The Top Issues in Mobile Payments Fraud
Jim Pitts, BITS; Cathy Davis, Comerica Bank; Al Pascual, Javelin Strategy & Research; Cecilia Hoyt, Wells Fargo & Company
March 11, 2013

Page 1: The Top Issues in Mobile Payments Fraud

The Top Issues in Mobile Payments Fraud
JIM PITTS, BITS
CATHY DAVIS, COMERICA BANK
AL PASCUAL, JAVELIN STRATEGY & RESEARCH
CECILIA HOYT, WELLS FARGO & COMPANY
MARCH 11, 2013

Page 2: The Top Issues in Mobile Payments Fraud

Agenda

• Mobile Payments Overview
• BITS Threat Assessment
- The Process
- Threats & Vulnerabilities
- Controls and Ratings
- Analysis, Mitigations & Recommendations
• Fraud Risk and Mitigation Strategies:
- Defining Risks
- Analyzing Attacks
- Challenges
- Countermeasures
• Regulatory Outlook
• Future of Mobile Banking and Mobile Payments

Page 3: The Top Issues in Mobile Payments Fraud

The Mobile Channel Already Represents More Than 6% of Total Online Retail Purchases

Traditional and Mobile Online Retail Payments Market Size, 2012
- Total U.S. Online Retail Purchases: $317.9 Billion
- Total Traditional Online Retail Payments: $297.6 Billion
- Total Mobile* Online Retail Payments: $20.3 Billion

*Mobile refers to "mobile devices," including feature phone, smartphone, tablet, etc. © 2012 Javelin Strategy & Research

Page 4: The Top Issues in Mobile Payments Fraud

Mobile Purchasers Are More Than Twice as Likely to Conduct Mobile Banking

Share of each group that mobile banked in the past 12 months versus those that did not:
- Mobile Purchasers: 64% mobile banked, 36% not mobile banked
- All Mobile Consumers: 27% mobile banked, 73% not mobile banked

Q7: Please indicate the last time you conducted each of the following activities: Mobile Banking. Q34: Please indicate the last time you made a purchase via your mobile device using each of the methods listed: Mobile browser or app.
June 2012, n = 962. Base: All mobile consumers; mobile consumers who have made a mobile purchase in the past 12 months. © 2012 Javelin Strategy & Research

Page 5: The Top Issues in Mobile Payments Fraud

Smartphone Owners Are Overwhelmingly Willing to Use Mobile Antivirus/Antimalware and Data Encryption Services

Willingness to Use Mobile Antivirus/Antimalware (% of smartphone owners):
- Not at all willing 5%, Somewhat unwilling 4%, Neutral 27%, Somewhat willing 27%, Very willing 37%

Willingness to Use Mobile Data Encryption Services (% of smartphone owners):
- Not at all willing 5%, Somewhat unwilling 3%, Neutral 24%, Somewhat willing 29%, Very willing 39%

Q23: On a scale of 1-5, please rate your willingness to use the following products or services: Antivirus or anti-malware software on your mobile device.
June 2012, n = 1779. Base: Smartphone owners. © 2012 Javelin Strategy & Research

Page 6: The Top Issues in Mobile Payments Fraud

Geolocation Users and Mobile Bankers Find Geolocation More Effective and Easy to Use

[Chart: two-panel diverging bar chart, panels "Ease of Use" and "Effectiveness"; x-axis "Percent of Consumers" from 30% on the "Not effective/not easy to use" side to 80% on the "Effective/easy to use" side; groups All consumers, Mobile bankers, Geo-location users in each panel.]
Values as extracted, panel by panel in that group order:
- Not effective/not easy to use: -17%, -12%, -8%; -22%, -18%, -12%
- Effective/easy to use: 28%, 43%, 67%; 23%, 37%, 60%

Q37. In your opinion, how effective are each of the following methods at protecting your information when you are banking? Image you previously selected is always displayed at login. Q38. In your opinion, how effective are each of the following methods at protecting your information when you are banking? Image you previously selected is always displayed at login.
August 2012, n = 3,000, 820, 347. Base: All consumers, mobile bankers, geolocation users. © 2012 Javelin Strategy & Research

Page 7: The Top Issues in Mobile Payments Fraud

Safety Is the Top Concern Among Consumers Unlikely to Make Contactless Payments

Reasons given (% of consumers):
- I do not think it is a safe form of payment: 51%
- I see no benefit to contactless payments: 46%
- I don't know how to use a contactless card or device: 18%
- I don't know how or where to get a contactless card or device: 17%
- I am worried merchants that I usually shop with will not accept contactless payment options: 13%
- Other, please specify: 3%

Q50: You responded that you are not likely to use a contactless payment card or a contactless payment option on your mobile phone or other device. Please select the reasons why. (Select up to three)
October 2012, n = 3,217. Base: All consumers unlikely to use contactless cards. © 2012 Javelin Strategy & Research

Page 8: The Top Issues in Mobile Payments Fraud

Visa, PayPal Most Trusted Brands for Financial Information

Consumer Security Ratings of Brand Most Trusted with Financial Information (percent of consumers):
- Visa 28%
- PayPal 23%
- American Express 17%
- Chase Bank 17%
- MasterCard 17%
- Bank of America 17%
- Wells Fargo 15%
- Amazon 11%
- Discover 10%
- Citibank 7%
- Verizon 6%
- Apple 5%
- AT&T 5%
- U.S. Bank 5%
- Google 4%
- Sprint 2%
- Facebook 2%

Q60: Which of the following companies would you trust most with your financial information?
December 2011, n = 5,878. Base: All consumers. © 2012 Javelin Strategy & Research

Page 9: The Top Issues in Mobile Payments Fraud

Gang of Four Languish While Visa and PayPal Lead

Consumer Ratings of Brand Best at Protecting Private Information (percent of consumers):
- Visa 31%
- PayPal 26%
- MasterCard 20%
- American Express 19%
- Bank of America 16%
- Chase Bank 15%
- Wells Fargo 13%
- Amazon 13%
- Discover 12%
- Verizon 8%
- AT&T 7%
- Apple 7%
- Citibank 6%
- Google 5%
- U.S. Bank 4%
- Facebook 3%
- Sprint 2%

Q61: Which of the following companies do you believe would be best at protecting your private information such as SSN, passwords, date of birth, etc.?
December 2011, n = 5,878. Base: All consumers. © 2012 Javelin Strategy & Research

Page 10: The Top Issues in Mobile Payments Fraud

BITS Mobile Threat Assessment Working Group

• Threat assessment approach and methodology are consistent with NIST guidelines [1]
• Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and impact of the occurrence.
• The Mobile Threat Assessment is used to review the extent of potential threats and the associated risk created by the existence of the threats.

[1] Threat assessment methodology is based on NIST SP 800-30 "Risk Management Guide for Information Technology Systems" (refer to pages 8 – 26)

Page 11: The Top Issues in Mobile Payments Fraud

BITS Mobile Threat Assessment Approach

Core steps in the assessment process: identify risks, assess controls, determine if gaps exist, then define plans for any remediation required.

1. Threat Categorization
• Identify applicable threat categories for mobile threats
• Document categories and threat segments

2. Threat Identification
• Identify the threat sources, which are the methods targeted at the intentional exploitation of a vulnerability
• Identify the threats, which are the potential for a threat-source to intentionally exploit a specific vulnerability
• Create threat scenarios (as needed) as visual representations of potential threats

3. Vulnerabilities Assessment
• Develop a list of potential vulnerabilities that could be exploited by potential threat-sources
• Vulnerabilities are potential flaws or weaknesses in procedures, design, proposed implementation or internal controls that could be exploited

4. Controls Inventory & Analysis
• Analyze internal preventative and detective controls that have been implemented, or are planned for implementation, to minimize or eliminate the likelihood or probability of noted threats exploiting identified vulnerabilities
• Identify potential control gaps or weaknesses

5. Control Ratings
• Determine the impact of, and the likelihood that, potential vulnerabilities will be exploited in the threat environment
• Prioritize and weigh risks
• Identify areas for immediate improvement and long term mitigation

6. Controls Recommendations & Mitigation Planning
• Document existing controls that can limit exposure to identified threat scenarios and risks
• Document weaknesses and control gaps
• Discuss threat assessment results with the leadership and stakeholders to determine if short and long term risk mitigation strategies and plans need to be put in place
• Document threat assessment reviews and approvals
• Repeat the process annually, or more frequently based on the risk assessment requirements and applicable regulatory guidance

Page 12: The Top Issues in Mobile Payments Fraud

BITS Mobile Threat Categorization

# / Category Name / Threat Description

1. Malware Targeting Mobile Platforms: Malicious software such as viruses, Trojan horses, spyware, and malicious active content. Viruses are a threat through peripheral device exposure or through use of an infected device to attack other devices. Spyware can be used to eavesdrop, impersonate, or remotely control a compromised device or user.
2. Mobile Spoofing: A malicious person or program could misrepresent itself as another in order to acquire sensitive personal information.
3. Weak Fraud Controls: Lack of adequate monitoring, detection, or prevention technology could lead to fraud losses.
4. Infected Applications: Application downloads containing malicious software.
5. Web Browser Attacks: Exploitation of malicious web applications to steal credentials, perform fraudulent transactions, or compromise information.
6. Marketplace Certification: Misrepresentation of branding or stealing legitimate branding.
7. SMS Redirection, SMS Hijack or SMS Exploit Forwarding: An SMS message can be used to redirect a mobile web browser to a malicious website; call forwarding can be used to fraudulently bypass authentication; fraudsters can subscribe a mobile number to a premium text number service to send messages to and from the numbers.
8. Vendor Breach: Compromise of a vendor's infrastructure could result in the loss of confidential information (now includes Carriers).
9. Transport/Protocol Gap: Weakness in the network or transport layer could allow eavesdropping or takeover.
10. User Device Control: Mobile device could be lost, stolen or inappropriately borrowed or misused.
11. Platform Specific Attacks: Utilization of known platform-specific weaknesses to perpetrate malicious activities.
12. Device Specific Attacks: Utilization of known device-specific weaknesses to perpetrate malicious activities (add to break out SIM Card vulnerabilities).
13. Rogue Applications: Fake applications placed in application stores for download that are usually trojanized copies of legitimate applications. The applications are used to harvest credentials and steal data.

Page 13: The Top Issues in Mobile Payments Fraud

BITS Mobile Vulnerability Assessment

Assessment results included input from multiple financial institutions of varying size and maturity in their mobile offerings. Each row of the assessment records the mobile threat, a vulnerability description with examples, likelihood, trend, impact and a detailed rationale. Example row:

# 2 Mobile Spoofing
Description: A malicious person or program could misrepresent itself as another in order to acquire sensitive personal information. Examples include:
• SMS Spoofing/Smishing: A phishing attempt sent via SMS (Short Message Service) or text message to a mobile phone or device. This tactic is also referred to as smishing, which is a combination of SMS and phishing. The purpose of text message phishing is the same as traditional email phishing: convince recipients to share their sensitive or personal information.
• Vishing: Also known as voice phishing, this tactic is a phishing attempt made through a telephone call, fax or voice message. In one scenario, messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.
Likelihood: Medium
Trend: Increasing
Impact: Low
Detailed Rationale: Impact rating was predominantly low, with several responders split into a medium rating. Spoofing targets are a small group; targeted phishing is migrating to mobile. At this point, good controls are in place by the carriers to prevent spoofing for accountability purposes. Most assessment respondents said they are not seeing or hearing about this in their environment. It has not yet been reported as widespread, so impact or likelihood cannot be assessed as high, although, just as with Automatic Number Identification spoofing or phishing, it is expected to increase as the fraud catches on.

Page 14: The Top Issues in Mobile Payments Fraud

BITS Controls Inventory and Ratings

Partial list of controls that were reviewed during the assessment and controls ratings applied during the review process. Each control is listed as: Effectiveness Rating (1-5), Importance Rating (1-5), Overall Rating (Low, Medium, High).

Detective Controls
• Mobile Fraud Detection (Alerts, Out Sorts, Day 2 Reports): 3.3, 3.7, Medium (7.0)
• Device-Specific Patching Processes: 3.2, 3.3, Medium (6.5)
• Application Stores/Marketplace Monitoring: 3.5, 3.3, Medium (6.8)
• Application Take-Down Processes (Rogue Apps): 3.4, 3.3, Medium (6.7)
• Remote Device Wipe/Remote Device Lock: 3.9, 3.5, Medium (7.4)
• Vendor Review Processes: 3.3, 3.2, Medium (6.5)
• Vendor Contracts, Vendor Review Processes, Shared Liability: 3.0, 3.3, Medium (6.3)
• Consumer Education: 2.9, 3.4, Medium (6.3)
• Identity/Brand Management Controls & Processes: 3.3, 3.5, Medium (6.8)

Page 15: The Top Issues in Mobile Payments Fraud

BITS Aggregated Controls Ratings

To provide a view of mobile layered security, the controls were aggregated and rated as a group. This proved to be an effective communication tool for debriefs with leadership teams looking for a holistic perspective on mobile risk mitigation. Each identified threat is listed with its aggregate mitigating controls, then: Aggregate Effectiveness Rating (1-5), Aggregate Importance Rating (1-5), Overall Rating (Low, Medium, High).

Identified Mobile Threats & Vulnerabilities

Malware Targeting Mobile Platforms
• Multi-factor authentication (mobile & online banking)
• App store development validation
• Applications sandboxing
• User authentication and login
• Store sensitive information off device
• Mobile malware detection
• Out of band verification controls
• Device settings controls
• Consumer education
Ratings: 4.16, 3.33, Medium (7.49)

Mobile Spoofing
• Multi-factor authentication (mobile & online banking)
• Secure transport protocols
• Mobile fraud detection
• Device/IP verification
• Authentication history of clients' transactions
• Consumer education
• A symbol or way for a person to know when they are at a "safe" place to provide information from their devices
Ratings: 4.33, 4.60, High (8.93)
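The deck cites NIST SP 800-30 for its likelihood/impact view of risk (page 10) and reports likelihood and impact for spoofing, the malware scenario and the account-takeover scenario, while the controls slides combine an effectiveness and an importance score into an overall rating. The following is an added example, not BITS material, that applies the SP 800-30 (2002) risk-level matrix to the slides' ratings and reproduces the control-rating arithmetic; the Low/Medium/High cut-offs for the 2-10 control score are an assumption chosen to agree with the rows shown.

```python
"""NIST SP 800-30 (2002) risk-level matrix applied to the threat ratings on
these slides, plus the control-rating arithmetic from the controls inventory.
Added example, not BITS material."""

# SP 800-30 (2002) Table 3-6 weights for threat likelihood and impact.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight (SP 800-30 Table 3-6)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate_threats(threats):
    """Map (name, likelihood, impact) tuples to {name: (score, level)}."""
    return {n: (risk_score(l, i), risk_level(risk_score(l, i))) for n, l, i in threats}


# Likelihood/impact ratings taken from the slides (pages 13, 18 and 19).
SLIDE_THREATS = [
    ("Mobile Spoofing", "Medium", "Low"),
    ("Malware Attack (DDA money movement)", "Medium", "Medium"),
    ("Account Takeover (Mobile Transfer)", "Low", "Low"),
]


def control_overall(effectiveness: float, importance: float) -> float:
    """Overall rating on the controls inventory slide is effectiveness plus
    importance, each on a 1-5 scale (e.g. 3.3 + 3.7 = 7.0 on a 2-10 scale)."""
    return round(effectiveness + importance, 2)


def control_band(overall: float) -> str:
    """Low/Medium/High band for the 2-10 overall score. The cut-offs (5 and 8)
    are an assumption: the slides show 6.3-7.49 as Medium and 8.93 as High but
    never state the thresholds, so these are chosen to match those rows."""
    if overall >= 8:
        return "High"
    if overall >= 5:
        return "Medium"
    return "Low"


def aggregate_controls(rows):
    """Aggregate a control group as page 15 does: average effectiveness and
    importance, then an overall score and band for the group.
    rows: list of (control name, effectiveness, importance)."""
    eff = sum(r[1] for r in rows) / len(rows)
    imp = sum(r[2] for r in rows) / len(rows)
    overall = control_overall(eff, imp)
    return round(eff, 2), round(imp, 2), overall, control_band(overall)


# Rows from the controls inventory slide (page 14).
SLIDE_CONTROLS = [
    ("Mobile Fraud Detection", 3.3, 3.7),
    ("Device-Specific Patching Processes", 3.2, 3.3),
    ("Application Stores/Marketplace Monitoring", 3.5, 3.3),
    ("Application Take-Down Processes (Rogue Apps)", 3.4, 3.3),
    ("Remote Device Wipe/Remote Device Lock", 3.9, 3.5),
    ("Vendor Review Processes", 3.3, 3.2),
    ("Vendor Contracts, Vendor Review Processes, Shared Liability", 3.0, 3.3),
    ("Consumer Education", 2.9, 3.4),
    ("Identity/Brand Management Controls & Processes", 3.3, 3.5),
]

if __name__ == "__main__":
    for name, (score, level) in rate_threats(SLIDE_THREATS).items():
        print(f"{name}: risk {score:g} -> {level}")
    print("Detective controls group:", aggregate_controls(SLIDE_CONTROLS))
```

Note that on the SP 800-30 matrix a Medium likelihood with Low impact (the spoofing row) scores 5 and lands in the Low band, which is why the deck's rationale stresses that neither can yet be rated high.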

Page 16: The Top Issues in Mobile Payments Fraud

BITS Recommendations & Mitigation Planning

Each identified mobile threat/vulnerability is listed with: description, control gaps/weaknesses, short term risk mitigation, and potential long term risk mitigation.

# 2 Mobile Spoofing
Description: A malicious person or program could misrepresent itself as another in order to acquire sensitive personal information.
Control Gaps / Weaknesses: Mobile Tech Maturity Issues; Monitoring Capability Shortfalls; Developmental Oversight; 3rd Party Security; Competitive Integrity Issues; Device Accessibility; Restrictive Policy; Authentication Compromise; Geo-location Spoofing
Short Term Risk Mitigation: Multifactor authentication (Mobile & Online banking); Device/IP verification; Secure transport protocols; Mobile fraud detection; Consumer education
Potential Long Term Risk Mitigation: Anomaly detection

# 3 Inadequate Fraud Controls
Description: Lack of adequate monitoring, detection, or prevention technology could enable or allow undetected or unauthorized access, unauthorized transactions, and/or fraud losses.
Control Gaps / Weaknesses: Mobile Tech Maturity Issues; Monitoring Capability Shortfalls; Developmental Oversight; 3rd Party Security; Competitive Integrity Issues; Restrictive Policy
Short Term Risk Mitigation: Multifactor authentication (Mobile & Online banking); Device/IP verification; Secure transport protocols; Mobile fraud detection; Consumer education
Potential Long Term Risk Mitigation: Transaction Limits

Page 17: The Top Issues in Mobile Payments Fraud

BITS Fraud Scenario Development

Mobile Security Threat Categories
• Malware Targeting Mobile Platforms
• Mobile Spoofing
• Inadequate Mobile Fraud Controls
• Infected Applications
• Web Browser Attacks
• Marketplace Misrepresentation
• SMS Redirection – Hijack or Exploit Forwarding
• Vendor Breach
• Transport or Protocol Gaps
• User Device Management
• Platform Specific Attacks
• Device Specific Attacks
• Rogue Applications

Fraud Scenarios
• Malware Attack
• Phishing/Smishing/Vishing
• Account Take Over/ID Theft
• Impersonation/Hijacking
• System Breach
• Browser Attacks
• Marketplace Misrepresentation

Page 18: The Top Issues in Mobile Payments Fraud

BITS Fraud Risk Scenario – Malware Attack
Criminal Activity. Money Movement: DDA to DDA

Threat Type: Malware targeting mobile platforms
Scenario: Use of malicious software or applications (MITM, ZITMO, Trojans, spyware) to hijack, impersonate, steal credentials, or otherwise support fraudulent crime.
Exposure: Theft of private information or credentials to gain access to account assets
Likelihood: Medium. Impact: Medium
Applies to: OLB, Mobile

Scenario steps:
1. Customer mobile device infected
• Customer clicks on a link which then infects their mobile device with a virus
2. Compromised credentials
• Customer logs into Online Banking (OLB) using infected mobile device
• Customer prompted to provide mobile number in addition to username and password
• Fraudster key logs information
3. Account takeover
• SMS message sent to fraudster
• Customer prompted to download fraudulent applications
• Fraudster now has control of OLB and mobile device; can re-direct SMS text
4. Funds transfer
• Fraudster gains unauthorized access
5. Funds removal
• Fraudster issues money movement on behalf of the customer

Fraud Concerns: Eavesdropping; Impersonation; Authentication compromise; Remotely control device or user; Virus, Trojan, spyware, active content; Peripheral device exposure
Control gaps: Competitive integrity issues; Criminal proficiency; Device accessibility; Application labeling; Developmental oversight; Infected devices; Mobile anti-virus issues
Fraud Controls: Application sandboxing; Mobile malware detection; Store sensitive information off device; Device settings controls; App store development validation; Consumer education; User authentication and login; Out of band verification controls; Application distribution practices; 3rd party security; Anti-virus sandboxing; Multi-factor authentication

Page 19: The Top Issues in Mobile Payments Fraud

BITS Sample Fraud Scenario: Account Takeover (Mobile Transfer)
Criminal Activity. Money Movement: DDA to DDA

Threat Type: Criminal compromises victim's online account and conducts multiple inter-customer transfers from victim's DDA/SAV accounts into his newly established SAV/DDA accounts, and withdraws the funds via ATM withdrawals and debit card purchases.
Exposure: Account takeover via compromised credentials, money movement
Likelihood: Low. Impact: Low. Loss Amount: Confidential
Applies to: Mobile transfers

Timeline:
1. Open New Account
• 08/04/10 - Existing DDA and Savings accounts. Customer does not have any online accounts.
• Customer impacted by malware
2. Account Maintenance Activities
• 08/05/10 Online access suspended due to security question failure
• 08/05/10 Password change
• 08/06/10 Phone number maintenance; security questions and online statement activated on victim's profile
• 08/06/10 Victim's accounts enrolled for Mobile Banking
• 08/06/10 Criminal adds his account as an inter-customer transfer payee
3. Funds Transfer
• Between 08/13/10 and 08/30/10 the criminal conducts 32 unauthorized mobile inter-customer transfer transactions and transfers $20,594 from the victim's account into the criminal's own savings account
• Criminal then moves funds from his savings account into his newly opened DDA
4. Funds Removal
• 08/06/10 – Criminal drains the new DDA account via ATM withdrawals and debit card purchases
5. Notification
• 09/04/10 - Victim visits a branch and reports unauthorized transactions

Fraud Concerns, Control gaps, Fraud Controls: Confidential
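The scenario above is a classic takeover timeline: a cluster of profile-maintenance changes (password, phone number, mobile enrollment, a new transfer payee) followed by a burst of transfers to that payee. The deck's recommended mitigations for inadequate fraud controls include mobile fraud detection, anomaly detection and transaction limits; the following added example (not BITS or any bank's code) shows detection logic for exactly this pattern over a constructed event log that reuses the slide's dates and total, with thresholds that are assumptions.

```python
"""Detection logic for the account-takeover pattern on the page 19 slide:
profile-maintenance changes (password, phone number, mobile enrollment, new
transfer payee) followed by a burst of transfers to the newly added payee.
Added example with a constructed event log; not BITS or any bank's code."""
from collections import defaultdict
from datetime import date, timedelta

# Profile-maintenance event types that precede the takeover on the slide.
MAINTENANCE = {"security_question_fail", "password_change", "phone_change",
               "mobile_enroll", "payee_add"}

# Tunable thresholds; these values are assumptions, not from the slides.
MAINT_WINDOW = timedelta(days=3)       # distinct maintenance actions within 3 days
NEW_PAYEE_WINDOW = timedelta(days=30)  # transfers to a payee added in the last 30 days
MAX_TRANSFERS = 5                      # count limit to a newly added payee
MAX_AMOUNT = 5000.0                    # cumulative amount limit to a newly added payee


def flag_account(events):
    """events: dicts with 'date' (datetime.date) and 'type'; transfers carry
    'amount', 'payee' and 'channel'; payee_add carries 'payee'.
    Returns {alert name: detail}, empty when nothing fires."""
    events = sorted(events, key=lambda e: e["date"])
    alerts = {}
    # Rule 1: three or more distinct maintenance actions inside MAINT_WINDOW.
    maint = [e for e in events if e["type"] in MAINTENANCE]
    for i, first in enumerate(maint):
        kinds = {e["type"] for e in maint[i:] if e["date"] - first["date"] <= MAINT_WINDOW}
        if len(kinds) >= 3:
            alerts["maintenance_burst"] = sorted(kinds)
            break
    # Rule 2: transfer count and cumulative amount to recently added payees
    # (a transaction-limit style control keyed on the new payee).
    added = {e["payee"]: e["date"] for e in events if e["type"] == "payee_add"}
    count, total = defaultdict(int), defaultdict(float)
    for e in events:
        if e["type"] != "transfer" or e.get("payee") not in added:
            continue
        if e["date"] - added[e["payee"]] <= NEW_PAYEE_WINDOW:
            count[e["payee"]] += 1
            total[e["payee"]] += e["amount"]
    for payee in count:
        if count[payee] > MAX_TRANSFERS or total[payee] > MAX_AMOUNT:
            alerts["new_payee_velocity"] = {"payee": payee, "count": count[payee],
                                            "total": round(total[payee], 2)}
    # Rule 3: the takeover chain is both of the above on the same account.
    if "maintenance_burst" in alerts and "new_payee_velocity" in alerts:
        alerts["account_takeover_pattern"] = "maintenance burst then transfers to new payee"
    return alerts


def sample_events():
    """Constructed timeline using the slide's dates and total (not real data)."""
    ev = [
        {"date": date(2010, 8, 5), "type": "security_question_fail"},
        {"date": date(2010, 8, 5), "type": "password_change"},
        {"date": date(2010, 8, 6), "type": "phone_change"},
        {"date": date(2010, 8, 6), "type": "mobile_enroll"},
        {"date": date(2010, 8, 6), "type": "payee_add", "payee": "CRIMINAL-SAV"},
    ]
    # 32 mobile inter-customer transfers between 08/13/10 and 08/30/10 that sum
    # to $20,594 (equal constructed amounts; the slide gives only the total).
    for n in range(32):
        ev.append({"date": date(2010, 8, 13) + timedelta(days=n % 18), "type": "transfer",
                   "channel": "mobile", "payee": "CRIMINAL-SAV", "amount": 643.5625})
    return ev


if __name__ == "__main__":
    for name, detail in flag_account(sample_events()).items():
        print(name, "->", detail)
```

In the slide's timeline the first flagged transfer would be on 08/13/10, three weeks before the victim reported the fraud at a branch on 09/04/10.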

Page 20: The Top Issues in Mobile Payments Fraud

BITS Advisory: Mobile Banking and Payment Application Vulnerabilities

Existing Security Vulnerabilities
• Imposter Applications
• Account Aggregation Applications
• Rogue Applications

Recommended Mitigation Strategies
• Search regularly (i.e. daily or weekly) for applications utilizing your financial institution's brand.
• Market the availability of the official financial institution mobile application(s).
• Provide consumers with tips on securely providing financial information via mobile applications.
• If an application violates copyright or contains malware, file a complaint through the store's support site.

Page 21: The Top Issues in Mobile Payments Fraud

Regulation Today, and Tomorrow

Existing Regulations
• FFIEC Existing Applicable Guidance
• FTC Consumer Privacy and Protections
• Impact of New Regulations
- Truth in Lending/Reg Z
- EFT Act/Reg E
- Patriot Act, Bank Secrecy Act, AML Reqs
- Gramm-Leach-Bliley
- UCC Article 4A and NACHA Rules
- State Money Transmitter and Services Laws
- Dodd-Frank
• Future Oversight
- CFPB
- ANSI
- ISO

Page 22: The Top Issues in Mobile Payments Fraud

Mobile Standards & Guidelines

• PCI Mobile Payment Acceptance Security Guidelines:
- Prevent account data from being intercepted when entered into a mobile device
- Prevent account data from compromise while processed or stored within the mobile device
- Prevent account data from interception upon transmission out of the mobile device
• NIST 800-124, NIST 800-164
• NTIA Mobile Transparency Code of Conduct for Mobile Applications
• Geo-location Privacy and Surveillance Act

Page 23: The Top Issues in Mobile Payments Fraud

BITS Layered Security for Mobile

[Diagram: layered security model; the text below is what can be recovered from it.]

Layers:
1. Trusted Communications
2. Regulation and Compliance
3. Mobile Financial Services
4. Secure Software Development
5. Secure Hardware Development
6. BYOD or Enterprise Mobile Devices

Cross-cutting bands: Compliance, Policy, Process, Secure Infrastructure

Parties: Financial Institution; Consumers; Enterprise Workforce; Application Developers; Device Manufacturers; Regulatory Entities; Cellular Service Providers

Controls named across the layers: Consumer Education; Device Identification; Mobile Malware Detection; Network Security Assessment; Protocol/Security Standards; Security Standards; Threat Information Sharing; Emerging Financial Services Oversight; Code Analysis and Reviews; Secure Transport Protocols; Remote Device Wipe/Lock; Application Sandboxing; Secure Code Checklists; Transaction Limits; Out of Band Verification; Multi-Factor Authentication; Security Awareness; Device Hardening; Compliance Monitoring; Secure Browsing; Network Security Controls; Device/OS Integrity Monitoring; Data Segregation and Encryption; Asset Management and Patching; Server Side Security Controls; Fraud Detection; Anomaly Detection

Page 24: The Top Issues in Mobile Payments Fraud

Thank You!

Questions?