and medical services.

Strengths and weaknesses by layer:

Mobile Handset
  Strength: Always present with customer
  Weakness: May store username, password, and personal data
  Strength: Can be used as an authentication factor
  Strength: A PIN can be used to lock the mobile device
  Weakness: Most PIN locks are not enabled by default
  Strength: One-time passwords (OTP) can be generated on the mobile device
  Weakness: Not all mobile devices have the processor and memory required for OTP generation

Mobile Operating System (OS)
  Strength: No dominant OS means the likelihood of malware is less
  Weakness: No dominant OS means it is harder to obtain anti-malware software

Mobile Network
  Strength: Steep hardware costs required for attacks
3.3.1. Customer Perceptions

What are the biggest factors inhibiting the growth of mobile banking today? For consumers, security consistently remains one of the biggest stumbling blocks to mobile adoption, although usage of the channel seems to allay some of these fears. Nonetheless, almost half of mobile bankers cite security as their main concern (47%).

Mobile banking requires security to support wireless transactions on multiple levels:

- The mobile device itself
- The security of the particular banking application that may be run from the device
- Securing of the data stored on the mobile phone
- Securing or encrypting the data transmitted over the air

Authentication of the customer is needed to guarantee that a legitimate and authorized customer is performing the transaction; authentication of the device guarantees that the transaction is occurring over an authorized mobile device. Finally, authentication of the financial institution to the customer helps avoid phishing scams and other attacks.

[Chart: Security Is the Sticking Point for Consumer Adoption. Q6: You indicated you do not use mobile banking. For what reasons do you not use mobile banking? (select up to three). Categories: Other, please specify; I don't have a formal banking relationship; Set-up process to register accounts; My bank offers it but I don't have access to it; New technology, it may not work correctly; Potential limitations in wireless plans; It is not offered by my bank or credit union; Dropped or lost telecommunications connections; Cost or hidden fees from my bank for using the service; The cost of data access on my wireless plan; Security of mobile banking; I don't see the value of mobile banking. Values shown, in chart order: 14%, 1%, 3%, 4%, 5%, 6%, 8%, 9%, 10%, 34%, 42%, 44%. July 2009, n = 2,396. Base: All consumers with mobile who do not use mobile banking. 2009 Javelin Strategy & Research]
With security as a key driver of consumer acceptance and growth of the channel, it must be given top priority in product and marketing budgets for mobile financial services. Fortunately, for both financial institutions and consumers, the mobile channel can increase banking security if it is deployed correctly: Users are able to track their financial information in real time from practically anywhere in the world. Frequent self-monitoring of accounts is an effective way for consumers to detect fraudulent transactions and activities. Text message alerts allow users to receive regular updates on account activity, adding another level of security. Half of U.S. consumers believe that text message alerts sent to their mobile handsets are an effective way to fight fraud.

Unfortunately, many myths abound about mobile security. Many customer fears about mobile security turn out to be unfounded. For example, customers frequently cite the interception of data by a third party (73%) as one of their top security concerns with mobile banking. While mobile malware does exist, the risk of having a mobile phone call remotely accessed is almost nonexistent. Nonetheless, once sufficient numbers of consumers are banking on the mobile channel, it will become a larger target for hackers. Mobile Web and dedicated mobile applications are subject to man-in-the-middle attacks, in which the attacker intercepts data between the customer and the financial institution. The Web browser is subject to man-in-the-browser attacks, in which the session interception is done by a Trojan horse as opposed to a human being. While even SMS can be spoofed or compromised, customer education can be effective, as in other channels, to mitigate the risk.

[Chart: Hackers Gaining Access to Mobile Phone Is Top Security Fear. Q35: You mentioned that security was one of your top concerns with mobile banking; what security aspects are you most concerned with? (Select up to three). Categories: Other, please specify; Viruses or spyware on my phone; Losing my phone or having my phone stolen; Someone intercepting the wireless signal; Hackers gaining access to my phone remotely. Values shown, in chart order: 4%, 39%, 54%, 68%, 73%. March 2008, n = 702. Base: Respondents with mobile banking security concerns. 2008 Javelin Strategy & Research]
3.4.1. Threats, Vulnerabilities and Countermeasures

Mobile phishing takes many different forms. The most common forms used today make use of SMS (smishing), the use of SMS to spread phony URLs, and VoIP (vishing), the use of telephone numbers to lead victims to bogus voice services (such as IVR) that fool victims into believing they're talking with their financial institution. Attackers often send fraudulent SMS messages to large volumes of users, attempting to gain private information. Mobile phishing can affect SMS or Web-based banking when messages include a URL or a phone number. Upon calling a phone number, a user may interact with an actual person or a voicemail system, both of which risk exposing that user's personal information.

3.4.2. Broad Threats

Broad threats in the mobile channel include unauthorized access to services or sensitive data. Malicious hacking and damage to the device, denial-of-service attacks, and Web-based attacks have more or less the same threat profile on the mobile as on PCs. Mobile malware is currently platform-specific, with only a very few examples of cross-platform malware to date. Because of various controls on the mobile device, mobile malware today still requires user interaction. That may not be true with more robust mobile operating systems in the future.

Mobile viruses are one area where user education is an effective mitigation. The fragmentation of the handset, browser, OS and carrier markets makes it hard to design an effective "one message fits all devices" education campaign, although at the end of this report we do offer some best practices.

Javelin believes that the current threat to mobile banking is low. There are many unique devices, browsers and operating systems, which makes it difficult for attackers to target large swaths of customers. It is also one of the reasons most of the mobile viruses today are written for the Symbian OS, which is the most prevalent mobile OS in the world. Javelin believes that the lack of credible threats to financial data may be due to the newness of the financial offerings on mobile.

3.4.3.0 Handset

Unfortunately, the customer may become frustrated with "too much security" when using either the handset or the application security features. The customer may then choose to disable them, or at least try to disable them. The best security features marry convenience with safety: For example, an encrypted handset may allow a consumer to answer certain phone calls without logging in.
In other parts of the world, specifically Japan and South Korea, mobile banking has been in use for several years. Despite its widespread use, the known fraud in mobile banking in Pacific Asia has been low. One feature that contributes to the low fraud rates is the linking of devices to bank accounts through hardware chips. The hardware links the user's bank account to a specific mobile device so that only that specific device can conduct transactions. This can be done by OTA provisioning of the SIM or by use of a smart card. It is slightly more expensive to deploy on CDMA networks.

3.4.3.1 Memory Cards

The use of memory cards with the handset could be problematic. In 2004, a mobile virus known as Skulls used infected memory cards to infect Symbian Series 60 devices. Skulls is a Trojan horse that arrives as an installer for a normal application. Skulls then overwrites existing applications (except those required to communicate), rendering them useless. It replaces mobile desktop icons with images of skulls. Some of the 30-plus variants also install other mobile malware onto the phone.

3.4.3.2 Downloads

The client-side environment includes the applications downloaded and installed on the device. These can be signed by either the carrier or the financial institution. Often the applications are sandboxed on the device. The most secure choice for financial institutions is not to send sensitive data to the handset at all. The next best is to delete it at the end of each session, or, if sensitive data is stored on the handset, to encrypt the data.

3.4.3.3 Applications

Enterprises and commercial software developers should employ secure software development best practices. Despite the rigorous testing of mobile applications by various carriers and platforms, some malicious software has leaked into the online application stores. Authentication of the application code could be used to help customers know they are downloading the real banking application. This is a problem with open platforms such as Android or Linux: there, no central party vets the application, unlike Symbian and Apple.

3.4.3.4 Mobile Browsers

Some of the mobile browsers are subject to the same flaws as PC browsers, such as malicious scripts, man-in-the-browser attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF). Although they have smaller feature sets, mobile browsers have been subject to attacks in which unauthorized commands are transmitted from a user to a Web site. It is difficult to determine the legitimacy of a URL with a mobile browser: The small form factor makes it incapable of displaying full URLs, or it can take many menus to access the security information of a given site. Most mobile browsers lack support for protections normally available on desktop systems such as URL filtering, phishing toolbars, and visible indicators for secure sockets layer (SSL) or extended validation (EV SSL) certificates. Based upon these concerns, it seems likely that users of mobile devices have an increased risk of falling victim to a phishing attack when they surf with mobile browsers.
3.4.3.5 Mobile E-mail

Mobile e-mail clients are often the source of spam, phishing and malware introduction. For example, criminals use the e-mail-to-SMS gateways that allow the user to send e-mails instead of spending money sending SMS messages. In this way, criminals can send e-mail to all possible SMS recipients. As a result, SMS gateway providers have responded to abuse by rejecting excessive numbers of messages or fraudulent messages. Filtering is dependent on the cooperation of Internet service providers (ISPs) rather than defensive tools on mobile devices. Uncooperative ISPs could cause this network filtering to fail. SMS and e-mail protocols allow attackers to send spoofed messages from falsified source addresses. Spoofed e-mail messages are generally more common because anyone can operate a mail server and send e-mail spam. E-mail-to-SMS gateways are one option that attackers have abused in the past to send SMS phishing messages.

3.4.3.6 Mobile IM (MIM)

Mobile IM (MIM) is subject to similar threats to those found on the PC desktop. Phishing and malicious URLs are the problem.

Some legitimate financial services may suffer from user doubt and uncertainty related to sending legitimate SMS messages because of the potential for attackers to send spoofed messages. Financial organizations should avoid repeating the mistakes they made with e-mail, which have caused some to abandon contacting their clients through e-mail altogether. To gain the user's trust, financial service providers may choose to avoid sending phone numbers, SMS numbers or URL links. Combining these restrictive measures with user education campaigns can limit the effectiveness of phishing attacks.
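Added example, not from the paper or from any aggregator's product, covering both the gateway-side filtering described under Mobile E-mail (rejecting excessive or fraudulent messages) and the "avoid sending phone numbers or URL links" guidance just above. It is a Python sketch of an inbound screen with a per-sender sliding-window cap, a brand-spoof check against the FI's registered short code, URL and callback-number heuristics, and an outbound lint for the FI's own alerts. The short code 24273, the brand ExampleBank, the wording lists and the sample messages are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Assumption for the example: the gateway keeps, per FI brand, the short
# codes that brand genuinely sends from. 24273 is made up.
REGISTERED_SENDERS = {"24273"}
BRAND_RE = re.compile(r"(?i)\bexamplebank\b")

URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|info|biz)\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE_RE = re.compile(r"(?i)\b(?:verify|suspended|locked|urgent|confirm|update|expire[sd]?)\b")


class SlidingWindowLimiter:
    """Per-sender message cap over a sliding time window: the mechanism
    behind a gateway 'rejecting excessive numbers of messages'."""

    def __init__(self, limit: int, window_s: int):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def allow(self, sender: str, now: float) -> bool:
        q = self.hits[sender]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def screen_inbound(sender: str, body: str, now: float, limiter: SlidingWindowLimiter) -> list:
    """Return the reasons a message is suspicious (empty list = clean)."""
    reasons = []
    if not limiter.allow(sender, now):
        reasons.append("rate-limit")
    if BRAND_RE.search(body) and sender not in REGISTERED_SENDERS:
        reasons.append("brand-spoof")  # claims to be the FI but not from its short code
    if URL_RE.search(body):
        reasons.append("url")
    if PHONE_RE.search(body):
        reasons.append("callback-number")
    if LURE_RE.search(body):
        reasons.append("lure-wording")
    return reasons


def verdict(reasons: list) -> str:
    """Hard rejects for floods and brand spoofing; lure text plus a link or
    callback number is flagged for review; everything else is delivered."""
    if "rate-limit" in reasons or "brand-spoof" in reasons:
        return "reject"
    if "lure-wording" in reasons and ("url" in reasons or "callback-number" in reasons):
        return "flag"
    return "deliver"


def outbound_ok(body: str) -> bool:
    """Outbound policy for the FI's own alerts: no links and no callback
    numbers, so customers can learn that genuine alerts never carry them."""
    return not (URL_RE.search(body) or PHONE_RE.search(body))


# Constructed sample traffic (not real messages): a genuine alert from the
# registered short code, a brand-spoofing smish with a link, and a vishing
# lure with a callback number.
SAMPLES = [
    ("24273", "ExampleBank alert: $250.00 debit card purchase at 14:02. Reply STOP to opt out."),
    ("+15550199", "ExampleBank: your account is locked. Verify at http://examplebank-secure.example/login"),
    ("+15550123", "Urgent: call 555-019-9911 to confirm your card details"),
]


def run_samples() -> list:
    limiter = SlidingWindowLimiter(limit=10, window_s=60)
    return [verdict(screen_inbound(s, b, 1000.0, limiter)) for s, b in SAMPLES]


if __name__ == "__main__":
    for (sender, body), v in zip(SAMPLES, run_samples()):
        print(f"{v:8} {sender:12} {body[:60]}")
```

The outbound lint is the enforcement side of the paper's advice: if the FI's own alerts never contain a link or a number to call, any message that does is, by construction, not from the FI, and user education can say exactly that.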
[Figure: message paths into the mobile channel: client, encryption, VPN, cellular infrastructure, SMS, carrier and other gateways, bulk SMS provider, e-mail gateway]
3.4.3.7 Voice

Phishers also often spoof the source e-mail address and use a large number of different phone numbers to perform vishing. Vishing is the criminal practice of using social engineering over the telephone, both land-based and mobile. Fraudulent vishing messages on the mobile are similar to vishing attacks online and contain a phone number that a victim calls upon receiving the message. There are many examples of vishing attacks that use voicemail systems to steal user information, including bank account information. In January 2008, the Facebook application "secret crush" began phishing users by requesting their mobile phone numbers through the social networking Web site. Subsequently, it would send users messages from a premium SMS service that cost $6.60 per message, according to one user afflicted by the scam. Users who reply to the premium-rate number (19944989) receive charges on their mobile phone bills.

[Figure: How Vishing Works]

3.4.4 Operating Systems

Educating users about operating system features and encouraging them not to install software from unofficial sources can help to mitigate mobile threats.

3.4.4.1 Symbian

The Symbian OS, an open industry standard with the greatest global market share, has been the most targeted by malware so far. The best known of these is the Cabir worm, discovered in June 2004. The Cabir worm was developed as a proof-of-concept virus by Group 29A (an international group of programmers) and has spawned at least fifteen variants. A proof-of-concept virus is developed by programmers to demonstrate existing vulnerabilities in software, and is often sent to the manufacturer or an antivirus firm, rather than being used maliciously. The original worm spread over Bluetooth connections on Symbian Series 60 mobile phones, arriving in the inbox as a caribe.sis file. The user has to accept the file, and it spreads slowly because it is capable of infecting only one other phone per activation or reboot. In August 2004, Mquito, the first Trojan to target Symbian, appeared in an illegal version of a game by Ojun called Mosquito. Each time the game was played, the Trojan would send a premium SMS message. In an ironic twist, it was discovered that the Trojan had been placed by the developer Ojun itself, with the premium SMS call going to Ojun to notify the firm whenever an illegal version was played or the game was run on an unregistered mobile phone. While it worked as planned, a significant number of legitimate users were also affected with premium SMS charges, so Ojun ended up cancelling the premium number and re-releasing the game without the Trojan.
To combat malware, Symbian adopted a digital signature program; all mobile applications would have to be approved by Symbian before they could be installed on a Symbian phone. On or before Feb. 4, 2009, Chinese mobile phone users began reporting a new virus that affects Symbian S60. All code on S60, third edition, must be signed, and this virus is no exception; it uses a certificate from Symbian licensed to "ShenZhen ChenGuang WuXian." After a user installs the program, it spreads to other users by sending SMS messages that contain URLs for users to download and install the code. The "SexyView" virus attempts to persuade recipients to download and install a Symbian Installer file (SISX) at the URL, but it does not use any exploits to install such files automatically. Such mistakes show the limitations of platform download stores or signature programs.
3.4.4.2 Windows

In the lucrative U.S. market, Windows Mobile has held a slim lead in user numbers, making it a target as well. WinCE.Duts, discovered in July 2004, is another proof of concept virus developed by Group 29a for mobile devices running under Windows CE for pocket PCs. While it requires user confirmation to download, Duts can infect mobile devices via email, mobile Web, and through the synchronization or Bluetooth protocols.

Arriving in September 2005, Cardtrap is the first known cross platform virus, in which the main goal is to infect the user's PC. Cardtrap is disguised as an installer for a normal program, but once it's accepted, it installs other malicious codes and corrupts existing applications. When the phone's infected memory card (multimedia card or E drive) is inserted into the PC in an attempt to remove the virus on the phone, malicious code (e.g., worms, Trojans, backdoors) is transferred to the PC, among them a virus that disables security on the PC.
In early 2008, a new WinCE Trojan called InfoJack insidiously appeared inside legitimate installer packages like Google Maps as an option. This Trojan disables Windows Mobile security so that other unaccredited applications can be installed without permission. It then sends the serial number, operating system information, and other data to a Web site in China. In early 2009, HTC devices running Windows Mobile 6 and Windows Mobile 6.1 were prone to a directory traversal vulnerability in the Bluetooth OBEX FTP service. Directory traversal allows an attacker to exploit inadequate security to input filenames, allowing software to access files that are not supposed to be accessible. Successful exploitation allows an attacker to list directories and write or read files for execution.
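The directory traversal described above is, at bottom, a failure to normalise a client-supplied filename before checking it against the directory the service is allowed to expose. The following Python function is an added example (not code from the whitepaper or from any vendor's OBEX implementation) of the check a file service should perform before listing, reading or writing a path; the root directory and the request strings are constructed for illustration.

```python
import posixpath
from typing import List, Optional, Tuple

# Constructed example root (hypothetical): the only directory an OBEX FTP
# style file service should ever expose to a remote Bluetooth peer.
SHARED_ROOT = "/storage/shared"


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`,
    otherwise None.

    The request is normalised first (collapsing '.', '..' and repeated
    separators) and only then compared against the root, so a name such as
    'photos/../../etc/hosts' is rejected because of where it ends up, not
    because it happens to contain the substring '..'.
    """
    # Embedded NUL bytes can truncate the path in lower layers; refuse them.
    if "\x00" in requested:
        return None
    # Treat backslashes as separators too; some clients send Windows-style paths.
    candidate = requested.replace("\\", "/")
    # Drop a leading slash so an "absolute" request is still anchored at root.
    candidate = candidate.lstrip("/")
    joined = posixpath.normpath(posixpath.join(root, candidate))
    root = posixpath.normpath(root)
    # Accept the root itself or anything strictly underneath it. The trailing
    # slash in the prefix stops '/storage/shared2' from passing as a child of
    # '/storage/shared'.
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


def audit_requests(root: str, names: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Map each requested name to the resolved path or None when rejected.

    A service would log the rejected entries: a burst of them from one peer
    is a useful detection signal for traversal probing.
    """
    return [(name, resolve_within_root(root, name)) for name in names]


if __name__ == "__main__":
    # Constructed requests: the first three are legitimate, the rest escape the root.
    sample = [
        "photos/cat.jpg",
        "/photos/cat.jpg",
        "",
        "../../etc/passwd",
        "photos/../../../etc/passwd",
        "..\\..\\system\\config",
    ]
    for name, resolved in audit_requests(SHARED_ROOT, sample):
        print(f"{name!r:35} -> {resolved if resolved else 'REJECTED'}")
```

The check anchors every request at the shared root rather than trusting the client's idea of an absolute path, and it compares normalised paths rather than scanning for `..`, which is the mistake that lets encoded or mixed-separator variants through.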
3.4.4.3 Palm

Palm, although having a smaller footprint worldwide, is not immune to vulnerabilities. In 2009, Palm issued updates for its new Palm Pre model. Among the issues addressed was a denial of service when a user clicked overlong URLs (greater than 4,063 characters). Attackers could have distributed an exploit for this through email, MIM, or SMS.
3.4.4.4 iPhone

At Black Hat USA 2009, researchers showed how one could use a malicious SMS message to shut down the ComCenter in the Apple iPhone. The attack would not only disable SMS, but also WiFi and 3G service on the device. Apple has since fixed this particular vulnerability. The researchers were also able to perform similar attacks on Google Android and Windows Mobile. The researchers had not yet had the time to study the Palm Pre.
3.4.4.5 BlackBerry

In early 2009, a vulnerability was announced that could allow criminals to take control of the servers running BlackBerry systems. It worked by sending emails with tainted attachments within Adobe Systems PDF format. If the customer opened one of these compromised PDFs, it attempted to install malicious software on the server so that criminals could then use that server to send spam or steal corporate or personal data.
3.4.4.5 Android

In some ways the open source Android platform is more secure than other operating systems. By design, its OS uses the sandbox approach, which isolates code injected into the browser from other parts of the mobile system. That hasn't stopped research into vulnerabilities. In early 2009, security researcher Charlie Miller discovered a way that allows criminals to take control of the phone's Web browser. If compromised, the browser's credentials and history could be visible to a remote hacker. No word on whether this vulnerability has been patched.
3.4.4.6 Linux

Linux has a very small footprint on the market, and thus less incentive for attack. A few years ago, Motorola, NEC, NTT DoCoMo, Panasonic Mobile Communications, Samsung Electronics and Vodafone banded together to form the LiMo foundation, an industry group dedicated to providing the first open, hardware independent, Linux based OS. One of its purposes is to seek participation from application and middleware vendors for the nascent operating system.

3.4.4.7 J2ME mobile phones

Not really an operating system, Sun's Java 2 Micro Edition (J2ME) allows devices with limited hardware resources (with as little as 128K of RAM and processors less powerful than desktop

institution, he or she might be able to masquerade as the user and conduct important transactions. Organizations should avoid requesting or sending full account numbers or other information necessary for an attacker to conduct transactions through email or SMS messages.
3.4.5.5 Bluetooth

Bluetooth is a short range wireless protocol that includes a promiscuous feature. OBEX is designed to allow Bluetooth devices to discover other Bluetooth devices in the area, then connect to them. While it works well when connecting a wireless headset to a mobile device, Bluetooth protocols can also be used to connect to a mobile device with unfortunate results when malware is involved. Bluejacking and bluesnarfing are two methods in which an attacker can approach a victim, connect via Bluetooth, and dial premium phone numbers or create a denial of service attack without the victim realizing it. As a result, many phones today disable Bluetooth by default. The risk of this activity is low because it requires a combination of Bluetooth being enabled, physical proximity, and malicious intent. The Cabir worm, discussed earlier, was discovered in June 2004 and has spawned at least fifteen variants. The original worm spread over Bluetooth connections on Symbian Series 60 mobile phones, arriving in the inbox as a caribe.sis file. The user had to accept the file, which spreads slowly because it is capable of infecting only one other phone per activation or reboot. Mabir.A is a later variant that spreads through either Bluetooth or MMS messaging. It spreads by intercepting all SMS and MMS messaging, then immediately sending an MMS message containing the virus to the initial sender. The recipient, who assumes the new infected message is a reply to the original message, must accept the download before becoming infected. Mabir.A, like the original Cabir, can also spread through Bluetooth, searching for a nearby phone to send the virus. The MMS variant is more troubling because MMS allows for the virus to be sent over greater distances and the costs for MMS messaging are higher, but the malware is still limited to one phone per activation or reboot. This will be a bigger threat for mobile payments than for mobile banking.
3.4.5.6 OTA

Over the air programming (OTA) allows for over the air provisioning or administration of new software updates or feature settings. Some phones with this ability are labeled as OTA capable. OTA via SMS optimizes the SIM settings on a mobile device to access WAP or MMS. OTA provides a remote control for service and subscription activation, personalization or programming of new features. Various standards exist, including the Open Mobile Alliance (OMA).

3.4.5.7 USSD

Unstructured Supplementary Service Data (USSD) is a real time or instant messaging service available on all GSM phones. If SMS is similar to email, then USSD is similar to telnet. For financial institutions, it is used to query the available account balance and other similar information. USSD is not used in the United States.
3.4.6.0 Network

Examples of a network attack would include an insider (employee) of the service provider or an attacker who is able to gain access to the network. While the likelihood of an occurrence of an attacker gaining direct access to a network seems low, there are a few examples in which insider threats affected mobile phones. In 2007, Vodafone Greece was hacked. Software extensions installed on the Ericsson AXE switching equipment permitted eavesdropping on government phone calls.

3.4.6.1 GSM

More serious is the recent cracking of the encryption used on GSM in other parts of the world, but not yet in North America. Several researchers and organizations have published research showing how to break the A5/1 and A5/2 encryption algorithms to intercept and decrypt traffic protected by such encryption. Both active and passive techniques exist; the passive technique is much harder to detect because it avoids sending any additional traffic and only listens. Third parties sell devices such as the "Passive GSM Interception System (SCL5020)" to spy on communications when they use weak or no encryption (A5/0 and A5/2); however, the cost to hack GSM is still substantial.
3.4.6.2 CDMA

CDMA transmissions remain slightly harder to crack than GSM transmissions. That is in part because of the underlying CDMA schema that assigns each transmitter a code, then multiplexes the codes over the same channel. This allows the system to handle more users with fewer cellular towers.
3.5.0. MNO network

With the right tools, a criminal could gain access to the MNO network.

3.5.1. Transport (including gateways)

The WAP gateway converts messages from the WAP device using WTLS sent over the wireless network to SSL/TLS to be sent over the wired Internet to the server. At the WAP gateway, fraudsters could potentially view or intercept enterprise traffic or data, but the risks of such an event(s) are relatively minimal. WAP 2.0, adopted in 2002, is expected to help because the signals are sent via TLS, hence no reason to translate, no gap to mitigate.
3.5.2. Network

Like online, mobile IP networks are also subject to denial of service attacks. In one attack, a cable modem with 500 Kbps could be used to send data packets that would block access to more than one million mobile device users.2 The packets themselves would:

- Reestablish connections after they have been released. This would create congestion at radio network controllers, thereby causing problems for legitimate subscribers.
- Prevent a mobile device from going into sleep mode. This could overload the network with extra traffic.
- Place rogue devices on a network. This would also create spurious traffic that might be hard to locate.
- Excessive port scanning. This could be both an intended and unintended result of connected devices that are infected with computer malware.

2 http://www.theregister.co.uk/2009/06/08/mobile_dos_threat/
3.5.3. Physical

Enterprises should consider mobile device management software. This allows enterprises to manage the mobile device remotely, as well as wipe the contents should the handset be lost or stolen. Such software also allows for secure VPN access to the corporate network or mail server. The software should work both ways: protecting the data on the handset should the device be lost or stolen, and protecting the network from mobile intrusions via handset activity.
IV. Security Best Practices

4.1.1. Best practices: General

Similar to URLs, most phones also convert phone numbers from SMS messages into links to easily place calls. Financial institutions may consider using phone calls as an additional verification technique. Caller ID remains an unreliable source, and better methods, such as device recognition, are preferred. It is harder to transfer transaction information over the phone; therefore, this method is not preferred for secondary verification. Analysts should evaluate critical SMS services for SMS spoofing vulnerability and persistent log storage.
Applications may choose to avoid sending full account numbers, which could reveal more information than necessary. While there are attacks that allow the attacker to intercept messages, spoofing is another more likely problem that could impact applications when they act upon fraudulent information. Applications can perform handshakes or two factor authentication with other protocols such as OTP, email and telephone. While SMS has some threats, none of them are significantly more risky than email, which many financial institutions use for validating transactions. In addition to the user advice to avoid trusting fraudulent messages, service providers can filter messages. The following sections discuss controls available to SMS gateway providers to prevent spam and spoofing.
4.1.2. Best Practices: Handset

Client applications can be one of the most secure mechanisms for conducting critical transactions but could still contain vulnerabilities or be subject to mobile threats. Authors have more control of network protocols and options to use encryption. They can destroy temporary data and encrypt locally stored sensitive data. Critical applications may allow organizations to support special functionality such as profiling and registering a device and verifying the system integrity. Certain features may be available through the operating system rather than through a custom designed application. While such control is potentially beneficial, it requires investment in multiple operating systems and platforms. Maintenance and development costs may be higher than other solutions and require more support.
4.1.3. Best Practices: Network

Many ISPs automatically attempt to limit phishing and fraud to mobile devices because they bill users per message. Providers may decide to block a known SMS gateway provider because attackers commonly use them to send spam or spoofed messages. Similarly, SMS service providers may monitor message contents and work with financial institutions to prevent such messages from reaching end devices. The current state of SMS filtering can help organizations that reach out to service providers to prevent threats at the network level rather than at the devices themselves. However, SMS filtering may add latency and involve regulatory requirements around data storage.
Several options are available at SMS and email gateways to limit spam, spoofed messages or otherwise unwanted messages. Network options include:

- End user block lists
- Whitelisting
- Content based detection
  - Regular expressions
  - URL reputation
  - Source SMS/phone number
- Legal action
- Limit outgoing spoofed messages
Many of the controls to prevent unwanted SMS messages are reactive and filter incoming or outgoing messages. Some providers allow users to block specific organizations or numbers manually through an SMS or HTTP interface. These approaches are less reliable than SMS gateway controls because they depend on the user to block each message after it arrives and do not prevent spoofed messages.

Gateways also monitor the volume of SMS messages they send and receive. In this way, they limit fraudulent messages and identify when actors attempt to contact large numbers of inactive recipients. Contacting inactive recipients can indicate a user who is sending messages to every possible recipient. Messages originating from premium numbers are another type of message that some SMS gateway providers may filter. This prevents actors from sending messages from premium numbers because users incur bills when they reply.

Email to SMS gateways also have many controls to prevent abuse. They accept messages from email accounts and forward them to SMS recipients. Traditional filtering techniques for email such as Sender Policy Framework, block lists, open relays and message attributes are all ways that email to SMS gateways limit unwanted SMS messages.

SMS gateways also have the ability to allow known good services to send messages. Financial institutions that use SMS services can make information public, which allows gateways to confidently whitelist their services.
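The gateway controls described in this section (end user block lists, whitelisting of known good senders, premium number source filtering, URL reputation, regular expression content detection and volume monitoring against inactive recipients) compose naturally into a single filter pipeline. The Python below is an added example, not code from the whitepaper or from any SMS gateway product; the policy values, the bank short code and the sample messages are constructed for illustration, and the verdict strings are my own naming.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class SmsMessage:
    sender: str
    recipient: str
    text: str


@dataclass
class GatewayPolicy:
    whitelist: Set[str]                     # known good senders, e.g. a registered bank short code
    premium_prefixes: Tuple[str, ...]       # sender prefixes the carrier bills at premium rates
    bad_domains: Set[str]                   # URL reputation block list (hostnames)
    content_patterns: List[re.Pattern]      # regular expressions for unwanted content
    user_blocklists: Dict[str, Set[str]]    # recipient -> senders that recipient has blocked
    inactive_recipients: Set[str]           # numbers the carrier knows are not in service
    min_sample: int = 5                     # messages from a sender before volume checks apply
    max_inactive_ratio: float = 0.5         # drop a sender once most of its traffic hits inactive numbers


URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def classify(msg: SmsMessage, policy: GatewayPolicy,
             totals: Dict[str, int], inactive: Dict[str, int]) -> str:
    """Return "deliver" or "drop:<control>" for one message.

    Checks run from cheapest and most specific to most statistical. A
    whitelisted sender skips the content controls but not the recipient's
    own block list.
    """
    if msg.sender in policy.user_blocklists.get(msg.recipient, set()):
        return "drop:user_blocklist"
    if msg.sender in policy.whitelist:
        return "deliver"
    if msg.sender.startswith(policy.premium_prefixes):
        return "drop:premium_sender"
    for host in URL_RE.findall(msg.text):
        if host.lower() in policy.bad_domains:
            return "drop:url_reputation"
    for pattern in policy.content_patterns:
        if pattern.search(msg.text):
            return "drop:content"
    # Volume monitoring: count this sender's traffic and how much of it goes
    # to numbers that are not in service, a sign of messaging every possible recipient.
    totals[msg.sender] += 1
    if msg.recipient in policy.inactive_recipients:
        inactive[msg.sender] += 1
    if (totals[msg.sender] >= policy.min_sample
            and inactive[msg.sender] / totals[msg.sender] > policy.max_inactive_ratio):
        return "drop:volume_inactive"
    return "deliver"


def filter_batch(messages: List[SmsMessage], policy: GatewayPolicy) -> List[Tuple[SmsMessage, str]]:
    """Run the pipeline over a message stream, keeping per-sender counters."""
    totals: Dict[str, int] = defaultdict(int)
    inactive: Dict[str, int] = defaultdict(int)
    return [(m, classify(m, policy, totals, inactive)) for m in messages]


# Constructed policy and traffic (hypothetical numbers and domain).
SAMPLE_POLICY = GatewayPolicy(
    whitelist={"12345"},
    premium_prefixes=("1900",),
    bad_domains={"evil-bank.example"},
    content_patterns=[re.compile(r"\b(?:PIN|password|passcode)\b", re.IGNORECASE)],
    user_blocklists={"+15551230003": {"+15550003333"}},
    inactive_recipients={"+15559990001", "+15559990002", "+15559990003", "+15559990004"},
)

SAMPLE_MESSAGES = [
    SmsMessage("12345", "+15551230001", "Your balance is $1,234.56. Reply STOP to opt out."),
    SmsMessage("+15550001111", "+15551230002", "Verify your account at http://evil-bank.example/login"),
    SmsMessage("19001234567", "+15551230002", "You have won! Reply to claim."),
    SmsMessage("+15550002222", "+15551230001", "Account suspended. Reply with your PIN to unlock."),
    SmsMessage("+15550003333", "+15551230003", "hi"),
] + [
    SmsMessage("+15550004444", r, "hello")
    for r in ("+15559990001", "+15559990002", "+15559990003", "+15551230001", "+15559990004")
]


def run_sample() -> List[str]:
    """Verdicts for SAMPLE_MESSAGES in order."""
    return [verdict for _, verdict in filter_batch(SAMPLE_MESSAGES, SAMPLE_POLICY)]


if __name__ == "__main__":
    for m, verdict in filter_batch(SAMPLE_MESSAGES, SAMPLE_POLICY):
        print(f"{m.sender:>13} -> {m.recipient}: {verdict}")
```

The ordering matters: the recipient's own block list is honoured even for whitelisted senders, the whitelist then spares a registered bank short code from content heuristics that its legitimate alerts might trip, and the volume control only fires once a sender has enough traffic to judge, which is why the bulk sender in the sample is delivered four times before its fifth message is dropped.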
4.1.3. Best Practices: Customer Security Awareness

The techniques to spread viruses and worms on mobile platforms to date are limited. Attackers generally do not use exploits to install mobile malicious code on phones but depend more on social engineering or physical access to install malicious programs. In those cases, educating users about potential threats, operating system features, code signing, and encouraging users not to install software from unofficial sources can help mitigate the threats. Additionally, users must update mobile phone operating systems and software to take advantage of the most recent security features that reduce their risk of being a victim to malicious mobile code.

Spoofed messages could entice users to take an unwanted action or reveal personal information. Users should review official documents showing how the providers plan to communicate with them to prevent themselves from becoming victims and to help them identify fraudulent messages.
V. Conclusions

Despite the move by many carriers to provide unlimited text and data plans, many customers project their banking experiences with phishing and malware in the online channel onto the mobile channel. That is incorrect. There are some significant differences, and some additional safeguards, present in the mobile channel. If implemented, the mobile channel can be safer than the online channel for commerce and financial transactions.

By working together, the handset manufacturers, operating system vendors and browser vendors can enable security features and disable additional controls by default. In turn, the network provider can work with the browser and financial services software vendors to ensure that secure communications can be provided between clients and servers. Finally, user education is the best way to mitigate the threat of mobile viruses. As malware moves away from requiring user interaction, however, additional anti malware protection for the mobile on the handset may be necessary.

Although the mobile threat landscape remains relatively quiet compared to its online cousin, the potential for fraud to enterprises still exists in the form of phishing, smishing, and vishing. Here, network providers may decide to block a known SMS provider because attackers commonly use them to send spam or spoofed messages.

Additionally, the growing adoption of full featured smartphones will increase the risks of cross site scripting and cross site request forgeries, the current bane of the online world, as attackers find new ways to push out malicious commands to mobile browsers. Here, use of URL filtering, phishing toolbars, and SSL or EV SSL certificates in future mobile browsers should mitigate this threat.
VI. Glossary

IM: Instant messaging, a form of real time communication over the Internet based on typed text.

IVR: Interactive voice response, a type of phone technology that allows a computer to detect voice and touch tones to relay information automatically.

Keylogger: A stealth application that monitors and records each keystroke a user makes.

Man in the middle attack: Attack that intercepts legitimate communication between two entities, such as a bank and a client. While the attacker has the intercepted communication, it can change the communication or even redirect it to a new site that the attacker controls. Typically, the two entities have no idea the man in the middle exists.

Man in the browser attack: A Trojan designed to intercept and manipulate data flowing between a browser and a site's security. Most commonly these Trojans are used to commit financial fraud.

MFA: Refer to Multifactor Authentication.

MMAP: Mobile Messaging Access Protocol, a protocol for sending SMS messages.

MMS: Multimedia Messaging Service, standard for sending multimedia objects (rich text, video, audio and images) over wireless telephones similar to SMS.

MNO: Mobile Network Operator, also known as carrier service provider or wireless service provider.

Multifactor Authentication: Using at least two factors for authorization for security; e.g., for financial institutions, MFA is mandated by the FFIEC for Internet banking.

OATH: According to the organization, "an industry wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication."

OTA: Over the air, that is, transmitted wirelessly.

OTP: One time password; by constantly altering the password, the risk of unauthorized intrusion is lessened.

PKI: Public Key Infrastructure, a cryptographic secure key exchange to authenticate and download an account.

PKI Public Key Cryptography: Type of asymmetric cryptography in which the key used for encrypting a message differs from the decryption key.

Platform: Hardware architecture or software framework that allows software to run, e.g., an operating system is a platform.

Phishing: The practice of sending false emails that typically look like they came from a legitimate business, requesting private information, often via a click through to another Web site that the crook has set up to look legitimate, but which is actually harvesting information.
Pharming: A hacking attack that redirects a Web site's traffic to another, false Web site.

Pretexting: The action of obtaining private personal information under false pretenses, often done over the phone, using prior information to gain new information, such as using an account number to gain a Social Security number.

PSKC: The standardization of the seed token by the Internet Engineering Task Force (IETF), known as Portable Symmetric Key Container. This will allow any vendor to seed its token with any other vendor's seed.

Redirects: Sending users to a Web site that impersonates another site. For example, making main pages available under many different URLs has opened up redirect vulnerability. URL redirects are often used in phishing attacks.

SHTTP: Secure HTTP, an extension to HTTP protocols to send secure communications over the Web.

SaaS (Software as a Service): A software application hosted by an ASP and accessed by users over a network, often employing a subscription or pay per use business model.

SDK (Software Development Kit): Programming tools to allow software engineers to build applications for a certain device or operating system (i.e. mobile devices, mobile device operating system).

SMS (Short Messaging Service): Communications channel allowing the exchange of short text messages.

SMS Text Banking: Mobile banking performed over the SMS text network, which is available on 100% of mobile phones, but is limited to 160 characters. (Also referred to as Text Banking / SMS Text / SMS Banking.)

SMTP (Simple Mail Transfer Protocol): Standard for email transmissions over the Internet, text based protocol.

SSL (Secure Sockets Layer): An encryption standard used to provide secure communications over the Internet for applications such as Web browsing, email, instant messaging, and other data transfers.

SMPP: Short Message Peer to Peer Protocol, a standard for SMS messaging, which allows for priority routing, notification of failed and successful deliveries, and for return receipt.

SMS: Short Messaging Service, a communications protocol allowing for short text messages between mobile devices.

Sniffing: Computer software or hardware that intercepts and logs traffic passing over a digital network or part of a network.

SSL: Secure Sockets Layer, encrypts the data communications layer for mobile, the predecessor to TLS.
TLS: Transport Layer Security, cryptographic protocols for sending messages and data over the mobile Internet.

Trojan: A Trojan is a program that performs illicit activity when it is run. It may be used to obtain personal information and allow a fraudster to take control of the computer from a remote site.

UDLAPs: User Defined Limits and Prohibitions, customer driven alerts and prohibitions.

Vishing: The practice of using social engineering and VOIP or landline telephoning to obtain access to private personal data for financial gain.

VoIP: Voice over Internet Protocol, transmission technology that allows for delivery of voice over the Internet.

VPN: Virtual Private Networks are where some of the links between nodes are carried by wireless connections or virtual systems, such as the Internet, instead of by wires.

WAP (Wireless Application Protocol): An open standard for applications on mobile devices to communicate with servers over the Internet. WAP sites are Web sites written in WML (Wireless Markup Language) and accessed via a mobile browser.

WAP Site: See Browser based.

WAP Gap: At the WAP gateway, WTLS transmissions are decrypted and then re-encrypted as SSL/TLS, exposing the data during the process.

WML (Wireless Markup Language): Based on XML (programming language for converting documents to be viewed over the internet), used for writing WAP browser sites.

WTLS (Wireless Transport Layer Security): The security layer of WAP, WTLS enables encrypted communications between mobile browsers and servers over the Internet.