
Slide 1 – COMP 2410 – Networked Information Systems
SC3 – Mobile Security
Copyright 2013-15
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/II/NIS2410.html#L6
http://www.rogerclarke.com/II/NIS2410-6 {.ppt,.pdf}
ANU RSCS, 2 April 2015

Slide 2 – Networked Information Systems: The Applications Layer
1. Application Architectures
   .1 Master-Slave Architecture
   .2 Client-Server Architecture
      Cloud Computing
   .3 Peer-to-Peer (P2P) Architecture
2. Categories of Networked Application
   .1 Mobile Computing
   .2 Web 2.0 and Social Media
3. Networked Info Systems Security
   .1 Security of Info and I.T.
   .2 Malware and Other Attacks
   .3 Mobile Security

Slide 3 – 1. Mobile Devices
'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'
- Nomadic / Untethered Portables
- Mobiles / Smartphones
- Handheld Computing Devices: PDAs, games machines, music-players, 'converged' / multi-function devices
- Tablets: esp. iPad, but now many followers
- Processing Capabilities in Other 'Form Factors': credit-cards, RFID and NFC tags, subcutaneous chips
- Wearable Computing Devices: watches, finger-rings, spectacles, key-rings, necklaces, bracelets, anklets, body-piercings... chip implants

Slide 4 – Wireless Comms
- Wide Area Networks – Satellite (Geosynchronous; Low-Orbit)
  Geosynchronous: large footprint, very high latency (c. 2 secs)
- Fixed-Wireless / Line-of-Sight – 802.16 (WiMAX) '08; TD-LTE/LTE-TDD '12
  (3-10 km per cell, high capacity per user, local monopoly?, trees!)
- Wide Area Networks – Cellular (50m to 10km cell-radius, with increasing capacity per user, particularly 3G onwards)
  1G – Analogue Cellular, e.g. AMPS, TACS
  2G – Digital Cellular, e.g. GSM, CDMA
  3G – GSM/GPRS/EDGE, CDMA2000, UMTS/HSPA
  4G – LTE, deployed / deploying
- Local Area Networks – 'WiFi' (10-100 m radius), primarily IEEE 802.11x, where x = a, b, g, n
- Personal Area Networks (1-10 metres) – Bluetooth? Infra-red?
- Contactless Cards / RFID Tags / NFC Chips (1-10cm radius)

Slide 5 – Mobile Usage
- Messaging – synch and asynch, 1-1 and m-n: Email, Chat/IM, Voice, Video, ...
- Content Access: Open Web, Search; Semi-Closed Wall-Postings; Organisational Data
- Content Preparation / Publishing: Formal Docs, Informal Postings / micro-blogging; Open, Corporate, Personal
- Transactions: Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...


Slide 7 – Mobile Security Agenda
1. Mobile Devices, Comms, Usage
2. Case Studies
   A. Contactless Chip Payment
   B. Location and Tracking
3. Application of the Security Model
4. What Do We Do About It?

Slide 8 – 2. Case Study A – Contactless Chip Payment
- RFID / NFC chip embedded in card
- Wireless operation, up to 5cm from a terminal
- Visa Paywave and MasterCard PayPass
- Up to $100 (cf. original $25)

Slide 9 – Contactless Chip-Cards as Payment Devices
- RFID / NFC chip embedded in card
- Wireless operation, up to 5cm from a terminal
- Visa Paywave and MasterCard PayPass
- Up to $100 and $35 resp. (cf. original $25)
- Presence of chip in card is not human-visible, but Logo / Brand may be visible
  - No choice whether it's activated
  - No choice about the threshold
- Operation of chip in card is not human-apparent
  - No action required when within 5cm range, i.e. automatic payment
  - No receipt becomes the norm?
- Used as Cr-Card: Unauthenticated auto-lending
- Used as Dr-Card: PIN-less charge to bank account

Slide 10 – Key Safeguards for Chip Payment Schemes
- Authentication – None / A Non-Secret / For Higher-Value Transactions Only / Always
  [UK RingGo Parking Payment Scheme – last 4 digits]
- Act of Consent – None / Unclear / Clear
  [e.g. Tap the Pad in Response to Display of Amount Due]
- Notification – None / Audio / Display
  [If 'None', surreptitious payment extraction is feasible]
- Receipt / Voucher – None / Option or Online / Yes
  [Octopus, Toll-Roads, UK RingGo Parking Payment Scheme]

Slide 11 – Are These Safeguards in Place for Visa PayWave and MasterCard PayPass?
- Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
- Act of Consent – None? / Unclear? / Clear?
  If the card is within 5cm of a device, whether seen or not
  But the 'consent' is by whoever possesses the card
- Notification – None? / Audio? / Display?
  If 'None', then enables surreptitious payment extraction
- Receipt / Voucher – None? / Option? / Yes?

Slide 12 – 2. Case Study B – Location and Tracking
Location is Inherent to Mobile Technologies
- Insufficient capacity to broadcast all traffic in all cells
- The network needs to know the cell each mobile is in
- Mobiles send registration messages to base-station(s)
- Even if nominally switched off or placed on standby

Slide 13 – 2. Case Study B – Location and Tracking
Location is Inherent to the Technology
- Insufficient capacity to broadcast all traffic in all cells
- The network needs to know the cell each mobile is in
- Mobiles send registration messages to base-station(s)
- Even if nominally switched off or placed on standby
What's Being Tracked?
- The SIM-card, an identifier of the device, e.g. IMSI
- The mobile-phone id, an entifier of the device, e.g. IMEI
- The person the SIM-card and/or mobile-phone is registered to (and may be required by law to be so)
- Most handsets have one SIM-card, and one user

Slide 14 – The Precision of Handset Location
Intrinsically, the Cell-Size:
- 1km-10km radius for non-CBD Cells
- c. 100m radius for WiFi & CBD Cells
Potentially much more fine-grained:
- Directional Analysis
- Differential Signal Analysis
- Triangulation
- Self-Reporting of GPS coordinates

Slide 15 – Handset Location – Accuracy and Reliability
- Directional Analysis: The Case of the Cabramatta Murder Conviction
- Differential Signal Analysis: A Wide Array of Error-Factors
- Triangulation: Multiple Transceivers, Multiple Error-Factors
- Self-Reporting of GPS coordinates: Highly situation-dependent, and unknown; Dependent on US largesse, 'operational requirements'
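The two slides above contrast the coarse fix a network gets for free (the serving cell) with the much finer fixes obtainable from several transceivers, and warn that the finer techniques inherit every error-factor in the range measurements. The following is an added example, not part of the slides or of Roger Clarke's material: it implements cell-of-origin and three-tower trilateration (the range-based form of what the slides call triangulation) over a constructed tower layout, and shows how a constructed per-tower range error of 50 m moves the computed position. Tower coordinates, the handset position, the cell radius and the error values are all assumptions chosen for illustration.

```python
"""Added illustrative example (not from the slides): how handset-location
precision depends on the technique used.

Cell-of-origin locates a handset only to its serving cell, so the claimed
uncertainty is the cell radius.  'Triangulation' from several transceivers
(strictly trilateration, since it works from range estimates) intersects
circles around the towers and is far finer, but every range error feeds
straight into the fix.  Tower coordinates, the handset position and the
range errors below are constructed values, not real network data."""

import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed tower layout, in metres.  Three non-collinear towers are the
# minimum for an unambiguous 2-D fix.
TOWERS: List[Point] = [(0.0, 0.0), (4000.0, 0.0), (0.0, 3000.0)]
TRUE_HANDSET: Point = (1000.0, 1000.0)
CELL_RADIUS_M = 2000.0  # constructed: a small non-CBD cell


def ranges_from(handset: Point, towers: List[Point]) -> List[float]:
    """Idealised range estimates: the true distance from handset to each tower."""
    return [math.dist(handset, t) for t in towers]


def cell_of_origin(ranges: List[float], towers: List[Point],
                   cell_radius: float) -> Tuple[Point, float]:
    """Coarse fix: report the serving (nearest) tower's position.
    The most that can be claimed is 'somewhere within cell_radius of it'."""
    nearest = min(range(len(towers)), key=lambda i: ranges[i])
    return towers[nearest], cell_radius


def trilaterate(towers: List[Point], ranges: List[float]) -> Point:
    """Position from three towers and three range estimates.

    Each tower gives a circle (x - xi)^2 + (y - yi)^2 = ri^2.  Subtracting
    tower 1's equation from towers 2 and 3 cancels the quadratic terms,
    leaving two linear equations in x and y, solved by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = towers
    r1, r2, r3 = ranges
    a1, b1 = 2 * (x1 - x2), 2 * (y1 - y2)
    c1 = r2 ** 2 - r1 ** 2 - x2 ** 2 + x1 ** 2 - y2 ** 2 + y1 ** 2
    a2, b2 = 2 * (x1 - x3), 2 * (y1 - y3)
    c2 = r3 ** 2 - r1 ** 2 - x3 ** 2 + x1 ** 2 - y3 ** 2 + y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        # Collinear towers: the two circles' intersections are mirror images.
        raise ValueError("towers are collinear: the fix is ambiguous")
    return ((c1 * b2 - b1 * c2) / det, (a1 * c2 - a2 * c1) / det)


def fix_error_m(estimate: Point, truth: Point) -> float:
    """Distance between an estimated position and the true one."""
    return math.dist(estimate, truth)


def compare_techniques(range_errors_m: List[float]) -> Dict[str, float]:
    """Position error of each technique for one set of per-tower range errors.

    range_errors_m are constructed measurement errors (multipath, timing
    skew and the like, summarised as a single signed offset per tower)."""
    exact = ranges_from(TRUE_HANDSET, TOWERS)
    noisy = [r + e for r, e in zip(exact, range_errors_m)]
    _, cell_uncertainty = cell_of_origin(noisy, TOWERS, CELL_RADIUS_M)
    return {
        "cell_of_origin_uncertainty_m": cell_uncertainty,
        "trilateration_exact_error_m": fix_error_m(trilaterate(TOWERS, exact), TRUE_HANDSET),
        "trilateration_noisy_error_m": fix_error_m(trilaterate(TOWERS, noisy), TRUE_HANDSET),
    }


if __name__ == "__main__":
    # Constructed error pattern: 50 m too long, 50 m too short, 50 m too long.
    for name, value in compare_techniques([50.0, -50.0, 50.0]).items():
        print(f"{name}: {value:.1f}")
```

With exact ranges the trilateration reproduces the handset position; with the constructed 50 m range errors it is out by a few tens of metres, still far inside the 2 km cell radius that cell-of-origin can offer. The collinear check matters in practice: towers strung along a road give two mirror-image solutions, which is one of the 'multiple error-factors' the slide refers to.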

Slide 16 – The Primary Geolocation Technologies
http://www.rogerclarke.com/DV/LTMD.html

Slide 17 – Location and Tracking: Some Scenarios
- Arresting a crook
- Investigating the proximity of a suspect to a crime-scene
- Targeting an enemy
- Being accused of association with another person
- Having your association with a person discovered
- Being targeted by a marketer... who knows a great deal about you
- Being monitored by your partner, or your next date
- Being targeted by an enemy
- Being found by a fan, stalker, abusive ex-partner

Slide 18 – 3. Application of the Security Model to Mobile Usage
- Messaging – synch and asynch, 1-1 and m-n: Email, Chat/IM, Voice, Video, ...
- Content Access: Open Web, Search; Semi-Closed Wall-Postings; Organisational Data
- Content Preparation / Publishing: Formal Docs, Informal Postings / micro-blogging; Open, Corporate, Personal
- Transactions: Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...

Slide 19 – Conventional IT Security Model
http://www.rogerclarke.com/EC/PBAR.html#App1

Slide 20 – The Harm Aspect
- Injury to Persons
- Damage to Property
- Loss of Value of an Asset
- Breach of Personal Data Security, or Privacy more generally
- Financial Loss
- Inconvenience and Consequential Costs arising from Identity Fraud (very common)
- Serious Inconvenience and Consequential Costs arising from Identity Theft (very rare)
- Loss of Reputation and Confidence

Slide 21 – The Vulnerability Aspect
- The Environment
  - Physical Surroundings
  - Organisational Context
  - Social Engineering
- The Device
  - Hardware, Systems Software
  - Applications
  - Server-Driven Apps (ActiveX, Java, AJAX)
  - The Device's Functions: Known, Unknown, Hidden
  - Software Installation
  - Software Activation
- Communications
  - Transaction Partners
  - Data Transmission
- Intrusions
  - Malware Vectors
  - Malware Payloads
  - Hacking, incl. Backdoors, Botnets

Slide 22 – Threat Aspects – Third-Party, Within the System
(Who else can get at you, where, and how?)
- Points-of-Transaction, Physical: Observation; Coercion
- Points-of-Transaction, Electronic: Rogue Devices; Rogue Transactions; Keystroke Loggers; Private Key Reapers
- Comms Network: Interception; Decryption; Man-in-the-Middle Attacks
- Points-of-Processing: Rogue Employee; Rogue Company; Error

Slide 23 – Threat Aspects – Third-Party, Within the Device
- Physical Intrusion
  - Social Engineering: Confidence Tricks; Phishing; Masquerade; Abuse of Privilege
- Hardware / Software / Data
- Electronic Intrusion
  - Interception
  - Cracking / 'Hacking'
  - Bugs, Trojans, Backdoors
  - Masquerade
  - Distributed Denial of Service (DDOS)
  - Infiltration by Software with a Payload

Slide 24 – Threat Aspects – Second-Party
- Situations of Threat: Banks; Telcos / Mobile Phone Providers; Toll-Road eTag Providers; Intermediaries; Devices
- Safeguards: Terms of Contract; Risk Allocation; Enforceability; Consumer Rights

Slide 25 – Key Threat / Vulnerability Combinations re Mobile Payments
- Unauthorised Conduct of Transactions
- Interference with Legitimate Transactions
- Acquisition of Identity Authenticators
  e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
  e.g. Username (identifier) plus Password / PIN / Passphrase / Private Signing Key (id authenticator)
  e.g. Biometrics capture and comparison

Slide 26 – 4. What Do We Do About It?
- Consumers
- Organisations: Corporate Devices; BYOD

Slide 27 – The Status of Consumer Protection
- EFT Code of Conduct – longstanding, phased out
- ePayments Code – with effect from 30 March 2013
  http://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument
- Soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...
- The banks have sought to weaken the protections (in NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)
- The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'

Slide 28 – The Absolute-Minimum Security Safeguards
1. Physical Safeguards
2. Access Control
3. Malware Detection and Eradication
4. Patching Procedures
5. Firewalls
6. Incident Management Processes
7. Logging
8. Backup and Recovery Plans, Procedures
9. Training
10. Responsibility
http://www.xamax.com.au/EC/ISInfo.pdf

Slide 29 – Beyond the Absolute-Minimum Safeguards
Risk Assessment, leading to at least some of:
11. Data Communications Encryption
12. Data Storage Encryption
13. Vulnerability Testing
14. Standard Operating Environments
15. Application Whitelisting
16. Device Authentication and Authorisation
17. Use of Virtual Private Networks
18. Intrusion Detection and Prevention
19. User Authentication
20. Firewall Configurations, Outbound
http://www.xamax.com.au/EC/ISInfo.pdf
