1. 27.9.2013 - Venezia - ISACA VENICE Chapter
1
How to design more secure online payments systems: the lesson learned from the analysis of security incidents
Marco Morana
Venezia, 27 September 2013
Solutions and security for mobile and payment applications
About Me and This Talk
1. What is my role today? I lead a global team of security architects and analysts whose responsibility is to security-engineer mobile applications used by millions of private clients in several countries around the world. These applications bear the highest financial and security risks.
2. What have I learnt in my career as a security technologist? Today cyber-security risks are business risks; for risk managers, security auditors and security consultants it is imperative to be able to analyze threats and translate technical impacts into business impacts.
3. What are the goals of this talk? To provide the rationale for factoring threat and risk analysis into the risk strategy for mitigating the security risks of online banking and payments, and to emphasize the importance of adopting a process for analyzing threats, modeling attacks and identifying countermeasures that can be built into the design of online and mobile payment applications.
What I hope you can learn from my talk:
1. How the cyber-threat landscape has evolved in attack sophistication, and the evolution of the cyber threat actors
2. The lessons CISOs can learn from the post-mortems of publicly disclosed security incidents, from open source intelligence and from their own sources
3. The risk mitigation strategy that can be adopted by security managers to effectively mitigate the risk of cyber threats and reduce the technical and business impacts of payment fraud
4. The tactical risk processes and tools that can be used to analyze threats, model attacks and design countermeasures against cyber attacks on online payment systems
Evolution of Cyber-Threats and Challenges of Securing Emerging Technologies
The Evolution of Cyber Threat Actors
Timeline chart (x-axis: Time, from 1995 through 2000, 2005 and 2010 to 2012; y-axis: Threat Severity, rising with time). The eras, from earliest to latest:
1. Threats: Basic Intrusions and Viruses. Motives: Testing and Probing Systems and Data Communications. Attacks: Exploiting Absence of Security Controls, Sniffing Data Traffic, Defacing.
2. Threats: Script Kiddies, Viruses, Worms. Motives: Notoriety and Fame, Profit from Renting Botnets for Spamming. Attacks: DoS, Buffer Overflow Exploits, Spamming, Sniffing Network Traffic, Phishing Emails with Viruses.
3. Threats: Fraudsters, Malware, Trojans. Motives: Identity Theft, Online and Credit/Debit Card Fraud. Attacks: SQLi, Sniffing Wireless Traffic, Session Hijacking, Phishing, Vishing, Drive-by Download.
4. Threats: Hacktivists, Cyber Crime, Cyber Espionage, Fraudsters, Malware. Motives: Political, Stealing Company Secrets and Clients' Confidential and Credit Card Information for Fraud. Attacks: DDoS, Defacing, Account Take Over/Session Hijacking, SQLi, Spear Phishing, APT, RAT.
5. 2012 and beyond: WHAT NEXT?
Cyber-attacks still exploit weaknesses in traditional payment infrastructure
http://abcnews.go.com/GMA/video/cyber-bank-heist-charged-45-million-atm-heist-19149558
Technology evolution of online payments and banking applications/technologies
Card Payments and Online Fraud Schemes
Account takeover: hijacking an authenticated session to transfer money to a fraudulent account or make fraudulent purchases.
Card-not-present fraud: online payments and purchases with stolen credit cards and personal data.
Card application fraud: using stolen personal data to open bank accounts and apply for new credit/debit cards.
Card counterfeiting fraud: validating stolen credit/debit card data (PANs, CVVs, PINs) through online banking web sites in order to produce counterfeit cards.
Card-present fraud: a criminal approaches a merchant and pays by fraudulent means, such as a stolen or counterfeit card made with credit/debit card data and personal information stolen online.
Identity theft fraud: someone assumes your identity, through social engineering, phishing for PII with malware/keyloggers and man-in-the-browser attacks, to commit fraud or another criminal act.
Internet fraud: non-delivery of items ordered online, and credit and debit card scams.
Statistical Data of Fraud From Online and Mobile Payments
Fraud and Mobile Risks, Food for Thought
45% of service providers and 40% of card issuers use device identification for mobile fraud prevention, but 55% of merchants can't detect a transaction from a mobile device (source: Kount 2013)
Payment card fraud, phishing attacks and check fraud are the top three fraud threats financial institutions face in 2013 (source: Security Media Group, Faces of Fraud Survey, 2013)
U.K. identity fraud totalled £3.3 billion in 2012 and affected 27% of the UK adult population (source: National Fraud Authority, June 2013)
Mobile malware increased by 400% in 2012, and mobile-related data breaches are expected to grow (source: Verizon DBIR 2013)
Wire and ACH fraud is on the rise despite investment in anti-fraud technologies, IP reputation based tools, dual-customer authorization and customer education (source: Security Media Group, Faces of Fraud Survey, 2013)
60% of mobile apps don't have a privacy policy notifying consumers which of their data the apps access (source: InfoWorld, March 2012)
How to Design Threat-Resilient Online Payment Applications
Adopt a risk mitigation strategy
1. Meet technology security standards and regulations
   Payment Card Industry Data Security Standard (PCI-DSS)
   Guidelines for authentication (FFIEC-OCC)
   Recommendations for the security of online payments (ECB)
   General data protection regulation (EU)
2. Conduct a threat and risk assessment
   Analyze internet security threats against online payment systems
   Assess the impacts of online payment fraud (card-not-present fraud, phishing attacks, check fraud, mobile payment fraud, internet fraud)
3. Implement security measures
   Strong authentication for customers
   Transaction monitoring to identify abnormal customer payment patterns
   An operational process for authorizing transactions
   Customer awareness and education
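As an added example (not from the talk), one way to implement the "strong authentication for customers" measure so that it also resists a man-in-the-browser that modifies the rendered UI: an authorization code that the customer's signing token computes over the payee and amount it displays, so the bank detects a payee swapped in the browser. The token key, the IBAN values and the 8-hex-digit code format are constructed assumptions; the challenge-only code is shown beside it for contrast.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Shared secret provisioned in the customer's signing token (constructed sample key).
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

@dataclass(frozen=True)
class Transfer:
    payee_iban: str
    amount_cents: int

def canonical(t: Transfer, nonce: str) -> bytes:
    # Fixed field order and separator so token and bank MAC exactly the same bytes.
    return f"{nonce}|{t.payee_iban}|{t.amount_cents}".encode()

def token_sign(key: bytes, t: Transfer, nonce: str) -> str:
    # The token shows payee and amount on its own display and signs exactly what it shows,
    # so a browser-side UI modification cannot change what the customer approves.
    return hmac.new(key, canonical(t, nonce), hashlib.sha256).hexdigest()[:8].upper()

def bank_verify(key: bytes, submitted: Transfer, nonce: str, code: str) -> bool:
    # The bank recomputes over the transfer it actually received from the browser.
    return hmac.compare_digest(token_sign(key, submitted, nonce), code)

def legacy_otp(key: bytes, nonce: str) -> str:
    # Challenge-only one-time code: bound to the session challenge, not to the transaction.
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:8].upper()

def legacy_verify(key: bytes, nonce: str, otp: str) -> bool:
    return hmac.compare_digest(legacy_otp(key, nonce), otp)

def demo() -> dict:
    nonce = secrets.token_hex(8)
    intended = Transfer("IT00CUSTOMERSEESTHIS", 25000)  # what the customer approved (constructed)
    tampered = Transfer("IT00MULEACCOUNT00001", 25000)  # payee swapped in the browser (constructed)
    code = token_sign(TOKEN_KEY, intended, nonce)       # customer types this into the web form
    otp = legacy_otp(TOKEN_KEY, nonce)
    return {
        "bound_code_accepts_intended": bank_verify(TOKEN_KEY, intended, nonce, code),
        "bound_code_rejects_tampered": not bank_verify(TOKEN_KEY, tampered, nonce, code),
        "legacy_otp_accepts_tampered": legacy_verify(TOKEN_KEY, nonce, otp),  # payee change unnoticed
    }

if __name__ == "__main__":
    print(demo())
```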
Examples of Payment Security Standards (ECB, PCI)
http://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Threat and Risk Assessment using the Process for Attack Simulation and Threat Analysis (PASTA™)
Modeling of Account Take Over Attacks
Attack flow from the diagram, from initial delivery to cash-out:
1. Delivery: the fraudster reaches the victim through drive-by download/malicious ads, a phishing email or Facebook social engineering, uploads malware on a vulnerable site, or phishes the user to click a link with malware.
2. Infection: the attack on the victim's vulnerable browser uploads banking malware on the customer's PC, which then operates as a man-in-the-browser.
3. Harvesting: the malware steals keystrokes with a key-logger, modifies the UI rendered by the browser, deletes cookies to force a login and steal logins, redirects users to malicious sites, steals digital certificates used for authentication and harvests confidential data/credentials from the victim, then sends the stolen data to the fraudster's collection server.
4. Cash-out: using the stolen banking credentials/challenge C/Q and remote access to the compromised PC through a proxy, the fraudster logs into the victim's online bank account and performs an unauthorized money transfer to a mule; the money is then transferred from the mule to the fraudster.
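An added example (not part of the talk) of the "transaction monitoring" measure applied to this attack model: behavioural scoring of a payment session against the customer's own history. Because the fraudster operates through a proxy on the victim's compromised PC, device and IP reputation look legitimate, so the rules below deliberately do not rely on them. The profile data, session fields, weights and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Profile:
    known_payees: frozenset   # payees the customer has paid before
    past_amounts: tuple       # historical transfer amounts in cents (non-empty)
    usual_hours: frozenset    # hours of day the customer normally banks

@dataclass(frozen=True)
class Session:
    login_hour: int
    cookies_cleared_before_login: bool  # malware wiped cookies to force credential re-entry
    payee: str
    amount_cents: int
    seconds_login_to_transfer: int

def score_session(p: Profile, s: Session):
    # Returns (score, reasons). Device and IP signals are deliberately absent: with remote
    # access through a proxy on the victim's own PC they look legitimate to the bank.
    mu = mean(p.past_amounts)
    sd = pstdev(p.past_amounts) or 1.0
    checks = [
        (s.payee not in p.known_payees, 30, "new payee"),
        ((s.amount_cents - mu) / sd > 3, 30, "amount far above history"),
        (s.seconds_login_to_transfer < 120, 20, "transfer immediately after login"),
        (s.login_hour not in p.usual_hours, 10, "unusual hour"),
        (s.cookies_cleared_before_login, 10, "cookies cleared, credentials re-entered"),
    ]
    score = sum(points for hit, points, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons

def decide(score: int) -> str:
    # Thresholds are constructed for the example.
    if score >= 60:
        return "hold for manual authorization"
    if score >= 30:
        return "step-up authentication"
    return "allow"

# Constructed sample data: one customer profile and two sessions from the same known device.
HISTORY = Profile(frozenset({"IT00LANDLORD", "IT00UTILITY"}), (5000, 12000, 8000, 15000, 9500), frozenset(range(8, 23)))
NORMAL_SESSION = Session(19, False, "IT00LANDLORD", 9000, 600)
ATO_SESSION = Session(3, True, "IT00MULE01", 250000, 45)  # account-takeover pattern

if __name__ == "__main__":
    for name, sess in (("normal", NORMAL_SESSION), ("suspicious", ATO_SESSION)):
        score, why = score_session(HISTORY, sess)
        print(name, score, decide(score), why)
```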
Threat Model of Mobile Wallet Application
Lessons Learnt From Security Incidents of Online Payment Systems
Lessons Learnt
1. The threat agents have evolved in motives and capabilities, from ego-driven to value-driven and from isolated actors to organized crime
2. The attack tools used by threat agents have increased in sophistication and effectiveness
3. Security incidents today involve compromises of millions of credit card data records per incident, payment fraud and online fraud
4. New technology for mobile banking and payments increases the opportunity for attackers to exploit security holes and design flaws, and brings new security challenges for security and risk managers
5. Increased spending on security measures such as anti-fraud systems does not always translate into reduced impacts from fraud
6. A different risk mitigation strategy is required, one that focuses on threat analysis and attack modeling
7. Application threat modeling makes it possible to identify and fix design flaws in online and mobile applications before they are exploited by threat agents and become liabilities for the merchants, the card processors and the banks
Questions
Thanks for your Attention
Email me: Marco (dot) M (dot) Morana (at) Citi (dot) com
Follow me on Twitter: @threatmodeling
Preorder the book "Application Threat Modeling Book, Wiley-Blackwell" on Amazon:
http://www.amazon.co.uk/Application-Threat-Modeling-Marco-Morana/dp/0470500964