TRANSCRIPT
The rising standards of EU Mobile Payments
October 2015
Jeremy King, International Director
We live in an increasingly connected world
42 Billion objects by end 2015
100 Billion objects by end 2020
About us: Founded in 2006 - Guiding open standards for payment card security
• Development
• Management
• Education
• Awareness
PCI Security Standards Suite
Protection of Cardholder Payment Data
The UK is now a smartphone society
• According to Ofcom
• Smartphones overtake laptops as UK internet users’ number one device
• Two thirds of people now own a smartphone, using it for nearly two hours every day to browse the internet, access social media, bank and shop online.
• Superfast 4G is helping change the way we shop, bank, watch TV and communicate
Mobile Payments
However: 54 percent of respondents do not think that security is a benefit of m-payments in-store. More than 87 percent of respondents expressed interest in using m-payments technology if security and fraud protection were guaranteed.
Consumers changing the way they interact with their bank
• 44% confirmed using Mobile Banking App regularly
• 80% confirmed using Online banking regularly
• Interestingly, telephone banking is being used much less
• 46% never use telephone banking
TSYS: 2015 U.K. Consumer Mobile Payment Study
Understanding Credit Card Fraud is Simple
Steal the card Steal the PIN Steal the data
Oops…Nearly Forgot
Or you steal their phone, or buy their phone when they change it, or just pick it up from the back of the taxi, train carriage, plane or cafe where they dropped it
Which is not as strange as you may think
In 2014 TFL had 20,309 mobile phones handed in as lost property
Security risks and challenges remain
OWASP top 10 Mobile risks
Mobile Risks: Physical Security
• Mobile phones have limited if any Physical Security
• Secure microprocessors are rarely used, and address and data buses are openly available for monitoring and data capture
• Lost or stolen phones can easily have stored data accessed; this may include personal and card data
• Incorrect Permissions
• An app with too many permissions may perform unintended functions
• Permissions are vulnerable to hijacking by another app, which may obtain and transmit customer information
• Exposed Communications
• Exposed internal comms allow apps to gather unintended information and inject new information
• Exposed external comms (network, WiFi, Bluetooth, NFC, etc.) allow man-in-the-middle attacks
• Functionality
• Unintended functions could be performed outside of an app’s normal/expected activity
Mobile Risks: Logical
Mobile Risks: Applications
• A new Trojan called Ghost Push has been wreaking havoc on thousands of Android devices across the world. It hides itself within popular apps and has made its way into various marketplaces, including the Google Play Store. It reportedly gains root access and automatically downloads unwanted apps and ads.
• In addition, some devices allow the installation of “unsigned” apps from outside the vendor’s preferred app store.
Mobile Malware
Mobile Risk: Criminals conning customers
The alarming texts encourage people to call a number or visit a website, often as a matter of urgency.
But the phone number or website is actually controlled by a criminal, enabling them to fool customers into handing over security details that can be used to access the victim's bank account and steal money.
To make the texts seem authentic, the fraudsters use specialist software that alters the sender ID on a message so that it appears with the name of a bank as the sender.
Fraud warning texts from criminals pretending to be your bank
BANK customers who receive text alerts about fraud could actually fall for a scam sent by the very fraudsters warned about in the message, experts have cautioned.
Mobile Risk: Open Ports
• It may be charging but what else is it doing?
• Hardware ports are not controlled
• Open USB ports can allow criminals to insert or extract data whilst the phone is charging
Mobile Risk: Any old iron
• Old, unused phones are rarely decommissioned properly, leaving them full of stored personal information and confidential data
4857 used iPhone 5s
More and more often we are bringing these devices to work
What do we know?
• Mobile phones are not secure
• Consumers like using their mobile phones
• Merchants and banks see mobile phones as a great opportunity
• Criminals see mobile phones as a greater opportunity
Accepting Payments
Mobile POS
PCI Guidance Documents on Mobile
Tokenisation
• Apple Pay
• Samsung Pay
• Mobile Wallets
Please visit our website at www.pcisecuritystandards.org