1. Mobile Security
Mobile Commerce USA - November 2009
David Eads, Founder
david@MobileStrategyPartners.com
+1 (404) 285-4219
2. Background
- Founder & CEO, Mobile Strategy Partners LLC
- Help organizations optimize mobile commerce from both a business & tech perspective
- Perform risk assessments as a part of my practice
- Participated in many IT security reviews throughout my career in ecommerce and mobile commerce
Confidential
3. Frozen in fear
- Security consistently reported as the biggest barrier to mobile banking and mobile commerce usage
  - 47% of non-adopters cite security; 73% fear hackers can break into their phones (Tom Wills, Javelin, 12/08)
- Security considered during purchase, implementation
- Fraud fears limit mobile commerce functionality in N. America
  - Few commerce apps with a real checkout process
  - Limited transactional capabilities in mobile banking
  - Mobile payments wheels still spinning (esp. P2P)
- Attacks follow adoption: Africa was first, hackers will turn to us
  - Phishing seems the most common & effective attack
  - SIM, mobile phone fraud also related (Absa ’07)
4. It’s not what we fear…
- Mobile commerce is basically safe; however, consumers are still afraid
- Everyone generally learned the lessons of ecommerce
  - 128-bit SSL
  - Multifactor authentication
  - Phone disabling features
- Phone viruses, network hacks rare so far
- Mobile makes us MORE secure in many ways
  - Balance, transaction alerts, visibility
5. … the danger is the unknown
- Untested defenses are weak defenses
- Monitoring systems an afterthought
- Mobile new to information security teams
- Consumer education lacking
- Unsophisticated users with smart phones
6. Social trickery
- Phishing proven effective, likely to continue
- Phishing often cross-channel
  - Fake call centers, targeted attacks, detailed research
- URL not visible on mobile browsers, URL shorteners
- SMS alerts perfect temptation for phishing
  - Shortcode registration limits spoofing, but possible
  - Linking from SMS to web encourages email to web
- Social networking, mobile convergence amplifies risk
7. Limited Detection
- Few organizations monitor for mobile attacks
- Variety of fraud detection systems exist for ecommerce sites, but not optimized for mobile
  - Some adaptable to mobile, but mobile requires more (e.g. monitor SMS patterns, web services, mobile web)
- Security companies yet to fully focus on mobile
- Recession, limited adoption discourages investment in defensive systems
  - Attacks can happen even if adoption is low!
8. Unsophisticated Users
- What happens when my Mom has a smartphone?!
- Unsophisticated users today tend to have unsophisticated phones, which provide significant protection
- Smartphone trend means most phones will be smart
  - My mother-in-law & father-in-law have Blackberries
  - They are more vulnerable via phone than AOL dial-up
- Damage to unsophisticated users can create major perception problems for the entire industry
9. Recommendations
- Continue discouraging SMS, email links to apps
- Promote, encourage PIN-locking phones
- Require multifactor authentication & don’t bypass it
- Avoid storing sensitive data on phones
- Architect mobile systems with security in mind
  - Keep sensitive data out of DMZs
- Continual penetration testing
- Mobile-aware fraud detection
11. Best Practices
- DO encourage transactional functionality that drives revenue, like checkout, payments, etc.
- DO perform a thorough risk assessment with mobile experts starting at the design phase
- DO continual penetration testing and monitoring
- DO user experience design to prevent confusion
- DO require true MFA before transactions, etc.
- DO provide strong encryption, etc.
12. Worst Practices
- DON’T store sensitive data on the phone
- DON’T encourage linking from SMS messages
- DON’T let vendor architecture create security risks
- DON’T display user identifiable information without proper multifactor authentication
- DON’T do transactions in SMS without authentication from another channel (like voice)
- DON’T encourage putting sensitive info in SMS
13. Threat Examples
- A hacker reaching credit card numbers or other information useful for identity theft through a breach of corporate access over a mobile connection
- Phishing attacks to trick users into providing access
  - Phishers then transfer money out of their account
  - Phishers could also potentially manipulate stocks
- Using identifiable information to gain access
  - Mobile app doesn’t do transactions, but exposes data
  - Thief uses data to gain access to acct. over phone
Founder & CEO of MSP, focus on optimizing mobile commerce from both biz & tech perspective; participated in a number of security reviews in a variety of verticals; spoken on mobile security, authored whitepaper.
As a part of my practice I help companies with risk assessments.
Show of hands – PIN lock on phone? Looked at someone else’s phone on a train or plane? (Credent 5/09, 40% don’t lock, 99% have sens. data) http://www.darkreading.com/security/client/showArticle.jhtml?articleID=215901048
The real threat isn’t in what people fear, but in other overlooked areas.