Protecting the Future of Mobile Payments

Protecting the Future of Mobile Payments Jonathan LeBlanc Twitter: @jcleblanc Book: http://bit.ly/iddatasecurity

Transcript of Protecting the Future of Mobile Payments

Page 1: Protecting the Future of Mobile Payments

Protecting the Future of Mobile Payments

Jonathan LeBlanc
Twitter: @jcleblanc
Book: http://bit.ly/iddatasecurity

Page 2: Protecting the Future of Mobile Payments

Trust Zones & Account Security

Page 3: Protecting the Future of Mobile Payments

Building Shortcuts

Page 4: Protecting the Future of Mobile Payments

Browser Fingerprinting
https://panopticlick.eff.org/

Page 5: Protecting the Future of Mobile Payments
Page 6: Protecting the Future of Mobile Payments

Using Location Data

Page 7: Protecting the Future of Mobile Payments

Phone Identification?

Page 8: Protecting the Future of Mobile Payments

Device Fingerprinting

Page 9: Protecting the Future of Mobile Payments

//-------------
//Build Info: http://developer.android.com/reference/android/os/Build.html
//-------------

String osVersion = System.getProperty("os.version");  //os version
String device    = android.os.Build.DEVICE;           //device
String model     = android.os.Build.MODEL;            //model
int sdkVersion   = android.os.Build.VERSION.SDK_INT;  //sdk version of the framework
String serial    = android.os.Build.SERIAL;           //hardware serial number, if available

Retrieving Build Information for Android Device

Page 10: Protecting the Future of Mobile Payments

Getting Paired Devices?

Page 11: Protecting the Future of Mobile Payments

import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;
import java.util.Set;

//default adapter; null if the device has no Bluetooth hardware
BluetoothAdapter mBluetoothAdapter = BluetoothAdapter.getDefaultAdapter();

//fetch all bonded bluetooth devices
Set<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices();

//if devices found, fetch name and MAC address for each
if (pairedDevices.size() > 0){
    for (BluetoothDevice device : pairedDevices){
        String name = device.getName();     //Device Name
        String mac  = device.getAddress();  //Device MAC address
    }
}

Get all Bluetooth Paired Devices: Android

Page 12: Protecting the Future of Mobile Payments

Hardware Prototyping

Page 13: Protecting the Future of Mobile Payments
Page 14: Protecting the Future of Mobile Payments

Asynchronous Cryptography: Securing an Insecure Channel

Page 15: Protecting the Future of Mobile Payments
Page 16: Protecting the Future of Mobile Payments

Multi-User Environment

Page 17: Protecting the Future of Mobile Payments

# create private key in private.key
openssl genrsa -out private.key 2048

# create public key in public.pem
openssl rsa -in private.key -outform PEM -pubout -out public.pem

Generating Public / Private Keys

Page 18: Protecting the Future of Mobile Payments

var fs = require('fs');
var path = require('path');
var ursa = require('ursa');
var mkdirp = require('mkdirp');

//make directory and generate private / public keys for sender / receiver
var rootpath = './keys';
makekeys(rootpath, 'sender');
makekeys(rootpath, 'receiver');

Package Instantiation and Directory Creation

Page 19: Protecting the Future of Mobile Payments

function makekeys(rootpath, subpath){
    try {
        mkdirp.sync(path.join(rootpath, subpath));
    } catch (err) {
        console.error(err);
    }

    //generate an RSA key pair and export both halves as PEM
    var key = ursa.generatePrivateKey();
    var privatepem = key.toPrivatePem();
    var publicpem = key.toPublicPem();

    try {
        fs.writeFileSync(path.join(rootpath, subpath, 'private.pem'), privatepem, 'ascii');
        fs.writeFileSync(path.join(rootpath, subpath, 'public.pem'), publicpem, 'ascii');
    } catch (err) {
        console.error(err);
    }
}

Key and Directory Creation

Page 20: Protecting the Future of Mobile Payments

//load required keys
var senderprivkey = ursa.createPrivateKey(
    fs.readFileSync(path.join(rootpath, 'sender', 'private.pem')));
var recipientpubkey = ursa.createPublicKey(
    fs.readFileSync(path.join(rootpath, 'receiver', 'public.pem')));

//prepare JSON message to send
var msg = { 'user':'Nikola Tesla',
            'address':'W 40th St, New York, NY 10018',
            'state':'active' };

msg = JSON.stringify(msg);

//encrypt with recipient public key, and sign with sender private key
var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');
var signed = senderprivkey.hashAndSign('sha256', encrypted, 'utf8', 'base64');

Preparing Message, Encrypting, and Signing

Page 21: Protecting the Future of Mobile Payments

//load required keys
var senderpubkey = ursa.createPublicKey(
    fs.readFileSync(path.join(rootpath, 'sender', 'public.pem')));
var recipientprivkey = ursa.createPrivateKey(
    fs.readFileSync(path.join(rootpath, 'receiver', 'private.pem')));

//verify signature over the ciphertext with sender public key
var bufferedmsg = Buffer.from(encrypted, 'utf8');
if (!senderpubkey.hashAndVerify('sha256', bufferedmsg, signed, 'base64')){
    throw new Error("invalid signature");
} else {
    //decrypt message with recipient private key
    var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');

    //--------
    //message verified and decrypted
    //--------
}

Decrypting and Verifying Message

Page 22: Protecting the Future of Mobile Payments

Card Tokenization

Page 23: Protecting the Future of Mobile Payments

Credit Card Tokenization

Credit Card Information
Address Information
Card Holder Name
...
7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866

Page 24: Protecting the Future of Mobile Payments

Mobile Payments Landscape

Page 25: Protecting the Future of Mobile Payments

Thank You!

Slides: http://slideshare.net/jcleblanc

Jonathan LeBlanc
Twitter: @jcleblanc
Book: http://bit.ly/iddatasecurity