Deliver Strong Mobile App Security and the Ultimate User Experience


The Presenters

Will LaSala, Director of Services @ VASCO
Will has been with VASCO since 2001 and over the years has been involved in all aspects of product implementation within financial institutions and mobile application developers. Will also oversees the VASCO professional services group, helping banks, enterprises, and ASPs with custom mobile application security, identity management, and authentication projects. He brings to the table over 20 years of software and cyber security experience. Will's research interests are focused on the use of mobile technology to improve user experience.

Andrew Showstead, Director of Technical Consultancy and Market Solutions @ VASCO
Andrew oversees the engineering and product implementation aspects of mobile application security and fraud prevention projects for enterprise clients. He is also a technical team lead tasked with researching and developing new markets for VASCO in North America. Andrew comes back to VASCO after serving as Chief Technology Officer for njuvo Inc., where he led the development of an Internet security product for payment fraud prevention. His research interests include identity federation and the use of embedded technologies to simplify security.

About VASCO: Company Highlights
- Founded in 1991
- Publicly traded on the NASDAQ since 1997 (VDSI)
- More than 10,000 customers in 100 countries
- 50+ consecutive quarters of profitability
- 17+ global offices

WHAT'S THE PROBLEM WITH MY MOBILE EXPERIENCE?

The Growth of Mobile App Fraud

Threats to Your Mobile App
1. Corruption of the execution environment
   - Application sandboxing is broken on a rooted device: the data you store on the device can be read or updated by any other application running on the same device
   - The default keyboard is replaced by a keyboard that includes a keylogger
   - A screen reader records the application display and forwards the information
2. Reverse engineering of the application through instrumentation and debugging
3. Modification of the application
   - Modified and repackaged applications are published on alternative stores for phishing attacks

Mobile Vulnerabilities (source: viaForensics, 2014)
Device attack surface: what behaviors can present issues?
- Browser: Phishing, Pharming, Clickjacking, Man-in-the-Middle, Buffer Overflow, Data Caching
- System: No Passcode/Weak Passcode, iOS Jailbreaking, Android Rooting, OS Data Caching, Passwords & Data Accessible, Carrier-Loaded Software, No Encryption/Weak Encryption, User-Initiated Code
- Malware
- Phone/SMS: Baseband Attacks, SMishing
- Apps: Sensitive Data Storage, No Encryption/Weak Encryption, Improper SSL Validation, Config Manipulation, Dynamic Runtime Injection, Unintended Permissions, Escalated Privileges

Mobile Vulnerability: Reverse Engineering (slides 8-12, screenshots only)
[Screenshots of the demo "MY Bank" app under the heading "Threats to the application", ending with a look-alike app named "My Bank Too" that prompts for the password ("Password?!").]

BEST PRACTICES

Threats to the Application: Best Practices
- Consider the Platform: apply rootkit/jailbreak protections
- Protect the User Interface from Malicious Compromise
- Secure Provisioning is a must-have, and Implement a Secure Encrypted Channel
- Avoid Storing data on the mobile; Apply persistent protection when you must
- Two-Factor Authentication can be achieved through an easy user experience
- Secure your Transactions and Document Signing Process

SECURING THE MOBILE EXPERIENCE: DIGIPASS FOR APPS

What is Runtime Application Self-Protection?
RASP, or application shielding, is a set of technologies used to add security functionality directly to mobile applications for the detection and prevention of application-level intrusions.

What Does RASP Do?
- Proactively shields applications from malware
- Controls execution and prevents real-time attacks
- Protects the integrity of mobile applications to ensure data and transactions are not compromised
- Maintains a mobile application's run-time integrity even if a user inadvertently downloads malware onto their device

Why Do I Need RASP?
The hackers may be gaining access through applications and solutions... many organizations have significant network security in place, but it's not enough, as 84% of all cyber-attacks are happening on the application layer. Only 1% of all apps today have Runtime Application Self-Protection running, but by 2020, 44% of all applications will be leveraging some type of RASP protection.
Sources:
- http://www.forbes.com/sites/sap/2015/03/10/most-cyber-attacks-occur-from-this-common-vulnerability/#122ee06741ae
- http://www.technavio.com/report/global-it-security-global-runtime-application-self-protection-security-market-2016-2020

[Slide 23, screenshot only: the demo "MY App" showing real-time queuing of a request with Approve / Deny buttons.]

ACHIEVING THE BEST PRACTICES

Achieving Best Security Practice with DIGIPASS for APPS

Best practice | Delivered by
Consider the Platform: apply rootkit/jailbreak protections | RASP
Protect the User Interface from Malicious Compromise | RASP
Secure Provisioning is a must-have, and Implement a Secure Encrypted Channel | DIGIPASS for Apps
Avoid Storing data on the mobile; Apply persistent protection when you must | DIGIPASS for Apps
Two-Factor Authentication can be achieved through an easy user experience | DIGIPASS for Apps
Secure your Transactions and Document Signing Process | DIGIPASS for Apps

WHAT'S NEXT?
Contact the VASCO team to get a live demo that:
- demonstrates compromised app behavior
- outlines DIGIPASS for APPS protection mechanisms
Contact: info-usa@vasco.com