Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014.

Published byCordelia Rose Modified over 9 years ago

Similar presentations

Presentation on theme: "Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014."— Presentation transcript:

1 Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014

2 About Me Electronic Payments Consultant  Credit Cards  Terminals  Contactless / NFC / HCE Security Consultant  Payment Systems  Mobile RHUL ISG  Alumni (MSc '12)  Part-time Student (PhD '1x) Information Security Research  Android  Access Control

3 Presentation Overview Payments' use of software  Past, present and imminent The mobile app world's impact on:  Requirements  Development  Testing  Risk  Security

4 What this is My personal view & understanding Example based Generalised & simplified Comparative UK biased (but not UK specific)

5 What this is NOT Employer or client endorsed Comment (+/-) about any brand shown Providing answers The entire story  Historically  Technologically  Geographically

6 Usage of Payment Cards & Banking Services A selective history, highlighting changes in: usability, risks & security

7 Embossing http://www.theukcardsassociation.org.uk/cards-transactions/card-present-transactions.asp static data

8 Magnetic Stripe http://www.q-card.com/support/magnetic-stripe-card-standards.asp static data

9 Magnetic Stripe Improve speed of transaction Degradation (slow) Automated Entry  No mistyping / miscopying of card details No carbon paper copy of card details

10 ATM http://labby.co.uk/2011/03/decommissioning-a-cash-machine-atm/ software

11 ATM Greater availability  Outside bank opening hours  Unattended locations Cardholder attacks Isolated system Two-factor authentication  Online PIN

12 Contact Chip https://www.cibc.com/ca/credit-cards/dividend-one-mastercard.html software dynamic data secure chip

13 Contact Chip Active participation in transaction  Dynamic data creation  Offline transaction approval  Offline PIN verification  Issuer scripting at POS Hardware-based secure storage & processing protects  Application logic  Cryptographic keys

14 Online Banking https://www.halifax-online.co.uk/personal/logon/login.jsp software

15 Online Banking Greater availability  Any physical location Variety of PC-specific threats Device fingerprinting Authentication  Passwords  Two-factor authentication

16 Contactless Chip http://www.bluestarinc.com/us-en/solutions/security/news/single/news/detail/News/ chip-and-pin-the-future-of-credit-cards.html software dynamic data secure chip contactless

17 Contactless Chip Improve speed of transaction  No dip  Faster data exchange  No PIN verification (low-value) Proximal data access  Privacy Should remain in control of cardholder

18 Dual Interface Chip http://www.kinodesign.com/featured-work/barclaycard/07-Card-design-for-life software dynamic data secure chip contactless

19 Dual Interface Chip Flexibility of both contactless and contact  Speed and convenience  Issuer scripting at POS Amount and velocity limits... then revert to contact, reset counters and then carry on as before

20 Stickers http://allaboutwindowsphone.com/flow/item/14658_Barclaycard_PayTag_sticks_NFC_.php software dynamic data secure chip contactless

21 Stickers No need to carry a card  Stick it to what you like (e.g. something you carry regularly) Limited ways to update counters Amount and velocity limits... then decline

22 Mobile Banking (App) http://www.computerweekly.com/news/2240105562/RBS-and-Natwest-launch-native- Blackberry-app-for-bank-transfers software protection open distribution data connection

23 Mobile Banking (App) No need to have access to a PC  You already carry a smartphone – apparently Variety of mobile-specific threats Device fingerprinting as well as user authentication

24 Mobile (NFC) http://www.engadget.com/2014/03/14/google-wallets-tap-to-pay-feature-will-require- android-4-4-kitk/ software dynamic data secure chip contactless data connection

25 Mobile (NFC) No need to carry a card  Do need NFC capable smartphone (even more attractive target) Mobile network provides non POS-based communications channel  Issuer scripting wherever data available User interface allows user control  Activate / deactivate  Passcode: every transaction / high-value

26 Mobile (HCE) http://nfctimes.com/news/capital-one-reveals-reasons-quitting-isis-early-role-promoting-hce contactless open distribution software dynamic data software protection data connection

27 Mobile (HCE) Wider availability  Easier (cheaper) issuance  Less interoperability restrictions No hardware-based secure element Limited transaction data on device with limited validity period  Short-lived keys  Risk informed approach

28 Impact of the Mobile App World

29 Mobile App Requirements Identification (device / app / customer) Authentication (device / customer) Authorization (request) Confidentiality (customer data / keys) Integrity (request) Availability (service) Auditing (everything)

30 Development (mobile versus pre-mobile) Less niche knowledge required Less technological constraints Wider choice of supporting libraries Significant volume of information available online Demand for fast paced, iterative product improvement Frequent API change

31 Testing (mobile versus pre-mobile) Generic testing frameworks available More features to test More security frameworks now part of the product (rather than underlying architecture) More iterations to be tested Cannot now test all the possible component combinations

32 Risk (mobile versus pre-mobile) More information available to inform decision making Cardholder owned device with no provenance Base security architecture may be weaker Less experienced development teams and proliferation of “code by Google”

33 Security (mobile versus pre-mobile) Modern interfaces Graded responses or temporary restrictions More information-driven More reliant on active monitoring Application code open to malicious evaluation Many more endpoints, particularly ones accessed by untrusted nodes

34 Closing Thoughts Risk landscapes change  Good / Bad  Advancement / Bug  Business / Outsider Not (as) secure versus secure enough Financial versus reputational loss More data is only useful if you can interpret and act on it

35 Questions

Download ppt "Security in a Mobile App World - A Payments Perspective James Sellwood 6 th Sept 2014."

Similar presentations

European Consumer Summit 2014 On-line and mobile payments Dr Florent Frederix Trust & Security Unit, DG CONNECT, European Commission 1 th of April 2014.

European Consumer Summit 2014 On-line and mobile payments Dr Florent Frederix Trust & Security Unit, DG CONNECT, European Commission 1 th of April 2014.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Government Prepaid Card

Government Prepaid Card
Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Ecosystem Scenarios for Cloud-based NFC Payments

Ecosystem Scenarios for Cloud-based NFC Payments
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.

HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.

S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.

Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
© 2015 Fair Isaac Corporation. Confidential. This presentation is provided for the recipient only and cannot be reproduced or shared without Fair Isaac.

© 2015 Fair Isaac Corporation. Confidential. This presentation is provided for the recipient only and cannot be reproduced or shared without Fair Isaac.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.

© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
The Impact of technology on the delivery of financial services Advancement in technology have had a profound effect on the delivery of financial services.

The Impact of technology on the delivery of financial services Advancement in technology have had a profound effect on the delivery of financial services.
JAIPUR 16 DEC 08 TECHNOLOGY FOR FINANCIAL INCLUSION Indian Institute of Banking & Finance N D RAO.

JAIPUR 16 DEC 08 TECHNOLOGY FOR FINANCIAL INCLUSION Indian Institute of Banking & Finance N D RAO.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
CLXMGCS.ppt Why Smart Cards System Overview Card Architecture Why CardLogix Smart Cards Overview FY 2001.

CLXMGCS.ppt Why Smart Cards System Overview Card Architecture Why CardLogix Smart Cards Overview FY 2001.
Dongyan Wang GlobalPlatform Technical Program Manager

Dongyan Wang GlobalPlatform Technical Program Manager
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Philip is a subject matter expert in Accenture’s Payment practice with more than 30 years experience across payments, transaction processing, networks,

Philip is a subject matter expert in Accenture’s Payment practice with more than 30 years experience across payments, transaction processing, networks,

Similar presentations

Ads by Google