
Copyright 2008-12

COMP 3410 – I.T. in Electronic Commerce
eSecurity: Mobile Security

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/EC/ ...ETSecy4 {.html, .ppt}

ANU RSCS, 16 October 2012


Mobile Security

Agenda

1. Mobile Technology
   • Devices
   • Wireless Comms
2. Mobile Technology Users
3. Mobile Payments
4. Risk Assessment for Mobile Payments
5. Risk Assessment for Contactless Chips


1. Mobile Devices

'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'

• Mobiles / Smartphones
• Handheld Computing Devices: PDAs, games machines, music-players, 'converged' / multi-function devices, Tablets esp. iPad but now many followers
• Processing Capabilities in Other 'Form Factors': Credit-cards, RFID tags, subcutaneous chips
• Wearable Computing Devices: Watches, finger-rings, key-rings, glasses, necklaces, bracelets, anklets, body-piercings
• ? Nomadic / Untethered PCs


Wireless Comms and Mobile Security in 2011

• Wide Area Networks – Satellite
  • Geosynchronous (2 second latency)
  • Low-Orbit (Iridium)
• Wide Area Networks – ‘WiMax’ / IEEE 802.16; iBurst
• Wide Area Networks – Cellular (0.5 to 20km per cell)
  1G – Analogue Cellular, e.g. AMPS, TACS
  2G – Digital Cellular, e.g. GSM, CDMA
  3G – GSM/GPRS/EDGE, CDMA2000, UMTS/HSPA
  4G – LTE, with preliminary versions imminent
• Local Area Networks – ‘WiFi’ / 802.11x (10-100m radius)
• Personal Area Networks – Bluetooth (1-10 m radius)
• Contactless Cards / RFID Tags / NFC (1-10cm radius)



2. Mobile Technology Users
Dimensions of Differentiation

• Education, Income, Wealth
• Infrastructure Availability
• Technical Capability
• Opportunity-Awareness
• Leadership / Followership
• Risk-Awareness, Risk-Aversion
• Age / 'Generation'


The 'Generations' of Computing Consumers

Generation               Indicative Birth-Years   Indicative Age in 2011
Silent / Seniors         1910-45                  66-100
Baby Boomers – Early     1945-55                  56-66
Baby Boomers – Late      1955-65                  46-56
Generation X             1965-80                  31-46
Generation Y             1980-95                  16-31
The iGeneration          1995-                    0-16


Generational Differences

Baby Boomers (45-65): Handshake/phone, PCs came late, had to adapt to mobile phones. Work is Life, the team discusses / the boss decides, process-oriented.

GenXs (30-45): Grew up with PCs, email and mobile phones, hence multi-taskers. Work to Have More Life, expect payback from work, product-oriented.

GenYs (15-30): Grew up with IM/chat, texting and video-games, strong multi-taskers. Life-Work Balance, expect fulfilment from work, highly interactive.

iGens (to 15): Growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking? Life before Work, even more hedonistic, highly (e-)interactive.



3. Mobile Payments

• Commerce: Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC)
• eCommerce: Purchases of physical goods and services at virtual points of sale (Internet, Cellular phone)
• MCommerce: Purchases of digital goods and services, such as image, audio and video, and location-specific data
• Consumer-to-Consumer (C2C): Transfers of value between individuals


4. Risk Assessment for Mobile Payments

(0) The Mainstream Security Model
(1) The Technical Architecture
(2) The Commercial Architecture
(3) The Transaction Process Aspect
(4) The Harm Aspect
(5) The Vulnerability Aspect
(6) The Threat Aspects
(7) The Safeguards Aspect


(0) The Mainstream Security Model

Abstract Threats become Actual Threatening Events, impinge on Vulnerabilities, overcome Safeguards and cause Harm.

Security is a (desirable) condition in which Harm does not arise because Threats are countered by Safeguards.

[Diagram: the Security Model (Threats, Safeguards, Vulnerabilities, Harm) sits within the Transaction Process, which sits within the Commercial Architecture, which sits within the Technical Architecture of Physical Infrastructure]


(1) The Technical Architecture
Indicative Model

[Diagram; its labels are: User; Access Device; Personal Area Network & Router / Proxy; Internet Access Provider (IAP) or Transaction Device (TD); Access Networks (Unwired); Network Intermediary Nodes (Routers / Proxies); Gateways; Core Networks (Wired, Unwired); Network Intermediary Nodes (Routers / Proxies); The Internet; Payment Intermediaries; Payment Services; Physical Context; IAP; TD]



(2) Commercial Architecture

Internet Online Trading Protocol (IOTP):
• Customer/Payer
• Seller/Payee
• Payment Handler
• Delivery Handler
• Customer Support

BUT ALSO ...
• Internet Access Providers (IAPs)
• Carriage Service Providers (CSPs)
• Commercial Intermediaries, e.g. Paypal
• Transaction Service Providers, e.g. banks and credit-card companies
• Payment Services Providers, e.g. deposit-holders, lenders and insurers
• Regulators and complaints bodies, e.g. financial services ombudsmen
• Consumer Rights representative and advocacy organisations
• Consumer Segments, e.g. the mobility-disadvantaged, the sight-impaired, people with limited financial assets


(3) The Transaction Process Aspect

[Diagram of the transaction process, from Herzberg (2003), p. 56]



(4) The Harm Aspect

• Injury to Persons
• Damage to Property
• Loss of Value of an Asset
• Breach of Personal Data Security, or Privacy more generally
• Financial Loss
• Inconvenience and Consequential Costs arising from Identity Fraud
• Serious Inconvenience and Consequential Costs arising from Identity Theft
• Loss of Reputation and Confidence


(5) The Vulnerability Aspect

• The Environment
  • Physical Surroundings
  • Organisational Context
  • Social Engineering
• The Device
  • Hardware, Systems Software
  • Applications
  • Server-Driven Apps (ActiveX, Java, AJAX, HTML5)
  • The Device's Functions: Known, Unknown, Hidden
  • Software Installation
  • Software Activation
• Communications
  • Transaction Partners
  • Data Transmission
• Intrusions
  • Malware Vectors
  • Malware Payloads
  • Hacking, incl. Backdoors, Botnets


(5) Threat Aspects – Second-Party

• Situations of Threat:
  • Banks
  • Telcos / Mobile Phone Providers
  • Toll-Road eTag Providers
  • Intermediaries
  • Devices
• Safeguards:
  • Terms of Contract
  • Risk Allocation
  • Enforceability
  • Consumer Rights


(6) Threat Aspects – Third-Party, Within-System

(Who else can get at you, where, and how?)

• Points-of-Payment Physical:
  • Observation
  • Coercion
• Points-of-Payment Electronic:
  • Rogue Devices
  • Rogue Transactions
  • Keystroke Loggers
  • Private Key Reapers
• Network Electronic:
  • Interception
  • Decryption
  • Man-in-the-Middle Attacks
• Points-of-Processing:
  • Rogue Employee
  • Rogue Company
  • Error


(6) Threat Aspects – Third-Party, Within-Device

• Physical Intrusion
• Social Engineering
• Confidence Tricks
• Phishing
• Masquerade
• Abuse of Privilege
• Hardware
• Software
• Data
• Electronic Intrusion
• Interception
• Cracking / ‘Hacking’
• Bugs
• Trojans
• Backdoors
• Masquerade
• Distributed Denial of Service (DDOS)
• Infiltration by Software with a Payload


(6) Threat Aspects – Third-Party, Within-Device
Infiltration by Software with a Payload

Software (the ‘Vector’):
• Pre-Installed
• User-Installed
• Virus
• Worm
• ...

Payload:
• Trojan:
  • Spyware
  • Performative
  • Communicative
  • Bot / Zombie
• Spyware:
  • Software Monitor
  • Adware
  • Keystroke Logger
  • ...



Key Threat / Vulnerability Combinations

• Unauthorised Conduct of Transactions
• Interference with Legitimate Transactions
• Acquisition of Identity Authenticators
  e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
  e.g. Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (id authenticator)
  e.g. Biometrics capture and comparison
• Use of a Consumer Device as a Tool in a fraud perpetrated on another party


5. Risk Assessment of Contactless Chips

[Two pictures of contactless payment cards, not recoverable from the transcript]

Contactless Chip-Cards as Payment Devices

• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 and $35 resp. (cf. original $25)
• Presence of chip in card is not human-visible, but Logo / Brand may be visible
• No choice whether it's activated
• Operation of chip in card is not human-apparent
• No action required when within 5cm range, i.e. automatic payment
• No receipt is the norm
• Used as Cr-Card: Unauthenticated auto-lending
• Used as Dr-Card: PIN-less charge to bank account


Key Safeguards for Chip Payment Schemes

• Authentication – None / A Non-Secret // For Higher-Value Transactions Only / Always
  UK RingGo Parking Payment Scheme – last 4 digits
• Act of Consent – None / Unclear / Clear
  e.g. Tap the Pad in Response to Display of Fare
• Notification – None / Audio / Display
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None / Option or Online / Y
  Octopus, Drive-Through eTags for Road-Tolls, UK RingGo Parking Payment Scheme


Visa PayWave and MCard Paypass

• Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
• Act of Consent – None? / Unclear? / Clear?
  If the card is within 5cm of a device, whether seen or not
• Notification – None? / Audio? / Display?
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None? / Option? / Y?


The (In)Security Profile of Contactless Chip-Card Payment Transactions

• Non-Authentication, or mere possession:
  • presentation of the card within a device's field, when that device is ready to charge money for something
• Vulnerable to card-capture, rogue devices, rogue transactions by legitimate devices, ...
• Relies on:
  • general levels of honesty among merchants and FIs
  • (consumer reconciliation is infeasible – no vouchers, and either very long statements or no statements)
  • (fraudulent transactions are obscured)
  • self-insurance by consumers
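The reconciliation problem the slide points to, shown as an added illustration (not part of the original slides): a payer matching a statement against the vouchers actually held. The statement and vouchers are constructed sample data, and Entry, reconcile and unverifiable_exposure are names chosen here.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entry:
    day: str      # ISO date
    payee: str
    cents: int    # charge to the payer, in cents

# Constructed statement: two contactless tollway taps for which no voucher
# was issued, one of them a duplicate (terminal error? rogue transaction?).
STATEMENT = [
    Entry("2012-10-01", "SUPERMARKET A", 4350),
    Entry("2012-10-02", "TOLLWAY B", 520),
    Entry("2012-10-02", "TOLLWAY B", 520),
    Entry("2012-10-03", "CAFE C", 990),
    Entry("2012-10-04", "CAFE C", 1490),
]
# Constructed vouchers the payer actually holds.
VOUCHERS = [
    Entry("2012-10-01", "SUPERMARKET A", 4350),
    Entry("2012-10-03", "CAFE C", 990),
]

def days_apart(a: str, b: str) -> int:
    return abs((date.fromisoformat(a) - date.fromisoformat(b)).days)

def reconcile(statement, vouchers, window_days=3):
    """Match each statement entry to one unused voucher with the same payee
    and amount, posted within window_days. Returns (matched, unvouched).
    Unvouched entries are the ones the payer cannot verify: legitimate or
    fraudulent, they look the same without a voucher."""
    unused, matched, unvouched = list(vouchers), [], []
    for e in statement:
        hit = next((v for v in unused if v.payee == e.payee and v.cents == e.cents
                    and days_apart(v.day, e.day) <= window_days), None)
        if hit is None:
            unvouched.append(e)
        else:
            unused.remove(hit)          # a voucher can justify only one charge
            matched.append((e, hit))
    return matched, unvouched

def unverifiable_exposure(statement, vouchers) -> int:
    """Cents charged to the payer with no evidence to confirm or dispute."""
    return sum(e.cents for e in reconcile(statement, vouchers)[1])
```

With a voucher for the genuine toll, the duplicate tap stands out as the one unexplained charge to that payee; without vouchers, all the taps are equally unverifiable.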


Key Safeguards Required

• Choice of Activation or Not
• Two-Sided Device Authentication, i.e.
  • by Payee’s Chip of Payer’s Chip
  • by Payer’s Chip of Payee’s Chip
• Notification to Payer of:
  • Fact of Payment (e.g. Audio-Ack)
  • Amount of Payment
• At least one Authenticator
• Protection of the Authenticator(s)
• A Voucher (Physical and/or Electronic)
• Regular Account Reconciliation by Payers
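The two-sided device authentication and payer notification on this list, sketched as an added example (not the slides' content and not any real scheme's protocol). It assumes a symmetric key per card and per terminal registered with the scheme, a card with a display, and that the payee side can use the card key for its check (in practice the issuer would hold it); every key and identifier below is constructed.

```python
import hashlib, hmac, os
def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Terminal:                           # the payee's chip / reader
    def __init__(self, tid: bytes, key: bytes):
        self.tid, self.key, self.nonce = tid, key, None
    def offer(self, amount_cents: int, card_nonce: bytes):
        """Commit to the amount under the terminal key, bound to both nonces."""
        self.nonce, amt = os.urandom(16), amount_cents.to_bytes(4, "big")
        return self.tid, amt, self.nonce, tag(self.key, b"offer", self.tid, amt, card_nonce, self.nonce)
    def settle(self, card_id, card_key, amt, card_nonce, proof) -> bool:
        """Payee side authenticates the payer's chip (assumed to have the card key;
        in a real scheme the issuer would perform this check)."""
        return hmac.compare_digest(proof, tag(card_key, b"pay", card_id, amt, card_nonce, self.nonce))

class Card:                               # the payer's chip; 'shown' is its display
    def __init__(self, cid: bytes, key: bytes, terminal_keys: dict):
        self.cid, self.key, self.terminal_keys = cid, key, terminal_keys
        self.nonce, self.shown = None, []
    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce
    def respond(self, tid, amt, term_nonce, term_tag):
        """Authenticate the payee's chip, then notify the payer of fact and amount."""
        tkey = self.terminal_keys.get(tid)
        if tkey is None or not hmac.compare_digest(
                term_tag, tag(tkey, b"offer", tid, amt, self.nonce, term_nonce)):
            self.shown.append("REJECTED: terminal not authenticated")
            return None                   # no proof, so nothing can be charged
        self.shown.append(f"PAY {int.from_bytes(amt, 'big') / 100:.2f} to {tid.decode()}")
        return tag(self.key, b"pay", self.cid, amt, self.nonce, term_nonce)

def purchase(card: Card, terminal: Terminal, amount_cents: int):
    """Run one exchange; returns (payee authenticated, payer authenticated)."""
    n = card.challenge()
    tid, amt, tn, tt = terminal.offer(amount_cents, n)
    proof = card.respond(tid, amt, tn, tt)
    return proof is not None, proof is not None and terminal.settle(card.cid, card.key, amt, n, proof)
CARD_KEY, TERM_KEY = os.urandom(32), os.urandom(32)   # constructed keys, demo only
def demo():
    card = Card(b"CARD-0001", CARD_KEY, {b"TOLL-GATE-7": TERM_KEY})
    genuine = purchase(card, Terminal(b"TOLL-GATE-7", TERM_KEY), 520)
    rogue = purchase(card, Terminal(b"TOLL-GATE-7", os.urandom(32)), 9999)  # same id, no key
    return genuine, rogue, card.shown
```

A rogue terminal that copies a genuine identifier but lacks the key never gets a proof, so the card displays a rejection and no charge can be settled; the amount is bound into both tags, so it cannot be altered after the payer has seen it.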


The Status of Consumer Protection

• EFT Code of Conduct – phasing out
  http://www.asic.gov.au/asic/pdflib.nsf/LookupByFileName/EFT-Code-as-amended-from-1-July-2012.pdf

• ePayments Code – phasing in by 30 March 2013
  http://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument

• Soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...

• The banks have sought to weaken the protections (In NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)

• The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'


Payments in the Network Era
Initially Wired, Increasingly Unwired

‘Secure’ Models
• ATMs
• EFTPOS – Dr Tx
• Internet Banking
• Debit Tx over the Internet

Insecure Models
• EFTPOS – Cr Tx
• Credit Card Tx over the Internet (CNP / MOTO)

Highly Insecure Models
• Contactless-Chip / RFID / NFC


Mobile Security

Agenda

1. The Motivation
2. Mobile Technology
3. Mobile Technology Users
4. Mobile Payments
5. Risk Assessment for Mobile Payments
6. Risk Assessment for Contactless Chips
