This presentation was given at the Credit Union InfoSec 2013 Conference in Las Vegas, NV.

1. Think beyond. Go beyond.
Securing 3-mode Mobile Banking
Jay McLaughlin, CISSP
SVP, Chief Security Officer
Q2ebanking

2. Agenda
• Impact: Consumerization of Technology
• Understanding the Threat Landscape
• Securing the Channel
• Evolving Security within this Space
• Summary & QA

3. Mobile Waves
• 300,000
• 1.2 billion
• 8 trillion
• 35 billion
• 1 billion
• apps developed in 3 years
• mobile web users
• SMS messages sent last year
• value of apps downloaded
• Est mobile banking customers*
*Source: Juniper Research, Mar 2013

4. Consumerization of Technology
• Growing tendency for new information
technology to emerge first in the consumer
market and then spread into business and
government organizations
• Consumer markets as the primary driver of
information technology innovation
• One of the most difficult issues facing
mobile banking today is providing access
to the multiplicity of devices that customers
use.
– This list of devices has only grown longer and more
complex with the addition of tablets

5. Growing Impact
People camped outside of Apple’s stores to purchased
the iPhone & iPad!
When was the last time a customer camped outside of
your branch with excitement?
5

6. Source: Chetan Sharma Consulting, 2012 www.chetansharma.com
Putting Global Mobile in Context

7. Mobile Phones Outnumber Credit Cards

8. Apps On The Rise

9. The Common Language: SMS
• Providing a text channel should be a high priority
• Text message banking offers compelling advantages
– Encourages consumers to avoid more costly in‐branch
and phone interactions, while at the same time boosting
consumer satisfaction through increased convenience.
Providing a text channel is necessary to raise mobile
banking
– And, unlike browser and app banking channels, text
message banking does not require costly development
across multiple platforms.
– Adoption across all levels of
mobile device ownership

10. Critical Barrier to Adoption
• Awareness [about mobile banking] is limited
to slightly more than half of all smartphone
owners with a bank account
• Concerns about the security of mobile
banking and mobile payment technologies
remain one of the primary impediments to
further adoption
– *Security concerns are cited as the top barrier to
both online and mobile banking
(*Source: Javelin Research “Mobile Banking Financial Institution Scorecard, Nov 2012)

11. Think beyond. Go beyond.
Understanding the Threats

12. • As the technology changes, the attack surface will change
• Fraudsters have all the tools they need to effectively turn
mobile malware into the biggest customer security problem
we've ever seen.
– Important factor is lacking - customer adoption. Number of users who bank
online from their mobile devices is still relatively low in comparison.
– Additionally, transactions types are limited or not yet enabled for mobile devices.
Since online fraud is mostly a big numbers game, attacking mobile bankers is
not yet an effective fraud operation.
• Security vendor Trusteer has predicted that within 12 to 24
months over 1 in 20 (5.6%) of all Android and iOS devices
ARE LIKELY to be infected by mobile malware
Incoming!!! Mobile!!!

13. Mobile: Current Threat Landscape
• App Stores
– AppStore, GooglePlay, BlackberryWorld, WindowsPhone store
• Mobile malware (Trojans, downloaders, etc.)
• Insecure device security (rooting, jail breaking, etc.)
• Insecure applications
– Ex. third-party APIs, insecure data storage, information disclosure
• User exploitation
• Failure to recognize the power of mobile devices

14. Remember 1993? …10 years later…

15. Mobile Malware
• Researchers identify
first instance of
mobile malware in
2004
• More than 80 infected
apps have been
removed from Google
Play since 2011
• Android malware has
infected more than
250,000 users
ex. Gozi

16. Mobile Malware Dangers

17. • Mobile malware component that ZeuS entices users
to load and run in their mobile devices.
• ZitMO (aka “ZeuS-in-the-Mobile”) / CitMO (Carberg)
Mobile Malware
http://www.infosecurity-magazine.com/view/29705/-zeus-malware-
throws-36-million-lightning-bolt-across-europe

18. Malware Vectors
• Malicious apps in App Store
• Vulnerabilities in software leveraged during
normal user behavior (exploits)
• Malicious e-mail or attachment (“spear
phishing”)
• Malicious web content (“drive by download”)
• Fewer vectors – absence of Flash Java

19. Malicious Apps

20. Security Models: iOS vs. Android
• iOS
– Mandatory code signing by Apple
– Individual apps are sandboxed using mandatory
access control (MAC) security
– Uses ASLR on sysbin and some apps
– Single app store to control publishing
• Android
– Can load new code at runtime
– Sandbox is flawed allowing an app to exploit the kernel
– Apps can have any permissions, require approval
– Many app stores (Google, Amazon, underground)

21. Security Around The Delivery of the App
• Code Signing requires apps to be
downloaded from the App Store
• Publishers’ real-world identities
are verified by Apple
• Apps are reviewed by Apple before
they are available in App Store
• Apple acts as an Anti-Virus for iOS

22. Year in Review: Mobile Threatscape
(*Source: F-Secure Mobile Threat Report Q4 2012)

23. Jail breaking Devices
• sn0wbreeze, redsn0w, acidsn0w,
jailbreakme, greenpoison
• Why? for functionality, more apps
• “Jailbreaking” or “rooting destroys
the security model
• Jailbreaking techniques leave the
device with a standard root
password that may grant admin-
level access
• Convenience at the sake of security

24. Physical Attacks
• Latest proof of concept device attack
– If physical access is ever gained, GAMEOVER.
Source: BBC News, June 2013 http://www.bbc.co.uk/news/technology-22764815

26. QR Codes
• QR codes surfacing
containing malicious
links
• First case confirmed by
Kaspersky Labs last year
- mobile malware used to
send premium SMS
messages
http://siliconangle.com/blog/
2011/10/21/infected-qr-malware-
surfaces-on-smartphones-apps/

27. Can you spot which one is EVIL?

28. Think beyond. Go beyond.
Securing the Channel

29. Emerging Target
• Fraudsters target the largest bang
for their buck
– Currently represents online channel
• Perception is not necessarily
Reality
– but expect the mobile channel to
present itself as a larger target as
adoption increases

30. Mobile Security
• Mobile banking presents a set of security
risks [significantly] different than those for
non-mobile online banking…NOT REALLY
• User authentication, transaction
authorization, and data security in the
mobile channel must be dealt with
– Is it different than securing other channels?

31. Device Security
• It is hard to design a security model which
protects against programs a user
downloads and wants to run
• It is typically not the job of the OS to
prevent you from running the programs
you choose to run
• Anti-Virus is designed to help decide
which programs are okay to run and which
are not

32. • Defense-in-depth
Ø “deep” or “elastic”
• Derived from a military strategy;
requires that a defender deploy
resources at and well behind the
front line
• Reliance on any single control or
mitigating factor is not sufficient
• Prevents shortfalls in any single
defense control
Building a Layered Security Model

33. Consumer Focus Group: Computer Security

34. Mobile Authentication
• Extend online security models
– provides comprehensive, multi-layered security
features for both you and your end users
– FFIEC Guidance called out the mobile channel
• Out-of-band multi-factor authentication (MFA)
• Leveraging temporary access codes (TACs)
• Delivery via phone call, SMS, email
• Device registration using HTML5 cookies

35. Out-of-Band 2F Will Replace Passwords
Out-of-band two factor authentication is becoming more popular
across consumer technologies replacing passwords

36. It’s More Mainstream than you Realize

37. Mobile Transaction Authorization
• Out-of-Band Transaction approval
Direct from FFIEC’s June 2011 Guidance
“Out-of-band authentication means that a
transaction that is initiated via one delivery
channel [e.g.. online] must be re-
authenticated or verified via an
independent delivery channel [e.g..
telephone] in order for the transaction to be
completed”

38. Leverage Alerts
• Users must play a part and participate in fighting fraud
• Real-time alerts delivered to a victim are timely and provide
the opportunity to alert the financial institution of activity
• Transactional Alerting
Ø Ex: creation, authorization
• Changes to profile settings
• Security Event Alerts
Ø Ex: pwd changes, failed logon attempts

39. Behavioral & Machine Learning Models
Login
Behavior
Time of Login
Location of
Login
Transaction
Behavior
Transaction
Behavioral
Models
Dom/Intl Wire,
ACH, Payroll,
Ext Transfer,
Transaction
Policies
Recipient
Monitoring
Modifications
to templates
Endpoint
Interrogation
User Agent
Device ID
Recognized
Devices
Score
Yes or No
Suspect or Normal

40. Secure Development & Testing
• Develop with security at the foundation
– Follow best practices, SDLC, etc.
• Intentionally limit app caching
– Can perform app cache clearing during init
• HTML5 rendering performed client side
– BLOB sent from server to client
– Limits injection, XSS, other attacks

41. Think beyond. Go beyond.
Closing Remarks

42. “The future
ain’t what it
used to be.”
- Lawrence “Yogi” Berra
New York Yankees, 1946-1964
The Future

43. Get Out in Front
• Ad-hoc approaches result in
reactive decisions
• Disruptive changes present
opportunities

44. Q & A
Declare var $response!
!
if [?] >= ‘1’!
!
!then!
!
! !$response = ‘answer’!
!
!else !
!
! !$response = ‘thankyou’!
!
end if;!

45. linkedin.com/in/mclaughlinjay
jmclaughlin@q2ebanking.com
Thank you