GEMALTO E-BANKING SECURITY
Mobile Journey in Financial Security
Zoltan Szalai Presales Technical Consultant
Factors that Discourage Non-users from Mobile Banking
- Mobile phone can be lost/stolen easily
- It's not secure
- I don't trust mobile networks/carriers
Source: Vocalink survey of 10,000 adults in the UK, February 2013
Reasons why People like Mobile Banking
- It's secure!
Source: Vocalink survey of 10,000 adults in the UK, February 2013
Mobile Banking Evolution
1st Generation
• View balances
• Simple contact information
• Transfers to own accounts
2nd Generation
• P2P payment
• Bill payment
• Transfers to external accounts
• PFM (personal financial management)
• View all bank products
• etc.
3rd Generation
• Transfers to international accounts
• Future PFM / prediction
• Manage all bank products
• Mobile wallet and mCommerce
• Targeted offers
• Loyalty
• etc.
Chart legend (security level per generation): Can be done with simple login / Requires improved authentication / Alternative security solutions
Source: Mapa Research Mobile Banking report on 67 banks, June 2013
2012/2013 Q1 Malware (source: F-Secure)
[Chart: new malware on Android, new malware on iOS, new malware on Windows Phone; values as extracted: 374, 1, 2]
Android is the platform of choice for hackers:
- Highest market share (79% in Q3 2013)
- Open model allowing downloads from third-party stores
- Weak control on applications published on Google Play
- Possibility to grant many rights to an application
SMS OTP is Under Numerous Threats
Timeline 2010 to 2013 (chart):
- Zitmo: Zeus in the Mobile
- Spitmo: SpyEye in the Mobile
- Citmo: Carberp in the Mobile
- Eurograbber: attack based on Zitmo, 36M€ stolen
- Perkele: based on Zitmo
Chart annotations: "Derived from a PC Trojan"; "First Malware as a Service"
Let's be Clear on the Objective
- Provide best-in-class software-based security
- Always be one step ahead of hackers: SMS malware is still pretty basic
- Never forget that we cannot claim the same level of security as a hardware-based component, so we can never say we're done
PC and Tablet (browser) Banking: allow end users to confidently use their mobile phone to secure their browser-based access
Mobile and Tablet (native app) Banking: integrate a 2FA component within the mobile banking application itself and definitely get rid of static credentials
How to Achieve Good Security without a Hardware Secure Element?
Traditional Development Way
- We roughly know what we need to take care of (the secret keys) and imagine a protection
- Develop
- Functional tests (hackers will do the security check)
How to Achieve Good Security without a Hardware Secure Element?
Secure Software Development Life Cycle
- Define a threat model: list the sensitive assets, list the possible attack vectors, play the hacker
- Design a software security architecture to close the doors to the identified possible attacks
- Validate this architecture with external reviewers
- Develop
- Audit the final solution to validate that the secure design was properly implemented and that no security holes are discovered
How to Achieve Good Security without a Hardware Secure Element? (the $1MM question)
It's also a matter of gathering the right teams and experts; you can't succeed alone:
- Development team embedding security-minded developers
- Neutral and independent mobile security experts
- Internal security lab providing world-class cryptographic analyses
Main Security Features
Secure software container with multi-layer encryption:
- PIN encryption, preventing all brute-force and after-theft attacks
- Environment data encryption
- Proprietary encryption using platform-specific tools
- Standard database encryption
Device Fingerprinting
- Collect information linked to the physical device, operating system, MNO or app publisher
- Provide an anti-cloning feature
Secure PIN Pad
- Relieve the mobile banking/token application from managing the PIN security
- Developed to provide protection against key loggers and screen loggers
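As an added illustration of two of the features above (a PIN-encrypted container that offers no offline brute-force oracle, and a device fingerprint that defeats cloning), the following Python is example code written for this page, not Gemalto's implementation. It assumes a constructed set of device attributes, PBKDF2 plus an HMAC-SHA256 keystream in place of the platform's own cipher, and a hypothetical OtpServer that is the only place a PIN guess can ever be checked:

```python
import hashlib
import hmac
import os

# Illustrative software container (example for this page, not Gemalto's code).
# The OTP seed is wrapped under a key derived from the user PIN plus a device
# fingerprint, and the container deliberately stores NO value that confirms
# whether a PIN was right.
PBKDF2_ITERATIONS = 50_000
MAX_SERVER_FAILURES = 3


def device_fingerprint(attrs):
    """Hash a canonical view of device, OS and publisher attributes.
    The attribute names used by callers are constructed for this example."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).digest()


def derive_container_key(pin, fingerprint, salt):
    """Bind the PIN to the device: the same PIN on a copied container
    yields a different key when the fingerprint differs (anti-cloning)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), fingerprint + salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for a real cipher here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_secret(secret, pin, attrs):
    """Wrap a high-entropy seed. No MAC or checksum is stored, so an attacker
    holding the file has nothing to test PIN guesses against offline."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_container_key(pin, device_fingerprint(attrs), salt)
    return {"salt": salt, "nonce": nonce,
            "ciphertext": _xor(secret, _keystream(key, nonce, len(secret)))}


def open_secret(container, pin, attrs):
    """Always returns *some* seed: a wrong PIN or a cloned device gives a
    wrong seed, which only becomes visible when the server rejects the OTP."""
    key = derive_container_key(pin, device_fingerprint(attrs), container["salt"])
    stream = _keystream(key, container["nonce"], len(container["ciphertext"]))
    return _xor(container["ciphertext"], stream)


def hotp(seed, counter, digits=6):
    """Event-based OTP by HMAC-SHA256 truncation (constructed for the example)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpServer:
    """Hypothetical back end: the only oracle for a PIN guess. It locks the
    token after a few failures, which is what makes brute force impractical."""

    def __init__(self, seed):
        self.seed, self.counter, self.failures, self.locked = seed, 0, 0, False

    def verify(self, otp):
        if self.locked:
            return False
        ok = hmac.compare_digest(otp, hotp(self.seed, self.counter))
        self.counter += 1
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_SERVER_FAILURES
        return ok


def demo():
    """Enrolment, a correct login, a wrong PIN, and a copied container."""
    phone = {"hw_id": "A1B2C3", "os": "android-4.3", "publisher": "bank-app-1.0"}  # constructed
    seed = os.urandom(32)
    server = OtpServer(seed)
    container = seal_secret(seed, "7391", phone)
    result = {"correct_pin": server.verify(hotp(open_secret(container, "7391", phone), 0)),
              "wrong_pin": server.verify(hotp(open_secret(container, "1234", phone), 1))}
    clone = dict(phone, hw_id="ZZZZZZ")  # same file, different hardware
    result["cloned_device"] = server.verify(hotp(open_secret(container, "7391", clone), 2))
    return result
```

The defence rests on the container storing no check value: every PIN guess produces an equally plausible 32-byte seed, and the first wrong OTP is counted by the server. That only holds if the wrapped secret is itself indistinguishable from random, so the seed must be random bytes rather than a structured key or a value with a known prefix.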
Main Security Features
Secure Proprietary Mobile Provisioning Protocol
- SSL cannot always be trusted (BEAST, CRIME, bad CA)
- Provides a proven and uniform protection on all platforms against Man-in-the-Middle and Denial of Service
- Provides end-to-end protection
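The exchange below is an added example of what end-to-end protection layered above TLS can look like; it is written for this page and is not Gemalto's proprietary protocol. It assumes an activation code delivered out of band (the ACTIVATION_CODES table and the user id are constructed), derives separate MAC and encryption keys from that code, binds the server's reply to the client's nonce, and shows a tampered or replayed reply being rejected regardless of what happened to the TLS session:

```python
import hashlib
import hmac
import os

# Illustrative activation-code based provisioning handshake (example for this
# page, not Gemalto's protocol). It runs over TLS but does not rely on it:
# integrity, authentication and replay protection come from keys that only the
# bank and the legitimate user's app can derive.

ACTIVATION_CODES = {"user-42": "K7P3-QX9M"}  # constructed; delivered out of band
MAX_ATTEMPTS = 3


def derive_keys(code, user_id):
    """Both sides derive separate MAC and encryption keys from the code."""
    base = hashlib.pbkdf2_hmac("sha256", code.encode(), user_id.encode(), 20_000, dklen=32)
    k_mac = hmac.new(base, b"mac", hashlib.sha256).digest()
    k_enc = hmac.new(base, b"enc", hashlib.sha256).digest()
    return k_mac, k_enc


def _mac(key, *parts):
    """HMAC over length-prefixed fields so concatenation is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def _one_block_xor(k_enc, nonce, data):
    """32-byte payload XOR SHA-256(k_enc || nonce); stands in for a real cipher."""
    pad = hashlib.sha256(k_enc + nonce).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def client_hello(user_id, code):
    """M1: prove possession of the activation code and send a fresh nonce."""
    k_mac, _ = derive_keys(code, user_id)
    nonce = os.urandom(16)
    return {"user_id": user_id, "nonce": nonce,
            "mac": _mac(k_mac, b"M1", user_id.encode(), nonce)}


class ProvisioningServer:
    def __init__(self):
        self.attempts = {}   # failed activations per user: the brute-force brake
        self.issued = {}     # seed on record for each provisioned user

    def respond(self, m1):
        """M2: verify M1, then return the seed encrypted and MAC'd over both nonces."""
        uid = m1["user_id"]
        if self.attempts.get(uid, 0) >= MAX_ATTEMPTS:
            raise PermissionError("activation locked for this user")
        k_mac, k_enc = derive_keys(ACTIVATION_CODES.get(uid, ""), uid)
        if not hmac.compare_digest(m1["mac"], _mac(k_mac, b"M1", uid.encode(), m1["nonce"])):
            self.attempts[uid] = self.attempts.get(uid, 0) + 1
            raise PermissionError("activation code does not match")
        seed, server_nonce = os.urandom(32), os.urandom(16)
        ct = _one_block_xor(k_enc, server_nonce, seed)
        self.issued[uid] = seed
        return {"server_nonce": server_nonce, "ciphertext": ct,
                "mac": _mac(k_mac, b"M2", m1["nonce"], server_nonce, ct)}


def client_finish(m1, m2, user_id, code):
    """Accept the seed only if M2 is authentic and bound to our own nonce."""
    k_mac, k_enc = derive_keys(code, user_id)
    expected = _mac(k_mac, b"M2", m1["nonce"], m2["server_nonce"], m2["ciphertext"])
    if not hmac.compare_digest(m2["mac"], expected):
        raise ValueError("M2 tampered with or replayed")
    return _one_block_xor(k_enc, m2["server_nonce"], m2["ciphertext"])


def run_exchange(tamper=False):
    """Full exchange; True if the client ends up with the server's seed, False
    if it rejected M2. With tamper=True a man-in-the-middle flips one byte."""
    user, code = "user-42", ACTIVATION_CODES["user-42"]
    server = ProvisioningServer()
    m1 = client_hello(user, code)
    m2 = server.respond(m1)
    if tamper:
        ct = bytearray(m2["ciphertext"])
        ct[0] ^= 0x01
        m2 = dict(m2, ciphertext=bytes(ct))
    try:
        return client_finish(m1, m2, user, code) == server.issued[user]
    except ValueError:
        return False


def replay_is_rejected():
    """An M2 captured from an earlier session does not verify against a new M1."""
    user, code = "user-42", ACTIVATION_CODES["user-42"]
    server = ProvisioningServer()
    old_m2 = server.respond(client_hello(user, code))
    try:
        client_finish(client_hello(user, code), old_m2, user, code)
        return False
    except ValueError:
        return True
```

Because the activation code is short enough to be guessed, the server's per-user attempt counter is part of the protocol, not an afterthought: it is what turns the MAC check in M1 into a real proof of possession rather than an oracle.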
Advanced Jailbreak and Rooting Detection
- Jailbreak and rooting are the first entry door for malware installation
- It removes all protections provided by the operating system
- We detect all types of jailbreak/rooting and also defeat cloaking tools like xCon or HideMyRoot
Is it the Same to Protect eBanking and mBanking?
Indeed, using a mobile phone in addition to a PC or tablet brings a second channel into the equation, making an attack more difficult.
This is true, but we should not forget that:
- For mobile banking the first objective is to replace the static password with a 2FA component, as secure as possible
- We learned from recent SMS OTP attacks that when hackers have infected your PC, they also find ways to infect the mobile phone you use to secure this PC
Our Headache
Reach: I want to access all mobile platforms and all users without restriction
Security: I want the most secure solution (simple, right?)
Convenience: I don't want the user experience to be impacted; mobile needs to stay a convenient channel
Control: I want to be in control of the solution
Secure Elements vs. Software
[Radar charts scoring each option on the four axes Reach, Control, Security and Convenience: S/W (software), SIM, Contactless, BT, TEE]
What Can we Conclude?
None of the Secure Elements can satisfy all our needs today.
Solution needed that:
- Supports multiple Secure Elements in the most transparent way
- Combines a good software-based security to fill the gap for non-equipped users
- Dynamically adapts the risk to the level of security of the device
It will be a progressive approach:
- Start by securing the most sensitive transactions and users (corporate and wealth)
- Then switch users equipped with a Secure Element
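As an added example (not Gemalto's product logic) of the "dynamically adapts the risk to the level of security of the device" point, the policy below takes the outcome of jailbreak/rooting detection, the device-fingerprint comparison and the presence of a Secure Element, derives an assurance level, and gates the transaction types from the Mobile Banking Evolution slide. Level names, thresholds, transaction limits and field names are constructed assumptions for this page:

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative risk policy (example for this page, not Gemalto's product logic).
# The assurance level is derived from the device posture; each transaction type
# needs a minimum level and has a ceiling. Levels, limits, field names and the
# currency unit are constructed.

LEVEL_BLOCKED, LEVEL_LOW, LEVEL_MEDIUM, LEVEL_HIGH = 0, 1, 2, 3


@dataclass
class DevicePosture:
    rooted_or_jailbroken: bool       # result of the jailbreak/rooting detection
    fingerprint_matches: bool        # enrolled device fingerprint vs. current one
    secure_element: Optional[str]    # "SIM", "TEE", "contactless", "BT" or None
    debugger_attached: bool = False


# transaction type -> (minimum assurance level, per-transaction ceiling)
POLICY = {
    "view_balance": (LEVEL_LOW, None),
    "transfer_own": (LEVEL_LOW, 1_000),
    "transfer_external": (LEVEL_MEDIUM, 5_000),
    "transfer_international": (LEVEL_HIGH, 50_000),
}


def assess(posture):
    """Map a posture to an assurance level.
    - fingerprint mismatch: the container was copied to another device -> blocked
    - rooted/jailbroken or debugger attached: OS protections are gone -> lowest level
    - any Secure Element: keys live outside the app -> highest level
    - clean device with a software-only token -> medium"""
    if not posture.fingerprint_matches:
        return LEVEL_BLOCKED
    if posture.rooted_or_jailbroken or posture.debugger_attached:
        return LEVEL_LOW
    if posture.secure_element:
        return LEVEL_HIGH
    return LEVEL_MEDIUM


def authorize(posture, tx_type, amount=0):
    """Return "allow", "step_up" or "deny" for one transaction.
    Amounts over the ceiling get a step-up (e.g. an extra signed confirmation)
    only when the device is at the highest level; otherwise they are denied."""
    level = assess(posture)
    if level == LEVEL_BLOCKED or tx_type not in POLICY:
        return "deny"
    min_level, ceiling = POLICY[tx_type]
    if level < min_level:
        return "deny"
    if ceiling is not None and amount > ceiling:
        return "step_up" if level == LEVEL_HIGH else "deny"
    return "allow"


def evaluate_session(posture, transactions):
    """Decide a whole batch at once; handy for logging what a device may do."""
    return {f"{tx}:{amount}": authorize(posture, tx, amount) for tx, amount in transactions}
```

The ordering inside assess is the security-relevant part: a fingerprint mismatch is checked before anything else because a Secure Element reported by a cloned container cannot be trusted, and root detection caps the level even when a Secure Element is present, since a compromised OS can drive the element on the attacker's behalf.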
What Can we Conclude? (continued)
Software remains a very good solution for the short/mid term:
- Best reach and convenience
- Real attacks against mobile applications do not exist yet in real life; we are still ahead of hackers
But only under the condition that:
- We maintain the best security over time with permanent threat monitoring
- We have the next step with Secure Elements planned and ready to integrate into already deployed solutions