Transcript of PICKPOCKETING MWALLETS (source: conference.hitb.org/hitbsecconf2009dubai/materials/D2T1 - The Grug…)
PICKPOCKETING MWALLETS
A guide to looting mobile financial services
Saturday, April 25, 2009
THE GRUGQ
• Info Sec researcher since 1999
• Experience
• Telcoms Info Sec
• Banking Info Sec
• Leads to
• Mobile Financial Security
MOBILE FINANCIAL APPS
MOBILE FINANCE STAKEHOLDERS
• Mobile Service Provider
• Telco Operators
• Financial Services Provider
• Financial Institutes
• Banks, etc.
APPLICATIONS
• Mobile Banking
• Operator provides channel to financial service
• Mobile Wallet
• Operator provides financial services
MOTIVATORS
• Financial Institutions (FI)
• Users configure mobile banking once
• Reduce churn
• Operators
• Increase value of relationship
• Reduce churn
SECURITY GOALS
• Authenticate the customer
• Provide end-to-end security
• Confidentiality
• Integrity
• Availability
• “At least as secure as an ATM”
RISKS
• Identity
• Lost / stolen phone
• Financial
• Fraud
• Non-repudiation
MORE RISKS
• Communications channel
• Monitoring / Sniffing
• Message Injection / Spoofing
• Duplicates
NOT RISKS (YET?)
• Mobile Malware
• Not prevalent
• Fractured mobile platform landscape
COMPONENTS
MOBILE ELEMENTS
• Handset
• Over The Air (OTA)
• Carrier
• Aggregator
• Financial Institution (FI)
ELEMENTS
[Architecture diagram: Mobile Handset, Base Station, Carrier Network, Internet, Aggregator, FI]
PLATFORMS
HANDSET PLATFORMS
• Web Application
• Thick Client
• SIM Card Application (STK)
WEB APP
• Easy to deploy
• Easy to develop
• Cross platform support
• Limited control over look and feel
• Web app security
• SQL injection, XSS
• Slow data link
• Expensive data plans
• Subset of phones support browsers
THICK CLIENT
• Complete control over look and feel
• Powerful operating environment
• Easy to develop*
• Fractured handset platform landscape
• Vulnerable to local attacks
• Hard to secure
• Phone developers are not very security aware
SIM APPLICATION
• More secure (potentially)
• Works on all SIM cards
• Mature development environment
• Deployable OTA
• Secure against malicious phone
• Cumbersome interface
• Looks terrible
• No multimedia
• Restricted operating environment
• Low power
• Low memory
MBANKING ARCHITECTURE
• SMS input
• Operator
• HTTP(S) input
• Aggregator
• XML input
• Financial Institution
MWALLET ARCHITECTURE
• SMS input
• Operator
• HTTP(S) input
• Operator - application
• Database manipulation
BACKEND PLATFORMS
• Problems
• Lack of verifiable audit trail
• Single entry book keeping
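As an added illustration of the two backend problems above (example code, not from the talk): a minimal double-entry ledger whose entries are hash-chained, so an auditor can replay the chain and detect both an unbalanced (single-entry) posting and a silent edit to a settled entry. Account names, amounts and the JSON entry layout are constructed here.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous entry's hash and this entry's canonical JSON,
    so any later edit to an entry breaks every hash after it."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + canonical).hexdigest()


class Ledger:
    """Append-only, hash-chained double-entry ledger. Amounts are integer minor
    units (constructed example: fils); a transaction is a list of (account, delta)
    postings whose deltas must sum to zero."""

    def __init__(self):
        self.entries = []

    def post(self, txn_id: str, postings) -> str:
        # Double entry: value can only move between accounts, never appear or vanish.
        if sum(delta for _, delta in postings) != 0:
            raise ValueError(f"{txn_id}: postings do not balance")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "txn_id": txn_id,
            "postings": [[account, delta] for account, delta in postings],
            "prev": prev,
        }
        entry["hash"] = entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def balance(self, account: str) -> int:
        return sum(delta for e in self.entries
                   for acct, delta in e["postings"] if acct == account)

    def verify(self):
        """Auditor's check: replay the chain from genesis and re-check every
        entry's balance. Returns (ok, first_bad_seq)."""
        prev = GENESIS_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or entry_hash(prev, body) != e["hash"]:
                return False, e["seq"]
            if sum(delta for _, delta in e["postings"]) != 0:
                return False, e["seq"]
            prev = e["hash"]
        return True, None


if __name__ == "__main__":
    ledger = Ledger()
    ledger.post("t1", [("wallet:alice", -5000), ("wallet:bob", 4500), ("operator:fees", 500)])
    ledger.post("t2", [("wallet:bob", -1000), ("wallet:carol", 1000)])
    print(ledger.balance("wallet:bob"), ledger.verify())
    ledger.entries[0]["postings"][1][1] = 4900   # quiet edit to a settled entry
    print(ledger.verify())                       # chain breaks at seq 0
```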
CONCERNS
HANDSET CONCERNS
• Identity
• Lost / Stolen
• Monitoring / Spoofing
• Malicious (e.g. hackers)
• Infected (not yet…)
OTA CONCERNS
• Monitoring
• GSM encryption is cracked
• GSM monitoring equipment < €1000
OPERATOR CONCERNS
• Monitoring
• SMS processing is unencrypted
• Injection
• Spoofing SMS from SMSC is trivial
OPERATOR CONCERNS, CONT.
• Mobile Banking is Value Added Service (VAS)
• Ringtones, wallpaper, $10 tetris clones, all your financial data
• Security awareness is limited
• Toll fraud: will this result in revenue leakage?
OPERATOR CONCERNS
• Poor understanding of financial risk management
AGGREGATOR
• Monitoring
• Malicious employees
• Other customers
• Injection
• See above.
FINANCIAL INSTITUTIONS
• Poor understanding of Operator concerns
RECOMMENDATIONS
• Identify customers via a unique mFin PIN + phone
• Transmit the PIN hashed with the message data
• Add a unique message ID (timestamp) per customer per request
• Require customer notification for dangerous operations, e.g. transfers
• Signup process should include in-branch application
• Require secure audit trails for all transactions
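The PIN, hashed-PIN and message-ID recommendations above, worked through as added example code (not from the talk): the handset builds an SMS request carrying a timestamp message ID and a keyed hash of the PIN over the message data, and the FI verifies it, rejecting forged, tampered, duplicate and stale messages and flagging dangerous operations for customer notification. HMAC-SHA256 keyed from the PIN, the `<msg_id> <command> <digest>` layout, the phone numbers and the PIN are all assumptions made here.

```python
import hashlib
import hmac
import time

# Constructed sample data (hypothetical): the FI's per-customer store maps the
# phone number (MSISDN) to the customer's mFin PIN. The PIN lives only at the FI.
PIN_STORE = {"+971500000001": "4821"}

REPLAY_WINDOW_SECONDS = 300                # allowed drift between message ID and server time
DANGEROUS_PREFIXES = ("TRANSFER", "PAY")   # operations that require customer notification


def request_digest(phone, pin, msg_id, body):
    """Authenticator carried instead of the PIN: HMAC-SHA256 keyed from the PIN
    and phone, over the message ID and the message data. Truncated to 16 hex
    characters so it fits in one SMS next to the command text."""
    key = hashlib.sha256(f"{phone}:{pin}".encode()).digest()
    payload = f"{phone}|{msg_id}|{body}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()[:16]


def build_request(phone, pin, body, now=None):
    """Handset side: '<msg_id> <command text> <digest>'. The message ID is the
    Unix timestamp, unique per customer per request."""
    msg_id = str(int(time.time()) if now is None else int(now))
    return f"{msg_id} {body} {request_digest(phone, pin, msg_id, body)}"


class RequestVerifier:
    """FI side. The sender number comes from the operator's SMS headers and can
    be spoofed, so it is only a lookup key; the digest authenticates the customer."""

    def __init__(self, pin_store):
        self.pin_store = pin_store
        self.seen = set()   # (phone, msg_id) pairs already accepted

    def verify(self, sender_phone, sms_text, now=None):
        """Returns (accepted, reason, notify_customer)."""
        now = int(time.time()) if now is None else int(now)
        pin = self.pin_store.get(sender_phone)
        if pin is None:
            return False, "unknown customer", False
        parts = sms_text.split(" ")
        if len(parts) < 3 or not parts[0].isdigit():
            return False, "malformed request", False
        msg_id, digest = parts[0], parts[-1]
        body = " ".join(parts[1:-1])
        expected = request_digest(sender_phone, pin, msg_id, body)
        # Constant-time comparison: a mismatch must not leak which bytes were right.
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return False, "bad authenticator", False
        if abs(now - int(msg_id)) > REPLAY_WINDOW_SECONDS:
            return False, "stale message id", False
        if (sender_phone, msg_id) in self.seen:
            return False, "duplicate message id", False   # a re-sent copy of a real SMS
        self.seen.add((sender_phone, msg_id))
        notify = body.upper().startswith(DANGEROUS_PREFIXES)
        return True, "ok", notify


if __name__ == "__main__":
    fi = RequestVerifier(PIN_STORE)
    t = 1240642800   # constructed 'current time' so the run is reproducible
    sms = build_request("+971500000001", "4821", "TRANSFER 50 +971500000002", now=t)
    print(sms)
    print(fi.verify("+971500000001", sms, now=t))       # accepted, customer notified
    print(fi.verify("+971500000001", sms, now=t + 10))  # duplicate message ID rejected
```

A short numeric PIN as the only keying material can be recovered offline from a single captured message, so the key should also include a per-customer secret provisioned at signup (the in-branch step above) or held inside the STK application.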
FINANCIAL REGULATIONS
• Require the Carrier to follow financial regulations regarding access and control over the messages
• Require the Aggregator to follow financial regulations regarding access and control over the messages
• Use an STK application on the handset
• Require code review before it goes live
• Require security reviews over major components of the environment
• Mobile app
• Carrier environment
• Aggregator environment
• Develop a clear customer service management plan for lost / stolen handsets
• Work with the carrier
• Ensure it doesn’t automatically cancel CC/ATM
ENCRYPTION KEYS
• Manage the encryption keys/certificates used by the application
• Work with the Carrier on SIM keys
• Work with the Aggregator
CONCLUSION
• mFin Apps present unique challenges
• Trust relationships with third parties
• Difficult application environments
• No existing “best practices”
• Vendors have immature products