Mobile Strategy Partners Mobile Security

DESCRIPTION

Mobile Security presentation for Mobile Commerce USA conference in San Francisco, November 3, 2009

Text of Mobile Strategy Partners Mobile Security

1. Mobile Security
Mobile Commerce USA - November 2009
David Eads, Founder
david@MobileStrategyPartners.com
+1 (404) 285-4219

2. Background
Founder & CEO, Mobile Strategy Partners LLC
Help organizations optimize mobile commerce from both a business & tech perspective
Perform Risk Assessments as a part of my practice
Participated in many IT security reviews throughout my career in ecommerce, mobile commerce
Confidential
3. Frozen in fear
Security consistently reported as the biggest barrier to mobile banking and mobile commerce usage
47% of non-adopters cite security; 73% fear hackers can break into their phones (Tom Wills, Javelin, 12/08)
Security considered during purchase, implementation
Fraud fears limit Mobile Commerce functionality in N. America
Few commerce apps with a real checkout process
Limited transactional capabilities in mobile banking
Mobile payments wheels still spinning (esp. P2P)
Attacks follow adoption: Africa was first, hackers will turn to us
Phishing seems the most common & effective attack
SIM, Mobile phone fraud also related (Absa 07)
4. It's not what we fear
Mobile Commerce is basically safe, however consumers are still afraid
Everyone generally learned lessons of ecommerce
128-bit SSL
Multifactor Authentication
Phone Disabling features
Phone viruses, network hacks rare so far
Mobile makes us MORE secure in many ways
Balance, Transaction alerts, visibility
5. The danger is the unknown
Untested defenses are weak defenses
Monitoring systems an afterthought
Mobile new to Information Security teams
Consumer education lacking
Unsophisticated users with smart phones
6. Social trickery
Phishing proven effective, likely to continue
Phishing often cross-channel
Fake call centers, targeted attacks, detailed research
URL not visible on mobile browsers, URL shorteners
SMS alerts perfect temptation for phishing
Shortcode registration limits spoofing, but possible
Linking from SMS to web encourages email to web
Social networking, mobile convergence amplifies risk
7. Limited Detection
Few organizations monitor for mobile attacks
Variety of fraud detection systems exist for ecommerce sites but not optimized for mobile
Some adaptable to mobile, but mobile requires more (e.g. monitor SMS patterns, web services, mobile web)
Security companies yet to fully focus on mobile
Recession, limited adoption discourages investment in defensive systems
Attacks can happen even if adoption is low!
8. Unsophisticated Users
What happens when my Mom has a smartphone?!
Unsophisticated users today tend to have unsophisticated phones, which provide significant protection
Smartphone trend means most phones will be smart
My Mother-in-law & Father-in-Law have Blackberries
They are more vulnerable via phone than AOL dial-up
Damage to unsophisticated users can create major perception problems for the entire industry
9. Recommendations
Continue discouraging SMS, email links to apps
Promote, encourage PIN-locking phones
Require Multifactor Authentication & don't bypass it
Avoid storing sensitive data on phones
Architect mobile systems with security in mind
Keep sensitive data out of DMZs
Continual penetration testing
Mobile-aware fraud detection
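The "Limited Detection" and "Recommendations" slides both call for mobile-aware fraud detection, and specifically for monitoring SMS patterns. The following is an added example (written for this page, not from the deck or from Mobile Strategy Partners) of what a minimal SMS-gateway monitor could look like. It assumes a hypothetical pipe-delimited gateway log format (timestamp|direction|account|destination|message) and uses constructed sample lines; it flags two things the slides warn about: outbound messages that carry links (worse when the link goes through a URL shortener, which hides the real destination on a small screen), and bursts of one-time codes sent to a single account, which is the kind of pattern an ecommerce-oriented fraud system would not be looking for.

```python
"""Mobile-aware SMS monitoring (added example; log format and data are constructed)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample of a hypothetical outbound/inbound SMS gateway log.
# Format (assumed): timestamp|direction|account_id|destination|message
SAMPLE_LOG = """\
2009-11-03T09:00:01|out|acct-1001|+15550001|Your balance is $1,240.55
2009-11-03T09:00:05|out|acct-1002|+15550002|Security alert: confirm your login at http://bit.ly/x1 now
2009-11-03T09:01:10|out|acct-1003|+15550003|Code 482913 to authorize your transfer
2009-11-03T09:01:12|out|acct-1003|+15550003|Code 118273 to authorize your transfer
2009-11-03T09:01:15|out|acct-1003|+15550003|Code 993410 to authorize your transfer
2009-11-03T09:01:20|out|acct-1003|+15550003|Code 554611 to authorize your transfer
2009-11-03T09:02:00|in|acct-1004|+15550004|BAL
2009-11-03T09:03:30|out|acct-1005|+15550005|Visit https://example.com/app for the new app
"""

# Constructed list of shortener hosts; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
OTP_RE = re.compile(r"\bCode \d{6}\b")  # assumed one-time-code message shape


def parse_log(text):
    """Turn the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, account, dest, message = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "direction": direction,
            "account": account,
            "dest": dest,
            "message": message,
        })
    return events


def link_findings(events):
    """Flag outbound SMS that contain links; shortened links rank higher."""
    findings = []
    for ev in events:
        if ev["direction"] != "out":
            continue
        for url in URL_RE.findall(ev["message"]):
            host = (urlparse(url).hostname or "").lower()
            severity = "high" if host in SHORTENER_HOSTS else "medium"
            findings.append({"account": ev["account"], "url": url,
                             "host": host, "severity": severity})
    return findings


def otp_velocity_findings(events, window_seconds=60, threshold=3):
    """Flag accounts that received >= threshold one-time codes inside a sliding window."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["direction"] == "out" and OTP_RE.search(ev["message"]):
            per_account[ev["account"]].append(ev["ts"])
    findings = []
    for account, stamps in per_account.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"account": account, "codes_in_window": best})
    return findings


def analyze(text):
    """Run both detectors over a log and return their findings."""
    events = parse_log(text)
    return {"links": link_findings(events),
            "otp_velocity": otp_velocity_findings(events)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

On the sample log this reports the bit.ly link to acct-1002 as high severity, the plain link to acct-1005 as medium, and acct-1003 for four codes within ten seconds. Both checks are deliberately about the organisation's own outbound traffic: the deck's point is that the institution should stop training customers to click SMS links, and that a burst of step-up codes is a signal worth routing to the fraud team rather than an afterthought.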
10. Additional Slides
11. Best Practices
DO Encourage transactional functionality that drives revenue, like checkout, payments, etc.
DO perform a thorough risk assessment with mobile experts starting at the design phase
DO continual penetration testing and monitoring
DO user experience design to prevent confusion
DO require true MFA before transactions, etc.
DO provide strong encryption, etc.
12. Worst Practices
DON'T store sensitive data on the phone
DON'T encourage linking from SMS messages
DON'T let vendor architecture create security risks
DON'T display user identifiable information without proper multifactor authentication
DON'T do transactions in SMS without authentication from another channel (like voice)
DON'T encourage putting sensitive info in SMS
13. Threat Examples
Hacker getting to credit card numbers or other useful identity theft information through a breach in corporate access through mobile connection
Phishing attacks to trick users into providing access
Phishers then transfer money out of their account
Phishers could also potentially manipulate stocks
Using identifiable information to gain access
Mobile app doesn't do transactions, but exposes data
Thief uses data to gain access to acct. over phone
14. Brokerage Examples