
COMP 3410 – I.T. in Electronic Commerce

eSecurity
Mobile Security

Roger Clarke
Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/EC/ ... ETSecy4 {.html, .ppt}
ANU RSCS, 18 October 2011
Copyright 2008-11

Mobile Security – Agenda
1. Mobile Technology
   • Devices
   • Wireless Comms
2. Mobile Technology Users
3. Mobile Payments
4. Risk Assessment for Mobile Payments
5. Risk Assessment for Contactless Chips




1. Mobile Devices

'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'
• Mobiles / Smartphones
• Handheld Computing Devices
  PDAs, games machines, music-players, 'converged' / multi-function devices,
  Tablets, esp. iPad but now many followers
• Processing Capabilities in Other 'Form Factors'
  Credit-cards, RFID tags, subcutaneous chips
• Wearable Computing Devices
  Watches, finger-rings, key-rings, glasses, necklaces, bracelets, anklets, body-piercings
• ? Nomadic / Untethered PCs

Wireless Comms and Mobile Security in 2011
• Wide Area Networks – Satellite
  • Geosynchronous (round-trip latency of roughly half a second)
  • Low-Orbit (Iridium)
• Wide Area Networks – 'WiMax' / IEEE 802.16; iBurst
• Wide Area Networks – Cellular (0.5 to 20km per cell)
  1G – Analogue Cellular, e.g. AMPS, TACS
  2G – Digital Cellular, e.g. GSM, CDMA
  2.5G/3G – GPRS/EDGE (2.5G); CDMA2000, UMTS/HSPA (3G)
  4G – LTE, with preliminary versions imminent
• Local Area Networks – 'WiFi' / IEEE 802.11 (10-100m radius)
• Personal Area Networks – Bluetooth (1-10 m radius)
• Contactless Cards / RFID Tags / NFC (1-10cm radius)
2. Mobile Technology Users – Dimensions of Differentiation
• Education, Income, Wealth
• Infrastructure Availability
• Technical Capability
• Opportunity-Awareness
• Leadership / Followership
• Risk-Awareness, Risk-Aversion
• Age / 'Generation'

The 'Generations' of Computing Consumers

Generation              Indicative Birth-Years   Indicative Age in 2011
Silent / Seniors        1910-45                  66-100
Baby Boomers – Early    1945-55                  56-66
Baby Boomers – Late     1955-65                  46-56
Generation X            1965-80                  31-46
Generation Y            1980-95                  16-31
The iGeneration         1995-                    0-16
Generational Differences

Baby Boomers (45-65)
  Handshake/phone, PCs came late, had to adapt to mobile phones
  Work is Life, the team discusses / the boss decides, process-oriented
GenXs (30-45)
  Grew up with PCs, email and mobile phones, hence multi-taskers
  Work to Have More Life, expect payback from work, product-oriented
GenYs (15-30)
  Grew up with IM/chat, texting and video-games, strong multi-taskers
  Life-Work Balance, expect fulfilment from work, highly interactive
iGens (to 15)
  Growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking
  ?Life before Work, even more hedonistic, highly (e-)interactive

3. Mobile Payments
• Commerce
  Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC)
• eCommerce
  Purchases of physical goods and services at virtual points of sale (Internet, Cellular phone)
• MCommerce
  Purchases of digital goods and services, such as image, audio and video, and location-specific data
• Consumer-to-Consumer (C2C)
  Transfers of value between individuals

4. Risk Assessment for Mobile Payments
(0) The Mainstream Security Model
(1) The Technical Architecture
(2) The Commercial Architecture
(3) The Transaction Process Aspect
(4) The Harm Aspect
(5) The Vulnerability Aspect
(6) The Threat Aspects
(7) The Safeguards Aspect




(0) The Mainstream Security Model

Abstract Threats become Actual Threatening Events, impinge on Vulnerabilities, overcome Safeguards & cause Harm.

Security is a (desirable) condition in which Harm does not arise because Threats are countered by Safeguards.

[Diagram – Security Model: Threats, Vulnerabilities, Safeguards and Harm, layered over the Commercial Architecture, the Technical Architecture, the Transaction Process and the Physical Infrastructure]

(1) The Technical Architecture – Indicative Model

[Diagram: User – Access Device / Transaction Device (TD) – Personal Area Network & Router / Proxy, within the Physical Context – Access Networks (Unwired) – Internet Access Provider (IAP) or TD IAP – Network Intermediary Nodes (Routers / Gateways / Proxies) – Core Networks (Wired, Unwired), i.e. the Internet – Network Intermediary Nodes (Routers / Proxies) – Payment Intermediaries – Payment Services]
(2) Commercial Architecture

Internet Open Trading Protocol (IOTP, RFC 2801) roles:
• Customer/Payer
• Seller/Payee
• Payment Handler
• Delivery Handler
• Customer Support

BUT ALSO ...
• Internet Access Providers (IAPs)
• Carriage Service Providers (CSPs)
• Commercial Intermediaries, e.g. Paypal
• Transaction Service Providers, e.g. banks and credit-card companies
• Payment Services Providers, e.g. deposit-holders, lenders and insurers
• Regulators and complaints bodies, e.g. financial services ombudsmen
• Consumer Rights representative and advocacy organisations
• Consumer Segments, e.g. the mobility-disadvantaged, the sight-impaired, people with limited financial assets




(3) The Transaction Process Aspect

[Diagram: the transaction process, from Herzberg (2003), p. 56]

(4) The Harm Aspect
• Injury to Persons
• Damage to Property
• Loss of Value of an Asset
• Breach of Personal Data Security, or Privacy more generally
• Financial Loss
• Inconvenience and Consequential Costs arising from Identity Fraud
• Serious Inconvenience and Consequential Costs arising from Identity Theft
• Loss of Reputation and Confidence




(5) The Vulnerability Aspect
• The Environment
  • Physical Surroundings
  • Organisational Context
  • Social Engineering
• The Device
  • Hardware, Systems Software
  • Applications
  • Server-Driven Apps (ActiveX, Java, AJAX)
  • The Device's Functions: Known, Unknown, Hidden
  • Software Installation
  • Software Activation
• Communications
  • Transaction Partners
  • Data Transmission
• Intrusions
  • Malware Vectors
  • Malware Payloads
  • Hacking, incl. Backdoors, Botnets

(6) Threat Aspects – Second-Party
• Situations of Threat:
  • Banks
  • Telcos / Mobile Phone Providers
  • Toll-Road eTag Providers
  • Intermediaries
  • Devices
• Safeguards:
  • Terms of Contract
  • Risk Allocation
  • Enforceability
  • Consumer Rights
(6) Threat Aspects – Third-Party, Within-System
(Who else can get at you, where, and how?)
• Points-of-Payment, Physical:
  • Observation
  • Coercion
• Points-of-Payment, Electronic:
  • Rogue Devices
  • Rogue Transactions
  • Keystroke Loggers
  • Private Key Reapers
• Network, Electronic:
  • Interception
  • Decryption
  • Man-in-the-Middle Attacks
• Points-of-Processing:
  • Rogue Employee
  • Rogue Company
  • Error

(6) Threat Aspects – Third-Party, Within-Device
• Physical Intrusion
• Social Engineering
  • Confidence Tricks
  • Phishing
• Masquerade
• Abuse of Privilege
  • Hardware
  • Software
  • Data
• Electronic Intrusion
  • Interception
  • Cracking / 'Hacking': Bugs, Trojans, Backdoors, Masquerade
  • Distributed Denial of Service (DDoS)
  • Infiltration by Software with a Payload




(6) Threat Aspects – Third-Party, Within-Device: Infiltration by Software with a Payload
• Software (the 'Vector')
  • Pre-Installed
  • User-Installed
  • Virus
  • Worm
  • ...
• Payload
  • Trojan: Spyware; Performative; Communicative; Bot / Zombie
  • Spyware: Software Monitor; Adware; Keystroke Logger; ...

Key Threat / Vulnerability Combinations
• Unauthorised Conduct of Transactions
• Interference with Legitimate Transactions
• Acquisition of Identity Authenticators
  e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
  e.g. Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (id authenticator)
  e.g. Biometrics capture and comparison
• Use of a Consumer Device as a Tool in a fraud perpetrated on another party




5. Risk Assessment of Contactless Chips

Contactless Chip-Cards as Payment Devices
• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa PayWave and MasterCard PayPass
• Up to $100 and $35 resp. (cf. original $25)
• Presence of chip in card is not human-visible, but Logo / Brand may be visible
• No choice whether it's activated
• Operation of chip in card is not human-apparent
• No action required when within 5cm range, i.e. automatic payment
• No receipt is the norm
• Used as Cr-Card: Unauthenticated auto-lending
• Used as Dr-Card: PIN-less charge to bank account
Key Safeguards for Chip Payment Schemes
• Authentication – None / A Non-Secret / For Higher-Value Transactions Only / Always
  e.g. UK RingGo Parking Payment Scheme – last 4 digits
• Act of Consent – None / Unclear / Clear
  e.g. Tap the Pad in Response to Display of Fare
• Notification – None / Audio / Display
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None / Option or Online / Yes
  e.g. Octopus, Drive-Through eTags for Road-Tolls, UK RingGo Parking Payment Scheme

Visa PayWave and MasterCard PayPass
• Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
• Act of Consent – None / Unclear / Clear: the card is charged if it is within 5cm of a device, whether seen or not
• Notification – None? / Audio? / Display?
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None? / Option? / Yes?




The (In)Security Profile of Contactless Chip-Card Payment Transactions

  •  Non-Authentication, or mere possession:
       •  presentation of the card within a device's field, when
          that device is ready to charge money for something
  •  Vulnerable to card-capture, rogue devices,
     rogue transactions by legitimate devices, ...
  •  Relies on:
       •  general levels of honesty among merchants and FIs
       •  (consumer reconciliation is infeasible – no vouchers,
          and either very long statements or no statements)
       •  invisibility of fraudulent transactions
       •  self-insurance by consumers

Key Safeguards Required

  •  Choice of Activation or Not
  •  Two-Sided Device Authentication, i.e.
       •  by Payee's Chip of Payer's Chip
       •  by Payer's Chip of Payee's Chip
  •  Notification to Payer of:
       •  Fact of Payment (e.g. Audio-Ack)
       •  Amount of Payment
  •  At least one Authenticator
  •  Protection of the Authenticator(s)
  •  A Voucher (Physical and/or Electronic)
  •  Regular Account Reconciliation by Payers
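As an added illustration (not from the slides) of why the last two safeguards above, a voucher and regular reconciliation, belong together: the Python below matches a payer's retained vouchers against a bank statement and reports the lines nothing explains. The records are constructed, and the three-day settlement slack is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not from the slides. All records below are constructed.

@dataclass(frozen=True)
class Voucher:          # what the payer retained: a receipt or notification
    day: date
    payee: str
    amount: float

@dataclass(frozen=True)
class StatementLine:    # what the financial institution later reports
    day: date
    payee: str
    amount: float

def reconcile(vouchers, statement, days_slack: int = 3):
    """Match each statement line to one unused voucher; return the unmatched lines.

    Amounts must agree to the cent; the posting date may lag the voucher by up to
    days_slack days (an assumed settlement delay)."""
    unused = list(vouchers)
    unexplained = []
    for line in statement:
        match = next((v for v in unused
                      if v.payee == line.payee
                      and abs(v.amount - line.amount) < 0.005
                      and 0 <= (line.day - v.day).days <= days_slack), None)
        if match is None:
            unexplained.append(line)
        else:
            unused.remove(match)   # one voucher explains at most one line
    return unexplained

VOUCHERS = [
    Voucher(date(2011, 10, 3), "Cafe A", 4.50),
    Voucher(date(2011, 10, 5), "Parking B", 12.00),
]
STATEMENT = [
    StatementLine(date(2011, 10, 4), "Cafe A", 4.50),
    StatementLine(date(2011, 10, 5), "Parking B", 12.00),
    StatementLine(date(2011, 10, 6), "Kiosk C", 9.95),   # never noticed by the payer
]

def unexplained_count(vouchers, statement) -> int:
    return len(reconcile(vouchers, statement))

if __name__ == "__main__":
    for line in reconcile(VOUCHERS, STATEMENT):
        print("unexplained:", line)
    print("with no vouchers, every line is unexplained:", unexplained_count([], STATEMENT))
```

With an empty voucher list every statement line comes back unexplained, which is the slide's point that reconciliation is infeasible when a scheme issues no vouchers.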
The Status of Consumer Protection

  •  Electronic Funds Transfer Code of Conduct
     ASIC – current version of 1 November 2008
  •  Soft regulation of such things as receipts, risk
     apportionment, complaints, privacy, ...
  •  The banks have sought to weaken the protections
     (and in NZ actually succeeded, until beaten back by
     the tide of public opinion)
  •  It's not easy to read, but it appears that the Code's
     provisions may apply to contactless-card transactions
     http://www.asic.gov.au/fido/fido.nsf/byheadline/The+EFT+Code?openDocument

Payments in the Network Era

Initially Wired, Increasingly Unwired

  'Secure' Models
     •  ATMs
     •  EFTPOS – Dr Tx
     •  Internet Banking
     •  Debit Tx over the Internet

  Insecure Models
     •  EFTPOS – Cr Tx
     •  Credit Card Tx over the Internet (CNP / MOTO)

  Highly Insecure Models
     •  Contactless-Chip / RFID / NFC
Mobile Security
Agenda

  1.  The Motivation
  2.  Mobile Technology
  3.  Mobile Technology Users
  4.  Mobile Payments
  5.  Risk Assessment for Mobile Payments
  6.  Risk Assessment for Contactless Chips

COMP 3410 – I.T. in Electronic Commerce
eSecurity
Mobile Security

Roger Clarke
Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/EC/ ...
ETSecy4 {.html, .ppt}
ANU RSCS, 18 October 2011