
GEMALTO E-BANKING SECURITY

Mobile Journey in Financial Security

Zoltan Szalai, Presales Technical Consultant


Mobile Security Landscape


Factors that Discourage Non-users from Mobile Banking

• Mobile phones can be lost/stolen easily

• It's not secure

• I don't trust mobile networks/carriers

Source: Vocalink survey of 10,000 adults in the UK, February 2013

Gemalto eBanking 4

Reasons why People like Mobile Banking

• It's secure!

Source: Vocalink survey of 10,000 adults in the UK, February 2013

Mobile Banking Evolution


1st Generation

• View Balances

• Simple contact information

• Transfers to own accounts

2nd Generation

• P2P Payment

• Bill Payment

• Transfers to external accounts

• PFM

• View all bank products

• etc.

3rd Generation

• Transfers to International accounts

• Future PFM / prediction

• Manage all banks products

• Mobile Wallet and mCommerce

• Targeted offers

• Loyalty

• etc.

Mapa Research Mobile Banking report on 67 banks, June 2013

Chart legend for the features above: can be done with simple login / requires improved authentication / alternative security solutions

2012/2013 Q1 Malware (source: F-Secure)

Chart: new malware on Android, iOS and Windows Phone. The values extracted from the chart are 374, 1 and 2; Android accounts for almost all of the new malware.

Android is the platform of choice for hackers:

- Highest market share (79% in Q3 2013)

- Open model allowing downloads from third-party stores

- Weak control of applications published on Google Play

- Applications can be granted many permissions

SMS OTP is Under Numerous Threats

Timeline, 2010 to 2013:

• Zitmo: Zeus in the Mobile

• Spitmo: SpyEye in the Mobile

• Citmo: Carberp in the Mobile

(each derived from a PC Trojan)

• Eurograbber: attack based on Zitmo, 36M€ stolen

• Perkele: based on Zitmo, the first malware as a service

The Software Based Approach

Let's be Clear on the Objective

• Provide best-in-class software-based security

• Always be one step ahead of hackers: SMS malware is still pretty basic

• Never forget that we can't claim the same level of security as a hardware-based component, so we can never say we're done

PC and Tablet (browser) Banking: allow end users to confidently use their mobile phone to secure their browser-based access

Mobile and Tablet (native app) Banking: integrate a 2FA component within the mobile banking application itself and definitely get rid of static credentials

How to Achieve Good Security without a Hardware Secure Element?

Traditional Development Way

• We roughly know what we need to take care of (the secret keys) and imagine a protection

• Develop

• Functional tests (hackers will do the security check)

Secure Software Development Life Cycle

• Define a threat model: list the sensitive assets, list the possible attack vectors, play the hacker

• Design a software security architecture that closes the doors to the identified attacks

• Validate this architecture with external reviewers

• Develop

• Audit the final solution to validate that the secure design was properly implemented and that no security holes are discovered

How to Achieve Good Security without a Hardware Secure Element? (the $1MM question)

It's also a matter of gathering the right teams and experts; you can't succeed alone:

• A development team embedding security-minded developers

• Neutral and independent mobile security experts

• An internal security lab providing world-class cryptographic analyses

Main Security Features

Secure Software Container with Multi-layer Encryption:

• PIN encryption, preventing all brute-force and after-theft attacks

• Environment data encryption

• Proprietary encryption using platform-specific tools

• Standard database encryption

Device Fingerprinting

• Collect information linked to the physical device, operating system, MNO or app publisher

• Provides an anti-cloning feature

Secure PIN Pad

• Relieves the mobile banking/token application from managing PIN security

• Developed to provide protection against key loggers and screen loggers
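A worked example for the two points above, PIN encryption of the container and device fingerprinting as an anti-cloning measure. This is added illustration, not Gemalto's code, and it makes one design assumption the slide does not spell out: the only way "PIN encryption" can stop an offline brute force of a 4-digit PIN is to leave nothing on the device that confirms a guess, so that every candidate PIN decrypts to an equally plausible OTP seed and only the bank, which counts failures, can tell right from wrong. The fingerprint attribute names (imei, os, mnc, publisher) and the 4-digit PIN space are assumptions; the OTP algorithm is RFC 4226 HOTP.

```python
import hashlib
import hmac
import struct
from typing import Optional

DIGITS = 6
PBKDF2_ITERATIONS = 200  # deliberately low so the 10,000-PIN sweeps below run in about a second


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def device_secret(fingerprint: dict) -> bytes:
    """Reduce collected device/OS/MNO/publisher attributes (assumed names) to one fixed-size secret."""
    canonical = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint))
    return hashlib.sha256(canonical.encode()).digest()


def derive_kek(pin: str, device: bytes, salt: bytes) -> bytes:
    """Key-encryption key from PIN + device secret. Stretching adds cost, but it is the
    absence of a local verifier, not the iteration count, that defeats offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device + salt, PBKDF2_ITERATIONS, 32)


# --- Naive container: a locally verifiable PIN hash ---------------------------------
def naive_pin_record(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


def naive_offline_attack(record: bytes, salt: bytes) -> Optional[str]:
    """With a local check, all 10,000 four-digit PINs fall in well under a second."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(naive_pin_record(pin, salt), record):
            return pin
    return None


# --- Hardened container: no local verifier, seed masked with a PIN + device key ------
class SoftToken:
    """On-disk state: the 32-byte OTP seed XOR-masked with a 32-byte KEK (a one-time mask,
    since each KEK masks exactly one seed). There is deliberately no integrity tag: a wrong
    PIN or a cloned device just yields a different, equally plausible seed, never an error."""

    def __init__(self, seed: bytes, pin: str, fingerprint: dict, salt: bytes):
        assert len(seed) == 32 and len(salt) >= 16
        self.salt = salt
        kek = derive_kek(pin, device_secret(fingerprint), salt)
        self.masked_seed = bytes(a ^ b for a, b in zip(seed, kek))
        self.counter = 0

    def unmask(self, pin: str, fingerprint: dict) -> bytes:
        kek = derive_kek(pin, device_secret(fingerprint), self.salt)
        return bytes(a ^ b for a, b in zip(self.masked_seed, kek))

    def next_otp(self, pin: str, fingerprint: dict) -> str:
        otp = hotp(self.unmask(pin, fingerprint), self.counter)
        self.counter += 1
        return otp


def offline_candidates(token: SoftToken, fingerprint: dict) -> set:
    """Attacker holding a stolen container: every PIN produces a well-formed OTP, so nothing
    on the device distinguishes the right one; each guess has to be sent to the bank."""
    return {hotp(token.unmask(f"{n:04d}", fingerprint), token.counter) for n in range(10_000)}


class OtpServer:
    """Bank side: the only place a PIN guess can be checked. Counts failures and locks."""

    def __init__(self, seed: bytes, window: int = 5, max_failures: int = 3):
        self.seed, self.window, self.max_failures = seed, window, max_failures
        self.counter, self.failures, self.locked = 0, 0, False

    def verify(self, otp: str) -> bool:
        if self.locked:
            return False
        for i in range(self.window):  # look-ahead absorbs counters burnt by client-side misfires
            if hmac.compare_digest(hotp(self.seed, self.counter + i), otp):
                self.counter += i + 1
                self.failures = 0
                return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False
```

Reading the two designs side by side: naive_offline_attack recovers the PIN from the naive record immediately, while offline_candidates on the hardened container returns ten thousand equally valid-looking OTPs, so the thief's only option is online guessing, which OtpServer locks after three failures. The same masking gives the anti-cloning property for free: the container copied to a device with a different fingerprint unmasks to a different seed even with the correct PIN, and the bank rejects it.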

Main Security Features

Secure Proprietary Mobile Provisioning Protocol

• SSL cannot always be trusted (BEAST, CRIME, bad CAs)

• Provides proven and uniform protection on all platforms against man-in-the-middle and denial of service

• Provides end-to-end protection
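An added illustration of what "end-to-end protection" independent of the SSL/TLS channel means in practice; this is not Gemalto's protocol, which the slide does not describe. The assumption is a secret shared out of band, an activation code handed to the user at enrolment (a constructed value in the test), from which encryption and MAC keys are derived; the provisioning payload is then encrypt-then-MAC protected so that a man in the middle who owns the TLS session (a bad CA, a downgraded cipher) can neither read the seed nor alter it undetected. Because the standard library has no AES, the cipher is an HMAC-SHA256 keystream; a real build would use an AEAD such as AES-GCM. Two caveats a practitioner would add: a passive observer can test activation-code guesses offline against the tag, so the code must be long and single-use, and the first-line answer to untrusted CAs is still certificate pinning in the app.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(activation_code: str, nonce: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys from the out-of-band activation code and the
    server's random nonce; nothing here depends on the transport's certificate."""
    root = hashlib.pbkdf2_hmac("sha256", activation_code.encode(), nonce, 50_000, 64)
    return root[:32], root[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for a real AEAD)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def wrap(activation_code: str, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Server side: encrypt-then-MAC the provisioning payload (e.g. the OTP seed)."""
    nonce = nonce or os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(activation_code, nonce)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(activation_code: str, message: bytes) -> Optional[bytes]:
    """Client side: verify the tag before touching the ciphertext; None on any tampering."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    enc_key, mac_key = derive_keys(activation_code, nonce)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def mitm_flip(message: bytes, index: int) -> bytes:
    """What an attacker on a broken TLS channel could do: alter one byte in transit."""
    tampered = bytearray(message)
    tampered[index] ^= 0x01
    return bytes(tampered)
```

The point of the exchange is that the transport is treated as untrusted plumbing: the seed never appears in the clear on the wire, any modification (ciphertext, nonce or tag) fails the constant-time tag check before decryption, and a wrong activation code produces a different MAC key and is rejected the same way.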


Advanced Jailbreak and Rooting Detection

• Jailbreak and rooting are the first entry door for malware installation

• They remove all the protections provided by the operating system

• We detect all types of jailbreak/rooting and also defeat cloaking tools like xCon or HideMyRoot

Is it the Same to Protect eBanking and mBanking?

Indeed, using a mobile phone in addition to a PC or tablet brings a second channel into the equation, making an attack more difficult.

This is true, but we should not forget that:

• For mobile banking the first objective is to replace the static password with a 2FA component that is as secure as possible

• We learned from recent SMS OTP attacks that when hackers have infected your PC, they find ways to infect the mobile phone you use to secure this PC as well

The Secure Element Dilemma

Our Headache

• Reach: I want to access all mobile platforms and all users without restriction

• Security: I want the most secure solution (simple, right?)

• Convenience: I don't want the user experience to be impacted; mobile needs to stay a convenient channel

• Control: I want to be in control of the solution

Secure Elements vs. Software

Radar charts: S/W, SIM, Contactless, BT and TEE, each rated on the four axes Reach, Control, Security and Convenience.

What Can we Conclude?

None of the Secure Elements can satisfy all our needs today.

Solution needed that:

• Supports multiple Secure Elements in the most transparent way

• Combines good software-based security to fill the gap for non-equipped users

• Dynamically adapts the risk to the security level of the device

It will be a progressive approach:

• Start by securing the most sensitive transactions and users (corporate and wealth)

• Then switch Secure-Element-equipped users

What Can we Conclude?

Software remains a very good solution for the short/mid term:

• Best reach and convenience

• Real attacks against mobile applications do not exist yet in real life; we are still ahead of hackers

But only under the condition that:

• We maintain the best security over time with permanent threat monitoring

• We have the next step with Secure Elements planned and ready to integrate into already deployed solutions