Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014.

Similar presentations

Presentation on theme: "Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014."— Presentation transcript:

1 Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014

2 About Me Electronic Payments Consultant  Credit Cards  Terminals  Contactless / NFC / HCE Security Consultant  Payment Systems  Mobile RHUL ISG  Alumni (MSc '12)  Part-time Student (PhD '1x) Information Security Research  Android  Access Control

3 Presentation Overview Payments' use of software  Past, present and imminent The mobile app world's impact on:  Requirements  Development  Testing  Risk  Security

4 What this is My personal view & understanding Example based Generalised & simplified Comparative UK biased (but not UK specific)

5 What this is NOT Employer or client endorsed Comment (+/-) about any brand shown Providing answers The entire story  Historically  Technologically  Geographically

6 Usage of Payment Cards & Banking Services A selective history, highlighting changes in: usability, risks & security

7 Embossing static data

8 Magnetic Stripe static data

9 Magnetic Stripe Improve speed of transaction Degradation (slow) Automated Entry  No mistyping / miscopying of card details No carbon paper copy of card details

10 ATM software

11 ATM Greater availability  Outside bank opening hours  Unattended locations Cardholder attacks Isolated system Two-factor authentication  Online PIN

12 Contact Chip software dynamic data secure chip

13 Contact Chip Active participation in transaction  Dynamic data creation  Offline transaction approval  Offline PIN verification  Issuer scripting at POS Hardware-based secure storage & processing protects  Application logic  Cryptographic keys

14 Online Banking software

15 Online Banking Greater availability  Any physical location Variety of PC-specific threats Device fingerprinting Authentication  Passwords  Two-factor authentication

16 Contactless Chip chip-and-pin-the-future-of-credit-cards.html software dynamic data secure chip contactless

17 Contactless Chip Improve speed of transaction  No dip  Faster data exchange  No PIN verification (low-value) Proximal data access  Privacy Should remain in control of cardholder

18 Dual Interface Chip software dynamic data secure chip contactless

19 Dual Interface Chip Flexibility of both contactless and contact  Speed and convenience  Issuer scripting at POS Amount and velocity limits... then revert to contact, reset counters and then carry on as before

20 Stickers software dynamic data secure chip contactless

21 Stickers No need to carry a card  Stick it to what you like (e.g. something you carry regularly) Limited ways to update counters Amount and velocity limits... then decline

22 Mobile Banking (App) Blackberry-app-for-bank-transfers software protection open distribution data connection

23 Mobile Banking (App) No need to have access to a PC  You already carry a smartphone – apparently Variety of mobile-specific threats Device fingerprinting as well as user authentication

24 Mobile (NFC) android-4-4-kitk/ software dynamic data secure chip contactless data connection

25 Mobile (NFC) No need to carry a card  Do need NFC capable smartphone (even more attractive target) Mobile network provides non POS-based communications channel  Issuer scripting wherever data available User interface allows user control  Activate / deactivate  Passcode: every transaction / high-value

26 Mobile (HCE) contactless open distribution software dynamic data software protection data connection

27 Mobile (HCE) Wider availability  Easier (cheaper) issuance  Less interoperability restrictions No hardware-based secure element Limited transaction data on device with limited validity period  Short-lived keys  Risk informed approach

28 Impact of the Mobile App World

29 Mobile App Requirements Identification (device / app / customer) Authentication (device / customer) Authorization (request) Confidentiality (customer data / keys) Integrity (request) Availability (service) Auditing (everything)

30 Development (mobile versus pre-mobile) Less niche knowledge required Less technological constraints Wider choice of supporting libraries Significant volume of information available online Demand for fast paced, iterative product improvement Frequent API change

31 Testing (mobile versus pre-mobile) Generic testing frameworks available More features to test More security frameworks now part of the product (rather than underlying architecture) More iterations to be tested Cannot now test all the possible component combinations

32 Risk (mobile versus pre-mobile) More information available to inform decision making Cardholder owned device with no provenance Base security architecture may be weaker Less experienced development teams and proliferation of “code by Google”

33 Security (mobile versus pre-mobile) Modern interfaces Graded responses or temporary restrictions More information-driven More reliant on active monitoring Application code open to malicious evaluation Many more endpoints, particularly ones accessed by untrusted nodes

34 Closing Thoughts Risk landscapes change  Good / Bad  Advancement / Bug  Business / Outsider Not (as) secure versus secure enough Financial versus reputational loss More data is only useful if you can interpret and act on it

35 Questions

Download ppt "Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014."

Similar presentations

Ads by Google