Mobile Commerce: A Security Perspective 
Pragati Ogal Rai 
Chief Technology Evangelist, PayPal Inc. 
@pragatiogal
My Ego Slide! 
• Author of “Android Application Security Essentials” 
• 2014 Zinnov Thought Leadership Award 
• Mobile Developer Relations, PayPal North America 
• 15+ Years Industry Experience 
• Mobile, Android, Security, Payments and Commerce 
Pragati.Rai@paypal.com 
@pragatiogal 
www.slideshare.net/pragatiogal 
www.linkedin.com/in/pragati 
Mobile commerce is worth US$230 billion 
M-Commerce will reach US$700 billion in 2017 
Asia represents almost half of the market 
http://www.digi-capital.com
Agenda 
 M-commerce defined 
 M-commerce ecosystem 
 End-to-end security 
 How does it affect me?
M-Commerce defined!
Commerce 
www.123rf.com 
www.jaipuronline.in
Traditional e-commerce 
telegraph.co.uk
Today’s Technology Trends 
Global, Social, Mobile, Local, Digital, Service & delivery
Mobile Commerce 
Promotions & coupons 
Mobile commerce 
Payments 
Location-based services 
In-store research 
Self-scanning & self-checkout 
Social commerce 
Loyalty 
Mobile shopping lists
M-Commerce Ecosystem
M-commerce Ecosystem 
Clients, Merchants, Infrastructure
Disconnected: Off-line m-commerce 
• Disconnected 
• Privacy 
• Integrity of State
Partial Connectivity 
Infrastructure Centric Model 
Merchant Centric Model 
Client Centric Model
Partial Connectivity: Security Analysis 
 End to end security 
 Privacy 
 Client-merchant identification 
 Communication authentication 
 More points of attack
Full Connectivity 
• End to end security
Challenges of m-commerce? 
 New market players and dynamics 
 Limitations of client devices 
 Portability 
 Pervasive computing 
 Location aware devices 
 Merchant machines 
 Standardization & approvals 
 Too many expectations 
Biggest challenge? End-to-end security
End-to-end Security
Mobile Security Stack 
Mobile Security Stack 
Application 
Operating System 
Device Hardware 
Infrastructure/ 
Network 
• Each layer takes care of its own security 
• Each layer depends upon the lower layer for security 
• Transitions between the layers can open the door to attacks
Infrastructure/ Network Layer 
Mobile Security Stack 
Application 
Operating System 
Device Hardware 
Infrastructure/ 
Network 
• Third party networks 
• GSM, CDMA, SMS, WAP, GPS… 
• Usually a security breach at this layer is device agnostic
Breaking GSM 
https://srlabs.de/decrypting_gsm/ 
• GnuRadio is included in recent Linux distributions 
• Airprobe: git clone git://git.gnumonks.org/airprobe.git 
• Kraken: git clone git://git.srlabs.de/kraken.git 
• Kraken uses rainbow tables available through Bittorrent
Device Hardware Layer 
 Consumer Electronics Devices 
 Some CEDs are Connected 
 Computing capability + runs software 
 Smartphones, tablets, mobile PoS device, parking meter, vending machine 
 Flaw in chip design affects all hardware based on that chip 
Mobile Security Stack 
Application 
Operating System 
Device Hardware 
Infrastructure/ 
Network
Device Hardware 
http://gadgetian.com/44495/google-lg-nexus-4-4g-lte-chip-inside-ifixit/
Device Security: Example 
Brought to light by user "alephzain" on mobile developer forum XDA Developers, the user claims that the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2 which use the dual core, fourth-generation Exynos chips. 
"The good news is we can easily obtain root on these devices and the bad is there is no control over it. Ram dump, kernel code injection and others could be possible via app installation from Play Store. It certainly exists many ways to do that but Samsung give an easy way to exploit. This security hole is dangerous and expose phone to malicious apps. Exploitation with native C and JNI could be easily feasible." 
http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
Operating System Layer 
Mobile Security Stack 
Application 
Operating 
System 
Device 
Hardware 
Infrastructure/ 
Network 
• Android, iOS, Symbian, Windows, J2ME 
• Flaws are most common and are easily exploited 
• Compromises security of applications 
• Flaw affects entire revision of software 
• Patches and security fixes are common
Android Software Stack 
• Permission based application model 
• Linux kernel based process sandboxing
OS Security: Example 
Android 2.3.3 and below ….. 
When you login to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can login to the account associated with the authToken without question. 
http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/ 
• Don’t use public Wi-fi! 
• Patched in 2.3.4 and Honeycomb
Application Layer 
Mobile Security Stack 
Application 
Operating 
System 
Hardware 
Infrastructure/ 
Network 
• Your applications, system applications, applications you install 
• Coding flaws, exploiting a hole in OS 
• Buffer overflows, data leakage, custom crypto algorithms, hardcoded values
Malicious App Examples 
Android 
 Repackaged Apps on Play posing as TempleRun and Glu Mobile 
 Lovetrap: Trojan, sends SMS 
 Nickispy: Trojan, steals info 
 Geinimi: Botnet, follows orders from remote server, sends sensitive info back 
iPhone 
 Trojan sends out contact list to server 
 Handy Light: secret tethering utility
TrustZone: Trusted Execution Environment 
• Two domains: Normal & Secure 
• Implemented as SoC 
• Security extensions to processor 
• Trusted OS 
• Virtualization 
www.arm.com
How does it affect me?
Mobile Security Stack 
Application 
Operating System 
Hardware 
Infrastructure/Network 
Do NOT trust the mobile ecosystem! 
Only this is in your control!
Get to know the PCI standard. Period.
PCI Standard Council 
 Independent organization 
 PCI PTS approved add-on devices 
 PA DSS approved applications 
 Working with mobile vendors for further solutions around mobile payments 
 Develop common set of payment standards 
– PCI-DSS v2.0 
– PA-DSS 
– PCI-PTS 
– PCI-P2PE
PCI-DSS V2.0 
 Build and maintain a secure network 
 Protect cardholder data 
 Regularly test and monitor networks 
 Maintain an InfoSec policy 
 Maintain vulnerability management program 
 Implement strong access control measures
Encrypt sensitive data at rest and transit 
microsoft.com
Avoid storing sensitive data on device
Use OS security features 
Lifehacker.com
Authenticate your users 
Statetechmagazine.com
Authorized access to user data 
www.123rf.com
Use your crypto tools 
www.catalogs.com
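The three slides above (authenticate your users, authorized access to user data, use your crypto tools) are the part of the stack the deck says is in your control. The Python below is an added example written for this page, not code from the deck or from PayPal; it shows the three together on the server side: a bearer token authenticated with HMAC-SHA256 and bound to a user and an expiry, an owner check before any record is returned, and a client-side guard that refuses to send the token over anything but TLS, which is the gap behind the Android 2.3.3 authToken example earlier in the deck. The signing key, the record store, the user ids and the 14-day lifetime (taken from that slide) are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Constructed for this example: a real service loads the key from a secrets
# store, never from source (the deck lists hardcoded values as an app-layer flaw).
SERVER_KEY = secrets.token_bytes(32)

# The deck's Android example kept its authToken for 14 days; the lifetime is a
# constructed value here so the test can reason about expiry.
TOKEN_LIFETIME = 14 * 24 * 3600  # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Issue a bearer token: payload (subject + expiry) plus an HMAC-SHA256 tag over it."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + TOKEN_LIFETIME}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id the token was issued for, or None if it is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)  # tag verified, so this is a payload we issued
    if claims["exp"] < now:
        return None
    return claims["sub"]


# Constructed user-data store: record id -> (owner id, record)
RECORDS = {
    "order-1001": ("alice", {"total": "42.00", "card_last4": "1234"}),
    "order-1002": ("bob", {"total": "9.99", "card_last4": "5678"}),
}


def fetch_record(token: str, record_id: str, now: Optional[float] = None) -> Optional[dict]:
    """Authenticate the caller from the token, then authorize: only the owner may read a record."""
    user = verify_token(token, now)
    if user is None:
        return None  # unauthenticated
    entry = RECORDS.get(record_id)
    # Unknown record and someone else's record get the same answer, so a valid
    # token cannot be used to probe which record ids exist.
    if entry is None or entry[0] != user:
        return None
    return entry[1]


def transport_allowed(url: str) -> bool:
    """Client-side guard: a bearer token is only ever sent over TLS."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    t0 = time.time()
    token = issue_token("alice", now=t0)
    print("owner read:", fetch_record(token, "order-1001", now=t0))
    print("other user's record:", fetch_record(token, "order-1002", now=t0))
    print("after expiry:", fetch_record(token, "order-1001", now=t0 + TOKEN_LIFETIME + 1))
    print("plain http allowed:", transport_allowed("http://api.example/orders"))
```

Two design points worth noting: the expiry lives inside the signed payload, so a client cannot extend its own session by editing the token, and the authorization check compares the record's owner with the subject recovered from the token rather than with a user id supplied in the request, which is the difference between "authenticated" and "authorized to this data".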
Identity is a challenge 
www.interactiveinsightsgroup.com
Look beyond the hype 
www.mashable.com
Summary 
 M-commerce is a complex space 
 Understand what mobile means for your business 
 Identify assets/ threats 
 Analyze technology being used 
 Be aware of emerging standards 
 Use OS security features, crypto tools, identity and authorization
Pragati Ogal Rai 
@pragatiogal 
http://www.slideshare.net/pragatiogal 
Thank You!

Más contenido relacionado

La actualidad más candente

Payment Systems Business Model & The Way Forward
Payment Systems Business Model & The Way ForwardPayment Systems Business Model & The Way Forward
Payment Systems Business Model & The Way Forwardcatmahir
 
The Mobile Commerce Impact – From Characteristics to Implementation
The Mobile Commerce Impact – From Characteristics to ImplementationThe Mobile Commerce Impact – From Characteristics to Implementation
The Mobile Commerce Impact – From Characteristics to ImplementationZoyabennet
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015TransUnion
 
Ch 08 mobile commerce
Ch 08 mobile commerceCh 08 mobile commerce
Ch 08 mobile commercenaielofar
 
Payment industry trends and opportunity
Payment industry trends and opportunityPayment industry trends and opportunity
Payment industry trends and opportunityDebasis Chakraborty
 
Mobile Payment Analysis
Mobile Payment AnalysisMobile Payment Analysis
Mobile Payment AnalysisStomar
 
Transformation of the Electronic Payments Industry - Strategies for Growth
Transformation of the Electronic Payments Industry - Strategies for GrowthTransformation of the Electronic Payments Industry - Strategies for Growth
Transformation of the Electronic Payments Industry - Strategies for Growthfrancisfoo
 
IoT and the Payments Industry
IoT and the Payments IndustryIoT and the Payments Industry
IoT and the Payments IndustryMichael Navarrete
 
Cost and Features to Develop e-wallet Mobile App
Cost and Features to Develop e-wallet Mobile AppCost and Features to Develop e-wallet Mobile App
Cost and Features to Develop e-wallet Mobile AppTarun Nagar
 
Challenges and issues of mCommerce - ecommerce solution provider
Challenges and issues of mCommerce - ecommerce solution providerChallenges and issues of mCommerce - ecommerce solution provider
Challenges and issues of mCommerce - ecommerce solution providerVineela Kanapala
 
Outsmarting the Smart City
Outsmarting the Smart CityOutsmarting the Smart City
Outsmarting the Smart CityPriyanka Aash
 
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...Priyanka Aash
 
Fintech Simplified
Fintech SimplifiedFintech Simplified
Fintech SimplifiediHashmi ...
 
What is your Mobile App Strategy?
What is your Mobile App Strategy?What is your Mobile App Strategy?
What is your Mobile App Strategy?ROAMData
 

La actualidad más candente (20)

MIS 11 M-Commerce
MIS 11 M-CommerceMIS 11 M-Commerce
MIS 11 M-Commerce
 
Payment Systems Business Model & The Way Forward
Payment Systems Business Model & The Way ForwardPayment Systems Business Model & The Way Forward
Payment Systems Business Model & The Way Forward
 
The Mobile Commerce Impact – From Characteristics to Implementation
The Mobile Commerce Impact – From Characteristics to ImplementationThe Mobile Commerce Impact – From Characteristics to Implementation
The Mobile Commerce Impact – From Characteristics to Implementation
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015
 
Ch 08 mobile commerce
Ch 08 mobile commerceCh 08 mobile commerce
Ch 08 mobile commerce
 
Payment industry trends and opportunity
Payment industry trends and opportunityPayment industry trends and opportunity
Payment industry trends and opportunity
 
Mobile Payment Analysis
Mobile Payment AnalysisMobile Payment Analysis
Mobile Payment Analysis
 
Transformation of the Electronic Payments Industry - Strategies for Growth
Transformation of the Electronic Payments Industry - Strategies for GrowthTransformation of the Electronic Payments Industry - Strategies for Growth
Transformation of the Electronic Payments Industry - Strategies for Growth
 
MOBILE COMMERCE
MOBILE COMMERCEMOBILE COMMERCE
MOBILE COMMERCE
 
IoT and the Payments Industry
IoT and the Payments IndustryIoT and the Payments Industry
IoT and the Payments Industry
 
E banking
E bankingE banking
E banking
 
M commerce ppt
M commerce pptM commerce ppt
M commerce ppt
 
m - commerce
m - commercem - commerce
m - commerce
 
Cost and Features to Develop e-wallet Mobile App
Cost and Features to Develop e-wallet Mobile AppCost and Features to Develop e-wallet Mobile App
Cost and Features to Develop e-wallet Mobile App
 
Challenges and issues of mCommerce - ecommerce solution provider
Challenges and issues of mCommerce - ecommerce solution providerChallenges and issues of mCommerce - ecommerce solution provider
Challenges and issues of mCommerce - ecommerce solution provider
 
Outsmarting the Smart City
Outsmarting the Smart CityOutsmarting the Smart City
Outsmarting the Smart City
 
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN...
 
Fintech Simplified
Fintech SimplifiedFintech Simplified
Fintech Simplified
 
What is your Mobile App Strategy?
What is your Mobile App Strategy?What is your Mobile App Strategy?
What is your Mobile App Strategy?
 
LTTC Presentation April 2014
LTTC Presentation April 2014LTTC Presentation April 2014
LTTC Presentation April 2014
 

Similar a Mobile Commerce: A Security Perspective

ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Hacking your Connected Car: What you need to know NOW
Hacking your Connected Car: What you need to know NOWHacking your Connected Car: What you need to know NOW
Hacking your Connected Car: What you need to know NOWKapil Kanugo
 
Countering Cybersecurity Risk in Today's IoT World
Countering Cybersecurity Risk in Today's IoT WorldCountering Cybersecurity Risk in Today's IoT World
Countering Cybersecurity Risk in Today's IoT WorldBrad Nicholas
 
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET Journal
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
Bolstering the security of iiot applications – how to go about it
Bolstering the security of iiot applications – how to go about it Bolstering the security of iiot applications – how to go about it
Bolstering the security of iiot applications – how to go about it Moon Technolabs Pvt. Ltd.
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaAngeloluca Barba
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52Felipe Prado
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifySumana Mehta
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0Javier Gonzalez
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingJay McLaughlin
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
System Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseSystem Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseJim Porell
 
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems  - Boston SECoT MeetUp 2015John Walsh, Sypris on Cyber Physical Systems  - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015Paul F. Roberts
 

Similar a Mobile Commerce: A Security Perspective (20)

ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
Hacking your Connected Car: What you need to know NOW
Hacking your Connected Car: What you need to know NOWHacking your Connected Car: What you need to know NOW
Hacking your Connected Car: What you need to know NOW
 
Countering Cybersecurity Risk in Today's IoT World
Countering Cybersecurity Risk in Today's IoT WorldCountering Cybersecurity Risk in Today's IoT World
Countering Cybersecurity Risk in Today's IoT World
 
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
 
Cybersecurity Slides
Cybersecurity  SlidesCybersecurity  Slides
Cybersecurity Slides
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
Bolstering the security of iiot applications – how to go about it
Bolstering the security of iiot applications – how to go about it Bolstering the security of iiot applications – how to go about it
Bolstering the security of iiot applications – how to go about it
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and Centrify
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile Banking
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
17-Android.pptx
17-Android.pptx17-Android.pptx
17-Android.pptx
 
System Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseSystem Z Mainframe Security For An Enterprise
System Z Mainframe Security For An Enterprise
 
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems  - Boston SECoT MeetUp 2015John Walsh, Sypris on Cyber Physical Systems  - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
 

Más de Pragati Rai

Be Your Own Technology Brand Ambassador
Be Your Own Technology Brand AmbassadorBe Your Own Technology Brand Ambassador
Be Your Own Technology Brand AmbassadorPragati Rai
 
Mobile Payments revolution
Mobile Payments revolutionMobile Payments revolution
Mobile Payments revolutionPragati Rai
 
Android securitybyexample
Android securitybyexampleAndroid securitybyexample
Android securitybyexamplePragati Rai
 
From java to android a security analysis
From java to android  a security analysisFrom java to android  a security analysis
From java to android a security analysisPragati Rai
 
The basics of mobile payments
The basics of mobile paymentsThe basics of mobile payments
The basics of mobile paymentsPragati Rai
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisPragati Rai
 
How are mobile devices changing face of payments?
How are mobile devices changing face of payments?How are mobile devices changing face of payments?
How are mobile devices changing face of payments?Pragati Rai
 
Mobile payments 101
Mobile payments 101Mobile payments 101
Mobile payments 101Pragati Rai
 
Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.Pragati Rai
 
New Security Considerations for Mobile Commerce
New Security Considerations for Mobile CommerceNew Security Considerations for Mobile Commerce
New Security Considerations for Mobile CommercePragati Rai
 
Amphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android SecuityAmphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android SecuityPragati Rai
 
Understanding Mobile payments
Understanding Mobile paymentsUnderstanding Mobile payments
Understanding Mobile paymentsPragati Rai
 
Mobile Ecosystem
Mobile EcosystemMobile Ecosystem
Mobile EcosystemPragati Rai
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 

Más de Pragati Rai (14)

Be Your Own Technology Brand Ambassador
Be Your Own Technology Brand AmbassadorBe Your Own Technology Brand Ambassador
Be Your Own Technology Brand Ambassador
 
Mobile Payments revolution
Mobile Payments revolutionMobile Payments revolution
Mobile Payments revolution
 
Android securitybyexample
Android securitybyexampleAndroid securitybyexample
Android securitybyexample
 
From java to android a security analysis
From java to android  a security analysisFrom java to android  a security analysis
From java to android a security analysis
 
The basics of mobile payments
The basics of mobile paymentsThe basics of mobile payments
The basics of mobile payments
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
 
How are mobile devices changing face of payments?
How are mobile devices changing face of payments?How are mobile devices changing face of payments?
How are mobile devices changing face of payments?
 
Mobile payments 101
Mobile payments 101Mobile payments 101
Mobile payments 101
 
Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.
 
New Security Considerations for Mobile Commerce
New Security Considerations for Mobile CommerceNew Security Considerations for Mobile Commerce
New Security Considerations for Mobile Commerce
 
Amphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android SecuityAmphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android Secuity
 
Understanding Mobile payments
Understanding Mobile paymentsUnderstanding Mobile payments
Understanding Mobile payments
 
Mobile Ecosystem
Mobile EcosystemMobile Ecosystem
Mobile Ecosystem
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 

Último

9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 

Último (7)

9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 

Mobile Commerce: A Security Perspective

  • 1. Mobile Commerce: A Security Perspective Pragati Ogal Rai Chief Technology Evangelist, PayPal Inc. @pragatiogal
  • 2. My Ego Slide! • Author of “Android Application Security Essentials” • 2014 Zinnov Thought Leadership Award • Mobile Developer Relations, PayPal North America • 15+ Years Industry Experience • Mobile, Android, Security, Payments and Commerce Pragati.Rai@paypal.com @pragatiogal www.slideshare.net/pragatiogal www.linkedin.com/in/pragati 2
  • 3. Mobile commerce is worth US$230 billion M-Commerce will reach US$700 billion in 2017 Asia represents almost half of the market http://www.digi-capital.com
  • 4. Agenda  M-commerce defined  M-commerce ecosystem  End-to-end security  How does it affect me?
  • 8. Today’s Technology Trends Global Social Mobile Local Digital Service & delivery
  • 9. Mobile Commerce Promotions & coupons Mobile commerce Payments Location-based services In-store research Self-scanning & self-checkout Social commerce Loyalty Mobile shopping lists
  • 11. M-commerce Ecosystem Clients Merchants Infrastructure
  • 12. Disconnected: Off-line m-commerce • Disconnected • Privacy • Integrity of State
  • 13. Partial Connectivity Infrastructure Centric Model Merchant Centric Model Client Centric Model
  • 14. Partial Connectivity: Security Analysis  End to end security  Privacy  Client-merchant identification  Communication authentication  More points of attack
  • 15. Full Connectivity • End to end security
  • 16. Challenges of m-commerce?  New market players and dynamics  Limitations of client devices  Portability  Pervasive computing  Location aware devices  Merchant machines  Standardization & approvals  Too many expectations Biggest challenge? End-to-end security
  • 18. Mobile Security Stack Mobile Security Stack Application Operating System Device Hardware Infrastructure/ Network • Each layer takes care of it’s own security • Each layer depends upon lower layer for security • Transition between the layers can cause attacks
  • 19. Infrastructure/ Network Layer Mobile Security Stack Application Operating System Device Hardware Infrastructure/ Network • Third party networks • GSM, CDMA, SMS, WAP, GPS… • Usually security breach at this layer is device agnostic
  • 20. Breaking GSM https://srlabs.de/decrypting_gsm/ • GnuRadio is included in recent Linux distributions • Airprobe: git clone git://git.gnumonks.org/airprobe.git • Kraken: git clone git://git.srlabs.de/kraken.git • Kraken uses rainbow tables available through Bittorrent
  • 21. Device Hardware Layer  Consumer Electronics Devices  Some CEDs are Connected  Computing capability + runs software  Smartphones, tablets, mobile PoS device, parking meter, vending machine  Flaw in chip design affects all hardware based on that chip Mobile Security Stack Application Operating System Device Hardware Infrastructure/ Network
  • 23. Device Security: Example
    Brought to light by user "alephzain" on mobile developer forum XDA Developers, the user claims that the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2, which use the dual-core, fourth-generation Exynos chips.
    "The good news is we can easily obtain root on these devices and the bad is there is no control over it. Ram dump, kernel code injection and others could be possible via app installation from Play Store. There certainly exist many ways to do that but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps. Exploitation with native C and JNI could be easily feasible."
    http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
  • 24. Operating System Layer (diagram: Mobile Security Stack, Operating System layer highlighted)
    • Android, iOS, Symbian, Windows, J2ME
    • Flaws are most common here and are easily exploited
    • An OS flaw compromises the security of applications
    • A flaw affects the entire revision of the software
    • Patches and security fixes are common
  • 25. Android Software Stack
    • Permission-based application model
    • Linux kernel based process sandboxing
  • 26. OS Security: Example (Android 2.3.3 and below)
    … When you login to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can login to the account associated with the authToken without question.
    http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/
    • Don’t use public Wi-Fi!
    • Patched in 2.3.4 and Honeycomb
  • 27. Application Layer (diagram: Mobile Security Stack, Application layer highlighted)
    • Your applications, system applications, applications you install
    • Coding flaws, exploiting a hole in the OS
    • Buffer overflows, data leakage, custom crypto algorithms, hardcoded values
  • 28. Malicious App Examples
    Android
    • Repackaged apps on Play posing as Temple Run and Glu Mobile titles
    • Lovetrap: Trojan, sends SMS
    • Nickispy: Trojan, steals info
    • Geinimi: Botnet, follows orders from a remote server, sends sensitive info back
    iPhone
    • Trojan sends out the contact list to a server
    • Handy Light: secret tethering utility
  • 29. TrustZone: Trusted Execution Environment (image: www.arm.com)
    • Two domains: Normal & Secure
    • Implemented in the SoC
    • Security extensions to the processor
    • Trusted OS
    • Virtualization
  • 30. How does it affect me?
  • 31. Mobile Security Stack (diagram: Application / Operating System / Hardware / Infrastructure-Network)
    Do NOT trust the mobile ecosystem! Only the application layer is in your control!
  • 32. Get to know the PCI standard. Period.
  • 33. PCI Standard Council
    • Independent organization
    • PCI PTS approved add-on devices
    • PA-DSS approved applications
    • Working with mobile vendors on further solutions around mobile payments
    • Develops a common set of payment standards:
      – PCI-DSS v2.0
      – PA-DSS
      – PCI-PTS
      – PCI-P2PE
  • 34. PCI-DSS v2.0
    • Build and maintain a secure network
    • Protect cardholder data
    • Regularly test and monitor networks
    • Maintain an InfoSec policy
    • Maintain a vulnerability management program
    • Implement strong access control measures
  • 35. Encrypt sensitive data at rest and in transit (image: microsoft.com)
  • 36. Avoid storing sensitive data on the device
  • 37. Use OS security features (image: lifehacker.com)
  • 38. Authenticate your users (image: statetechmagazine.com)
  • 39. Authorized access to user data (image: www.123rf.com)
  • 40. Use your crypto tools (image: www.catalogs.com)
  • 41. Identity is a challenge (image: www.interactiveinsightsgroup.com)
  • 42. Look beyond the hype (image: www.mashable.com)
  • 43. Summary
    • M-commerce is a complex space
    • Understand what mobile means for your business
    • Identify assets/threats
    • Analyze the technology being used
    • Be aware of emerging standards
    • Use OS security features, crypto tools, identity and authorization
  • 44. Pragati Ogal Rai @pragatiogal http://www.slideshare.net/pragatiogal Thank You!

Editor's notes

  1. Disconnected
    • Double spending
    • Credentials checking
    • Updates
    • Privacy
    • Integrity of state
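The off-line m-commerce slide and this editor's note name the two risks of a disconnected client or merchant without showing a mechanism: integrity of state (the voucher the device carries must not be editable) and double spending (the same voucher must not be redeemable twice). The following is an added example written for this page, not code from the deck or from PayPal: an issuer signs a voucher with an HMAC, and a merchant-side verifier, which may be off-line, checks the MAC in constant time, enforces expiry, and keeps a local redemption ledger so a replayed voucher is refused. The voucher format (`id|amount|expiry` plus a hex tag), the shared key, and all names are this example's own assumptions.

```java
// Added example (not from the slides): off-line voucher verification covering the
// editor's notes on integrity of state (HMAC over the voucher) and double spending
// (local redemption ledger). The key below is a constructed demo value.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class VoucherLedger {
    public enum Result { OK, BAD_FORMAT, TAMPERED, EXPIRED, ALREADY_SPENT }

    // Shared issuer/verifier secret. In a real deployment it is provisioned to the
    // merchant device (e.g. a PCI PTS approved add-on), never hardcoded in an app.
    private final byte[] secret;
    private final Set<String> redeemed = new HashSet<>();   // ids already spent on this device

    public VoucherLedger(byte[] secret) { this.secret = secret; }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(secret, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x & 0xff));
        return sb.toString();
    }

    // Returns null on malformed hex so the caller can report BAD_FORMAT.
    static byte[] unhex(String s) {
        if (s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // Issuer side: voucher = "id|cents|expiry" + "." + hex(HMAC(payload)).
    public String issue(String id, long cents, long expiryEpochSec) throws Exception {
        String payload = id + "|" + cents + "|" + expiryEpochSec;
        return payload + "." + hex(mac(payload));
    }

    // Verifier side (merchant device, possibly off-line): integrity first, then
    // expiry, then single-use enforcement against the local ledger.
    public Result redeem(String voucher, long nowEpochSec) throws Exception {
        int dot = voucher.lastIndexOf('.');
        if (dot < 0) return Result.BAD_FORMAT;
        String payload = voucher.substring(0, dot);
        byte[] given = unhex(voucher.substring(dot + 1));
        if (given == null) return Result.BAD_FORMAT;
        // MessageDigest.isEqual is constant-time, so tag comparison does not leak timing.
        if (!MessageDigest.isEqual(given, mac(payload))) return Result.TAMPERED;
        String[] f = payload.split("\\|");
        if (f.length != 3) return Result.BAD_FORMAT;
        long expiry;
        try { expiry = Long.parseLong(f[2]); } catch (NumberFormatException e) { return Result.BAD_FORMAT; }
        if (expiry < nowEpochSec) return Result.EXPIRED;
        if (!redeemed.add(f[0])) return Result.ALREADY_SPENT;   // second use of the same id
        return Result.OK;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        VoucherLedger ledger = new VoucherLedger(key);
        long now = 1_700_000_000L;
        String v = ledger.issue("C-1001", 500, 2_000_000_000L);
        System.out.println(ledger.redeem(v, now));                      // fresh voucher
        System.out.println(ledger.redeem(v, now));                      // same voucher replayed
        System.out.println(ledger.redeem(v.replace("|500|", "|5000|"), now));   // amount edited
    }
}
```

The three calls in `main` exercise a fresh voucher, its replay, and a copy whose amount was edited after issue. The caveat that ties this back to the partial-connectivity slides: the ledger is per device, so a disconnected merchant can only detect reuse it has seen itself; a voucher spent at two different off-line merchants is caught only when each ledger is reconciled with the infrastructure once connectivity returns, which is the "updates" item in the note above.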