
Privacy & Trust in Mobile Financial Services

Explore the risks in mobile financial services including malware, fraud, and compliance issues. Learn about examples like ZeuS botnets and how to protect against them.


Presentation Transcript


  1. Privacy & Trust in Mobile Financial Services. Gavin McWilliams, Engineering Manager

  2. Threats to Mobile Financial Services
  • Compliance & Regulation: customer data loss, mandatory public disclosure, reputational damage
  • Market Failure: poor user adoption rates, resurgence of existing technology
  • Mobile Malware: banking virus infection, mule accounts, money laundering
  • Technology Failures: cracked crypto keys & hardware security modules
  • Fraud: end user and/or retail fraudulent use of services


  8. Mobile Malware
  • 75% of new malware targeted at Android
  • RIM now porting Android Apps to Blackberry
  • 36% SMS Trojans: premium rate message services
  • Relatively unsophisticated: limited attempts at code obfuscation
  • 42,000 reported cases of fraud in 2011
  • Official Marketplaces are Protected: Google Bouncer; iTunes commercial chain
  • Off-piste danger…

  9. Mobile Malware Eco-System (UK). Diagram listing the actors: Mobile Handset Manufacturers; Regulator (Ofcom, PhonePayPlus); Law Enforcement Agencies; Mobile System Software; Anti-Virus Vendors; Mobile Marketplaces; Content Aggregators; PRS Resellers; Information Commissioner's Office; App Developers; Mobile Network Operators

  10. Mobile Malware Eco-System (UK). Diagram listing the actors: PC System Software; Software Developers; Broadband Network Operators; Law Enforcement Agencies; Anti-Virus Vendors; Mobile Marketplaces; Content Aggregators; PRS Resellers; PC Manufacturers; Information Commissioner's Office; Regulator (Ofcom)

  11. Learning Points from Broadband http://www.dataprotectioncenter.com/security/web-threats-trends-and-statistics, 2011

  12. Example Botnet – ZeuS
  • Trojan first observed in mid-2007
  • HTTP as command and control mechanism
  • Targets mostly financial institutions (online banking)
  • Spreads through social engineering attacks, e.g. spam campaigns and phishing
  • Polymorphic: signature-based detection difficult
  • Suicide-trojan: able to self-destruct
  • Activity increased by 130% between 2009 and 2010

  13. Example Botnet – ZeuS
  • Recently merged with SpyEye, dubbed the ZeuS killer!
  • Ice IX botnet based on ZeuS' older source code
  • January 2012: 'Gameover' malware traced to maker of ZeuS
  • More distributed C&C (P2P)
  • Launch DDoS attack against targets (e.g. bank, financial institutions) immediately after stealing money
  • Diversion: while target deals with attack, criminals launder money (e.g. by purchasing jewelry)

  14. Broadband ISP response to Botnets
  • US Anti-Bot Code of Conduct for Internet Service Providers (A Voluntary Code), March 2012
  • "…an ISP will engage in at least one activity in each of the following general areas:"
  • Education: increase end-user education and awareness of botnet issues
  • Detection: identify botnet activity in the ISP's network
  • Notification: notify customers of suspected bot infections
  • Remediation: provide information or assist end-users in remediating bot infections
  • Collaboration: share with other ISPs feedback and experience learned

  15. The Botnet Challenge
  • Can Mobey Forum do better?
  • 5 billion mobile handsets: much bigger problem than ISPs
  • One clear target for malware developers: Windows XP all over again
  • Customer base who don't understand Android Manifest files; can't judge what services are appropriate for an App
  • Big Advantage: handsets are portable and can be brought to a remediation service
  • Detection of malicious traffic in Mobile Operator Networks

  16. CSIT Test Network

  17. Experimental Setup

  18. ZeuS Traffic Detection
  • C&C Periodicity 1 (XP SP3): GET requests every 3600s (default); POST requests every 1200s (default)
  • C&C Periodicity 2 (XP SP2)
  • Packet size: GET/POST request sizes constant within host. Pattern observed: x, x-1, x-1, x-1, x-1 (XP SP2); x, x+1, x+1 (XP SP3)
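As an added illustration (not part of the original deck), the two heuristics on this slide, a fixed GET/POST beacon period and request sizes that vary by at most one byte per host, can be turned into detection logic over proxy logs. The log format, host addresses, jitter tolerance and minimum hit count below are assumptions.

```python
from collections import defaultdict

# Constructed proxy-log lines (not from the slides): epoch_seconds src_host method bytes
SAMPLE_LOG = """\
1000 10.0.0.5 GET 312
4600 10.0.0.5 GET 311
8200 10.0.0.5 GET 311
11800 10.0.0.5 GET 311
1000 10.0.0.5 POST 540
2200 10.0.0.5 POST 541
3400 10.0.0.5 POST 541
4600 10.0.0.5 POST 541
1000 10.0.0.9 GET 1422
1350 10.0.0.9 GET 233
9000 10.0.0.9 POST 7800
"""

def parse_log(text):
    """Group (timestamp, size) samples per (host, method)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, host, method, size = line.split()
        events[(host, method)].append((int(ts), int(size)))
    return events

def is_beacon(samples, period, jitter=0.1, min_hits=3):
    """True if requests recur every ~period seconds with near-constant size.

    jitter is the tolerated fraction of the period (assumed value);
    the size rule mirrors the slide's x, x-1, ... / x, x+1, ... pattern.
    """
    if len(samples) < min_hits:
        return False
    samples = sorted(samples)
    gaps = [b[0] - a[0] for a, b in zip(samples, samples[1:])]
    if any(abs(g - period) > jitter * period for g in gaps):
        return False
    sizes = [size for _, size in samples]
    return max(sizes) - min(sizes) <= 1

def find_zeus_beacons(text, get_period=3600, post_period=1200):
    """Return hosts whose GET/POST cadence matches the default ZeuS periodicities."""
    flagged = set()
    for (host, method), samples in parse_log(text).items():
        period = get_period if method == "GET" else post_period
        if is_beacon(samples, period):
            flagged.add(host)
    return sorted(flagged)
```

Only the host beaconing on both default periods with near-constant sizes is flagged; the host with two irregular GETs and a single POST is not.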

  19. Q-Radar Rules Development

  20. Gavin McWilliams. Questions?
