Evolution of Mobile Security (063014) - macmember.org Presentation (transcript)

iScan Online | www.iscanonline.com

Evolution of Mobile Security
MAC Webinar, July 2014

Billy Austin, President & Co-founder, iScan Online

Mobile Financial Application Boom

• Facts: 2013: Greater than 70 billion smart device apps downloaded

• Higher profit: Transaction deposit costs - bank teller 65 cents vs mobile's 3 cents

• Getting in the Game: Race to get a mobile financial product in the market with little or no security initiative

1. Wall Street Journal - Lenders place bets on Mobile Banking - 4/9/2016

Hackers Target Data

• PAN - Primary Account Number

• PCI DSS (Accept credit cards) - Cardholder data

• HIPAA (Healthcare) - Social Security, Driver's License, Credit Card, Date of Birth & more…

• NCUA (Credit Unions) - Debit & Credit Cards

• PII - Personally Identifiable Information

Industry Attack Targets

Today, the motive is financial. Organizations of all sizes are at risk, and the commonality is apparent.

Attack Threat Pillars

• CONFIDENTIAL DATA 'PII' - Credit Cards, Social Security, Driver's License numbers

• CONFIGS - Passwords, Screen Savers, Bluetooth, Personal Firewall enabled, Anti-virus settings, Jailbroken

• APPLICATIONS - Browsers, Adobe Reader, Adobe Flash, JAVA, Office, Chat, Mail, Banking

• OPERATING SYSTEM - Buffer Overflows, Command Injections, Master Key, "Patch Tuesday"

Recent Mobile Pillar Threats

• June 25, 2014 - PayPal 2FA Bypass - Removes mobile app login with 2FA as a precaution

• May 21, 2014 - Outlook for Android - Unprotected attachments sdcard/attachments

• May 16, 2014 - LifeLock Wallet data leakage resulting in app removal and 17% decline in stock price

Breach Scenario #1

Phishing / SMS Attack

OS & APP VULNERABILITY + UNENCRYPTED PII = DATA BREACH

Breach Scenario #2 - Conditional Mobile Attack Vectors

CONFIG: If Bluetooth is Enabled

PII: And stores credit card data

ATTACK: Then run these

Breach Scenario #2 - Stolen / Lost Smartphones

CONFIGURATION + UNENCRYPTED PII = DATA BREACH

CONFIGS - Encryption not enabled: 98%

CONFIGS - No onscreen password: 53%

PII DATA - Store unprotected credit card data: 10%

LOST / STOLEN: 5%

Breach Scenario #3 - Conditional Mobile Attack Vectors

APPS: If Financial Apps are installed

APPS: And serves Ads or built with WebIDE

ATTACK: Then use these - Webview addJavascriptinte.. or watering hole MiTM

Breach Scenario #4 - Cloud Storage Mobile Risk

Cloud Storage Risks - Mobile to & from PC

Default configurations replicate files to devices, exposing partners, family & employees.

1. Office - Multi-sync & share | Sensitive Data - Deliberate or Accidental

2. Road warrior - Temporary lost/stolen device with Cloud storage - APT

3. Cached documents on SD card in clear text when viewing

4. Becomes trusted pivot point compromising shared connections

10 Privacy & Security Tips

* Disclaimer - These recommendations are not meant to be an all-inclusive list for combating cyber crime but rather a good start.

Mobile Security & Privacy 10 Tips

1. Keep OS & Apps up-to-date

2. Set up a Passcode Lock & consider more than 4 digits

3. Enable fraud warning

4. Disable Autofill - it reveals your information

5. Clear cookies, history, cache

6. Disable the SMS/Message preview

7. Enable/Turn on SSL for email security

8. Avoid the cool factor - jailbroken & rooted devices

9. Avoid using or clicking apps with in-app advertising links

10. Periodically assess your device for Cyber Attack Pillars (page 5)

Mobile Payments & PCI DSS

Measure Everything and Test Regularly

Accept Mobile Payments? If your business accepts payments with smartphones and tablets, it is highly recommended to adhere to the internal PCI DSS requirements. Mobile applications may be secure today but at risk tomorrow. Mobile threats are emerging.

Validate cardholder data - Eventually cardholder data gets on the device. Assess for unprotected PAN data to know.

Quarterly health check - Best practices should incorporate periodic self-assessment or assessment from your PCI vendor.
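The conditional rules of Breach Scenario #2 (a weak configuration plus unencrypted cardholder data) and the "assess for unprotected PAN data" check above can be expressed as a small posture assessment. The Python below is an added example, not iScan Online's code; the device records and their field names (encryption, screen_lock, bluetooth, jailbroken, cached_text) are constructed assumptions, and the PAN check is a Luhn-validated digit-pattern scan over whatever text was cached on the device.

```python
import re

# Constructed sample posture records (illustrative only, not from the deck)
DEVICES = [
    {"id": "phone-01", "encryption": False, "screen_lock": False,
     "bluetooth": True, "jailbroken": False,
     "cached_text": "receipt: card 4111 1111 1111 1111 exp 12/26"},
    {"id": "phone-02", "encryption": True, "screen_lock": True,
     "bluetooth": False, "jailbroken": True,
     "cached_text": "order id 1234 5678 9012 3450"},  # fails Luhn: not a PAN
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, which every real PAN passes; filters out order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return digit strings in text that look like PANs and pass Luhn."""
    out = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            out.append(digits)
    return out

def assess(dev):
    """Apply the deck's conditional rules; returns a list of finding strings."""
    f = []
    pans = find_pans(dev["cached_text"])
    if pans:
        f.append("PII: unprotected PAN stored")
    if not dev["encryption"]:
        f.append("CONFIG: encryption not enabled")
    if not dev["screen_lock"]:
        f.append("CONFIG: no onscreen password")
    if dev["jailbroken"]:
        f.append("CONFIG: jailbroken/rooted")
    # Scenario #2: configuration weakness + unencrypted PII = data breach
    weak_config = not dev["encryption"] or not dev["screen_lock"] or dev["bluetooth"]
    if pans and weak_config:
        f.append("BREACH: scenario 2 (configuration + unencrypted PII)")
    return f

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["id"], assess(dev))
```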

Summary Bullets

• Storing or transmitting PII / Financial data exposes risk, period.

• Sticking with trusted app stores aids in fighting mobile breaches and attacks

• Avoid financial apps that use a Webview to serve HTML content such as in-app advertising

• Detect, Discover & Remediate threats on all devices, including the smart one in your pocket

Questions & Answers

Thank You!

Billy Austin, iScan Online, Inc.

@billyaustintx