LET S TALK MONEY. Fahad Pervaiz. Sam Castle, Galen Weld, Franziska Roesner, Richard Anderson

Similar documents
Richard Anderson University of Washington Seattle, USA

Computing and Digital Financial Services. Richard Anderson University of Washington Seattle, USA

Bank Infrastructure - Video - 1

MOBILE THREAT LANDSCAPE. February 2018

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Topics. Ensuring Security on Mobile Devices

Mobile Money. Lecture 9: CSE 490c. 10/15/2018 University of Washington, Autumn

Copyright

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

UW Digital Financial Services Research Group. Richard Anderson University of Washington Seattle, USA

How Secure is Blockchain? June 6 th, 2017

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Richard Anderson University of Washington Seattle, USA

Deliver Strong Mobile App Security and the Ultimate User Experience

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

IBM Future of Work Forum

UW Digital Financial Services Research Group. Richard Anderson University of Washington Seattle, USA

Cyber Security Updates and Trends Affecting the Real Estate Industry

Ch 9: Mobile Payments. CNIT 128: Hacking Mobile Devices. Updated

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

How. Biometrics. Expand the Reach of Mobile Banking ENTER

NGN: Carriers and Vendors Must Take Security Seriously

Secure Frame Communication in Browsers Review

Quick Heal Mobile Security. Anti-Theft Security. Real-Time Protection. Safe Online Banking & Shopping.

ISO/IEC Common Criteria. Threat Categories

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Authentication Technology for a Smart eid Infrastructure.

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

The Android security jungle: pitfalls, threats and survival tips. Scott

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

C1: Define Security Requirements

COMPANY PROFILE < >

1 About Web Security. What is application security? So what can happen? see [?]

WHITE PAPER 2019 AUTHENTICATOR WHITE PAPER

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

CSWAE Certified Secure Web Application Engineer

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Are You Avoiding These Top 10 File Transfer Risks?

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

PCI Compliance. What is it? Who uses it? Why is it important?

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Engineering Your Software For Attack

Integrated Access Management Solutions. Access Televentures

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Introduction to Information Security Dr. Rick Jerz

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Effective Strategies for Managing Cybersecurity Risks

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Certified Secure Web Application Engineer

C and C++ Secure Coding 4-day course. Syllabus

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Presents: PIN less e-top-up and Bill Pay services for Bank Customers. Powered by: arttha. Reliable & Secure Payments

Quick Heal Total Security for Android. Anti-Theft Security. Web Security. Backup. Real-Time Protection. Safe Online Banking & Shopping.

CSE484 Final Study Guide

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

AN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers

FIDO ALLIANCE: UPDATES & OVERVIEW BRETT MCDOWELL EXECUTIVE DIRECTOR. All Rights Reserved FIDO Alliance Copyright 2017

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

REPORT. proofpoint.com

How NOT To Get Hacked

Security Audit What Why

Securing Information Systems

Security Philosophy. Humans have difficulty understanding risk

RSA Web Threat Detection

Cyberspace : Privacy and Security Issues

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

Endpoint Security - what-if analysis 1

SOCIAL NETWORKING IN TODAY S BUSINESS WORLD

Evaluating the Security Risks of Static vs. Dynamic Websites

Office 365 Buyers Guide: Best Practices for Securing Office 365

FFIEC Guidance: Mobile Financial Services

Zimperium Global Threat Data

How do we become digital? Marie Valdez, Regional Director Software Group 25 July 2014 Century Park Hotel, Manila

HOLISTIC COMMUNICATIONS SECURITY

2015 Online Trust Audit & Honor Roll Methodology

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Cloud-Security: Show-Stopper or Enabling Technology?

June 2 nd, 2016 Security Awareness

MOBILE DEFEND. Powering Robust Mobile Security Solutions

How Threat Modeling Can Improve Your IAM Solution

CLX.MAP & Mobile Security

Wireless LAN Security (RM12/2002)

Professional Services Overview

mhealth SECURITY: STATS AND SOLUTIONS

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC

Transcription:

LET S TALK MONEY Fahad Pervaiz Sam Castle, Galen Weld, Franziska Roesner, Richard Anderson

Unbanked Population

Branchless Banking Bank/Financial Institute Bank of America, Standard Chartered Bank Telecommunication Company Verizon, Safaricom 3 rd Party Software Company Paypal, Google Wallet

Agent Based Banking

Communication Channels Internet SMS USSD

Physical Security to Digital Security how

Prior Work Vulnerabilities in seven branchless banking applications Improper certificate verification Non-standard and weak cryptography Information leakage Data Exposure Weak password recovery Reaves et al. Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World. USENIX 2015.

Building Threat Model Confidentiality Integrity Availability External Apps External Libraries SMS Intercept Server Attack Man-in-the-Middle Authentication Attack SMS Spoof Agent-driven Fraud Fake Accounts Data Loss Denial-of-Service (DoS) Theft of Services Device Theft

Methodology General Analysis Decompiled android apps Ran automated scripts to find indicators In-Depth Analysis Examine service s website Search for promotional flyers Developer Interviews No of Developers: 7 Average Interview duration: 45 min Questions: Experience, Org Structure, Training and Security Processes

General App Analysis Approx 400 active services; majority are from GSMA mobile money development tracker database lists Selected Services: 197 Android apps Indicators: version, permission, external libraries, URLs

Stealing Data from Android Debug Log Another app can get permission to access logs Issue fixed in Android v4.1 5%

Over-Privilege Applications Over-privilege apps leaves room for vulnerability

External Tracking Libraries Malicious or buggy 3 rd party libraries can introduce new data leaks and vulnerabilities

Insecure Connections Insecure connections are vulnerable to man-in-the-middle attacks

In-Depth App Analysis Selected set have 71 services that includes Android app as well as USSD supported apps 11 43 17

In-Depth App Analysis 36 20 12 apps services returned can do not be account require accessed info, user without balance to present user s and a transactions SIM government card issued via SMS ID Server Fake Accounts Attack, Authentication Attack

In-Depth App Analysis Password Reset 16 Apps reset the password via security questions based on personal information that is common knowledge in rural area 4 Apps reset the password to 1234

Developer Interviews To better understand the sources of vulnerabilities, we interviewed developers from developing world. Contacted 249 unique email address Location: Nigeria, Kenya, Uganda, Zimbabwe, Colombia Organizations: Bank (3), Telco (2), Software (2) Majority of organizations were large One small company with only 50 K 100 K downloads

Developer Interviews Most developer had college degrees and more than 5 year industry experience Except for one, all companies provided technical training to their developers All organizations had a separate security review team and code review processes External libraries use was allowed but either developers were skeptical or there is organizational review needed All developers except for one listed stack overflow among top two resources to use for help

Developer Interviews Incomplete Threat Model Protecting organization from theft is considered more important than protecting customers There are two security risks and both are human. One is an exemployee, and second is the customer...i take part in API discussions and system architecture for a new system...with my experience and training, I would say if I left the company today, there are 900 security breaches, and I would be able to breach one of them.

Developer Interviews Partner Requirements and Regulations Certain insecurities are dictated by the partner specifications and/or government regulations We did one crazy one [implementation] in West Africa where they didn't use any [encryption]. There again we are just at the mercy of the partner...we made them sign documents seven ways to Sunday because we were absolutely worried about [security]. What you'll find in these markets is that you have an IT person, and you are forced to work to their level of expertise.

Conclusion Designed a Threat Model General Analysis Mandating updated Android versions Whitelist of secure 3 rd party libraries Advocate end-to-end secured communication In-Depth Analysis Use of Govt. ID to avoid fake accounts Better requirements are needed for password reset Privacy issues with SMS communication Developer Interviews Vulnerabilities due to specifications managed by different stakeholders Complete threat model is needed to eliminate lack of understanding Providing resources for best security practices to replace unreliable online forums

Thank You Fahad Pervaiz fahadp@cs.washington.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback