
Slide 1 (Copyright 2008-12)
COMP 3410 – I.T. in Electronic Commerce
eSecurity: Mobile Security
Roger Clarke, Xamax Consultancy, Canberra; Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/EC/... ETSecy4 {.html,.ppt}
ANU RSCS, 16 October 2012

Slide 2: Mobile Security Agenda
  1. Mobile Technology: Devices; Wireless Comms
  2. Mobile Technology Users
  3. Mobile Payments
  4. Risk Assessment for Mobile Payments
  5. Risk Assessment for Contactless Chips

Slide 3: 1. Mobile Devices
'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'
  - Mobiles / Smartphones
  - Handheld Computing Devices: PDAs, games machines, music-players, 'converged' / multi-function devices
  - Tablets: esp. iPad, but now many followers
  - Processing Capabilities in Other 'Form Factors': credit-cards, RFID tags, subcutaneous chips
  - Wearable Computing Devices: watches, finger-rings, key-rings, glasses, necklaces, bracelets, anklets, body-piercings
  - ? Nomadic / Untethered PCs

Slide 4: Wireless Comms and Mobile Security in 2011
  - Wide Area Networks – Satellite: Geosynchronous (2 second latency); Low-Orbit (Iridium)
  - Wide Area Networks – WiMax / IEEE 802.16; iBurst
  - Wide Area Networks – Cellular (0.5 to 20km per cell):
      1 – Analogue Cellular, e.g. AMPS, TACS
      2 – Digital Cellular, e.g. GSM, CDMA
      3 – GSM/GPRS/EDGE, CDMA2000, UMTS/HSPA
      4G – LTE, with preliminary versions imminent
  - Local Area Networks – WiFi / 802.11x (10-100m radius)
  - Personal Area Networks – Bluetooth (1-10 m radius)
  - Contactless Cards / RFID Tags / NFC (1-10cm radius)

Slides 5-7: 2. Mobile Technology Users (progressive build)
Dimensions of Differentiation:
  - Education, Income, Wealth
  - Infrastructure Availability
  - Technical Capability
  - Opportunity-Awareness
  - Leadership / Followership
  - Risk-Awareness, Risk-Aversion
  - Age / 'Generation'

Slide 8: The 'Generations' of Computing Consumers (birth-years and ages are indicative)

  Generation             Birth-Years   Age in 2011
  Silent / Seniors       1910-45       66-100
  Baby Boomers – Early   1945-55       56-66
  Baby Boomers – Late    1955-65       46-56
  Generation X           1965-80       31-46
  Generation Y           1980-95       16-31
  The iGeneration        1995-         0-16

Slide 9: Generational Differences
  - Baby Boomers (45-65): handshake/phone; PCs came late; had to adapt to mobile phones. Work is Life; the team discusses / the boss decides; process-oriented
  - GenXs (30-45): grew up with PCs, email and mobile phones, hence multi-taskers. Work to Have More Life; expect payback from work; product-oriented
  - GenYs (15-30): grew up with IM/chat, texting and video-games; strong multi-taskers. Life-Work Balance; expect fulfilment from work; highly interactive
  - iGens (to 15): growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking. ?Life before Work; even more hedonistic; highly (e-)interactive

Slides 10-13: 3. Mobile Payments (progressive build)
  - Commerce: purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC)
  - eCommerce: purchases of physical goods and services at virtual points of sale (Internet, Cellular phone)
  - MCommerce: purchases of digital goods and services, such as image, audio and video, and location-specific data
  - Consumer-to-Consumer (C2C): transfers of value between individuals

Slide 14: 4. Risk Assessment for Mobile Payments
  (0) The Mainstream Security Model
  (1) The Technical Architecture
  (2) The Commercial Architecture
  (3) The Transaction Process Aspect
  (4) The Harm Aspect
  (5) The Vulnerability Aspect
  (6) The Threat Aspects
  (7) The Safeguards Aspect

Slide 15: (0) The Mainstream Security Model
Abstract Threats become actual Threatening Events, impinge on Vulnerabilities, overcome Safeguards and cause Harm.
Security is a (desirable) condition in which Harm does not arise because Threats are countered by Safeguards.

Slide 16: (1) The Technical Architecture: Indicative Model (diagram; not reproduced in the transcript)

Slide 17: (2) Commercial Architecture
Internet Online Trading Protocol (IOTP) roles (diagram): Customer/Payer; Seller/Payee; Payment Handler; Delivery Handler; Customer Support

Slide 18: (2) Commercial Architecture (continued)
Internet Online Trading Protocol (IOTP) roles: Customer/Payer; Seller/Payee; Payment Handler; Delivery Handler; Customer Support
BUT ALSO...
  - Internet Access Providers (IAPs)
  - Carriage Service Providers (CSPs)
  - Commercial Intermediaries, e.g. Paypal
  - Transaction Service Providers, e.g. banks and credit-card companies
  - Payment Services Providers, e.g. deposit-holders, lenders and insurers
  - Regulators and complaints bodies, e.g. financial services ombudsmen
  - Consumer Rights representative and advocacy organisations
  - Consumer Segments, e.g. the mobility-disadvantaged, the sight-impaired, people with limited financial assets

Slide 19: (3) The Transaction Process Aspect (diagram, from Herzberg (2003), p. 56)

Slides 20-22: (4) The Harm Aspect (progressive build)
  - Injury to Persons
  - Damage to Property
  - Loss of Value of an Asset
  - Breach of Personal Data Security, or Privacy more generally
  - Financial Loss
  - Inconvenience and Consequential Costs arising from Identity Fraud
  - Serious Inconvenience and Consequential Costs arising from Identity Theft
  - Loss of Reputation and Confidence

Slide 23: (5) The Vulnerability Aspect
  - The Environment: Physical Surroundings; Organisational Context; Social Engineering
  - The Device: Hardware; Systems Software; Applications; Server-Driven Apps (ActiveX, Java, AJAX, HTML5); The Device's Functions: Known, Unknown, Hidden; Software Installation; Software Activation
  - Communications: Transaction Partners; Data Transmission
  - Intrusions: Malware Vectors; Malware Payloads; Hacking, incl. Backdoors, Botnets

Slide 24: (6) Threat Aspects – Second-Party
Situations of Threat: Banks; Telcos / Mobile Phone Providers; Toll-Road eTag Providers; Intermediaries; Devices
Safeguards: Terms of Contract; Risk Allocation; Enforceability; Consumer Rights

Slide 25: (6) Threat Aspects – Third-Party, Within-System (Who else can get at you, where, and how?)
  - Points-of-Payment, Physical: Observation; Coercion
  - Points-of-Payment, Electronic: Rogue Devices; Rogue Transactions; Keystroke Loggers; Private Key Reapers
  - Network, Electronic: Interception; Decryption; Man-in-the-Middle Attacks
  - Points-of-Processing: Rogue Employee; Rogue Company; Error

Slide 26: (6) Threat Aspects – Third-Party, Within-Device
  - Physical Intrusion
  - Social Engineering: Confidence Tricks; Phishing; Masquerade; Abuse of Privilege
  - Targets: Hardware; Software; Data
  - Electronic Intrusion: Interception; Cracking / Hacking; Bugs; Trojans; Backdoors; Masquerade; Distributed Denial of Service (DDOS); Infiltration by Software with a Payload

Slide 27: (6) Threat Aspects – Third-Party, Within-Device: Infiltration by Software with a Payload
  - Software (the Vector): Pre-Installed; User-Installed; Virus; Worm; ...
  - Payload: Trojan (Spyware; Performative; Communicative; Bot / Zombie); Spyware (Software Monitor; Adware; Keystroke Logger; ...)

Slides 28-30: Key Threat / Vulnerability Combinations (progressive build)
  - Unauthorised Conduct of Transactions
  - Interference with Legitimate Transactions
  - Acquisition of Identity Authenticators:
      e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
      e.g. Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (id authenticator)
      e.g. Biometrics capture and comparison
  - Use of a Consumer Device as a Tool in a fraud perpetrated on another party

Slides 31-32: 5. Risk Assessment of Contactless Chips: Contactless Chip-Cards as Payment Devices
  - RFID / NFC chip embedded in card
  - Wireless operation, up to 5cm from a terminal
  - Visa Paywave and MasterCard PayPass: up to $100 and $35 resp. (cf. original $25)
  - Presence of chip in card is not human-visible, but Logo / Brand may be visible
  - No choice whether it's activated
  - Operation of chip in card is not human-apparent
  - No action required when within 5cm range, i.e. automatic payment
  - No receipt is the norm
  - Used as Cr-Card: unauthenticated auto-lending
  - Used as Dr-Card: PIN-less charge to bank account

Slide 33: Key Safeguards for Chip Payment Schemes
  - Authentication – None / A Non-Secret / For Higher-Value Transactions Only / Always
      e.g. UK RingGo Parking Payment Scheme – last 4 digits
  - Act of Consent – None / Unclear / Clear
      e.g. Tap the Pad in Response to Display of Fare
  - Notification – None / Audio / Display
      If 'None', then enables surreptitious payment extraction
  - Receipt / Voucher – None / Option or Online / Y
  Example schemes: Octopus; Drive-Through eTags for Road-Tolls; UK RingGo Parking Payment Scheme

Slide 34: Visa PayWave and MCard Paypass
  - Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
  - Act of Consent – None? / Unclear? / Clear? If the card is within 5cm of a device, whether seen or not
  - Notification – None? / Audio? / Display? If 'None', then enables surreptitious payment extraction
  - Receipt / Voucher – None? / Option? / Y?

Slide 35: The (In)Security Profile of Contactless Chip-Card Payment Transactions
  - Non-Authentication, or mere possession: presentation of the card within a device's field, when that device is ready to charge money for something
  - Vulnerable to card-capture, rogue devices, rogue transactions by legitimate devices, ...
  - Relies on: general levels of honesty among merchants and FIs (consumer reconciliation is infeasible – no vouchers, and either very long statements or no statements; fraudulent transactions are obscured); self-insurance by consumers

Slide 36: Key Safeguards Required
  - Choice of Activation or Not
  - Two-Sided Device Authentication, i.e. by Payee's Chip of Payer's Chip, and by Payer's Chip of Payee's Chip
  - Notification to Payer of: Fact of Payment (e.g. Audio-Ack); Amount of Payment
  - At least one Authenticator
  - Protection of the Authenticator(s)
  - A Voucher (Physical and/or Electronic)
  - Regular Account Reconciliation by Payers
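As an added example (not from the slides), the reconciliation safeguard above worked through in Python: a payer matches statement lines against the vouchers they hold, and the contactless lines that issued no voucher surface as unverifiable, which is exactly the gap slide 35 describes. The transactions and vouchers are constructed, and the $100 figure is assumed to be the no-PIN ceiling the slides quote for PayWave.

```python
# Added example, not from the slides: payer-side reconciliation of a card
# statement against held vouchers. Contactless lines at or under the no-PIN
# limit that have no voucher cannot be verified. All data is constructed.
from dataclasses import dataclass

CONTACTLESS_LIMIT = 100.00  # assumed no-PIN ceiling (the slides' PayWave $100)


@dataclass(frozen=True)
class Txn:
    txn_id: str
    merchant: str
    amount: float
    channel: str  # "chip_pin", "contactless" or "online"


def reconcile(statement, vouchers):
    """Match lines to vouchers on (merchant, amount); each voucher is used once."""
    pool = [(v["merchant"], round(v["amount"], 2)) for v in vouchers]
    matched, unmatched = [], []
    for t in statement:
        key = (t.merchant, round(t.amount, 2))
        if key in pool:
            pool.remove(key)
            matched.append(t.txn_id)
        else:
            unmatched.append(t)
    return matched, unmatched


def triage(unmatched):
    """Split unmatched lines into ids the payer can dispute (an authenticator or
    voucher was expected) and ids that are unverifiable: contactless, under the
    limit, no voucher, so a rogue tap is indistinguishable from a real one."""
    unverif = [t.txn_id for t in unmatched
               if t.channel == "contactless" and t.amount <= CONTACTLESS_LIMIT]
    disputable = [t.txn_id for t in unmatched if t.txn_id not in unverif]
    return disputable, unverif


def run_example():
    statement = [  # constructed statement lines
        Txn("T1", "Cafe", 4.50, "contactless"),
        Txn("T2", "Grocer", 62.30, "chip_pin"),
        Txn("T3", "Parking", 12.00, "contactless"),
        Txn("T4", "Bookshop", 45.00, "online"),
        Txn("T5", "Cafe", 4.50, "contactless"),  # second tap, no voucher kept
        Txn("T6", "Electronics", 250.00, "chip_pin"),
    ]
    vouchers = [{"merchant": "Grocer", "amount": 62.30},  # constructed
                {"merchant": "Bookshop", "amount": 45.00},
                {"merchant": "Cafe", "amount": 4.50}]
    matched, unmatched = reconcile(statement, vouchers)
    return (matched,) + triage(unmatched)
```

Running `run_example()` yields matched T1, T2 and T4, a disputable T6, and unverifiable T3 and T5: the two small contactless lines are the ones the payer has no way to check.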

Slide 37: The Status of Consumer Protection
  - EFT Code of Conduct – phasing out: http://www.asic.gov.au/asic/pdflib.nsf/LookupByFileName/EFT-Code-as-amended-from-1-July-2012.pdf
  - ePayments Code – phasing in by 30 March 2013: http://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument
  - Soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...
  - The banks have sought to weaken the protections (in NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)
  - The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'

Slide 38: Payments in the Network Era: Initially Wired, Increasingly Unwired
  - Secure Models: ATMs; EFTPOS – Dr Tx; Internet Banking; Debit Tx over the Internet
  - Insecure Models: EFTPOS – Cr Tx; Credit Card Tx over the Internet (CNP / MOTO)
  - Highly Insecure Models: Contactless-Chip / RFID / NFC

Slide 39: Mobile Security Agenda (recap)
  1. The Motivation
  2. Mobile Technology
  3. Mobile Technology Users
  4. Mobile Payments
  5. Risk Assessment for Mobile Payments
  6. Risk Assessment for Contactless Chips

Slide 40: closing slide (repeats the title slide: COMP 3410 – I.T. in Electronic Commerce, eSecurity: Mobile Security, Roger Clarke, ANU RSCS, 16 October 2012)

