COMP 2410 – Networked Information Systems
SC3 – Mobile Security
Roger Clarke, Xamax Consultancy, Canberra; Visiting Professor, A.N.U. and U.N.S.W.
ANU RSCS, 2 April 2015
Networked Information Systems – The Applications Layer
1. Application Architectures
   1.1 Master-Slave Architecture
   1.2 Client-Server Architecture; Cloud Computing
   1.3 Peer-to-Peer (P2P) Architecture
2. Categories of Networked Application
   2.1 Mobile Computing
   2.2 Web 2.0 and Social Media
3. Networked Info Systems Security
   3.1 Security of Info and I.T.
   3.2 Malware and Other Attacks
   3.3 Mobile Security
Mobile Devices
'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'
- Nomadic / Untethered Portables
- Mobiles / Smartphones
- Handheld Computing Devices: PDAs, games machines, music-players, 'converged' / multi-function devices
- Tablets, esp. iPad but now many followers
- Processing Capabilities in Other 'Form Factors': credit-cards, RFID and NFC tags, subcutaneous chips
- Wearable Computing Devices: watches, finger-rings, spectacles, key-rings, necklaces, bracelets, anklets, body-piercings ... chip implants
Wireless Comms
- Wide Area Networks – Satellite (Geosynchronous; Low-Orbit). Geosynchronous: large footprint, very high latency (c. 0.5 s round-trip)
- Fixed-Wireless / Line-of-Sight – WiMAX ('08), TD-LTE/LTE-TDD ('12): 3-10 km per cell, high capacity per user, local monopoly?, trees!
- Wide Area Networks – Cellular (50 m to 10 km cell-radius, with increasing capacity per user, particularly 3G onwards)
  - 1G – Analogue Cellular, e.g. AMPS, TACS
  - 2G – Digital Cellular, e.g. GSM, CDMA (with GPRS/EDGE as the packet-data steps from GSM towards 3G)
  - 3G – UMTS/HSPA, CDMA2000
  - 4G – LTE, deployed / deploying
- Local Area Networks – 'WiFi' ( m radius), primarily IEEE x, where x = a, b, g, n
- Personal Area Networks (1-10 metres) – Bluetooth? Infra-red?
- Contactless Cards / RFID Tags / NFC Chips (1-10 cm radius)
Mobile Usage
- Messaging – synch and asynch, 1-1 and m-n: Chat/IM, Voice, Video, ...
- Content Access: Open Web, Search; Semi-Closed Wall-Postings; Organisational Data
- Content Preparation / Publishing: Formal Docs, Informal Postings / -blogging; Open, Corporate, Personal
- Transactions: Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...
Mobile Security – Agenda
1. Mobile Devices, Comms, Usage
2. Case Studies
   A. Contactless Chip Payment
   B. Location and Tracking
3. Application of the Security Model
4. What Do We Do About It?
Case Study A – Contactless Chip Payment
Contactless Chip-Cards as Payment Devices
- RFID / NFC chip embedded in card
- Wireless operation, up to 5 cm from a terminal
- Visa PayWave and MasterCard PayPass
- No-PIN limit: up to $100 and $35 resp. (cf. original $25)
- Presence of chip in card is not human-visible, but logo / brand may be visible
  - No choice whether it's activated
  - No choice about the threshold
- Operation of chip in card is not human-apparent
  - No action required when within 5 cm range, i.e. automatic payment
  - No receipt becomes the norm?
- Used as a credit card: unauthenticated auto-lending
- Used as a debit card: PIN-less charge to bank account
Key Safeguards for Chip Payment Schemes
- Authentication – None / A Non-Secret / / For Higher-Value Transactions Only / Always [e.g. UK RingGo Parking Payment Scheme – last 4 digits]
- Act of Consent – None / Unclear / Clear [e.g. tap the pad in response to display of amount due]
- Notification – None / Audio / Display [if 'None', surreptitious payment extraction is feasible]
- Receipt / Voucher – None / Option or Online / Yes [e.g. Octopus, toll-roads, UK RingGo Parking Payment Scheme]
Are These Safeguards in Place for Visa PayWave and MasterCard PayPass?
- Authentication – None / A Non-Secret (but Yes, for transactions > $100 only)
- Act of Consent – None? / Unclear? / Clear? Payment proceeds if the card is within 5 cm of a device, whether seen or not; and the 'consent' is by whoever possesses the card
- Notification – None? / Audio? / Display? If 'None', then surreptitious payment extraction is enabled
- Receipt / Voucher – None? / Option? / Yes?
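The four safeguards above, modelled in code as an added example (this is not the lecture's code and not any card scheme's authorisation logic): a scheme policy with the tap-only settings the slides describe sits beside a hardened policy, and one function evaluates a tap against each, refusing it or approving it with a list of residual risks. The $100 threshold and 5 cm range are the slides' figures; the class and function names (SchemePolicy, Tap, evaluate_tap, surreptitious_extraction_feasible) and the hardened settings are assumptions made for this illustration.

```python
"""Model of the chip-payment safeguards on the slides (authentication, act of
consent, notification, receipt). Added illustration: not the lecture's code
and not any card scheme's logic. Class and function names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class SchemePolicy:
    name: str
    no_auth_threshold: float   # taps at or below this amount need no PIN
    consent_required: bool     # cardholder must tap in response to the displayed amount
    notification: str          # "none" | "audio" | "display"
    receipt: str               # "none" | "option" | "always"


@dataclass(frozen=True)
class Tap:
    amount: float
    card_in_range: bool        # card within the roughly 5 cm field of the terminal
    consent_given: bool        # a deliberate tap after the amount was shown
    pin_entered: Optional[str] = None


@dataclass
class Outcome:
    approved: bool
    reasons: List[str] = field(default_factory=list)   # why the tap was refused
    risks: List[str] = field(default_factory=list)     # residual exposure on an approved tap


def evaluate_tap(policy: SchemePolicy, tap: Tap) -> Outcome:
    """Apply the policy to one tap: refuse it, or approve it and list residual risks."""
    out = Outcome(approved=False)
    if not tap.card_in_range:
        out.reasons.append("card not in range")
        return out

    # Authentication: nothing is demanded at or below the threshold.
    if tap.amount > policy.no_auth_threshold:
        if tap.pin_entered is None:
            out.reasons.append("PIN required above threshold")
            return out
    else:
        out.risks.append("no authentication: whoever possesses the card can pay")

    # Act of consent: without it, proximity alone triggers the payment.
    if policy.consent_required:
        if not tap.consent_given:
            out.reasons.append("no act of consent")
            return out
    else:
        out.risks.append("consent inferred from proximity only")

    # Notification and receipt do not block the tap, but their absence is a risk.
    if policy.notification == "none":
        out.risks.append("no notification: surreptitious payment extraction feasible")
    if policy.receipt == "none":
        out.risks.append("no receipt: cardholder cannot reconcile later")

    out.approved = True
    return out


def surreptitious_extraction_feasible(policy: SchemePolicy) -> bool:
    """True when a card brought into range can be charged with no PIN,
    no act of consent and no notification to the cardholder."""
    return (policy.no_auth_threshold > 0
            and not policy.consent_required
            and policy.notification == "none")


# Two policies: the tap-only arrangement the slides describe, and a hardened one.
# The threshold is the slides' $100 figure; the other settings are assumptions.
TAP_ONLY = SchemePolicy("tap-only", 100.0, consent_required=False,
                        notification="none", receipt="none")
HARDENED = SchemePolicy("tap-with-consent", 100.0, consent_required=True,
                        notification="display", receipt="option")

# Constructed scenario: a reader held next to a wallet, no amount shown, no deliberate tap.
WALLET_TAP = Tap(amount=40.0, card_in_range=True, consent_given=False)

if __name__ == "__main__":
    for policy in (TAP_ONLY, HARDENED):
        result = evaluate_tap(policy, WALLET_TAP)
        print(policy.name, "approved" if result.approved else "refused",
              result.reasons or result.risks)
```

Under the tap-only policy the wallet tap is approved with three residual risks listed; under the hardened policy it is refused for lack of an act of consent, and a $150 tap is refused under both unless a PIN is supplied.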
Case Study B – Location and Tracking
Location is Inherent to the Technology
- Insufficient capacity to broadcast all traffic in all cells
- The network needs to know the cell each mobile is in
- Mobiles send registration messages to base-station(s), even if nominally switched off or placed on standby
What's Being Tracked?
- The SIM-card, via an identifier such as the IMSI
- The handset, via an 'entifier' of the device such as the IMEI
- The person the SIM-card and/or handset is registered to (and may be required by law to be so)
- Most handsets have one SIM-card, and one user
The Precision of Handset Location
Intrinsically, the cell-size:
- 1 km-10 km radius for non-CBD cells
- c. 100 m radius for WiFi and CBD cells
Potentially much more fine-grained:
- Directional Analysis
- Differential Signal Analysis
- Triangulation
- Self-Reporting of GPS coordinates
Handset Location – Accuracy and Reliability
- Directional Analysis: the case of the Cabramatta murder conviction
- Differential Signal Analysis: a wide array of error-factors
- Triangulation: multiple transceivers, multiple error-factors
- Self-Reporting of GPS coordinates: highly situation-dependent, and unknown; dependent on US largesse, 'operational requirements'
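The precision and error-factor points above, worked through as an added example (not the lecture's code): a pure-Python simulation in which a handset's position is recovered from range estimates to three base stations, first by serving cell only (precision is the cell size) and then by what the slides call triangulation, implemented here as range-based trilateration by least squares, with Gaussian ranging noise standing in for the 'wide array of error-factors'. The tower coordinates, handset position and noise levels are constructed sample data, and the function names are assumptions for this illustration.

```python
"""Handset location from base-station ranges. Added illustration, not the
lecture's code. Tower and handset coordinates are constructed sample data
in a local metre grid; function names are assumptions for this example."""
import math
import random
from typing import List, Tuple

Point = Tuple[float, float]

# Constructed sample: three base stations and the handset's true position (metres).
TOWERS: List[Point] = [(0.0, 0.0), (4000.0, 0.0), (2000.0, 3500.0)]
TRUE_HANDSET: Point = (1500.0, 1200.0)


def distance(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def true_ranges() -> List[float]:
    return [distance(TRUE_HANDSET, t) for t in TOWERS]


def cell_id_estimate(ranges: List[float]) -> Tuple[Point, float]:
    """Coarsest method: the network only knows the serving cell, so the best it
    can say is 'at this tower, within this radius'. Returns (tower, radius)."""
    serving = min(range(len(TOWERS)), key=lambda i: ranges[i])
    return TOWERS[serving], ranges[serving]


def trilaterate(towers: List[Point], ranges: List[float], iters: int = 100) -> Point:
    """Least-squares position minimising sum_i (|p - tower_i| - range_i)^2 by
    Gauss-Newton in 2-D. Needs three or more non-collinear towers."""
    x = sum(t[0] for t in towers) / len(towers)   # start at the tower centroid
    y = sum(t[1] for t in towers) / len(towers)
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0           # normal equations J^T J d = -J^T r
        for (tx, ty), r in zip(towers, ranges):
            d = math.hypot(x - tx, y - ty)
            if d < 1e-9:
                continue
            jx, jy = (x - tx) / d, (y - ty) / d   # gradient of |p - tower|
            res = d - r
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * res
            b2 += jy * res
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break                                  # degenerate geometry
        dx = -(a22 * b1 - a12 * b2) / det
        dy = -(a11 * b2 - a12 * b1) / det
        x += dx
        y += dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return (x, y)


def mean_trilateration_error(sigma_m: float, trials: int = 200, seed: int = 1) -> float:
    """Average position error when each range carries Gaussian noise of sigma_m
    metres (a stand-in for the slide's 'wide array of error-factors')."""
    rng = random.Random(seed)
    ranges = true_ranges()
    total = 0.0
    for _ in range(trials):
        noisy = [max(1.0, r + rng.gauss(0.0, sigma_m)) for r in ranges]
        total += distance(trilaterate(TOWERS, noisy), TRUE_HANDSET)
    return total / trials


if __name__ == "__main__":
    tower, radius = cell_id_estimate(true_ranges())
    print("serving cell:", tower, "radius %.0f m" % radius)
    print("trilaterated (exact ranges): (%.1f, %.1f)" % trilaterate(TOWERS, true_ranges()))
    for sigma in (0.0, 50.0, 200.0):
        print("range noise %4.0f m -> mean position error %.0f m"
              % (sigma, mean_trilateration_error(sigma)))
```

With exact ranges the handset is recovered to within a metre, whereas the serving-cell estimate is off by roughly the cell radius; as ranging noise grows, the position error grows with it, which is the slide's point that fine-grained methods are only as good as their inputs.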
[Figure: The Primary Geolocation Technologies]
Location and Tracking – Some Scenarios
- Arresting a crook
- Investigating the proximity of a suspect to a crime-scene
- Targeting an enemy
- Being accused of association with another person
- Having your association with a person discovered
- Being targeted by a marketer who knows a great deal about you
- Being monitored by your partner, or your next date
- Being targeted by an enemy
- Being found by a fan, stalker, abusive ex-partner
Application of the Security Model to Mobile Usage
- Messaging – synch and asynch, 1-1 and m-n: Chat/IM, Voice, Video, ...
- Content Access: Open Web, Search; Semi-Closed Wall-Postings; Organisational Data
- Content Preparation / Publishing: Formal Docs, Informal Postings / -blogging; Open, Corporate, Personal
- Transactions: Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...
[Figure: Conventional IT Security Model (see EC/PBAR.html#App1)]
The Harm Aspect
- Injury to Persons
- Damage to Property
- Loss of Value of an Asset
- Breach of Personal Data Security, or Privacy more generally
- Financial Loss
- Inconvenience and Consequential Costs arising from Identity Fraud (very common)
- Serious Inconvenience and Consequential Costs arising from Identity Theft (very rare)
- Loss of Reputation and Confidence
The Vulnerability Aspect
- The Environment: physical surroundings; organisational context; social engineering
- The Device: hardware, systems software, applications; server-driven apps (ActiveX, Java, AJAX); the device's functions: known, unknown, hidden; software installation; software activation
- Communications: transaction partners; data transmission
- Intrusions: malware vectors; malware payloads; hacking, incl. backdoors, botnets
Threat Aspects – Third-Party, Within the System (Who else can get at you, where, and how?)
- Points-of-Transaction, Physical: observation; coercion
- Points-of-Transaction, Electronic: rogue devices; rogue transactions; keystroke loggers; private-key reapers
- Comms Network: interception; decryption; man-in-the-middle attacks
- Points-of-Processing: rogue employee; rogue company; error
Threat Aspects – Third-Party, Within the Device
- Physical Intrusion
- Social Engineering: confidence tricks; phishing; masquerade
- Abuse of Privilege: hardware; software; data
- Electronic Intrusion: interception; cracking / 'hacking'; bugs; trojans; backdoors; masquerade; distributed denial of service (DDoS); infiltration by software with a payload
Threat Aspects – Second-Party
- Situations of Threat: banks; telcos / mobile phone providers; toll-road eTag providers; intermediaries; devices
- Safeguards: terms of contract; risk allocation; enforceability; consumer rights
Key Threat / Vulnerability Combinations re Mobile Payments
- Unauthorised Conduct of Transactions
- Interference with Legitimate Transactions
- Acquisition of Identity Authenticators, e.g.:
  - Credit-card details (card-number as identifier, plus the associated identity authenticators)
  - Username (identifier) plus password / PIN / passphrase / private signing key (identity authenticator)
  - Biometrics capture and comparison
What Do We Do About It?
- Consumers
- Organisations: corporate devices; BYOD
The Status of Consumer Protection
- EFT Code of Conduct – longstanding, phased out
- ePayments Code – wef 30 March: soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...
- The banks have sought to weaken the protections (in NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)
- The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'
The Absolute-Minimum Security Safeguards
1. Physical Safeguards
2. Access Control
3. Malware Detection and Eradication
4. Patching Procedures
5. Firewalls
6. Incident Management Processes
7. Logging
8. Backup and Recovery Plans, Procedures
9. Training
10. Responsibility
Beyond the Absolute-Minimum Safeguards
Risk Assessment, leading to at least some of:
11. Data Communications Encryption
12. Data Storage Encryption
13. Vulnerability Testing
14. Standard Operating Environments
15. Application Whitelisting
16. Device Authentication and Authorisation
17. Use of Virtual Private Networks
18. Intrusion Detection and Prevention
19. User Authentication
20. Firewall Configurations, Outbound