COMP 2410 – Networked Information Systems
SC3 – Mobile Security

Roger Clarke
Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/II/NIS2410.html#L6
http://www.rogerclarke.com/II/NIS2410-6 {.ppt, .pdf}

ANU RSCS, 2 April 2015

Copyright 2013-15

Networked Information Systems – The Applications Layer

1. Application Architectures
   .1 Master-Slave Architecture
   .2 Client-Server Architecture
       • Cloud Computing
   .3 Peer-to-Peer (P2P) Architecture
2. Categories of Networked Application
   .1 Mobile Computing
   .2 Web 2.0 and Social Media
3. Networked Info Systems Security
   .1 Security of Info and I.T.
   .2 Malware and Other Attacks
   .3 Mobile Security

1. Mobile Devices

'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'

• Nomadic / Untethered Portables
• Mobiles / Smartphones
• Handheld Computing Devices
  PDAs, games machines, music-players, 'converged' / multi-function devices, Tablets esp. iPad but now many followers
• Processing Capabilities in Other 'Form Factors'
  Credit-cards, RFID and NFC tags, subcutaneous chips
• Wearable Computing Devices
  Watches, finger-rings, spectacles, key-rings, necklaces, bracelets, anklets, body-piercings ... chip implants

Wireless Comms

• Wide Area Networks – Satellite (Geosynch; Low-Orbit)
  GS is large footprint, very high latency (c. 2 secs)
• Fixed-Wireless/Line-of-Sight – 802.16 (WiMAX) '08, TD-LTE/LTE-TDD '12
  (3-10 km per cell, high-capacity per user, local monopoly?, trees!)
• Wide Area Networks – Cellular (50m to 10km cell-radius, with increasing capacity per user, particularly 3G onwards)
  1G – Analogue Cellular, e.g. AMPS, TACS
  2G – Digital Cellular, e.g. GSM, CDMA
  3G – GSM/GPRS/EDGE, CDMA2000, UMTS/HSPA
  4G – LTE, deployed / deploying
• Local Area Networks – 'WiFi' (10-100 m radius)
  primarily IEEE 802.11x, where x=a,b,g,n
• Personal Area Networks (1-10 metres) – Bluetooth? Infra-red?
• Contactless Cards / RFID Tags / NFC Chips (1-10cm radius)

Mobile Usage

• Messaging – synch and asynch, 1-1 and m-n
  Email, Chat/IM, Voice, Video, ...
• Content Access
  Open Web, Search
  Semi-Closed Wall-Postings
  Organisational Data
• Content Preparation / Publishing
  Formal Docs, Informal Postings / -blogging
  Open, Corporate, Personal
• Transactions
  Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...


Mobile Security – Agenda

1. Mobile Devices, Comms, Usage
2. Case Studies
   A. Contactless Chip Payment
   B. Location and Tracking
3. Application of the Security Model
4. What Do We Do About It?

2. Case Study A – Contactless Chip Payment

• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 (cf. original $25)

Contactless Chip-Cards as Payment Devices

• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 and $35 resp. (cf. original $25)
• Presence of chip in card is not human-visible, but Logo / Brand may be visible
• No choice whether it's activated
• No choice about the threshold
• Operation of chip in card is not human-apparent
• No action required when within 5cm range, i.e. automatic payment
• No receipt becomes the norm?
• Used as Cr-Card: Unauthenticated auto-lending
• Used as Dr-Card: PIN-less charge to bank account

Key Safeguards for Chip Payment Schemes

• Authentication – None / A Non-Secret // For Higher-Value Transactions Only / Always
  [UK RingGo Parking Payment Scheme – last 4 digits]
• Act of Consent – None / Unclear / Clear
  [e.g. Tap the Pad in Response to Display of Amount Due]
• Notification – None / Audio / Display
  [If 'None', surreptitious payment extraction is feasible]
• Receipt / Voucher – None / Option or Online / Y
  [Octopus, Toll-Roads, UK RingGo Parking Payment Scheme]

Are These Safeguards in Place for Visa PayWave and MCard Paypass?

• Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
• Act of Consent – None? / Unclear? / Clear?
  If the card is within 5cm of a device, whether seen or not
  But the 'consent' is by whoever possesses the card
• Notification – None? / Audio? / Display?
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None? / Option? / Y?

2. Case Study B – Location and Tracking

Location is Inherent to Mobile Technologies
• Insufficient capacity to broadcast all traffic in all cells
• The network needs to know the cell each mobile is in
• Mobiles send registration messages to base-station(s)
• Even if nominally switched off or placed on standby

What's Being Tracked?
• The SIM-card, an identifier of the device, e.g. IMSI
• The mobile-phone id, an entifier of the device, e.g. IMEI
• The person the SIM-card and/or mobile-phone is registered to (and may be required by law to be so)
• Most handsets have one SIM-card, and one user

The Precision of Handset Location

• Intrinsically, the Cell-Size:
  • 1km-10km radius for non-CBD Cells
  • c. 100m radius for WiFi & CBD Cells
• Potentially much more fine-grained:
  • Directional Analysis
  • Differential Signal Analysis
  • Triangulation
  • Self-Reporting of GPS coordinates

Handset Location – Accuracy and Reliability

• Directional Analysis
  The Case of the Cabramatta Murder Conviction
• Differential Signal Analysis
  A Wide Array of Error-Factors
• Triangulation
  Multiple Transceivers, Multiple Error-Factors
• Self-Reporting of GPS coordinates
  Highly situation-dependent, and unknown
  Dependent on US largesse, 'operational requirements'
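The cell-size bound under 'The Precision of Handset Location' and the triangulation error-factors under 'Accuracy and Reliability' can be made concrete with a small calculation. The following is an added example and is not part of Clarke's slides: it trilaterates a handset from its ranges to three base stations, then repeats the fix with each range rounded to the GSM timing-advance step, so the effect of one error-factor on the result can be seen against the cell-radius bound. The base-station layout, the handset position, the 5 km cell radius and the choice of timing-advance quantisation as the error source are all assumptions made for this illustration.

```python
"""
Added example, not from Roger Clarke's slides: trilaterating a handset from
its ranges to three base stations, and comparing the result with the
cell-ID-only bound (the cell radius) that the slides give as the intrinsic
precision of handset location. All positions and errors are constructed.
"""
import math

# Constructed base-station coordinates in metres (local east/north frame).
# Station spacing of a few km matches the 1-10 km non-CBD cell radius on
# the slides.
BASE_STATIONS = [(0.0, 0.0), (6000.0, 0.0), (3000.0, 5000.0)]

# Assumed error-factor: a GSM network learns a handset's distance from its
# timing advance, which is quantised in steps of roughly 553.5 m.
TIMING_ADVANCE_STEP_M = 553.5


def distance(p, q):
    """Euclidean distance between two (x, y) points in metres."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def true_ranges(handset, stations=BASE_STATIONS):
    """Exact ranges from the handset to each station (no error-factors)."""
    return [distance(handset, s) for s in stations]


def quantised_ranges(handset, stations=BASE_STATIONS, step=TIMING_ADVANCE_STEP_M):
    """Ranges as the network would see them when each is rounded to the
    nearest timing-advance step: one of the error-factors on the slides."""
    return [round(r / step) * step for r in true_ranges(handset, stations)]


def trilaterate(stations, ranges):
    """Estimate (x, y) from three station positions and three ranges.

    Each range defines a circle (x - xi)^2 + (y - yi)^2 = ri^2. Subtracting
    the first circle's equation from the other two cancels the quadratic
    terms and leaves two linear equations in x and y, solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = stations
    r1, r2, r3 = ranges
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1 ** 2 - r2 ** 2 + x2 ** 2 - x1 ** 2 + y2 ** 2 - y1 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1 ** 2 - r3 ** 2 + x3 ** 2 - x1 ** 2 + y3 ** 2 - y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("base stations are collinear; no unique fix")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def position_error(handset, ranges, stations=BASE_STATIONS):
    """Distance in metres between the trilaterated fix and the true position."""
    return distance(trilaterate(stations, ranges), handset)


def compare_methods(handset, cell_radius_m=5000.0):
    """Worst-case uncertainty of cell-ID-only location (the cell radius)
    beside the error of trilateration on exact and on quantised ranges."""
    return {
        "cell_id_only_m": cell_radius_m,
        "trilateration_exact_m": position_error(handset, true_ranges(handset)),
        "trilateration_quantised_m": position_error(handset, quantised_ranges(handset)),
    }


if __name__ == "__main__":
    # Constructed handset position inside the triangle of base stations.
    handset = (2000.0, 1500.0)
    for method, err in compare_methods(handset).items():
        print(f"{method:>28}: {err:8.1f} m")
```

With exact ranges the fix is the true position; with ranges rounded to the timing-advance step the fix is still tens of metres from the truth, well inside the 5 km cell-ID bound, which is why the slides describe triangulation as potentially much more fine-grained while still subject to multiple error-factors. Real deployments add multipath, non-line-of-sight propagation and clock error on top of the single factor modelled here.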

The Primary Geolocation Technologies

[Figure not reproduced]
http://www.rogerclarke.com/DV/LTMD.html

Location and Tracking – Some Scenarios

• Arresting a crook
• Investigating the proximity of suspect to crime-scene
• Targeting an enemy

• Being accused of association with another person
• Having your association with a person discovered
• Being targeted by a marketer ...
• ... who knows a great deal about you
• Being monitored by your partner, or your next date
• Being targeted by an enemy
• Being found by a fan, stalker, abusive ex-partner

3. Application of the Security Model to Mobile Usage

• Messaging – synch and asynch, 1-1 and m-n
  Email, Chat/IM, Voice, Video, ...
• Content Access
  Open Web, Search
  Semi-Closed Wall-Postings
  Organisational Data
• Content Preparation / Publishing
  Formal Docs, Informal Postings / -blogging
  Open, Corporate, Personal
• Transactions
  Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...

Conventional IT Security Model

[Figure not reproduced]
http://www.rogerclarke.com/EC/PBAR.html#App1

The Harm Aspect

• Injury to Persons
• Damage to Property
• Loss of Value of an Asset
• Breach of Personal Data Security, or Privacy more generally
• Financial Loss
• Inconvenience and Consequential Costs arising from Identity Fraud (very common)
• Serious Inconvenience and Consequential Costs arising from Identity Theft (very rare)
• Loss of Reputation and Confidence

The Vulnerability Aspect

• The Environment
  • Physical Surroundings
  • Organisational Context
  • Social Engineering
• The Device
  • Hardware, Systems Software
  • Applications
  • Server-Driven Apps (ActiveX, Java, AJAX)
  • The Device's Functions: Known, Unknown, Hidden
  • Software Installation
  • Software Activation
• Communications
  • Transaction Partners
  • Data Transmission
• Intrusions
  • Malware Vectors
  • Malware Payloads
  • Hacking, incl. Backdoors, Botnets

Threat Aspects – Third-Party, Within the System
(Who else can get at you, where, and how?)

• Points-of-Trans'n Physical
  • Observation
  • Coercion
• Points-of-Trans'n Electronic
  • Rogue Devices
  • Rogue Transactions
  • Keystroke Loggers
  • Private Key Reapers
• Comms Network
  • Interception
  • Decryption
  • Man-in-the-Middle Attacks
• Points-of-Processing
  • Rogue Employee
  • Rogue Company
  • Error

Threat Aspects – Third-Party, Within the Device

• Physical Intrusion
• Social Engineering
  • Confidence Tricks
  • Phishing
• Masquerade
• Abuse of Privilege
  • Hardware
  • Software
  • Data
• Electronic Intrusion
  • Interception
  • Cracking / 'Hacking'
  • Bugs
  • Trojans
  • Backdoors
  • Masquerade
  • Distributed Denial of Service (DDOS)
  • Infiltration by Software with a Payload

Threat Aspects – Second-Party

• Situations of Threat
  • Banks
  • Telcos / Mobile Phone Providers
  • Toll-Road eTag Providers
  • Intermediaries
  • Devices
• Safeguards
  • Terms of Contract
  • Risk Allocation
  • Enforceability
  • Consumer Rights

Key Threat / Vulnerability Combinations re Mobile Payments

• Unauthorised Conduct of Transactions
• Interference with Legitimate Transactions
• Acquisition of Identity Authenticators
  e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
  e.g. Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (id authenticator)
  e.g. Biometrics capture and comparison

4. What Do We Do About It?

• Consumers
• Organisations
  • Corporate Devices
  • BYOD

The Status of Consumer Protection

• EFT Code of Conduct – longstanding, phased out
• ePayments Code – wef 30 March 2013
  http://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument
• Soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...
• The banks have sought to weaken the protections (In NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)
• The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'

The Absolute-Minimum Security Safeguards

1. Physical Safeguards
2. Access Control
3. Malware Detection and Eradication
4. Patching Procedures
5. Firewalls
6. Incident Management Processes
7. Logging
8. Backup and Recovery Plans, Procedures
9. Training
10. Responsibility

http://www.xamax.com.au/EC/ISInfo.pdf

Beyond the Absolute-Minimum Safeguards

Risk Assessment, leading to at least some of:

11. Data Communications Encryption
12. Data Storage Encryption
13. Vulnerability Testing
14. Standard Operating Environments
15. Application Whitelisting
16. Device Authentication and Authorisation
17. Use of Virtual Private Networks
18. Intrusion Detection and Prevention
19. User Authentication
20. Firewall Configurations, Outbound

http://www.xamax.com.au/EC/ISInfo.pdf
