Slide 1: COMP 3410 – I.T. in Electronic Commerce: eSecurity – Mobile Security

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/EC/ ... ETSecy4 {.html, .ppt}
ANU RSCS, 16 October 2012
Copyright 2008-12



Slide 2: Mobile Security – Agenda

1. Mobile Technology
   • Devices
   • Wireless Comms
2. Mobile Technology Users
3. Mobile Payments
4. Risk Assessment for Mobile Payments
5. Risk Assessment for Contactless Chips


Slide 3: 1. Mobile Devices

'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'

• Mobiles / Smartphones
• Handheld Computing Devices: PDAs, games machines, music-players, 'converged' / multi-function devices, Tablets (esp. iPad, but now many followers)
• Processing Capabilities in Other 'Form Factors': Credit-cards, RFID tags, subcutaneous chips
• Wearable Computing Devices: Watches, finger-rings, key-rings, glasses, necklaces, bracelets, anklets, body-piercings
• ? Nomadic / Untethered PCs


Slide 4: Wireless Comms and Mobile Security in 2011

• Wide Area Networks – Satellite
  • Geosynchronous (2 second latency)
  • Low-Orbit (Iridium)
• Wide Area Networks – ‘WiMax’ / IEEE 802.16; iBurst
• Wide Area Networks – Cellular (0.5 to 20km per cell)
  1G – Analogue Cellular, e.g. AMPS, TACS
  2G – Digital Cellular, e.g. GSM, CDMA
  3G – GSM/GPRS/EDGE, CDMA2000, UMTS/HSPA
  4G – LTE, with preliminary versions imminent
• Local Area Networks – ‘WiFi’ / 802.11x (10-100m radius)
• Personal Area Networks – Bluetooth (1-10 m radius)
• Contactless Cards / RFID Tags / NFC (1-10cm radius)



Slide 7: 2. Mobile Technology Users – Dimensions of Differentiation

• Education, Income, Wealth
• Infrastructure Availability
• Technical Capability
• Opportunity-Awareness
• Leadership / Followership
• Risk-Awareness, Risk-Aversion
• Age / 'Generation'


Slide 8: The 'Generations' of Computing Consumers

Generation              Indicative Birth-Years   Indicative Age in 2011
Silent / Seniors        1910-45                  66-100
Baby Boomers – Early    1945-55                  56-66
Baby Boomers – Late     1955-65                  46-56
Generation X            1965-80                  31-46
Generation Y            1980-95                  16-31
The iGeneration         1995-                    0-16


Slide 9: Generational Differences

Baby Boomers (45-65): Handshake/phone, PCs came late, had to adapt to mobile phones. Work is Life, the team discusses / the boss decides, process-oriented.

GenXs (30-45): Grew up with PCs, email and mobile phones, hence multi-taskers. Work to Have More Life, expect payback from work, product-oriented.

GenYs (15-30): Grew up with IM/chat, texting and video-games, strong multi-taskers. Life-Work Balance, expect fulfilment from work, highly interactive.

iGens (to 15): Growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking? Life before Work, even more hedonistic, highly (e-)interactive.



Slide 13: 3. Mobile Payments

• Commerce: Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC)
• eCommerce: Purchases of physical goods and services at virtual points of sale (Internet, Cellular phone)
• MCommerce: Purchases of digital goods and services, such as image, audio and video, and location-specific data
• Consumer-to-Consumer (C2C): Transfers of value between individuals


Slide 14: 4. Risk Assessment for Mobile Payments

(0) The Mainstream Security Model
(1) The Technical Architecture
(2) The Commercial Architecture
(3) The Transaction Process Aspect
(4) The Harm Aspect
(5) The Vulnerability Aspect
(6) The Threat Aspects
(7) The Safeguards Aspect


Slide 15: (0) The Mainstream Security Model

Abstract Threats become Actual Threatening Events, impinge on Vulnerabilities, overcome Safeguards and cause Harm.

Security is a (desirable) condition in which Harm does not arise because Threats are countered by Safeguards.

[Diagram: layered model – Technical Architecture of Physical Infrastructure; Commercial Architecture; Transaction Process; Security Model (Threats, Safeguards, Vulnerabilities, Harm)]


Slide 16: (1) The Technical Architecture – Indicative Model

[Diagram of the indicative model; components shown: User; Access Device; Personal Area Network & Router / Proxy; Internet Access Provider (IAP) or Transaction Device (TD); Access Networks (Unwired); Network Intermediary Nodes (Routers / Proxies); Gateways; Core Networks (Wired, Unwired); The Internet; Payment Intermediaries; Payment Services; Physical Context]



Slide 18: (2) Commercial Architecture

Internet Online Trading Protocol (IOTP):
• Customer/Payer
• Seller/Payee
• Payment Handler
• Delivery Handler
• Customer Support

BUT ALSO ...
• Internet Access Providers (IAPs)
• Carriage Service Providers (CSPs)
• Commercial Intermediaries, e.g. Paypal
• Transaction Service Providers, e.g. banks and credit-card companies
• Payment Services Providers, e.g. deposit-holders, lenders and insurers
• Regulators and complaints bodies, e.g. financial services ombudsmen
• Consumer Rights representative and advocacy organisations
• Consumer Segments, e.g. the mobility-disadvantaged, the sight-impaired, people with limited financial assets


Slide 19: (3) The Transaction Process Aspect

[Figure: transaction process diagram, from Herzberg (2003), p. 56]



Slide 22: (4) The Harm Aspect

• Injury to Persons
• Damage to Property
• Loss of Value of an Asset
• Breach of Personal Data Security, or Privacy more generally
• Financial Loss
• Inconvenience and Consequential Costs arising from Identity Fraud
• Serious Inconvenience and Consequential Costs arising from Identity Theft
• Loss of Reputation and Confidence


Slide 23: (5) The Vulnerability Aspect

• The Environment
  • Physical Surroundings
  • Organisational Context
  • Social Engineering
• The Device
  • Hardware, Systems Software
  • Applications
  • Server-Driven Apps (ActiveX, Java, AJAX, HTML5)
  • The Device's Functions: Known, Unknown, Hidden
  • Software Installation
  • Software Activation
• Communications
  • Transaction Partners
  • Data Transmission
• Intrusions
  • Malware Vectors
  • Malware Payloads
  • Hacking, incl. Backdoors, Botnets


Slide 24: (5) Threat Aspects – Second-Party

• Situations of Threat:
  • Banks
  • Telcos / Mobile Phone Providers
  • Toll-Road eTag Providers
  • Intermediaries
  • Devices
• Safeguards:
  • Terms of Contract
  • Risk Allocation
  • Enforceability
  • Consumer Rights


Slide 25: (6) Threat Aspects – Third-Party, Within-System

(Who else can get at you, where, and how?)

• Points-of-Payment, Physical:
  • Observation
  • Coercion
• Points-of-Payment, Electronic:
  • Rogue Devices
  • Rogue Transactions
  • Keystroke Loggers
  • Private Key Reapers
• Network, Electronic:
  • Interception
  • Decryption
  • Man-in-the-Middle Attacks
• Points-of-Processing:
  • Rogue Employee
  • Rogue Company
  • Error


Slide 26: (6) Threat Aspects – Third-Party, Within-Device

• Physical Intrusion
• Social Engineering
  • Confidence Tricks
  • Phishing
  • Masquerade
  • Abuse of Privilege
• Hardware
• Software
• Data
• Electronic Intrusion
  • Interception
  • Cracking / ‘Hacking’
    • Bugs
    • Trojans
    • Backdoors
    • Masquerade
  • Distributed Denial of Service (DDOS)
  • Infiltration by Software with a Payload


Slide 27: (6) Threat Aspects – Third-Party, Within-Device: Infiltration by Software with a Payload

Software (the ‘Vector’):
• Pre-Installed
• User-Installed
• Virus
• Worm
• ...

Payload:
• Trojan:
  • Spyware
  • Performative
  • Communicative
  • Bot / Zombie
• Spyware:
  • Software Monitor
  • Adware
  • Keystroke Logger
  • ...



Slide 30: Key Threat / Vulnerability Combinations

• Unauthorised Conduct of Transactions
• Interference with Legitimate Transactions
• Acquisition of Identity Authenticators
  e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
  e.g. Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (id authenticator)
  e.g. Biometrics capture and comparison
• Use of a Consumer Device as a Tool in a fraud perpetrated on another party


Slide 31: 5. Risk Assessment of Contactless Chips

• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 (cf. original $25)


Slide 32: Contactless Chip-Cards as Payment Devices

• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 and $35 resp. (cf. original $25)
• Presence of chip in card is not human-visible, but Logo / Brand may be visible
• No choice whether it's activated
• Operation of chip in card is not human-apparent
• No action required when within 5cm range, i.e. automatic payment
• No receipt is the norm
• Used as Cr-Card: Unauthenticated auto-lending
• Used as Dr-Card: PIN-less charge to bank account


Slide 33: Key Safeguards for Chip Payment Schemes

• Authentication – None / A Non-Secret // For Higher-Value Transactions Only / Always
  UK RingGo Parking Payment Scheme – last 4 digits
• Act of Consent – None / Unclear / Clear
  e.g. Tap the Pad in Response to Display of Fare
• Notification – None / Audio / Display
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None / Option or Online / Y
  Octopus, Drive-Through eTags for Road-Tolls, UK RingGo Parking Payment Scheme


Slide 34: Visa PayWave and MCard Paypass

• Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
• Act of Consent – None? / Unclear? / Clear?
  If the card is within 5cm of a device, whether seen or not
• Notification – None? / Audio? / Display?
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None? / Option? / Y?


Slide 35: The (In)Security Profile of Contactless Chip-Card Payment Transactions

• Non-Authentication, or mere possession: presentation of the card within a device's field, when that device is ready to charge money for something
• Vulnerable to card-capture, rogue devices, rogue transactions by legitimate devices, ...
• Relies on:
  • general levels of honesty among merchants and FIs
  • (consumer reconciliation is infeasible – no vouchers, and either very long statements or no statements)
  • (fraudulent transactions are obscured)
  • self-insurance by consumers
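As an added illustration (not the lecture's own material) of why consumer reconciliation is the missing safeguard here, and of the "Regular Account Reconciliation by Payers" item on the next slide: the script below takes a constructed issuer statement and a constructed payer-side tap-acknowledgement log (as a phone app recording an audio-ack might keep), and flags tap transactions the payer's device never acknowledged, plus no-CVM transactions above the $100 limit noted on slide 34. The line formats, merchants and amounts are invented.

```python
"""Payer-side reconciliation of contactless (tap) payments.

Constructed example: both inputs are invented, as is the '|' line format.
"""
from datetime import datetime, timedelta

# Constructed issuer statement: date time | amount | merchant | CVM
# (CVM = cardholder verification method reported for the transaction).
STATEMENT = """\
2012-10-16 08:02 | 3.50   | CAFE-ANU    | contactless-noCVM
2012-10-16 08:03 | 3.50   | CAFE-ANU    | contactless-noCVM
2012-10-16 12:40 | 42.00  | BOOKSHOP    | contactless-noCVM
2012-10-16 17:15 | 150.00 | ELECTRONICS | contactless-noCVM
2012-10-16 19:30 | 27.80  | SUPERMARKET | contactless-noCVM
"""

# Constructed payer log: one line per tap the payer's own device acknowledged.
TAP_LOG = """\
2012-10-16 08:02 | 3.50
2012-10-16 12:41 | 42.00
2012-10-16 19:30 | 27.80
"""

NO_CVM_LIMIT = 100.00             # slide 34: verification only above $100
MATCH_WINDOW = timedelta(minutes=2)  # assumed clock skew between the two logs


def parse_lines(text):
    """Parse '|'-separated lines into (datetime, amount, *rest) tuples."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M")
        rows.append((when, float(parts[1]), *parts[2:]))
    return rows


def reconcile(statement_text, tap_log_text):
    """Return a list of (reason, statement_row) findings for the payer."""
    statement = parse_lines(statement_text)
    unmatched_taps = parse_lines(tap_log_text)
    findings = []
    for row in statement:
        when, amount, merchant, cvm = row
        # 1. A no-CVM tap above the limit should not have been possible.
        if cvm == "contactless-noCVM" and amount > NO_CVM_LIMIT:
            findings.append(("over-limit without CVM", row))
        # 2. Each charge must consume exactly one acknowledged tap of the
        #    same amount within the window; a second charge at 08:03 for
        #    the same cafe therefore has no tap left to match.
        match = next((t for t in unmatched_taps
                      if t[1] == amount and abs(t[0] - when) <= MATCH_WINDOW),
                     None)
        if match is None:
            findings.append(("no payer-side notification", row))
        else:
            unmatched_taps.remove(match)
    return findings


if __name__ == "__main__":
    for reason, row in reconcile(STATEMENT, TAP_LOG):
        print(f"{reason}: {row[0]:%H:%M} ${row[1]:.2f} {row[2]}")
```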


Slide 36: Key Safeguards Required

• Choice of Activation or Not
• Two-Sided Device Authentication, i.e.
  • by Payee’s Chip of Payer’s Chip
  • by Payer’s Chip of Payee’s Chip
• Notification to Payer of:
  • Fact of Payment (e.g. Audio-Ack)
  • Amount of Payment
• At least one Authenticator
• Protection of the Authenticator(s)
• A Voucher (Physical and/or Electronic)
• Regular Account Reconciliation by Payers
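The two-sided device authentication listed above, as an added example that is not the lecture's code and not the EMV protocol: it assumes a symmetric key shared by the payer's chip and a legitimate payee terminal, and runs an HMAC-SHA256 challenge-response in each direction with the amount bound into both proofs, so that a terminal without the key (the "rogue device" of the previous slide) is refused by the card, and a changed amount is refused by the terminal.

```python
"""Mutual (two-sided) challenge-response between payer chip and payee terminal.

Simplified illustration with an assumed pre-shared key; real schemes derive
per-device keys and use certified public keys, which this does not model.
"""
import hashlib
import hmac
import secrets


def _mac(key, *parts):
    """HMAC over the '|'-joined message parts; the role tag prevents reflection."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class PayerChip:
    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)          # fresh per transaction
        return self.nonce

    def prove(self, terminal_nonce, amount_cents):
        # Card proves key possession to the terminal (payee authenticates payer).
        return _mac(self.key, b"card", terminal_nonce, self.nonce,
                    str(amount_cents).encode())

    def verify_terminal(self, terminal_nonce, amount_cents, proof):
        # Card checks the terminal before releasing payment (payer authenticates payee).
        expected = _mac(self.key, b"term", self.nonce, terminal_nonce,
                        str(amount_cents).encode())
        return hmac.compare_digest(expected, proof)


class PayeeTerminal:
    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def prove(self, card_nonce, amount_cents):
        return _mac(self.key, b"term", card_nonce, self.nonce,
                    str(amount_cents).encode())

    def verify_card(self, card_nonce, amount_cents, proof):
        expected = _mac(self.key, b"card", self.nonce, card_nonce,
                        str(amount_cents).encode())
        return hmac.compare_digest(expected, proof)


def run_payment(card, terminal, amount_cents):
    """Run the exchange; return (terminal_accepts_card, card_accepts_terminal)."""
    t_nonce = terminal.challenge()                       # 1. terminal -> card
    c_nonce = card.challenge()                           # 2. card -> terminal
    card_proof = card.prove(t_nonce, amount_cents)       # 3. card -> terminal
    term_proof = terminal.prove(c_nonce, amount_cents)   # 4. terminal -> card
    return (terminal.verify_card(c_nonce, amount_cents, card_proof),
            card.verify_terminal(t_nonce, amount_cents, term_proof))


if __name__ == "__main__":
    K = b"constructed-shared-key-for-illustration"   # not a real key
    print("legitimate terminal:", run_payment(PayerChip(K), PayeeTerminal(K), 350))
    print("unkeyed terminal:   ", run_payment(PayerChip(K), PayeeTerminal(b"no-key"), 350))
```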


Slide 37: The Status of Consumer Protection

• EFT Code of Conduct – phasing out
  http://www.asic.gov.au/asic/pdflib.nsf/LookupByFileName/EFT-Code-as-amended-from-1-July-2012.pdf
• ePayments Code – phasing in by 30 March 2013
  http://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument
• Soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...
• The banks have sought to weaken the protections (In NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)
• The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'


Slide 38: Payments in the Network Era – Initially Wired, Increasingly Unwired

‘Secure’ Models
• ATMs
• EFTPOS – Dr Tx
• Internet Banking
• Debit Tx over the Internet

Insecure Models
• EFTPOS – Cr Tx
• Credit Card Tx over the Internet (CNP / MOTO)

Highly Insecure Models
• Contactless-Chip / RFID / NFC


Slide 39: Mobile Security – Agenda

1. The Motivation
2. Mobile Technology
3. Mobile Technology Users
4. Mobile Payments
5. Risk Assessment for Mobile Payments
6. Risk Assessment for Contactless Chips
