Mobility & Security Technology Risk Considerations
Robert J. Brown
Director, Information Security, WesCorp
Introductions
My background and role at WesCorp
Discussion Topics
• Mobile Growth Trends
• Internal Mobile Usage
• Mobile Banking Security
Mobile Growth Trends
Terminology
• SmartPhone
- PC-like functionality from a handheld device
- Larger screens, more memory/storage
- Some with advanced browsers
- iPod Touch, iPhone, Android, PSP, BlackBerry
• Communication Services
- SMS - Short Message Service (text)
- MMS - Multimedia Message Service (text+WAP)
- WAP - Wireless Application Protocol
Generational Trends
• Traditionalists (b. 1925-1943) - “Schedule an appointment”
• Baby Boomers (b. 1944-1962) - “If my door is open, knock and ask if you can come in”
• Generation X (b. 1963-1981) - “Check my cubicle to see if I’m there”
• Millennials (b. 1982-2000) - “Door, what door?”
[Chart: US population by generation. Labels as extracted: Traditionalists, Millennials, Gen X, Boomers. Values as extracted: 55 million, 80 million, 46 million, 75 million.]
Increasing Wireless Speeds
[Chart: peak data rate in Kbps (y-axis 0K to 16,000K) by network generation]
Generation | Service | Data rate
1G | Analog voice only | none
2G | Digital voice + limited data | under 20 Kbps
2.5G (“EDGE”) | Digital voice + data | under 90 Kbps
3G | Digital voice + data | under 3 Mbps
3.5G (HSDPA) | Digital voice + data | under 14.4 Mbps
Mobile Growth Trends
• AdMob Mobile Metrics
- Smartphones 33% of total requests in December, up from 22% in May
- iPhone OS share exceeds RIM + Windows Mobile combined
- iPhone generated 48% of SmartPhone requests in December, up from 9% in May
- Android has 2% market share after 2 months
Source: AdMob Mobile Metrics 12/08
Smartphone OS Share in US
[Chart: share of smartphone requests, 0% to 100%, May through December 2008, for Symbian, iPhone, RIM, Windows, Palm, Hiptop and Android]
Source: AdMob Mobile Metrics 12/08
Top Handset Models
Mfr | Device | % of Requests | Browser
Apple | iPhone | 16.2% | WebKit (Full)
Apple | iPod Touch | 7.1% | WebKit (Full)
Motorola | RAZR V3 | 6.4% | WAP 2
Motorola | KRZR K1c | 3.7% | WAP 2
Motorola | Z6m | 3.4% | WAP 2
Motorola | W385 | 3.0% | WAP 2
RIM | BlackBerry 8300 | 2.8% | WAP 2
RIM | BlackBerry 8100 | 2.5% | WAP 2
Palm | Centro | 2.5% | WAP 2
Samsung | R450 | 1.8% | WAP 2
Samsung | R210 | 1.8% | WAP 2
Samsung | M800 | 1.8% | WAP 2
LG | LX260 | 1.7% | WAP 2
Kyocera | K24 | 1.6% | WAP 2
Samsung | R430 | 1.4% | WAP 2
Danger | Sidekick II | 1.3% | WAP 2
Samsung | R410 | 1.0% | WAP 2
Sony | PSP | 1.0% | WAP 2
LG | CU720 | 0.9% | WAP 2
HTC | Dream (Android) | 0.8% | WebKit (Full)
24.1% support a “Real” Browser (iPhone, iPod Touch and HTC Dream combined)
Source: AdMob Mobile Metrics 12/08
Quick Conclusions
• Members - Millennial generation
- Large population quick to adopt technology
- Reduced concerns regarding security, privacy
• Wireless data speeds increasing
- 3G/3.5G, EVDO
• SmartPhone adoption is growing very quickly
- iPhone, Android, BlackBerry Storm
• Internet experience is superior from SmartPhones
• Internal users and Members will continue driving demand for smart devices with higher network speeds
Internal Mobile Usage
Business Drivers
• Enhanced Communication
- Real-time e-mail, calendar, contacts
- Text messaging
- Instant messaging
- Mobile access to content and information
- Personal - audio/video/browsing
- Information synchronization and storage
Mobile Threats vs. Risks
Threat | Risk / Impact
Device loss or theft | Loss of confidential info
Multiple wireless channels (WiFi) | Loss of credentials, device integrity
Malware / virus | Loss of credentials, device integrity
Interception / MITM | Loss of credentials
User awareness | Increased time between compromise and action
SPAM, Phish, SMiSh | Annoyance, monetary loss, fraud
Internal Risk Considerations
• Data Storage - large capacity (16GB+)
- Documents, Contacts (passwords)
• Browsers
- Stored cookies, credentials, passwords
• Software
- Third-party applications
• Content
- Video, audio, legal considerations, sharing
iPhone
• Requires iTunes to synchronize data
- Consumer-oriented audio/video
- Synchronization of data
- Sharing of music libraries via Bonjour
• Centralized vs. decentralized control
- Security and management features require ActiveSync Server / Exchange
• Remote wipe, password controls, inactivity timeouts
• Policies?
WesCorp Mobile Application
• Relationship Manager (RM) Mobile
- Browser-based iPhone target
- Real-time access to WesCorp rates
- CRM profiles of WesCorp Member
- Creation of call reports directly on-device
- Certificate purchase
- Access to WesCorp commentary, webinars, podcasts
- No NPPI, single-factor auth
Quick Conclusions
• Expect organizational pressure for new devices and smartphones (if you haven’t seen it yet)
• Saying “no” at the Corporate level will not deter individual purchase and use in the workplace
• Smartphones require re-thinking of both policy and enterprise support models
• Think about data loss prevention, remote wipe, passwords, remote access, WiFi vs. carrier network access
Mobile Banking Security
Business Drivers
• Reduced call volumes
• Reduced fraud
• Increased “stickiness”
• Attract new Members - Millennials
• Member Demand
- Better devices, network speeds
- Review balances quickly (in store)
- Search for surcharge-free ATMs
- Research checks or payment clearance
- Alerts for overdraft, fraud, payment due
Deployment Approaches
• Multiple deployment approaches
- SMS
- WAP Browser (1.x, 2.x)
- “Full” Browser
- Thick-client or local application (iPhone)
- Carrier-dependent, carrier-agnostic
Mobile Application Challenges
• Member perception of security
• Difficulty of data entry on mobile platform
• Varying size of screen on devices
• Slower speed of network connection
• “Lost” icon for downloaded applications
• Phishing - via e-mail, SMS, or other method
• Significant costs based on existing deployment models
Features vs. Risks
RO / RW: read-only or read/write service. NPPI: the service exposes non-public personal information. PAN: the service exposes a card or primary account number.
Service | RO / RW | NPPI | PAN | Authentication Required
Checking/Savings/Loan Balance | RO | DEPENDS | NO | Single-factor
Credit Card Balance | RO | DEPENDS | YES | Single-factor
Recent Transactions | RO | DEPENDS | NO | Single-factor
Historical Search / Check Status | RO | DEPENDS | NO | Single-factor
Alert - Overdraft, Threshold | RO | DEPENDS | NO | Single-factor
Bill Schedule / Due Date Review | RO | DEPENDS | NO | Single-factor
Currency Rates, ATM Locator | RO | NO | NO | None
Transfer Between Accounts | RW | DEPENDS | NO | Dual-factor
Stop Check | RW | DEPENDS | NO | Dual-factor
Domestic / International ACH | RW | YES | NO | Dual-factor
Change Alerts | RW | NO | NO | Dual-factor
Pay or Schedule Bill | RW | NO | NO | Dual-factor
Create/Update Billpay Vendor | RW | NO | NO | Dual-factor
Order Checks | RW | NO | NO | Dual-factor
Disable Credit Card | RW | YES | YES | Dual-factor
Personalize Settings | RW | NO | NO | Dual-factor
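The authentication column of the table above can be enforced as a step-up gate in the banking application. The Python below is an added example and is not WesCorp's code or anything shown in the deck: it transcribes six rows of the table, lets read-only services run on the session's single-factor login, requires a second factor for read/write services, and adds the check the table leaves implicit, that the second factor was completed in this session and is still fresh. The service keys, the five-minute validity window and the one-time-code handling are assumptions made for the example.

```python
"""Step-up authentication gate for the services in the slide's table.

Added example, not WesCorp's code. RO services run under the single-factor
login; RW services need a second factor completed in this session and still
fresh; public RO services with no NPPI need no login. Keys, the 5-minute TTL
and the OTP handling are assumed.
"""
import hmac
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Access(Enum):
    RO = "read-only"
    RW = "read/write"


@dataclass(frozen=True)
class Service:
    name: str
    access: Access
    nppi: str   # "YES", "NO" or "DEPENDS", as on the slide
    pan: bool   # service exposes a primary account number


# A subset of the slide's table, transcribed for the example (assumed keys).
CATALOGUE = {
    "balance":      Service("Checking/Savings/Loan Balance", Access.RO, "DEPENDS", False),
    "cc_balance":   Service("Credit Card Balance", Access.RO, "DEPENDS", True),
    "atm_locator":  Service("Currency Rates, ATM Locator", Access.RO, "NO", False),
    "transfer":     Service("Transfer Between Accounts", Access.RW, "DEPENDS", False),
    "ach":          Service("Domestic / International ACH", Access.RW, "YES", False),
    "disable_card": Service("Disable Credit Card", Access.RW, "YES", True),
}

SECOND_FACTOR_TTL = 5 * 60   # assumed policy: a completed OTP covers RW calls for 5 minutes


@dataclass
class Session:
    member_id: Optional[str] = None            # None: anonymous, not logged in
    pending_otp: Optional[str] = None          # code issued out of band (e.g. SMS), awaiting entry
    second_factor_at: Optional[float] = None   # epoch seconds of the last successful OTP
    second_factor_channel: Optional[str] = None


def required_auth(service: Service) -> str:
    """Return 'none', 'single' or 'dual', following the slide's RO/RW split."""
    if service.access is Access.RW:
        return "dual"
    if service.nppi == "NO" and not service.pan:
        return "none"
    return "single"


def complete_second_factor(session: Session, submitted: str, channel: str,
                           now: Optional[float] = None) -> bool:
    """Consume the pending OTP: constant-time compare, one attempt per issued code."""
    expected, session.pending_otp = session.pending_otp, None   # single use, even on failure
    if expected is None or not hmac.compare_digest(expected, submitted):
        return False
    session.second_factor_at = time.time() if now is None else now
    session.second_factor_channel = channel
    return True


def authorize(session: Session, service_key: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether this session may call the service, and say why."""
    now = time.time() if now is None else now
    service = CATALOGUE[service_key]
    need = required_auth(service)
    if need == "none":
        return True, "public"
    if session.member_id is None:
        return False, "login required"
    if need == "single":
        return True, "single-factor"
    if session.second_factor_at is None:
        return False, "step-up required"
    if now - session.second_factor_at > SECOND_FACTOR_TTL:
        return False, "second factor stale, step-up required"
    return True, "dual-factor via %s" % session.second_factor_channel


if __name__ == "__main__":
    s = Session(member_id="m-1001", pending_otp="482913")
    print(authorize(s, "balance", now=1000.0))     # (True, 'single-factor')
    print(authorize(s, "transfer", now=1000.0))    # (False, 'step-up required')
    complete_second_factor(s, "482913", "sms", now=1000.0)
    print(authorize(s, "transfer", now=1060.0))    # (True, 'dual-factor via sms')
    print(authorize(s, "transfer", now=1400.0))    # (False, 'second factor stale, step-up required')
```

The code is compared with `hmac.compare_digest` and discarded after a single attempt, so a wrong guess costs the attacker a fresh delivery rather than another try against the same code. The gate says nothing about how the code reached the member; an OTP sent by SMS is only as trustworthy as the process for changing the number on file, which the SMS risk slide later in the deck raises.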
SMS
• Extremely wide deployment
• No application to install or configure
• No browser required
• Easy to use
• High adoption rate among existing phone users
SMS Risk Issues
• No encryption
• Authentication is difficult
- FI to Member - think SMiShing
- Member to FI
• Intersections with web banking, phone banking
- How hard is it to change your cell number on file with your CU?
WAP
• Wireless Application Protocol
- 1.x - Avoid. WTLS encryption terminates at the carrier's WAP gateway, which decrypts and re-encrypts the traffic: a man-in-the-middle by design (the “WAP gap”).
- Push - Mostly on top of SMS, pushes content messages
- WAP 2.x - Current standard, similar to “full” browser
• TCP/IP, end-to-end HTTP and TLS
• Cipher suites, cert formats, signing algorithms
• XHTML + WAP CSS
• Backwards compatible
WAP Risk Issues
• Cookies
- Stored on-device
- Some gateways cause cookies to never expire
- Limits for number of cookies stored
- Domain cookies, secure flag
• Read the AT&T WAP 2.0 Guide
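The cookie points above can be checked mechanically against the Set-Cookie headers a site actually emits. This Python is an added example, not from the deck or from the AT&T guide: it parses each header and flags a missing Secure flag, a lifetime long enough to behave as never-expiring on a device or gateway, a Domain attribute that spreads the cookie across every host in the zone (or one the host will reject), and a cookie count over the per-host limit. The host names, the 20-cookie limit, the 24-hour ceiling, the fixed clock and the sample headers are all constructed for the example.

```python
"""Audit Set-Cookie headers for the cookie risks on the slide.

Added example, not WesCorp's code. Flags: no Secure flag, a lifetime that is
effectively 'never expires' on a device or gateway, a Domain that shares the
cookie across a whole zone (or that the host cannot accept), and more cookies
than the device keeps. Limits, host names and sample headers are assumed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

MAX_COOKIES_PER_HOST = 20    # assumed device/gateway cookie-jar limit per host
MAX_LIFETIME_HOURS = 24      # assumed ceiling for anything a banking site sets
NOW = datetime(2008, 12, 15, tzinfo=timezone.utc)   # fixed clock so results are reproducible


def parse_set_cookie(header: str) -> Dict[str, str]:
    """'name=value; Attr=val; Flag' -> {'name':..., 'value':..., 'attr': 'val', 'flag': ''}."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def lifetime(cookie: Dict[str, str], now: datetime = NOW) -> Optional[timedelta]:
    """Lifetime from Max-Age (takes precedence) or Expires; None for a session cookie."""
    if "max-age" in cookie:
        return timedelta(seconds=int(cookie["max-age"]))
    if "expires" in cookie:
        return parsedate_to_datetime(cookie["expires"]) - now
    return None


def audit(headers: List[str], host: str, now: datetime = NOW) -> List[str]:
    """Return one finding per problem in the cookies sent to `host`."""
    findings = []
    if len(headers) > MAX_COOKIES_PER_HOST:
        findings.append("%d cookies set, over the assumed device limit of %d; older ones may be evicted"
                        % (len(headers), MAX_COOKIES_PER_HOST))
    for header in headers:
        c = parse_set_cookie(header)
        n = c["name"]
        if "secure" not in c:
            findings.append("%s: no Secure flag, will also be sent over plain HTTP" % n)
        if "httponly" not in c:
            findings.append("%s: no HttpOnly flag, readable by script" % n)
        life = lifetime(c, now)
        if life is not None and life > timedelta(hours=MAX_LIFETIME_HOURS):
            hours = int(life.total_seconds() // 3600)
            findings.append("%s: lifetime %dh exceeds %dh ceiling, effectively permanent on the device"
                            % (n, hours, MAX_LIFETIME_HOURS))
        domain = c.get("domain", "").lstrip(".").lower()
        if domain and not (host == domain or host.endswith("." + domain)):
            findings.append("%s: Domain=%s does not cover host %s, cookie rejected" % (n, c["domain"], host))
        elif domain and domain != host:
            findings.append("%s: Domain=%s is shared with every host under %s" % (n, c["domain"], domain))
    return findings


# Constructed headers, as a banking site might emit them to a WAP 2.x or WebKit browser.
SAMPLE_HEADERS = [
    "SESSIONID=7f3a9c; Path=/; Secure; HttpOnly",
    "member_pref=en-US; Path=/; Expires=Sat, 15 Dec 2018 00:00:00 GMT",
    "auth_token=abc123; Domain=.bank.example; Path=/; Max-Age=31536000; Secure",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, "m.bank.example"):
        print(finding)
```

On the constructed headers the session cookie passes, the ten-year preference cookie is flagged three times, and the authentication token is flagged for its one-year lifetime, its missing HttpOnly flag and a Domain that hands it to every host under bank.example. Run it against real responses by pasting the headers into `SAMPLE_HEADERS`; a gateway that rewrites Expires will show up as an unexpected lifetime.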
“Full” Browser
• Welcome to WebKit
- iPhone, iPod Touch, Android, Palm Pre, Nokia S60
- Passes Acid 2 test for compatibility
- JavaScript, CSS, AJAX
• Flash
- Flash Lite
- Limited US availability (LG, Motorola, Nokia, Samsung)
“Full” Browser Risk Issues
• Authentication
- Cached credentials (username, password)
- Cookies and expiration
- Certificate acceptance and storage
- Backup/restore to desktop - target of traditional malware?
• Almost anything else a PC/Mac browser would be vulnerable to
Client Application
• Ultimate in control
- Authentication, authorization, accounting
• More branding opportunities
• Better device integration
- Click-to-call
- Maps / pindrop
Client Application Risk Issues
• Locally stored information
- Credentials, cached account information?
• Upgrade cycle
- Application integrity
- Management of varying devices, software versions
• Connectivity
- Intermediate proxies
Deployment Considerations
• Regardless of platform, think anti-fraud
- Why is a user all of a sudden transferring funds to Russia?
- Why is the source IP for a user coming from another country?
- Why did the cell phone number change?
- Why did the type of phone used change?
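Each of the four questions above is a comparison of one event against the member's own baseline, and the cell-number question from the SMS risk slide belongs with them, since a freshly changed number is where an SMS one-time code will be delivered. This Python is an added example and not WesCorp's fraud engine: it builds a baseline of IP countries, handset types and transfer destinations from unchallenged activity, scores each new event against that baseline, holds a transaction when the score crosses a threshold, and refuses to learn from activity that was held. The GeoIP table is a stub, the member's event timeline is constructed, and the point values, the seven-day phone-change window and the threshold are assumed.

```python
"""Anti-fraud signals for the mobile channel, from the slide's four questions.

Added example, not WesCorp's fraud engine. Baseline: IP countries, handsets and
transfer destinations seen in unchallenged activity. GeoIP table is a stub,
events are constructed, point values / window / threshold are assumed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GEO = {"64.12": "US", "198.51": "US", "203.0": "AU", "91.203": "RU"}   # stub: first two octets -> country

PHONE_CHANGE_WINDOW_DAYS = 7   # assumed: a number change stays "recent" for a week
ALERT_THRESHOLD = 50           # assumed: score at which the event is held for review


def ip_country(ip: str) -> str:
    return GEO.get(".".join(ip.split(".")[:2]), "??")


@dataclass
class Profile:
    """What prior, unchallenged activity tells us about the member."""
    countries: Counter = field(default_factory=Counter)           # IP countries at login/transfer
    devices: Counter = field(default_factory=Counter)             # handset models seen
    transfer_countries: Counter = field(default_factory=Counter)  # destinations of past transfers
    phone: Optional[str] = None
    phone_changed_day: Optional[int] = None                       # day number of the last change


def score(event: Dict, profile: Profile) -> Tuple[int, List[str]]:
    """Score one event against the baseline; each reason maps to a question on the slide."""
    points, reasons = 0, []
    country = ip_country(event["ip"])
    if country == "??":
        points += 20
        reasons.append("source IP not geolocatable")
    elif profile.countries and country not in profile.countries:
        points += 40
        reasons.append(f"source IP from {country}, never seen for this member")
    if profile.devices and event["device"] not in profile.devices:
        points += 20
        reasons.append(f"handset changed to {event['device']}")
    if event["type"] == "transfer":
        dest = event["dest_country"]
        if profile.transfer_countries and dest not in profile.transfer_countries:
            points += 40
            reasons.append(f"first transfer to {dest}")
        if profile.phone_changed_day is not None:
            days = event["day"] - profile.phone_changed_day
            if 0 <= days <= PHONE_CHANGE_WINDOW_DAYS:
                points += 30
                reasons.append(f"cell number changed {days} day(s) ago; an SMS OTP may reach an attacker")
    return points, reasons


def learn(event: Dict, profile: Profile) -> None:
    """Extend the baseline with an event we chose not to challenge."""
    profile.countries[ip_country(event["ip"])] += 1
    profile.devices[event["device"]] += 1
    if event["type"] == "transfer":
        profile.transfer_countries[event["dest_country"]] += 1


def process(events: List[Dict]) -> List[Tuple[int, int, List[str]]]:
    """Run one member's event stream; return (day, score, reasons) per event."""
    profile, out = Profile(), []
    for ev in events:
        points, reasons = score(ev, profile)
        if ev["type"] == "phone_change":
            # The change has already happened: record it even when the event itself is suspicious.
            profile.phone, profile.phone_changed_day = ev["new_phone"], ev["day"]
        if points < ALERT_THRESHOLD:
            learn(ev, profile)   # only unchallenged activity extends the baseline
        out.append((ev["day"], points, reasons))
    return out


SAMPLE_EVENTS = [   # constructed timeline for one member
    {"day": 1, "type": "login", "ip": "64.12.1.10", "device": "iPhone"},
    {"day": 8, "type": "transfer", "ip": "64.12.1.22", "device": "iPhone", "dest_country": "US", "amount": 250},
    {"day": 15, "type": "login", "ip": "198.51.100.7", "device": "iPhone"},
    {"day": 31, "type": "phone_change", "ip": "91.203.5.9", "device": "RAZR V3", "new_phone": "+1-555-0100"},
    {"day": 32, "type": "transfer", "ip": "91.203.5.9", "device": "RAZR V3", "dest_country": "RU", "amount": 4800},
    {"day": 33, "type": "login", "ip": "64.12.1.10", "device": "iPhone"},
]

if __name__ == "__main__":
    for day, points, reasons in process(SAMPLE_EVENTS):
        print(day, points, "HOLD" if points >= ALERT_THRESHOLD else "ok", reasons)
```

The first three events build the baseline and score zero. The day-31 number change from a Russian address on a different handset scores 60 and is held, and the day-32 transfer to Russia scores 130 on all four questions at once. Because held events are not learned, the legitimate login on day 33 still scores zero against the original baseline rather than against one the attacker has already poisoned.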
Quick Conclusions
• There is no one right answer
• Think through services from multiple perspectives
- What transactions will be supported and the relative risk
- What delivery channels will be supported (SMS, WAP)
• Mixed-mode - auth via one channel, content via another
- How an attacker could break your system
• Interfaces between mobile, phone, ATM, branch, teller
- How can this enhance a Red Flags / anti-fraud
Thank You
Robert Brown Director, Information Security, WesCorp
909-394-6393; LinkedIn, Facebook, and www.robertjbrown.com
Reference Materials at www.robertjbrown.com