MOBILE PAYMENT SECURITY RISK AND RESPONSE

Size: px

Start display at page:

Download "MOBILE PAYMENT SECURITY RISK AND RESPONSE"

Dominick Osborne
6 years ago
Views:

1 SESSION ID: MBS-F02 MOBILE PAYMENT SEURITY RISK AND RESPONSE Shaoliang hen Senior Security Expert Pw Aaron Turner EO & Founder Integriell

Introduction Shaoliang hen Shaoliang hen Pw Senior Security Expert Email: stevenchen2081@gmail.

2 Introduction Shaoliang hen Shaoliang hen Pw Senior Security Expert Wehat: Position: Senior Security Expert at Pricewaterhouseoopers(Pw) Beijing office. Security experience: A decade of experience in the information security area. Finance Industry experience: As a hief Security Architect role in mobile payment system construction. Social activities: Presenter at security and financial conferences Personal contributions: A series of papers on mobile payment security. 2

Introduction Aaron Turner 20 years of experience researching mobile payment system vulnerabilities Microsoft US Government (DHS, Treasury) o-inventor of several contactless payment technologies

3 Introduction Aaron Turner 20 years of experience researching mobile payment system vulnerabilities Microsoft US Government (DHS, Treasury) o-inventor of several contactless payment technologies Peer-to-peer contactless system based on elliptic curve cryptography Inventor & Entrepreneur Founded Terreo in 2014 as one of the first broadspectrum airspace monitoring systems to look for payment anomalies Sold Terreo to Verifone in

4 Agenda Mobile Payment Ecosystem Mobile Payment Risk Analysis How to Improve Mobile Payment Security 4

5 Part 1 Mobile Payment Ecosystem 5

6 Mobile Payment Definition and Methods Mobile Payment QR code NF Bluetooth Magnetic Fields Near field communication scenarios: Transit, urban commerce Basis of Apple Pay and Google Pay NF QR ode Electronic bracelet 6 Smart watch

Global Mobile Payment Well-Known Brands hina Alipay:

Hong Kong: NF - Octopus United States Apple Pay: NF

Brands South Korea: Samsung Pay India: Paytm Europe:

7 Global Mobile Payment Well-Known Brands hina Alipay: NF, QR code Wehat Pay: QR code UnionPay: NF, QR code Hong Kong: NF - Octopus United States Apple Pay: NF Google Pay: NF Square: QR code PayPal: QR code Other Brands South Korea: Samsung Pay India: Paytm Europe: Wirecard 7 reference: xinhuanet.com, hinadaily.com, various report

8 Mobile Payment Market Development Trend Global Market 8 USA Market reference: statista.com

9 Mobile Payment Security Incidents reference: bankinfosecurity.com reference: zdnet.com/blackhat.com 9

Security Issues for Payment apgemini & BNP Paribas 2017 World Payments Report Survey revealed that bank executives are most concerned about cybersecurity(65.

10 Security Issues for Payment apgemini & BNP Paribas 2017 World Payments Report Survey revealed that bank executives are most concerned about cybersecurity(65.0%) and data privacy(35.0%) yber Security 65% Data Privacy 35% More and more people focus on cyber security for payment an mobile tech help? reference: 10

Mobile Payment Architecture QR payment Online QR Payment ontent ommunication Payment ontent Module Mobile Payment Platform Mobile Payment User Mobile

11 Mobile Payment Architecture QR payment Online QR Payment ontent ommunication Payment ontent Module Mobile Payment Platform Mobile Payment User Mobile Payment Device Mobile Payment APP Backend Data ommunication Accounting System Deal System Security Protection Risk ontrol Network Hardware Software 11

12 Mobile Payment Process QR payment Online QR Payment Merchant 2.Scan commodity OR code Merchant OR code 1.Open the payment app 3. OR code is identified 5.Send payment request 4.onfirm information 6.1 Return payment result Server Database Mobile Payment User Mobile Device Mobile Payment System 12

Mobile Payment Architecture NF payment Online NF Payment ontent ommunication Payment ontent Module Mobile Payment Platform Mobile Payment User Mobile Payment Device NF

13 Mobile Payment Architecture NF payment Online NF Payment ontent ommunication Payment ontent Module Mobile Payment Platform Mobile Payment User Mobile Payment Device NF Module NF ommunication POS Backend Data ommunication Backend Data ommunication Accounting System Network Deal System Hardware Security Protection Risk ontrol Software Merchant 13

14 Mobile Payment Process- NF payment Merchant POS 4.Send order information and deduct money request 2.Send NF payment request 3.Read NF account 5.1 return payment result 1.Open the payment app 5.2 Return payment result Server Database Mobile Payment User Device with NF Module Mobile Payment System 14

15 Part 2 Risk and Analysis 15

16 Mobile Payment Risk Demo QR Payment Malicious QR code Hacker website Hacker 3.Scan QR code 2.Hacker forge fake QR code and decoy victim to scan 4.Malware infection/backdoor Merchant OR code Payment Gateway 1.Open the payment app 5.Hackers control victim account Victim Server Database 16

17 Mobile Payment Risk Demo Phishing Hacker website Fake base station Hacker 1.Hacker deploys malicious base station 4.Malware infection/backdoor 2.Send phishing SMS Payment Gateway 5.Hackers control user account Victim 3.Open URL in SMS Server Database 17

Risk Analysis Device Phishing ross Frame lickjacking Man-in-the-Middle Buffer Overflow No Passcode Weak Passcode Operating System Vulnerability Software Vulnerability No Encryption Weak Encryption

18 Risk Analysis Device Phishing ross Frame lickjacking Man-in-the-Middle Buffer Overflow No Passcode Weak Passcode Operating System Vulnerability Software Vulnerability No Encryption Weak Encryption Sensitive Data Storage No Encryption/Weak Encryption Improper SSL ertificate Validation Dynamic Runtime Injection Incorrect Default Permissions Escalated Privileges Malware Side hannel Attack Baseband Attack SMS Phishing Device Lost 18

19 Risk Analysis Network Network Surface Risk Analysis Protocol Access Man-in-the-Middle (MITM) Session Hijacking DNS (Domain Name System) Poisoning Fake SSL ertificate Wi-Fi (No Encryption/Weak Encryption) Rogue Access Point Packet Sniffing 19

20 Risk Analysis Backend System 01 Web Application Platform Vulnerabilities Brute-Force Attack OWASP Listed Web Vulnerabilities 02 Database 03 Server SQL Injection Privilege Escalation Data Dumping OS ommand Execution APT Attack Server Misconfiguration 20

21 Part 3 How to Improve Mobile Payment Security 21

22 Where are the weaknesses today? End-to-End Mobile Payment Security? Multi-level Security Technology Platform Strong Account System Risk ontrol Anti-Fraud Network APP IOS Android Strong authentication, Separation of privileges Models, Rules, Machine Learning.. 22

Mobile Payment Security Architecture Model People& Device APP ommunication Server User Account Risk ontrol Key requirement Device environment security check Malware software check APP source code

23 Mobile Payment Security Architecture Model People& Device APP ommunication Server User Account Risk ontrol Key requirement Device environment security check Malware software check APP source code security File encryption locally SDL Encryption protocol Security check of access Server OS update Server application update Anti-DDoS API Identity authentication Strong authentication User privacy management User transaction identification Risk management Anti-Fraud Platform Security Assessment ompliance Account Authority Management Authentication System Security Operation Anti-Fraud Privacy Protection Data Security Security Intelligence SDL Platform 23

24 Statistics for Authentication ompanies are adopting advanced authentication technologies Biometrics Software tokens Hardware tokens ryptographic tokens Multifactor authentication National IDs and epassports Smartphone tokens Other (fingerprints, retina scans, facial recognition, etc.) 60% 59% 55% 53% 51% 50% 48% 20% reference: Pw, IO and SO, The Global State of Information Security Survey 2018 Base 9500 respondents 24

25 Best Practice Authentication Technology omparison Technology Features Key Points Security key Biometric(fingerprint, facial recognition) Two-Factor Authentication Multi-factor Authentication National IDs and epassports Strong encryption Hardware key/usbkey Key file (*.key.) Higher identification rate User unique Hardware tokens Software tokens Smartphone tokens , SMS Multi-dimension Knowledge, possesion Various technologies (Security key, SMS, and etc.) Name ID number Build the key management system and ensure security Hardware key/usbkey is proved more secure by now Risk of permanent leakage Natural person property Privacy protection and legal compliance Mandatory to use when register Anti-fraud combination Backend analysis Risk model judgement Verified by public security department Response whether match between name and ID number Privacy 24

26 Turner s Hierarchy of MFA Hardware-separated rypto Systems Hardware One-Time-Passwords Software One-Time-Passwords SMS One-Time-Passwords Software ertificates 26

system VLAN should be configured Strict firewall

add security device, such as firewall, Anti-DDoS,

HR Email Rule control Anti-fraud Financial system

27 Best Practice Network Architecture Firewall/Anti-DDoS/WAF DMZ website Interactive system VLAN should be configured Strict firewall policy Deploy security device Base on requirement, add security device, such as firewall, Anti-DDoS, OA Security assessment Accounting system VPN Bank2 HR Rule control Anti-fraud Financial system User system VPN Bank1 Office Security Protection Platform Payment ore System 25

28 Best Practices SMS Verification? When to use it and when NOT to use it Human not a bot verification How effective versus captcha-sweatshops? Account recovery? What real-world processes can you implement to drive integrity to prevent account hijacking? Avoiding social engineering attacks? How far upstream can you get with mobile payment system designers? 28

Best Practice Key Points for Security Testing Device APP Payment Backend Bank1 Root OS version Access point/wireless/4g Proxy SSL certificates Malware ommunication Secret protection Authentication

29 Best Practice Key Points for Security Testing Device APP Payment Backend Bank1 Root OS version Access point/wireless/4g Proxy SSL certificates Malware ommunication Secret protection Authentication Logic check Bank2 SQL Injection/OWASP Database permission Interfaces Transaction quota Data Encryption Blacklist (IP address or high risk account) PI-DSS Test for failures at each stage how does the system respond to malicious input? 33

30 Best Practice Anti-Fraud 1 Account Account status, active account or not Black account list Account risk rate Device information Device serial number Device network MA address Device IMEI number Device MEID number Trends & Intel Frequency statistics Biggest statistic Device Information Account Trends & Intel User Behavior Anti-Fraud Data Resource Anomalies Account Relationship User Behavior Trade time Trade device Trade amount number Trade bank credit card Anomalies Abnormal operation, such as quickly transfer to multiple accounts. hange account payment password in late night Account Relationship Multiple accounts with the same identified individuals Geographical position 35

31 Best Practice Anti-Fraud 2 Rule Samples Rule Number Rule 1 Rule 2 Rule description A account has been changed password more than three times a day, which requires a SMS verification code to verify. The transaction takes place between 1 a.m. and 5 a.m., and the device is associated with two accounts, sending SMS verification codes. Rule formula When single account has been changed password times>3, then send SMS verification code. When transaction time between 1 a.m. to 5 a.m., one device is associated with the account number 2, then send SMS verification code. 36

32 Best Practice Anti-Fraud 3 Beijing Flight duration time: 12 hours San Francisco Scenario: Transaction IP address change in short time for one person with one account. First transaction IP address in hina. Second transaction IP address in USA. ause: Account information has been stolen or used proxy. Solution: 1. Block transaction directly 2. Manual verification 3. Deep analysis/model 37

Biometric Firewall Account types judgement Account rate Permission control Risk rule Risk list library Risk

33 Transaction Security ontrol Stream User transaction Security mechanism Account and permission Intelligent risk control Manual audit Filtered transaction data Two-factor authentication Multi-factor authentication Tokens Biometric Firewall Account types judgement Account rate Permission control Risk rule Risk list library Risk control model Anti-fraud Machine learning Transaction event security audit Manual verification ore transaction system 38

34 Mobile Payment hallenge Method Selection Which is more secure? NF & QR code (Two principles) Transaction size? User experience? Method Security Authentication mode NF Security SE Security chip Password QR code Encrypted URL Security software Security ontrol Small amount transaction(no password and signature) Backend quota one day one account Transaction amount control one day with one account<500 NY Reference Standard GSMA Organization EMA Organization hina UnionPay has independent QR code standard and ecosystem, EMVo QR ode Specification for Payment Systems: onsumer Presented Mode 1.0 Main Risk Scenarios Lost device Malware Phishing URL: 39

35 Mobile Payment hallenge-privacy Protection What kind of data should be protected hina yber Law GDPR Reference to law and standard, such as Privacy Act Other sensitive data What methods are used to protect data? DLP Reference to PI-DSS Encryption is necessary, ID number 40

36 Mobile Payment hallenge Smart Device Various payment methods i.e. wearable device payment More complicated ecosystem More interfaces More dimensional attacks More risk points 41 Reference: csoonline.com

37 onclusions Identification authentication is the key factor for mobile payment security. New authentication technology does not mean that it is more secure. Pay more attention to privacy protection. Accumulating bad samples is the key to building a risk control model. Machine learning will become good solution to against mobile payment attack in the future. Rules and risk control models must be worked together now. 42

38 Poll the Audience Session ID:MBS-F02 What other security topic you want to know in terms of mobile payment in the future? A-Architecture/New Technology B-Development/App -Anti-Fraud/ompliance 43

39 Wehat: THANK YOU Follow Aaron Turner on LinkedIn:

Ethical Hacking and Prevention

Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive