Presentation on theme: "Win the Cyberwar on Mobile Banking and Payments"— Presentation transcript:
1 Win the Cyberwar on Mobile Banking and Payments
Jeff Fu
Bangcle Security – SecNeo Ltd.
2 You Probably Already Know About Mobile Banking Threats
But you might not know there's an entire illegal industry dedicated to mobile banking.
Do you know what keys cybercriminals have?
How do they steal money from Android apps?
3 2013 Malware Threats on Mobile
2013:
143,211 new pieces of malware
3,905,502 malicious installation packages
For the 259 new malware families in Q3 2013
In total:
Approximately 10,000,000 unique malicious installation packages
4 Malware Threats on Android 2013
Android remains a prime target for malicious attacks % of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture.
5 Malware Target Mobile Banking 2013
2013: the number of mobile banking malware
The cyber industry of mobile malware is becoming more focused on making profits more effectively, i.e., mobile phishing, theft of credit card information, and money transfers from bank cards to mobile phones and from phones to the criminals' e-wallets.
2013 was marked by a rapid rise in the number of Android banking Trojans.
6 The Geography of Mobile Threats 2013
Countries where users face the greatest risk of mobile malware infection (the percentage of all attacked unique users)
Rank | Country | % of all attacked unique users
1 | Russia | 40.34%
2 | India | 7.90%
3 | Vietnam | 3.96%
4 | Ukraine | 3.84%
5 | United Kingdom | 3.42%
6 | Germany | 3.20%
7 | Kazakhstan | 2.88%
8 | USA | 2.13%
9 | Malaysia | 2.12%
10 | Iran | 2.01%
7 Mobile Banking Virus-Svpeng
Svpeng detected by Kaspersky as Trojan-SMS.AndroidOS.Svpeng.A
Collects phone information
Steals voice call SMS messages
Steals money from the victim's bank account
Steals logins and passwords to online banking accounts
Steals bank card information (the number, the expiry date, CVC2/CVV2)
8 My App Is Already Safe Enough
My app is well designed; I considered all the potential risks.
My app is well programmed by senior engineers.
My app is completely tested; all the bugs are fixed.
My app is published to the Google Market.
My customers installed the officially released apps.
Yes, I believe you have done all that you can do.
But your app is still in danger.
9 Tampering and Reverse-engineering Attacks
Attack Method | Solution
Bypass integrity protection and verification | No
Steal source code and security logic |
Repacking the App and conducting fraud |
Repacking the App and inserting malware code |
Bypass the local security control | Move security control to server side
Get the symmetric encryption password and decrypt local data | Use asymmetric encryption
10 Dynamic Injection and Hijack Attack
Attack Method | Solution
Dynamic memory injection attack to modify transaction information | No
Dynamic components hook attack to get account ID, password |
UI hijack attack to get user input |
Keyboard hijack attack to get user input |
MAN-IN-THE-MOBILE attack |
MAN-IN-THE-MIDDLE attack |
11 Dynamic Injection Demo
Hacker injected the payment components
Hacker intercepted the transaction data before it is encrypted
Hacker modified the account ID and user name
The money is transferred to the hacker's account
Hacker tampered with the invoice message or SMS and changed them back to the original transaction account and user name
12 Root Cause for All These Attacks
Integrity protection failure of the Mobile Banking App is the root cause of most of these attacks.
Static integrity protection failure
Dynamic integrity protection failure
We need to make sure:
The App used by the customers has not been tampered with or repacked
The App is always running the same as designed
The information in the App cannot be accessed or modified
None of the security logic can be bypassed
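As an added illustration of the static integrity requirement on this slide (the app customers run has not been tampered with or repacked), the Python example below compares a candidate APK with the official release build entry by entry and reports what was added, removed or modified. It is not part of the presentation or of Bangcle's product; the archive contents, file names and function names are constructed for the example.

```python
import hashlib
import io
import zipfile


def entry_digests(apk_bytes):
    """Map every file entry in an APK (a ZIP archive) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: hashlib.sha256(apk.read(name)).hexdigest()
                for name in apk.namelist() if not name.endswith("/")}


def compare_to_release(release_apk, candidate_apk):
    """Diff a candidate APK against the official release build, entry by entry."""
    ref, cand = entry_digests(release_apk), entry_digests(candidate_apk)
    report = {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n]),
    }
    # Any difference means the package is not the build that was released.
    report["matches_release"] = not any(report.values())
    return report


def build_apk(entries):
    """Build an in-memory stand-in for an APK from {entry name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a release build and a repacked copy with changed code,
# a different signing certificate and one extra native library.
RELEASE = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"original bytecode",
    "META-INF/CERT.RSA": b"release certificate",
})
REPACKED = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"original bytecode plus inserted code",
    "META-INF/CERT.RSA": b"different certificate",
    "lib/armeabi/libextra.so": b"extra native code",
})

if __name__ == "__main__":
    for label, apk in (("release", RELEASE), ("repacked", REPACKED)):
        print(label, compare_to_release(RELEASE, apk))
```

Signatures from APK Signature Scheme v2 and later sit in a signing block outside the ZIP entries, so this comparison complements signature verification rather than replacing it.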
13 Financial App Protection
The leading App Security Provider in the world
2013
In the past 3 years, Bangcle has provided services to:
100+ Financial and e-Payment Apps
500+ Business App developers
Our security products have covered more than 300,000,000 smart devices
Financial App Integrity Protection
Financial App Runtime Protection
Financial App Data Protection
14 Join our Workshop
Enable Enterprise-grade Security into your Mobile Apps
Schedule: March 19, 4:00 PM ~ 4:45 PM
Join us to get more detailed information about the Bangcle Mobile Banking Security Solution