Friday, January 16, 2015

Mobile Payment Risks and Security

Prepared By:
Glenn Ford

Table of Contents

1    Executive Summary  

2    What are Mobile Payments?  

2.1    Mobile-point-of-sale  

2.2    Proximity mobile payments  

2.3    Remote mobile payments  

2.4    Mobile Payments Growth  

3    Popular Mobile Payment Applications Overview  

3.1    Google Wallet Overview  

3.1.1    Google Wallet Security Analysis  

3.1.2    Google Wallet Reported Vulnerabilities  

3.2    Apple Pay Overview  

3.2.1    Apple Pay Security Analysis  

3.2.2    Apple Pay Reported Vulnerabilities  

4    Mobile Payment Industry Risk and Security Concerns  

4.1    Mobile Payment Risks  

4.2    Mobile Application Risks  

4.3    Strategies to Address Risks  

5    Conclusion  

6    References

1. Executive Summary

Mobile payments are quickly becoming ubiquitous, from developing nations in Africa to Europe and the United States. In the United States alone the mobile payments industry will grow by over $400 billion from 2014 to 2018, representing an incredible 600 percent growth. In that same time frame, United States mobile payments done at brick and mortar stores will grow by over $180 billion.
With growth comes risk. As more and more mobile device users make payments with an ever increasing number of applications and websites, the attack surface grows. The end user is not the only attack vector; merchants are also at risk. Merchants use mobile-point-of-sale (mPOS), point-of-sale and other systems and communication links to authenticate, authorize and complete a transaction. Banks, communication providers, and payment processor services are also often required to complete the payment transaction. With so many assets and stakeholders involved in completing a single mobile payment, malicious actors have a target-rich environment.
There are three main mobile payment methods: mPOS, proximity mobile payments, and remote mobile payments. Each of these payment methods has a multitude of technologies, configurations, assets and stakeholders. This creates an almost limitless number of permutations, further muddying the security posture of any single implementation.
Google Android and Apple iOS devices account for most of the mobile industry. Each has its own mobile payment application: Google Wallet, released in 2011, and Apple Pay, announced in September 2014. Both use near field communication (NFC) technology to execute mobile payments, but beyond that they differ in their implementation styles. Security analysis of both products reveals various potential security risks, highlighting the fact that even the largest enterprises' mobile payment solutions do not guarantee consumers a risk-free mobile payment.
The mobile payment ecosystem has specific risks, such as: identity theft, information disclosure, repudiation, replay attacks, authentication weaknesses, obsolete consumer technology, transaction fraud, and denial of service. The vulnerability and threat behind each risk are summarized, along with proposed countermeasures.
Mobile payment risks are a subset of the broader set of mobile device attack vectors, and it is important to understand the difference. The Open Web Application Security Project (OWASP) publishes a top 10 list of mobile security risks, which should be part of any overall security solution.
Mobile applications such as Google Wallet and Apple Pay can have very specific risks of their own, and those need to be considered as part of overall mobile security: in development, acceptance testing, the application examination process, and the security software that runs on the device itself. A top 10 list of mobile application risks is summarized, with a brief discussion of why each matters.
An overall strategy to mitigate mobile payment risk is to map out the threat landscape of the mobile payment ecosystem and then implement a detailed test plan. Proper development of test policies and procedures is vital to risk mitigation by all major stakeholders. It is equally important that stakeholders, such as banks and payment processor services, collaborate on security. Proper data classification is another strategy to mitigate risk: a number of the reported vulnerabilities show that proper data classification was not done, so the overall security plan should include data classification policies and procedures. Once data is classified, an encryption strategy should be applied to data-at-rest, data-in-transit, and data-in-use (in memory or in process), using cryptography validated under FIPS 140-2. Finally, apply defense in depth: layer security controls so that each layer includes proper data classification and encryption.
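To make three of the risks listed above concrete (replay attacks, repudiation of a transaction, and authentication of the paying device), here is an added example of a replay-resistant remote payment authorization. It is illustrative code written for this page, not code from the paper and not how Google Wallet or Apple Pay actually sign transactions. It assumes a 32-byte symmetric key shared between each device and the payment server (in a real deployment the device copy would live in a secure element), a 120-second clock-skew window, and an in-memory nonce cache; the names `build_authorization`, `PaymentAuthorizer`, `device_keys` and the message fields are all hypothetical.

```python
"""Replay-resistant authorization messages for a remote mobile payment.

Added example, not code from the paper or from any production wallet.
Each authorization carries a random nonce, a timestamp and an HMAC computed
with a per-device key; the server rejects tampered, stale and replayed
messages before any money moves.
Assumptions: a 32-byte symmetric key per device, a 120-second skew window,
and an in-memory nonce cache (hypothetical design, not a vendor's protocol).
"""
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Dict, Tuple

Clock = Callable[[], float]


def _canonical(fields: dict) -> bytes:
    # Deterministic encoding so device and server MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_authorization(device_id: str, key: bytes, amount_cents: int,
                        merchant_id: str, clock: Clock = time.time) -> dict:
    """Device side: assemble and MAC one payment authorization (hypothetical format)."""
    msg = {
        "device_id": device_id,
        "amount_cents": amount_cents,
        "merchant_id": merchant_id,
        "nonce": os.urandom(16).hex(),   # fresh per message; defeats replay
        "ts": int(clock()),              # lets the server bound nonce storage
    }
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class PaymentAuthorizer:
    """Server side: verify MAC, freshness and uniqueness before authorizing."""

    def __init__(self, device_keys: Dict[str, bytes], window_seconds: int = 120,
                 clock: Clock = time.time):
        self._keys = device_keys          # assumption: keys provisioned out of band
        self._window = window_seconds
        self._clock = clock
        self._seen: Dict[Tuple[str, str], int] = {}  # (device, nonce) -> ts

    def cached_nonces(self) -> int:
        return len(self._seen)

    def _purge(self, now: int) -> None:
        # A nonce older than the window would be rejected as stale anyway,
        # so dropping it keeps the cache bounded without weakening the check.
        expired = [k for k, ts in self._seen.items() if now - ts > self._window]
        for k in expired:
            del self._seen[k]

    def verify(self, msg: dict) -> Tuple[bool, str]:
        key = self._keys.get(msg.get("device_id"))
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks timing on the MAC bytes.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        # Only a MAC-valid message reaches here, so ts and nonce are the
        # device's own values, not attacker-chosen ones.
        now = int(self._clock())
        if abs(now - int(msg["ts"])) > self._window:
            return False, "stale"
        self._purge(now)
        tag = (msg["device_id"], msg["nonce"])
        if tag in self._seen:
            return False, "replay"
        self._seen[tag] = int(msg["ts"])
        return True, "accepted"


if __name__ == "__main__":
    demo_key = os.urandom(32)
    server = PaymentAuthorizer({"dev-1": demo_key})
    auth = build_authorization("dev-1", demo_key, 1999, "merchant-42")
    print("first delivery :", server.verify(auth))   # accepted
    print("second delivery:", server.verify(auth))   # replay
    auth["amount_cents"] = 1
    print("tampered amount:", server.verify(auth))   # bad mac
```

The nonce alone stops a captured authorization from being submitted twice; the timestamp is what lets the server forget old nonces without reopening the replay window. The MAC binds the amount and merchant to the device key, so a relayed message cannot be re-priced in transit, and the per-device key gives the bank a non-repudiation hook for the device that produced it.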

Monday, December 1, 2014

How to do Negative SEO for Reputation Management or to Kill your Competition

This isn't exactly a cyber security topic, but protecting your website is, and this could be something that is happening to you. First off, what is negative SEO? In April 2012 Google launched an algorithm called Penguin. From that moment forward, negative SEO was born. You could now build spam links to your competitors, or to knock out undesirable search results when managing your brand's reputation. It wasn't just this one algorithm that made it possible; Penguin was the first of several anti-spam algorithms Google released to penalize black hat SEO. You can see a full history at Moz.

In October 2012, Google, which had all along said in no uncertain terms that you can't be hurt by negative SEO, released a disavow tool. This made it possible to get rid of unwanted links that point to your website. You would think negative SEO is dead, right?

Think again...

Wednesday, October 15, 2014

Students and Surveillance

Below is a text summarization of this excellent article:


Instead, FERPA threatens to take federal funding away from schools who are found to have breached student privacy while it fails to mandate bare minimum security standards for the storage and transmission of student data. Though lawmakers and privacy advocates are regularly outraged at the immense volume of student data freely floating through the web, the repeated failure to create legislation that protects student data from being used for profit is astounding. In the case of Securly, the first filtering tool designed for schools, the controls set by IT and administration for web access can extend far beyond the walls of the school and determine what content students can access while using school-issued machines from their home internet connections.

Friday, May 30, 2014

Wednesday, May 7, 2014

An Insider Attack on the eCommerce Industry

CYBR650 Research Paper

Glenn Ford and Zack Rich
UMBC Cybersecurity M.P.S.
CYBR650 - Managing Cyber Operations
Dr. Robert R. Romano
April 29, 2014

An Assessment of Cybersecurity Environment in Russian Federation

Glenn Ford, Timothy Casassa, Zack Rich

Friday, March 28, 2014

Ransomware Challenges Posed by Cyber Criminals

Ransomware dates back to 1989 and the AIDS Trojan, which modified the autoexec.bat file so that, once the computer had booted 90 times, the malware began to hide directories and encrypt the names of all files. It then prompted the user to renew their license by sending a $189.00 payment to PC Cyborg Corporation at a P.O. Box in Panama (Smith, 2002). The number of unique new ransomware samples was almost 250,000 in the first three months of 2013, double the figure for the first quarter of 2012. Even more troubling is the reported number of infections, and visibility into infection data is limited because the counts come only from client machines that share detection data with McAfee. There are two main reasons for the increased popularity of ransomware: (1) cybercriminals have easy access to anonymous payment systems, such as Bitcoin; and (2) there is a thriving underground market offering pay-per-install services on pre-infected computers, such as Citadel. Cybercriminals can also easily purchase ransomware kits, such as Lyposit, from the underground markets (McAfee Labs, 2013a, p. 12).