Mobile Commerce: A Security Perspective 
Pragati Ogal Rai 
Chief Technology Evangelist, PayPal Inc. 
@pragatiogal
My Ego Slide! 
• Author of “Android Application Security Essentials” 
• 2014 Zinnov Thought Leadership Award 
• Mobile Developer Relations, PayPal North America 
• 15+ Years Industry Experience 
• Mobile, Android, Security, Payments and Commerce 
Pragati.Rai@paypal.com 
@pragatiogal 
www.slideshare.net/pragatiogal 
www.linkedin.com/in/pragati 
Mobile commerce is worth US$230 billion 
M-Commerce will reach US$700 billion in 2017 
Asia represents almost half of the market 
http://www.digi-capital.com
Agenda 
• M-commerce defined
• M-commerce ecosystem
• End-to-end security
• How does it affect me?
M-Commerce defined!
Commerce 
www.123rf.com 
www.jaipuronline.in
Traditional e-commerce 
telegraph.co.uk
Today’s Technology Trends
• Global
• Social
• Mobile
• Local
• Digital
• Service & delivery
Mobile Commerce
• Promotions & coupons
• Payments
• Location-based services
• In-store research
• Self-scanning & self-checkout
• Social commerce
• Loyalty
• Mobile shopping lists
M-Commerce Ecosystem
M-commerce Ecosystem
• Clients
• Merchants
• Infrastructure
Disconnected: Off-line m-commerce 
• Disconnected 
• Privacy 
• Integrity of State
Partial Connectivity
• Infrastructure Centric Model
• Merchant Centric Model
• Client Centric Model
Partial Connectivity: Security Analysis
• End-to-end security
• Privacy
• Client-merchant identification
• Communication authentication
• More points of attack
Full Connectivity 
• End to end security
Challenges of m-commerce?
• New market players and dynamics
• Limitations of client devices
• Portability
• Pervasive computing
• Location-aware devices
• Merchant machines
• Standardization & approvals
• Too many expectations
Biggest challenge? End-to-end security
End-to-end Security
Mobile Security Stack
Layers (top to bottom): Application, Operating System, Device Hardware, Infrastructure/Network
• Each layer takes care of its own security
• Each layer depends upon the lower layer for security
• Transitions between the layers can cause attacks
Infrastructure/Network Layer
• Third-party networks
• GSM, CDMA, SMS, WAP, GPS…
• A security breach at this layer is usually device-agnostic
Breaking GSM 
https://srlabs.de/decrypting_gsm/ 
• GnuRadio is included in recent Linux distributions 
• Airprobe: git clone git://git.gnumonks.org/airprobe.git 
• Kraken: git clone git://git.srlabs.de/kraken.git 
• Kraken uses rainbow tables available through Bittorrent
Device Hardware Layer 
 Consumer Electronics Devices 
 Some CEDs are Connected 
 Computing capability + runs software 
 Smartphones, tablets, mobile PoS 
device, parking meter, vending machine 
 Flaw in chip design affects all hardware 
based on that chip 
Mobile Security Stack 
Application 
Operating System 
Device Hardware 
Infrastructure/ 
Network
Device Hardware 
http://gadgetian.com/44495/google-lg-nexus-4-4g-lte-chip-inside-ifixit/
Device Security: Example
Brought to light by user "alephzain" on mobile developer forum XDA Developers, the user claims that the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2 which use the dual core, fourth-generation Exynos chips.
"The good news is we can easily obtain root on these devices and the bad is there is no control over it. Ram dump, kernel code injection and others could be possible via app installation from Play Store. It certainly exists many ways to do that but Samsung give an easy way to exploit. This security hole is dangerous and expose phone to malicious apps. Exploitation with native C and JNI could be easily feasible."
http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
Operating System Layer
• Android, iOS, Symbian, Windows, J2ME
• Flaws are most common at this layer and are easily exploited
• An OS flaw compromises the security of applications
• A flaw affects the entire revision of the software
• Patches and security fixes are common
Android Software Stack
• Permission-based application model
• Linux kernel based process sandboxing
OS Security: Example
Android 2.3.3 and below…
When you log in to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can log in to the account associated with the authToken without question.
http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/
• Don’t use public Wi-Fi!
• Patched in 2.3.4 and Honeycomb
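The authToken problem above is a bearer credential sent in the clear. As an added example (not from the slides or the cited article), this Python snippet shows the two checks a defender wants: a client guard that refuses to attach the token to a non-TLS request, and a scan over captured traffic that flags any token readable on a cleartext port. The header name AuthToken, the host api.example.com and the token values are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed header shape for this example; the real token format is not on the slides.
AUTH_HEADER = re.compile(r"^Authorization:\s*AuthToken\s+(\S+)", re.I | re.M)

def tls_required(url: str) -> bool:
    """True only for https:// URLs; the token must never ride on plain http://."""
    return urlsplit(url).scheme.lower() == "https"

def build_request(url: str, token: str) -> str:
    """Return a raw HTTP/1.1 GET carrying the token, refusing if the URL is not https."""
    parts = urlsplit(url)
    if not tls_required(url):
        raise ValueError(f"refusing to send authToken over {parts.scheme!r}; TLS required")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            f"Authorization: AuthToken {token}\r\n\r\n")

def exposed_tokens(captures: list) -> list:
    """captures: (destination port, payload as text) as a passive sniffer would see them.
    Port 443 payloads are TLS ciphertext and are skipped; every token readable on a
    cleartext port is returned as (port, token)."""
    found = []
    for port, raw in captures:
        if port == 443:
            continue  # encrypted in transit: nothing for an observer to read
        found.extend((port, m.group(1)) for m in AUTH_HEADER.finditer(raw))
    return found

# Constructed capture: one request leaked over port 80, one sent properly over TLS.
SAMPLE_CAPTURE = [
    (80, "GET /account/sync HTTP/1.1\r\nHost: api.example.com\r\n"
         "Authorization: AuthToken tok-CONSTRUCTED-0001\r\n\r\n"),
    (443, "<TLS application data, opaque to the observer>"),
]

if __name__ == "__main__":
    for port, tok in exposed_tokens(SAMPLE_CAPTURE):
        print(f"authToken exposed in cleartext on port {port}: {tok}")
    print(build_request("https://api.example.com/account/sync", "tok-CONSTRUCTED-0001"))
```

The scan is the same check a network-side monitor would run on the plaintext side of a proxy; the guard is what the client library should have enforced so that a 14-day token never crosses an open Wi-Fi network in the clear.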
Application Layer
• Your applications, system applications, applications you install
• Coding flaws, exploiting a hole in the OS
• Buffer overflows, data leakage, custom crypto algorithms, hardcoded values
Malicious App Examples
Android
• Repackaged apps on Play posing as Temple Run and Glu Mobile
• Lovetrap: Trojan, sends SMS
• Nickispy: Trojan, steals info
• Geinimi: botnet, follows orders from a remote server, sends sensitive info back
iPhone
• Trojan sends out contact list to server
• Handy Light: secret tethering utility
TrustZone: Trusted Execution Environment
• Two domains: Normal & Secure
• Implemented as SoC
• Security extensions to the processor
• Trusted OS
• Virtualization
www.arm.com
How does it affect me?
Mobile Security Stack
• Application
• Operating System
• Hardware
• Infrastructure/Network
Do NOT trust the mobile ecosystem! Only the application layer is in your control!
Get to know the PCI standard. Period.
PCI Standards Council
• Independent organization
• PCI PTS approved add-on devices
• PA-DSS approved applications
• Working with mobile vendors for further solutions around mobile payments
• Develops a common set of payment standards
  – PCI-DSS v2.0
  – PA-DSS
  – PCI-PTS
  – PCI-P2PE
PCI-DSS v2.0
• Build and maintain a secure network
• Protect cardholder data
• Regularly test and monitor networks
• Maintain an InfoSec policy
• Maintain a vulnerability management program
• Implement strong access control measures
Encrypt sensitive data at rest and in transit
microsoft.com
Avoid storing sensitive data on device
Use OS security features 
Lifehacker.com
Authenticate your users 
Statetechmagazine.com
Authorize access to user data
www.123rf.com
Use your crypto tools 
www.catalogs.com
Identity is a challenge 
www.interactiveinsightsgroup.com
Look beyond the hype 
www.mashable.com
Summary
• M-commerce is a complex space
• Understand what mobile means for your business
• Identify assets/threats
• Analyze the technology being used
• Be aware of emerging standards
• Use OS security features, crypto tools, identity and authorization
Pragati Ogal Rai 
@pragatiogal 
http://www.slideshare.net/pragatiogal 
Thank You!
Editor’s Notes
Disconnected (off-line m-commerce): double spending, credentials checking, updates, privacy, integrity of state