An overview of threats and mitigations for mobile payment industry by Riscure's Marc Witteman. This presentation highlights the benefits of security evaluations for mobile payment applications.
How to secure HCE
1. How to secure HCE?
Marc Witteman (CTO)
HCE Summit, October 15, 2014, London
2. Mobile payment apps
How much security do we need?
a) should be (almost) as secure as smart cards?
b) should just be more secure than mag-stripe?
public
9. Rooting
• Rooting = getting system-level access to all resources
  • Files
  • Memory
  • Peripherals
  • Interfaces
• All OS protection is void once the device is rooted
• Rooting is achieved by exploiting an OS bug
• Many attacks start by rooting…
11. Android attack tools
• Rooting tool, e.g. Towelroot
• Development kit
• Inspection tool, e.g. Androguard
• Disassembler, e.g. IDA
• Debugger, e.g. GDB, JDWP
• Instrumenting, e.g. ADBI, DDI
• Decompiler, e.g. JEB
12. Rooting impact
• Any phone may be rooted
• Any application may be reversed
• Any asset may be compromised
• Malware attacks tend to scale easily
• Is there any hope for mobile software security?
14. Increased security for mobile apps
• Software protection
  • Obfuscation
  • Tamper proofing
  • White-Box crypto
• Hardware security support
  • Secure Element
  • Trusted Execution Environment
• Cloud
  • Secure Element in the cloud
  • Tokenization
• Key rotation / software update
Great security requires an effective mix of countermeasures
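The cloud-side countermeasures above (tokenization and key rotation) can be seen working together in the following added example. It is not code from the slides or from Riscure: it is an illustrative token service in Python, using only the standard library, that provisions a random surrogate token plus a small batch of limited-use keys to the phone, keeps the real PAN and the versioned master keys server-side, and verifies each transaction cryptogram while rejecting replays, tampered amounts, exhausted budgets and tokens bound to a retired key version. It goes beyond the slide by adding a limited-use counter; the HMAC-SHA256 key derivation, the cryptogram format, the use budget of three and the test PANs are all constructed for the example and are not a scheme specification.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str           # real card number; stays in the vault, never on the phone
    key_version: int   # master-key version this token was provisioned under
    uses_left: int     # limited-use budget (constructed value; real schemes set their own)
    counter: int = 0   # last transaction counter accepted, for replay detection


class TokenService:
    """Cloud-side token vault with versioned master keys (illustrative design)."""

    def __init__(self) -> None:
        self._master_keys = {1: secrets.token_bytes(32)}
        self.current_version = 1
        self._records: dict[str, TokenRecord] = {}   # token -> record
        self._pan_index: dict[str, str] = {}         # pan -> token

    # --- key management ------------------------------------------------
    def rotate_master_key(self) -> int:
        """Introduce a new master-key version; tokens issued from now on bind to it."""
        self.current_version += 1
        self._master_keys[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def retire_key_version(self, version: int) -> None:
        """Drop an old master key: every token still bound to it stops verifying."""
        if version == self.current_version:
            raise ValueError("cannot retire the current key version")
        self._master_keys.pop(version, None)

    def _limited_use_key(self, token: str, key_version: int, counter: int) -> bytes:
        """Derive a per-transaction key from the versioned master key (HMAC-based KDF)."""
        label = f"luk|{token}|{counter}".encode()
        return hmac.new(self._master_keys[key_version], label, hashlib.sha256).digest()

    # --- provisioning --------------------------------------------------
    def tokenize(self, pan: str, uses: int = 3) -> tuple[str, list[bytes]]:
        """Issue a random surrogate token and a batch of limited-use keys for the phone."""
        if pan in self._pan_index:
            raise ValueError("PAN already tokenized; re-provision instead")
        token = secrets.token_hex(8)   # random, so the token itself reveals nothing about the PAN
        rec = TokenRecord(pan=pan, key_version=self.current_version, uses_left=uses)
        self._records[token] = rec
        self._pan_index[pan] = token
        keys = [self._limited_use_key(token, rec.key_version, c) for c in range(1, uses + 1)]
        return token, keys

    # --- authorization -------------------------------------------------
    def authorize(self, token: str, counter: int, amount_cents: int, cryptogram: bytes) -> bool:
        rec = self._records.get(token)
        if rec is None or rec.uses_left <= 0:
            return False                      # unknown token or use budget exhausted
        if counter != rec.counter + 1:
            return False                      # replayed or out-of-order counter
        if rec.key_version not in self._master_keys:
            return False                      # bound to a key version retired by rotation
        expected = make_cryptogram(self._limited_use_key(token, rec.key_version, counter),
                                   token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False                      # amount or token tampered with in transit
        rec.counter = counter
        rec.uses_left -= 1
        return True

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the PAN."""
        return self._records[token].pan


def make_cryptogram(luk: bytes, token: str, counter: int, amount_cents: int) -> bytes:
    """Phone-side step: MAC the transaction with one limited-use key (constructed format)."""
    return hmac.new(luk, f"{token}|{counter}|{amount_cents}".encode(), hashlib.sha256).digest()


def demo() -> dict:
    """Walk through provisioning, replay, tampering, rotation and budget exhaustion."""
    svc = TokenService()
    pan = "4111111111111111"                       # constructed test PAN
    token, luks = svc.tokenize(pan, uses=3)
    r = {}
    r["first"] = svc.authorize(token, 1, 1250, make_cryptogram(luks[0], token, 1, 1250))
    r["replay"] = svc.authorize(token, 1, 1250, make_cryptogram(luks[0], token, 1, 1250))
    r["tampered"] = svc.authorize(token, 2, 99999, make_cryptogram(luks[1], token, 2, 1250))
    r["second"] = svc.authorize(token, 2, 1250, make_cryptogram(luks[1], token, 2, 1250))
    svc.rotate_master_key()                        # new tokens bind to version 2
    token2, luks2 = svc.tokenize("5555555555554444", uses=1)
    svc.retire_key_version(1)                      # old version gone: token 1 stops working
    r["retired"] = svc.authorize(token, 3, 1250, make_cryptogram(luks[2], token, 3, 1250))
    r["new_version"] = svc.authorize(token2, 1, 500, make_cryptogram(luks2[0], token2, 1, 500))
    r["exhausted"] = svc.authorize(token2, 2, 500, make_cryptogram(luks2[0], token2, 2, 500))
    r["pan_hidden"] = token != pan and svc.detokenize(token) == pan
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected'}")
```

The design point is that a rooted phone exposes at most one token and a handful of per-transaction keys: the PAN, the master keys and the ability to mint further keys stay in the cloud, and rotating the master key plus retiring the old version bounds how long stolen material remains useful.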
15. Perfect security?
Hurdles to great security
• Awareness
• Readiness
• Cost
• Bugs
How can you know the strength of your solution?
• Wait for a security breach in the field (plug and pray)
• Test before going live (evaluation)
16. Evaluation benefits
1. Validate assumptions
  • Trust the context?
  • New threats?
2. Find weaknesses
  • Known threats addressed?
  • Implementation flaws?
3. Rate vulnerabilities
  • Severity
  • Impact
4. Mitigate issues
  • Workarounds
  • Development directions
5. Recognition
  • Independent proof of strengths
  • Exposure through scheme
6. Quality
  • Address issues promptly
  • Stay ahead of new threats
Find your weaknesses before they hurt!
17. HCE security certification by Riscure
• Riscure is a leading lab, accredited by major schemes
• Clients: banks and solution providers
• Methodology:
  o black-box (incl. reverse engineering, hacking style)
  o white-box (incl. vulnerability analysis of source code)
• Workload: 25-40 days (incl. iterations)
• Completed and ongoing projects: 4
• Price: meet you at booth 8 to discuss more…
19. Conclusion
• We're in trouble…
  • Smart phones are not secure platforms
  • Scalability of malware attacks increases risk
• Can HCE be secure?
  • New concepts are emerging that may enable secure apps
  • Evaluation can help identify & mitigate risk
  • Interaction between development and evaluation drives industry best practices
• The race is on
20. Contact
Riscure North America
550 Kearny Street, Suite 330
San Francisco CA 94108
USA
Phone: +1 650 646 99 79
inforequest@riscure.com

Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com

Contact: Marc Witteman (witteman@riscure.com)
Evaluation needed? Visit us at booth 8