Mobility & Security Technology Risk Considerations Robert J. Brown Director, Information Security WesCorp


Page 1: Mobility & Security Technology Risk Considerations

Mobility & Security Technology Risk Considerations

Robert J. Brown

Director, Information Security WesCorp

Page 2: Introductions

My background and role at WesCorp

Page 3: Discussion Topics

• Mobile Growth Trends
• Internal Mobile Usage
• Mobile Banking Security

Page 4: Mobile Growth Trends

Page 5: Terminology

• SmartPhone
  - PC-like functionality from a handheld device
  - Larger screens, more memory/storage
  - Some with advanced browsers
  - iPod Touch, iPhone, Android, PSP, BlackBerry

• Communication Services
  - SMS - Short Message Service (text)
  - MMS - Multimedia Message Service (text+WAP)
  - WAP - Wireless Application Protocol

Page 6: Generational Trends

• Traditionalists (b. 1925-1943) - “Schedule an appointment”
• Baby Boomers (b. 1944-1962) - “If my door is open, knock and ask if you can come in”
• Generation X (b. 1963-1981) - “Check my cubicle to see if I’m there”
• Millennials (b. 1982-2000) - “Door, what door?”

Chart: population by generation (labels and values in slide order)
  Traditionalists   55 million
  Millennials       80 million
  Gen X             46 million
  Boomers           75 million

Page 7: Increasing Wireless Speeds

Chart: data rate by network generation (vertical axis 0K to 16,000K, in Kbps)
  1G     Analog Voice Only
  2G     Digital Voice + Limited Data (under 20Kbps)
  2.5G   Digital Voice + Data (under 90Kbps), “EDGE”
  3G     Digital Voice + Data (under 3Mbps)
  3.5G   Digital Voice + Data (under 14.4Mbps), HSDPA

Page 8: Mobile Growth Trends

• AdMob Mobile Metrics
  - Smartphones 33% of total requests in December, up from 22% in May
  - iPhone OS share exceeds RIM+Windows Mobile combined
  - iPhone generated 48% of SmartPhone requests in December, up from 9% in May
  - Android has 2% market share after 2 months

Source: AdMob Mobile Metrics 12/08

Page 9: Smartphone OS Share in US

Chart: monthly share of requests (0% to 100%), May through December, by OS: Symbian, iPhone, RIM, Windows, Palm, Hiptop, Android

Source: AdMob Mobile Metrics 12/08

Page 10: Top Handset Models

Mfr        Device                 % of Requests   Browser
Apple      iPhone                 16.2%           WebKit (Full)
Apple      iPod Touch             7.1%            WebKit (Full)
Motorola   RAZR V3                6.4%            WAP 2
Motorola   KRZR K1c               3.7%            WAP 2
Motorola   Z6m                    3.4%            WAP 2
Motorola   W385                   3.0%            WAP 2
RIM        BlackBerry 8300        2.8%            WAP 2
RIM        BlackBerry 8100        2.5%            WAP 2
Palm       Centro                 2.5%            WAP 2
Samsung    R450                   1.8%            WAP 2
Samsung    R210                   1.8%            WAP 2
Samsung    M800                   1.8%            WAP 2
LG         LX260                  1.7%            WAP 2
Kyocera    K24                    1.6%            WAP 2
Samsung    R430                   1.4%            WAP 2
Danger     Sidekick II            1.3%            WAP 2
Samsung    R410                   1.0%            WAP 2
Sony       PSP                    1.0%            WAP 2
LG         CU720                  0.9%            WAP 2
HTC        Dream (Android)        0.8%            WebKit (Full)

24.1% support a “Real” Browser

Source: AdMob Mobile Metrics 12/08

Page 11: Quick Conclusions

• Members - Millennial generation
  - Large population quick to adopt technology
  - Reduced concerns regarding security, privacy
• Wireless data speeds increasing
  - 3G/3.5G, EVDO
• SmartPhone adoption is growing very quickly
  - iPhone, Android, Blackberry Storm
• Internet experience is superior from SmartPhones
• Internal users and Members will continue driving demand for smart devices with higher network speeds

Page 12: Internal Mobile Usage

Page 13: Business Drivers

• Enhanced Communication
  - Real-time e-mail, calendar, contacts
  - Text messaging
  - Instant messaging
  - Mobile access to content and information
  - Personal - audio/video/browsing
  - Information synchronization and storage

Page 14: Mobile Threats vs. Risks

Threat                              Risk / Impact
Device loss or theft                Loss of confidential info
Multiple wireless channels (wifi)   Loss of credentials, device integrity
Malware / virus                     Loss of credentials, device integrity
Interception / MITM                 Loss of credentials
User awareness                      Increased time between compromise and action
SPAM, Phish, SMiSh                  Annoyance, monetary loss, fraud

Page 15: Internal Risk Considerations

• Data Storage - large capacity (16GB+)
  - Documents, Contacts (passwords)
• Browsers
  - Stored cookies, credentials, passwords
• Software
  - Third-party applications
• Content
  - Video, audio, legal considerations, sharing

Page 16: iPhone

• Requires iTunes to synchronize data
  - Consumer-oriented audio/video
  - Synchronization of data
  - Sharing of music libraries via Bonjour
• Centralized vs. decentralized control
  - Security and management features require ActiveSync Server / Exchange
  - Remote wipe, password controls, inactivity timeouts
• Policies?

Page 17: WesCorp Mobile Application

• Relationship Manager (RM) Mobile
  - Browser-based iPhone target
  - Real-time access to WesCorp rates
  - CRM profiles of WesCorp Member
  - Creation of call reports directly on-device
  - Certificate purchase
  - Access to WesCorp commentary, webinars, podcasts
  - No NPPI, single-factor auth

Page 18: Quick Conclusions

• Expect organizational pressure for new devices and smartphones (if you haven’t seen it yet)
• Saying “no” at the Corporate level will not deter individual purchase and use in the workplace
• Smartphones require re-thinking of both policy and enterprise support models
• Think about data loss prevention, remote wipe, passwords, remote access, WiFi vs. carrier network access

Page 19: Mobile Banking Security

Page 20: Business Drivers

• Reduced call volumes
• Reduced fraud
• Increased “stickiness”
• Attract new Members - Millennials
• Member Demand
  - Better devices, network speeds
  - Review balances quickly (in store)
  - Search for surcharge-free ATMs
  - Research checks or payment clearance
  - Alerts for overdraft, fraud, payment due

Page 21: Deployment Approaches

• Multiple deployment approaches
  - SMS
  - WAP Browser (1.x, 2.x)
  - “Full” Browser
  - Thick-client or local application (iPhone)
  - Carrier-dependent, carrier-agnostic

Page 22: Mobile Application Challenges

• Member perception of security
• Difficulty of data entry on mobile platform
• Varying size of screen on devices
• Slower speed of network connection
• “Lost” icon for downloaded applications
• Phishing - via e-mail, SMS, or other method
• Significant costs based on existing deployment models

Page 23: Features vs. Risks

Service                            RO / RW   NPPI      PAN   Authentication Required
Checking/Savings/Loan Balance      RO        DEPENDS   NO    Single-factor
Credit Card Balance                RO        DEPENDS   YES   Single-factor
Recent Transactions                RO        DEPENDS   NO    Single-factor
Historical Search / Check Status   RO        DEPENDS   NO    Single-factor
Alert - Overdraft, Threshold       RO        DEPENDS   NO    Single-factor
Bill Schedule / Due Date Review    RO        DEPENDS   NO    Single-factor
Currency Rates, ATM Locator        RO        NO        NO    None
Transfer Between Accounts          RW        DEPENDS   NO    Dual-factor
Stop Check                         RW        DEPENDS   NO    Dual-factor
Domestic / International ACH       RW        YES       NO    Dual-factor
Change Alerts                      RW        NO        NO    Dual-factor
Pay or Schedule Bill               RW        NO        NO    Dual-factor
Create/Update Billpay Vendor       RW        NO        NO    Dual-factor
Order Checks                       RW        NO        NO    Dual-factor
Disable Credit Card                RW        YES       YES   Dual-factor
Personalize Settings               RW        NO        NO    Dual-factor
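The matrix above is only useful if the service layer enforces it on every request. The following is an added example, not code from the deck or from WesCorp: it encodes a subset of the table as a policy dictionary (RO/RW, NPPI, PAN, required authentication level), refuses a request when the session's authentication level is below what the row demands, and masks the PAN before anything reaches the handset. The service names, session fields, channel labels, account data and the rule that keeps read-write services off SMS are all constructed for the example; "DEPENDS" rows are treated conservatively as returning NPPI.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class AuthLevel(IntEnum):
    """Authentication strength of the current session (ordered)."""
    NONE = 0
    SINGLE_FACTOR = 1
    DUAL_FACTOR = 2


@dataclass(frozen=True)
class ServicePolicy:
    read_write: bool          # RW on the slide
    returns_nppi: bool        # NPPI column; "DEPENDS" treated as True here
    returns_pan: bool         # PAN column
    required_auth: AuthLevel  # "Authentication Required" column


# Subset of the slide's matrix; the remaining rows follow the same pattern.
POLICY: Dict[str, ServicePolicy] = {
    "balance":             ServicePolicy(False, True,  False, AuthLevel.SINGLE_FACTOR),
    "credit_card_balance": ServicePolicy(False, True,  True,  AuthLevel.SINGLE_FACTOR),
    "recent_transactions": ServicePolicy(False, True,  False, AuthLevel.SINGLE_FACTOR),
    "atm_locator":         ServicePolicy(False, False, False, AuthLevel.NONE),
    "transfer":            ServicePolicy(True,  True,  False, AuthLevel.DUAL_FACTOR),
    "stop_check":          ServicePolicy(True,  True,  False, AuthLevel.DUAL_FACTOR),
    "disable_credit_card": ServicePolicy(True,  True,  True,  AuthLevel.DUAL_FACTOR),
}


@dataclass(frozen=True)
class Session:
    member_id: str
    auth_level: AuthLevel
    channel: str   # constructed labels: "sms", "wap", "browser" or "app"


class AccessDenied(Exception):
    pass


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def authorize(session: Session, service: str) -> ServicePolicy:
    """Deny unless the session satisfies the matrix row for this service."""
    policy = POLICY.get(service)
    if policy is None:
        raise AccessDenied(f"unknown service {service!r}")
    if session.auth_level < policy.required_auth:
        raise AccessDenied(
            f"{service} requires {policy.required_auth.name}, "
            f"session is {session.auth_level.name}")
    # Constructed channel rule, following the deck's "SMS: no encryption" point:
    # anything that moves money or changes settings is kept off SMS.
    if policy.read_write and session.channel == "sms":
        raise AccessDenied(f"{service} is read-write and not offered over SMS")
    return policy


def handle_request(session: Session, service: str, account: dict) -> dict:
    """Build the response body; the PAN is never echoed in full to a handset."""
    policy = authorize(session, service)
    body = {"service": service, "read_write": policy.read_write}
    if policy.returns_pan:
        body["pan"] = mask_pan(account["pan"])
    if service in ("balance", "credit_card_balance"):
        body["balance"] = account["balance"]
    return body


# Constructed account record used for the demonstration.
ACCOUNT = {"pan": "4111111111111111", "balance": 1234.56}


def outcome(session: Session, service: str, account: dict = ACCOUNT) -> str:
    """Summarise one request as 'allowed' or 'denied: <reason>'."""
    try:
        handle_request(session, service, account)
        return "allowed"
    except AccessDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    checks = [
        (Session("m-1001", AuthLevel.SINGLE_FACTOR, "sms"), "credit_card_balance"),
        (Session("m-1001", AuthLevel.SINGLE_FACTOR, "app"), "transfer"),
        (Session("m-1001", AuthLevel.DUAL_FACTOR, "app"), "transfer"),
        (Session("m-1001", AuthLevel.DUAL_FACTOR, "sms"), "transfer"),
        (Session("guest", AuthLevel.NONE, "wap"), "atm_locator"),
    ]
    for sess, svc in checks:
        print(f"{sess.channel:8s} {sess.auth_level.name:14s} {svc:20s} {outcome(sess, svc)}")
```

Because `AuthLevel` is ordered, a dual-factor session automatically satisfies single-factor rows, and a single-factor session that reaches a dual-factor service is the point at which a step-up (for example a one-time code over a second channel) would be triggered rather than a hard failure.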

Page 24: SMS

• Extremely wide deployment
• No application to install or configure
• No browser required
• Easy to use
• High adoption rate among existing phone users

Page 25: SMS Risk Issues

• No encryption
• Authentication is difficult
  - FI to Member - think SMiShing
  - Member to FI
• Intersections with web banking, phone banking
  - How hard is it to change your cell number on file with your CU?

Page 26: WAP

• Wireless Application Protocol
  - 1.X - Avoid. Encryption terminates at the WAP gateway, which therefore sits as a MITM between handset and FI.
  - Push - Mostly on top of SMS, pushes content messages
  - WAP 2.X - Current standard, similar to “full” browser
• TCP/IP, end-to-end HTTP and TLS
• Cipher suites, cert formats, signing algorithms
• XHTML + WAP CSS
• Backwards compatible

Page 27: WAP Risk Issues

• Cookies
  - Stored on-device
  - Some gateways cause cookies to never expire
  - Limits for number of cookies stored
  - Domain cookies, secure flag
• Read the AT&T WAP 2.0 Guide

Page 28: “Full” Browser

• Welcome to WebKit
  - iPhone, iPod Touch, Android, Palm Pre, Nokia S60
  - Passes Acid 2 test for compatibility
  - JavaScript, CSS, AJAX
• Flash
  - Flash Lite
  - Limited US availability (LG, Motorola, Nokia, Samsung)

Page 29: “Full” Browser Risk Issues

• Authentication
  - Cached credentials (username, password)
  - Cookies and expiration
  - Certificate acceptance and storage
  - Backup/restore to desktop - target of traditional malware?
• Almost anything else a PC/Mac browser would be vulnerable to
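Both the WAP risk slide (domain cookies, the secure flag, gateways that never expire cookies) and the full-browser slide (cookies and expiration) come down to what the FI's own Set-Cookie headers say. The following is an added example, not code from the deck: a small Set-Cookie parser and an audit that flags a missing Secure or HttpOnly flag, a missing or over-long lifetime, and a Domain attribute that shares the cookie with every host under a parent domain. The site host, the 30-minute lifetime policy, the fixed "now" and the three sample headers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed policy value: a mobile banking session cookie may live 30 minutes.
MAX_LIFETIME_SECONDS = 30 * 60


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased keys


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes.
    Flag attributes (Secure, HttpOnly) are stored with a None value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def lifetime_seconds(c: Cookie, now: datetime) -> Optional[float]:
    """Seconds until expiry, or None for a session cookie with no explicit expiry."""
    if c.attrs.get("max-age") is not None:
        return float(c.attrs["max-age"])          # Max-Age wins over Expires
    if c.attrs.get("expires"):
        return (parsedate_to_datetime(c.attrs["expires"]) - now).total_seconds()
    return None


def audit_cookie(c: Cookie, site_host: str, now: datetime) -> List[str]:
    findings: List[str] = []
    if "secure" not in c.attrs:
        findings.append("no Secure flag: cookie will also be sent over plain HTTP")
    if "httponly" not in c.attrs:
        findings.append("no HttpOnly flag: readable by script in the page")
    life = lifetime_seconds(c, now)
    if life is None:
        findings.append("no Max-Age/Expires: lifetime is left to the handset or WAP gateway")
    elif life > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {int(life)}s exceeds policy of {MAX_LIFETIME_SECONDS}s")
    domain = c.attrs.get("domain")
    if domain:
        parent = domain.lstrip(".").lower()
        if parent != site_host.lower():
            findings.append(f"Domain={domain} shares the cookie with every host under {parent}")
    return findings


def audit_headers(headers: List[str], site_host: str, now: datetime) -> Dict[str, List[str]]:
    """Map each cookie name to the list of findings for its Set-Cookie header."""
    return {c.name: audit_cookie(c, site_host, now)
            for c in (parse_set_cookie(h) for h in headers)}


# Constructed inputs: the mobile site's host, a fixed clock, and three headers.
SITE_HOST = "m.example.com"
NOW = datetime(2009, 1, 15, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "remember=tok; Path=/; Domain=.example.com; Expires=Thu, 01 Jan 2015 00:00:00 GMT",
    "prefs=1; Max-Age=900; Path=/; Secure; HttpOnly; Domain=m.example.com",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS, SITE_HOST, NOW).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The session cookie without an expiry is reported on purpose: on a desktop browser it disappears when the browser closes, but on a handset or behind a WAP gateway that assumption does not hold, so the server-side idle timeout has to do the work instead.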

Page 30: Client Application

• Ultimate in control
  - Authentication, authorization, accounting
• More branding opportunities
• Better device integration
  - Click-to-call
  - Maps / pindrop

Page 31: Client Application Risk Issues

• Locally stored information
  - Credentials, cached account information?
• Upgrade cycle
  - Application integrity
  - Management of varying devices, software versions
• Connectivity
  - Intermediate proxies

Page 32: Deployment Considerations

• Regardless of platform, think anti-fraud
  - Why is a user all of a sudden transferring funds to Russia?
  - Why is the source IP for a user coming from another country?
  - Why did the cell phone number change?
  - Why did the type of phone used change?
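Each of the four "why" questions above is a comparison between one request and what the FI already knows about the member. The following is an added example, not code from the deck: it turns those questions into scoring rules over a per-member baseline and maps the total to allow, step-up authentication, or hold for review. The member profile, the events, the weights and the thresholds are constructed for the example; the country codes stand in for whatever the IP geolocation and destination lookups return.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MemberProfile:
    """What the FI already knows about the member (constructed baseline)."""
    member_id: str
    home_country: str      # country where the member normally banks
    phone_on_file: str     # cell number registered for the mobile channel
    usual_device: str      # handset type seen on previous sessions


@dataclass(frozen=True)
class ChannelEvent:
    """One mobile-channel request with the context the server can observe."""
    member_id: str
    kind: str                           # "balance", "transfer", ...
    source_country: str                 # resolved from the request's source IP
    phone_number: str                   # cell number presented on this session
    device_type: str                    # handset type from User-Agent / app metadata
    dest_country: Optional[str] = None  # only meaningful for transfers


# Constructed weights: one rule per question on the slide.
W_FOREIGN_TRANSFER = 40
W_FOREIGN_SOURCE_IP = 25
W_PHONE_CHANGED = 30
W_DEVICE_CHANGED = 15
STEP_UP_AT = 25    # ask for a second factor over another channel
HOLD_AT = 60       # hold the transaction for analyst review


def score_event(profile: MemberProfile, ev: ChannelEvent) -> Tuple[int, List[str]]:
    """Return the risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    if ev.kind == "transfer" and ev.dest_country not in (None, profile.home_country):
        score += W_FOREIGN_TRANSFER
        reasons.append(f"funds transfer to {ev.dest_country}, outside home country")
    if ev.source_country != profile.home_country:
        score += W_FOREIGN_SOURCE_IP
        reasons.append(f"source IP resolves to {ev.source_country}")
    if ev.phone_number != profile.phone_on_file:
        score += W_PHONE_CHANGED
        reasons.append("cell phone number differs from the number on file")
    if ev.device_type != profile.usual_device:
        score += W_DEVICE_CHANGED
        reasons.append(f"device type changed from {profile.usual_device} to {ev.device_type}")
    return score, reasons


def decide(profile: MemberProfile, ev: ChannelEvent) -> str:
    score, _ = score_event(profile, ev)
    if score >= HOLD_AT:
        return "hold_for_review"
    if score >= STEP_UP_AT:
        return "step_up_auth"
    return "allow"


def triage(profile: MemberProfile, events: List[ChannelEvent]) -> List[Tuple[str, str]]:
    """Decision per event, in order, for reporting or assertion."""
    return [(ev.kind, decide(profile, ev)) for ev in events]


# Constructed sample data.
PROFILE = MemberProfile("m-1001", "US", "+1-909-555-0100", "iPhone")
SAMPLE_EVENTS = [
    ChannelEvent("m-1001", "balance", "US", "+1-909-555-0100", "iPhone"),
    ChannelEvent("m-1001", "balance", "US", "+1-909-555-0100", "BlackBerry"),
    ChannelEvent("m-1001", "balance", "CA", "+1-909-555-0100", "iPhone"),
    ChannelEvent("m-1001", "transfer", "RU", "+1-909-555-0100", "iPhone", dest_country="RU"),
    ChannelEvent("m-1001", "transfer", "US", "+1-909-555-0199", "iPhone", dest_country="US"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = score_event(PROFILE, ev)
        print(f"{ev.kind:9s} score={score:3d} -> {decide(PROFILE, ev):16s} {'; '.join(reasons)}")
```

A handset change alone stays below the step-up threshold because members replace phones; a phone number change alone does not, because that is exactly the field an attacker wants to own before SMS alerts or one-time codes start flowing to it. The weights are the tunable part; the structure (baseline, rules, thresholds, reasons kept for the analyst) is what carries across channels.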

Page 33: Quick Conclusions

• There is no one right answer
• Think through services from multiple perspectives
  - What transactions will be supported and the relative risk
  - What delivery channels will be supported (SMS, WAP)
• Mixed-mode - auth via one channel, content via another
  - How an attacker could break your system
• Interfaces between mobile, phone, ATM, branch, teller
  - How can this enhance a Red Flags / anti-fraud

Page 34: Thank You

Robert Brown Director, Information Security, WesCorp

909-394-6393, [email protected] LinkedIn, Facebook, and www.robertjbrown.com

Reference Materials at www.robertjbrown.com