Evolution of Mobile Security 063014 - macmember.org Presentation - Evolution of... · • Avoid...
iScan Online | www.iscanonline.com
Evolution of Mobile Security - MAC Webinar, July 2014
Billy Austin, President & Co-founder - iScan Online
• Facts: 2013: Greater than 70 billion smart device apps downloaded
• Higher profit: Transaction deposit costs - bank teller 65 cents vs mobile’s 3 cents
• Getting in the Game: Race to get a mobile financial product in the market with little or no security initiative
Mobile Financial Application Boom
1. Wall Street Journal - Lenders place bets on Mobile Banking - 4/9/2016
• PAN - Primary Account Number
• PCI DSS (accept credit cards) - Cardholder data
• HIPAA (healthcare) - Social Security, driver's license, credit card, date of birth & more…
• NCUA (credit unions) - Debit & credit cards
• PII - Personally Identifiable Information
Hackers Target Data
Today, the motive is financial. Organizations of all sizes are at risk, and the commonality is apparent.
Industry Attack Targets
• CONFIDENTIAL DATA 'PII' - Credit cards, Social Security, driver's license numbers
• CONFIGS - Passwords, screen savers, Bluetooth, personal firewall enabled, anti-virus settings, jailbroken
• APPLICATIONS - Browsers, Adobe Reader, Adobe Flash, Java, Office, chat, mail, banking
• OPERATING SYSTEM - Buffer overflows, command injections, Master Key, "Patch Tuesday"
Attack Threat Pillars
• June 25, 2014 - PayPal 2FA Bypass - Removes mobile app login with 2FA as a precaution
• May 21, 2014 - Outlook for Android - Unprotected attachments sdcard/attachments
• May 16, 2014 - LifeLock Wallet data leakage resulting in app removal and 17% decline in stock price
Recent Mobile Pillar Threats
Phishing / SMS Attack
OS & APP VULNERABILITY + UNENCRYPTED PII = DATA BREACH
Breach Scenario #1
Conditional Mobile Attack Vectors
• CONFIG: If Bluetooth is enabled
• PII: And stores credit card data
• ATTACK: Then run these
Breach Scenario #2
CONFIGURATION + UNENCRYPTED PII = DATA BREACH
• CONFIGS - Encryption not enabled: 98%
• CONFIGS - No onscreen password: 53%
• PII DATA - Store unprotected credit card data: 10%
• LOST / STOLEN: 5%
Breach Scenario #2 - Stolen / Lost Smartphones
Conditional Mobile Attack Vectors
• APPS: If financial apps are installed
• APPS: And serves ads or built with WebIDE
• ATTACK: Then use these - WebView addJavascriptinte.. or watering hole MiTM
Breach Scenario #3
Cloud Storage Risks - Mobile to & from PC
Default configurations replicate files to devices, exposing partners, family & employees.
1. Office - Multi-sync & share | Sensitive data - deliberate or accidental
2. Road warrior - Temporarily lost/stolen device with cloud storage - APT
3. Cached documents on SD card in clear text when viewing
4. Becomes trusted pivot point compromising shared connections
Breach Scenario #4 - Cloud Storage Mobile Risk
10 Privacy & Security Tips*
* Disclaimer - These recommendations are not meant to be an all-inclusive list for combating cyber crime but rather a good start.
1. Keep OS & Apps up-to-date
2. Set up a Passcode Lock & consider more than 4 digits
3. Enable fraud warning
4. Disable Autofill - reveals your information
5. Clear cookies, history, cache
Mobile Security & Privacy 10 Tips
6. Disable the SMS/Message preview
7. Enable/Turn on SSL for email security
8. Avoid the cool factor - jailbreak & rooted devices
9. Avoid using or clicking apps with in-app advertising links
10. Periodically assess your device for Cyber Attack Pillars (page 5)
Mobile Security & Privacy 10 Tips
Measure Everything and Test Regularly
Accept Mobile Payments? If your business accepts payments with smartphones and tablets, it is highly recommended to adhere to the internal PCI DSS requirements. Mobile applications may be secure today but at risk tomorrow. Mobile threats are emerging.
Validate cardholder data: Eventually cardholder data gets on the device. Assess for unprotected PAN data to know.
Quarterly health check: Best practices should incorporate periodic self-assessment or assessment from your PCI vendor.
Mobile Payments & PCI DSS
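A small assessment script, added here as an example (it is not iScan Online's code), that does what the "Validate cardholder data" and Breach Scenario #2 slides describe: it scans a constructed clear-text cache for Luhn-valid PANs and combines that finding with configuration weaknesses into one risk rating. The config key names and the sample cache are assumptions.

```python
import re
# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed sample of a document cached in clear text by a mobile app (not real data).
SAMPLE_CACHE = """Receipt cached from mobile banking app (constructed sample)
Card: 4111 1111 1111 1111  Exp 12/16
Support line: 214-555-0100
Order ref 1234-5678-9012-3456
Backup card 5555555555554444
"""

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card networks; filters out order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_unprotected_pans(text: str) -> list:
    """Return Luhn-valid PANs found in clear text, masked to the last four digits."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def weak_settings(config: dict) -> list:
    """Configuration weaknesses from the CONFIGS pillar; the key names are assumed."""
    weak = []
    if not config.get("encryption_enabled", False):
        weak.append("encryption not enabled")
    if not config.get("passcode_set", False):
        weak.append("no onscreen password")
    if config.get("bluetooth_enabled", False):
        weak.append("bluetooth enabled")
    if config.get("jailbroken", False):
        weak.append("jailbroken")
    return weak

def assess_device(config: dict, cached_text: str) -> dict:
    """CONFIGURATION + UNENCRYPTED PII = DATA BREACH: both present -> high risk."""
    pans = find_unprotected_pans(cached_text)
    weak = weak_settings(config)
    risk = "high" if pans and weak else "medium" if pans or weak else "low"
    return {"risk": risk, "unprotected_pans": pans, "weak_settings": weak}
```

Only masked PANs are returned, so the finding itself does not become another copy of cardholder data.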
• Storing or transmitting PII / Financial data exposes risk, period.
• Sticking with trusted app stores aids in fighting mobile breaches and attacks
• Avoid financial apps that use a Webview to serve HTML content such as in-app advertising
• Detect, Discover & Remediate threats on all devices, including the smart one in your pocket
Summary Bullets
Questions & Answers
Thank You!
Billy Austin, iScan Online, Inc.
@billyaustintx