Mobile Commerce: A Security Perspective
Transcript of Mobile Commerce: A Security Perspective
![Page 1: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/1.jpg)
Mobile Commerce: A Security Perspective
Pragati Ogal Rai, Chief Technology Evangelist, PayPal Inc.
@pragatiogal
![Page 2: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/2.jpg)
• Author of “Android Application Security Essentials”
• 2014 Zinnov Thought Leadership Award
• Mobile Developer Relations, PayPal North America
• 15+ Years Industry Experience
• Mobile, Android, Security, Payments and Commerce
@pragatiogal
www.slideshare.net/pragatiogal
www.linkedin.com/in/pragati
My Ego Slide!
![Page 3: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/3.jpg)
Mobile commerce is worth US$230 billion
Asia represents almost half of the market
M-Commerce will reach US$700 billion in 2017
http://www.digi-capital.com
![Page 4: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/4.jpg)
Agenda
M-commerce defined
M-commerce ecosystem
End-to-end security
How does it affect me?
![Page 5: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/5.jpg)
M-Commerce defined!
![Page 6: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/6.jpg)
Commerce
www.123rf.com www.jaipuronline.in
![Page 7: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/7.jpg)
Traditional e-commerce
telegraph.co.uk
![Page 8: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/8.jpg)
Today’s Technology Trends
Global
Social
Mobile
Local
Digital
Service & delivery
![Page 9: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/9.jpg)
Mobile Commerce
Promotions & coupons
Mobile commerce
Payments
Location-based services
In-store research
Self-scanning & self-checkout
Social commerce
Loyalty
Mobile shopping lists
![Page 10: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/10.jpg)
M-Commerce Ecosystem
![Page 11: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/11.jpg)
M-commerce Ecosystem
Infrastructure
Clients
Merchants
![Page 12: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/12.jpg)
Disconnected: Off-line m-commerce
• Disconnected
• Privacy
• Integrity of State
![Page 13: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/13.jpg)
Partial Connectivity
Infrastructure Centric Model
Merchant Centric Model
Client Centric Model
![Page 14: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/14.jpg)
Partial Connectivity: Security Analysis
End to end security
Privacy
Client-merchant identification
Communication authentication
More points of attack
![Page 15: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/15.jpg)
Full Connectivity
• End to end security
![Page 16: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/16.jpg)
Challenges of m-commerce?
New market players and dynamics
Limitations of client devices
Portability
Pervasive computing
Location aware devices
Merchant machines
Standardization & approvals
Too many expectations
Biggest challenge? End-to-end security
![Page 17: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/17.jpg)
End-to-end Security
![Page 18: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/18.jpg)
Mobile Security Stack
Application
Operating System
Device Hardware
Infrastructure/ Network
• Each layer takes care of its own security
• Each layer depends upon the lower layer for security
• Transitions between the layers can cause attacks
![Page 19: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/19.jpg)
Infrastructure/ Network Layer
(Mobile Security Stack diagram: Application, Operating System, Device Hardware, Infrastructure/ Network)
• Third party networks
• GSM, CDMA, SMS, WAP, GPS…
• Usually a security breach at this layer is device agnostic
![Page 20: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/20.jpg)
Breaking GSM
https://srlabs.de/decrypting_gsm/
• GnuRadio is included in recent Linux distributions
• Airprobe: git clone git://git.gnumonks.org/airprobe.git
• Kraken: git clone git://git.srlabs.de/kraken.git
• Kraken uses rainbow tables available through Bittorrent
![Page 21: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/21.jpg)
Device Hardware Layer
Consumer Electronics Devices
Some CEDs are connected
Computing capability + runs software
Smartphones, tablets, mobile PoS devices, parking meters, vending machines
A flaw in chip design affects all hardware based on that chip
(Mobile Security Stack diagram: Application, Operating System, Device Hardware, Infrastructure/ Network)
![Page 22: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/22.jpg)
Device Hardware
http://gadgetian.com/44495/google-lg-nexus-4-4g-lte-chip-inside-ifixit/
![Page 23: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/23.jpg)
Device Security: Example
Brought to light by user "alephzain" on the mobile developer forum XDA Developers; the user claims that the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2, which use the dual-core, fourth-generation Exynos chips.
"The good news is we can easily obtain root on these devices, and the bad is there is no control over it.
RAM dump, kernel code injection and others could be possible via app installation from the Play Store. There certainly exist many ways to do that, but Samsung gives an easy way to exploit it. This security hole is dangerous and exposes the phone to malicious apps.
Exploitation with native C and JNI could be easily feasible."
http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
![Page 24: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/24.jpg)
Operating System Layer
(Mobile Security Stack diagram: Application, Operating System, Device Hardware, Infrastructure/ Network)
• Android, iOS, Symbian, Windows, J2ME
• Flaws are most common and are easily exploited
• Compromises security of applications
• A flaw affects an entire revision of the software
• Patches and security fixes are common
![Page 25: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/25.jpg)
Android Software Stack
• Permission based
application model
• Linux kernel based process
sandboxing
![Page 26: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/26.jpg)
OS Security: Example
http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/
Android 2.3.3 and below …..
When you login to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can login to the account associated with the authToken without question.
• Don’t use public Wi-Fi!
• Patched in 2.3.4 and Honeycomb
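As an added example (not from the deck), here is a defender-side guard for the Android 2.3.3 authToken problem above: a request helper that refuses to attach a ClientLogin token to anything but an HTTPS URL, plus a scan over constructed proxy-log lines that flags tokens already sent in cleartext. The log format, the `transport` callable and the token values are assumptions.

```python
"""Added example (not from the slides): guard against the Android 2.3.3
authToken weakness above, where a ClientLogin token travels over
cleartext HTTP and can be replayed by whoever captures it.
Log lines, token values and the `transport` callable are constructed."""
import re
from urllib.parse import urlsplit

TOKEN_HEADER = "Authorization"
TOKEN_PREFIX = "GoogleLogin auth="  # header form used by ClientLogin


class CleartextTokenError(Exception):
    """Raised when a bearer-style token would be sent without TLS."""


def send_with_token(url: str, token: str, transport=None) -> dict:
    """Build headers for `url`; refuse unless the scheme is https.
    `transport` is a hypothetical callable(url, headers) so this runs offline."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise CleartextTokenError(f"refusing to send token over {scheme!r}")
    headers = {TOKEN_HEADER: TOKEN_PREFIX + token}
    if transport is not None:
        transport(url, headers)
    return headers


# Constructed log format: "<method> <url> <header-name>: <header-value>"
_LINE = re.compile(r"^(?P<method>\w+) (?P<url>\S+) (?P<hdr>[\w-]+): (?P<val>.*)$")


def find_cleartext_tokens(log_lines):
    """Return (url, redacted_token) for each token sent over plain http."""
    hits = []
    for line in log_lines:
        m = _LINE.match(line.strip())
        if not m or m["hdr"] != TOKEN_HEADER:
            continue
        if not m["val"].startswith(TOKEN_PREFIX):
            continue
        if urlsplit(m["url"]).scheme.lower() == "http":
            token = m["val"][len(TOKEN_PREFIX):]
            hits.append((m["url"], token[:4] + "..."))  # never log the full token
    return hits


SAMPLE_LOG = [  # constructed, not real traffic
    "GET http://www.example.com/calendar/feeds Authorization: GoogleLogin auth=DQAAtok1",
    "GET https://www.example.com/calendar/feeds Authorization: GoogleLogin auth=DQAAtok2",
    "GET http://www.example.com/static/logo.png Accept: image/png",
]
```

Running `find_cleartext_tokens(SAMPLE_LOG)` flags only the first line; the HTTPS request and the token-less image fetch pass.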
![Page 27: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/27.jpg)
Application Layer
(Mobile Security Stack diagram: Application, Operating System, Hardware, Infrastructure/ Network)
• Your applications, system applications, applications you install
• Coding flaws, exploiting a hole in the OS
• Buffer overflows, data leakage, custom crypto algorithms, hardcoded values
![Page 28: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/28.jpg)
Malicious App Examples
Android
• Repackaged apps on Play posing as TempleRun and Glu Mobile
• Lovetrap: Trojan, sends SMS
• Nickispy: Trojan, steals info
• Geinimi: Botnet, follows orders from a remote server, sends sensitive info back
iPhone
• Trojan sends out contact list to a server
• Handy Light: secret tethering utility
![Page 29: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/29.jpg)
TrustZone: Trusted Execution Environment
www.arm.com
• Two domains: Normal & Secure
• Implemented as SoC
• Security extensions to processor
• Trusted OS
• Virtualization
![Page 30: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/30.jpg)
How does it affect me?
![Page 31: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/31.jpg)
Do NOT trust the mobile ecosystem!
(Mobile Security Stack diagram: Application, Operating System, Hardware, Infrastructure/Network)
Only this is in your control!
![Page 32: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/32.jpg)
Get to know the PCI standard. Period.
![Page 33: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/33.jpg)
PCI Standard Council
Independent organization
PCI PTS approved add-on devices
PA DSS approved applications
Working with mobile vendors for further solutions around mobile payments
Develop common set of payment standards
– PCI-DSS v2.0
– PA-DSS
– PCI-PTS
– PCI-P2PE
![Page 34: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/34.jpg)
PCI-DSS V2.0
Build and maintain a secure network
Protect cardholder data
Regularly test and monitor networks
Maintain an InfoSec policy
Maintain vulnerability management program
Implement strong access control measures
![Page 35: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/35.jpg)
Encrypt sensitive data at rest and in transit
microsoft.com
![Page 36: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/36.jpg)
Avoid storing sensitive data on device
![Page 37: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/37.jpg)
Use OS security features
Lifehacker.com
![Page 38: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/38.jpg)
Authenticate your users
Statetechmagazine.com
![Page 39: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/39.jpg)
Authorized access to user data
www.123rf.com
![Page 40: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/40.jpg)
Use your crypto tools
www.catalogs.com
![Page 41: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/41.jpg)
Identity is a challenge
www.interactiveinsightsgroup.com
![Page 42: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/42.jpg)
Look beyond the hype
www.mashable.com
![Page 43: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/43.jpg)
Summary
M-commerce is a complex space
Understand what mobile means for your business
Identify assets/ threats
Analyze technology being used
Be aware of emerging standards
Use OS security features, crypto tools, identity and authorization
![Page 44: Mobile Commerce: A Security Perspective](https://reader035.fdocuments.net/reader035/viewer/2022062514/557ddb98d8b42a124f8b4ee7/html5/thumbnails/44.jpg)
Pragati Ogal Rai
@pragatiogal
http://www.slideshare.net/pragatiogal
Thank You!