Mitigating Mobile Security Risks: PwC's Desai on How to Improve Mobile Payment Devices
The total number of detected security incidents is growing at a rate of 48 percent, says a global information security survey report from PricewaterhouseCoopers. It says many organizations are unaware of attacks, and the rise in incidents is in part due to increasing use of mobile applications and payment devices.
Suhas Desai, associate director, Cybersecurity, PwC India, says mobile payment methods have adversely impacted all enterprises across Asia Pacific. Some mobile trends have increased the security challenges for CISOs across all enterprises, as the attack vectors against mobile payment devices have compromised the devices, applications and infrastructure.
However, Desai says that practitioners must understand risk patterns that take place across applications, devices and communications channels if risks involving mobile devices are to be mitigated.
In this interview with Information Security Media Group, Desai says security starts at the design and architecture level; and to develop a secure architecture, it's important to understand the mobile payment eco-system. He discusses:
- Real-time mobile security risks;
- Avoiding common mistakes in source code;
- Ways to secure mobile payment infrastructure.
Desai has nine years of industry experience in cybersecurity, with extensive skills in cloud and mobile security, mobile payments, software security, MDM and financial inclusion security. He has two patents (pending) on mobile security and authored several research papers on USSD.
Mobile Payment Trends
GEETHA NANDIKOTKUR: It is said that the trend of mobile payments and payment devices usage has boosted security risks for consumers. What kind of attack vectors are emerging that challenge security teams?
SUHAS DESAI: I must say that mobile payment methods have adversely impacted all enterprises across Asia Pacific. According to a report from PwC, mobile payments in the US alone are predicted to reach $37 billion in 2015 and $808 billion by 2019. Some of the trends like contactless payments, cardless cash withdrawal, QR code payments and wearable payments have increased security challenges for CISOs across enterprises. The reason: attack vectors have compromised the devices, payment applications and payment terminal infrastructure. Some important threats users face include phishing and attacks directed through physical interfaces and wireless interfaces. Mobile application security vulnerabilities are on the rise, and server-side web application or web services security vulnerabilities have multiplied. Security teams notice compromises of back-end infrastructure.
In addition, common security vulnerabilities are posing a big threat to the enterprise infrastructure due to add-on devices, applications, the device and OS, local storage and communications.
Real-time Mobile Security Risks
NANDIKOTKUR: What security risks must security practitioners be cautioned about?
DESAI: To address any risk associated with mobile payments, it is critical to understand the risk pattern across applications, devices, communication channels and add-on devices. That would be:
- Mobile Device Risks: caused by direct and wireless interfaces, with the use of malware, third-party applications or automatically generated malicious applications on Android and iPhone.
- Mobile Application Risks: insecure data storage, as the data is not stored encrypted by the application; reliance on OS security controls; unauthorized access to PII and insecure payloads; reverse engineering involving sensitive data disclosure and patching the application.
- Payment Device Risks: caused by unrestricted access to settings and through communication channels, as a Bluetooth device is integrated on the payment device.
- Add-on Device Risks: caused by fingerprint scanners and printers.
8 Common Mistakes in Source Code
NANDIKOTKUR: Against these risks, then, what are the risk mitigation strategies that security heads must plan for?
DESAI: The key and most important mitigation technique I'd recommend is a secure SDLC program. One should take note of the common mistakes in source code:
- Hardcoded sensitive data;
- Cryptography usage;
- Exception and error handling;
- Logging;
- Improper code signing;
- Configuration files;
- Session management.
Against these slips, a secure SDLC is one way of creating a robust breach response model. There are three stages to the secure software development life cycle: define security principles; secure development; and assess, remediate and secure release.
Security starts at the design and architecture level, and to develop a secure architecture, it is important to understand the mobile payment eco-system, business logic and customer usage. I'd recommend securing source code by applying OWASP mobile security guidelines in source code development. Security teams need to align with developers in ensuring a secure release, involving code signing, server security, device security, controls and an incident management strategy.
Our Global State of Information Security Survey 2015 discovered that less than 50 percent ban user-owned devices from workplace/network access instead of following a secure SDLC policy. At the most they use mobile device management or mobile access management software.
Mobile Security Best Practices
NANDIKOTKUR: What do you recommend as regards mobile security best practices?
DESAI: There are a couple of imperatives that practitioners must work on to secure mobile payment infrastructure:
- Secure data integration with third-party services and applications: Validate the third-party code/library integration and the consent mechanism during application install, data transit and opt-out functionalities.
- Secure backend services and the platform: Implement secure backend APIs or services, server and infrastructure hardening, secure data transfer between the mobile device and web-server external interfaces.
- Data storage and protection: Implement data encryption/hashing on the device and server, using NIST-approved encryption standard algorithms to encrypt the sensitive data. A point to remember is that encryption keys shall never be in RAM; instead, they must be generated in real time for encryption/decryption as needed and discarded each time.
- Authentication, Authorization and Session manager: Two-factor authentication, unique session tokens to form valid and unique message payloads