
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level

Jan 22, 2018


CA Technologies
Transcript
Page 1: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level

Mobile Risk Analysis: Take Your Mobile App Security to the Next Level

Charley Chell

Security

CA Technologies

Security Product Management

SCT24T

@CharleyChell

#CAWorld

Page 2: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

For Informational Purposes Only

Terms of this Presentation

Page 3: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Abstract

The mobile application is becoming the primary interface between your enterprise and end users — but what will be used to secure this access? Come learn how to leverage data from mobile devices to help identify the legitimacy of a user attempting to log in or perform a sensitive transaction.

Charley Chell

CA Technologies

Advisor

Page 4: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Agenda

1. A BRIEF LOOK AT HISTORY

2. MOBILE DEVICE AUTHENTICATION

3. CAUTIONS

4. RAISING THE SECURITY BAR FOR AUTHENTICATION

Page 5: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication – Traditional Ideas

Something that you KNOW

Something that you HAVE

Something that you ARE

Page 6: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Before Mobile

Page 7: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


The Mobile Device

Brings together something that you HAVE and something that you ARE

Is your mobile separate from you?

Page 8: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Something About Mobile Devices

Everyone has one

Everyone has their own

Everyone (almost) has just one (may change from time to time, but one current)

And, it is not shared!

Page 9: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Mobile Devices and Authentication

Authenticate WITH

Authenticate TO

Authenticate THROUGH

Page 10: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication Schemes

Lifelong: Thumbprint, Driver's License

Years: Work badge, Credit/Debit Card

Days: Hotel room key, Boarding Pass

Page 11: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication Schemes – Cautions

Lifelong: Thumbprint, Driver's License

Years: Work badge, Credit/Debit Card

Days: Hotel room key, Boarding Pass

Cautions annotated on the slide: Fraudulent; Online Check In; Stolen; Sophisticated fraud if the value is there

Page 12: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Mobile Device for Authentication – Significant benefits

Multi-mode usability
– Visual – something the user can view and enter
– Interactive – direct interface at POI
– Automatic – backend without user interaction

Retention of usage history – user audit possible

But, not without risk checks – wealth of data; identify legitimate behavior

Page 13: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


General Pattern for Risk Assessment

Page 14: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication for Browser-Based Access

Assessment generally at key points like login, accessing a new application, sensitive requests

Authentication has evolved:
– From Username / Password
– Evolved to Strong 2FA primary credential, like a HW or SW Token
– Now Evolving to Username / Password + Out-of-Band One-Time Password (OOB OTP)

CA Auth ID

Q&A OATH Tokens

OTP – Out of Band

CA Mobile OTP

Page 15: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication for Browser-Based Access

Considerable discussion on new authenticators. However, there has been little progress on eliminating the password. Many companies use hardware tokens for some small set of users.

The decision process here is largely based on fixed policies. However, the use of behavioral analytics is growing.

Q&A usage is on the decline and is being replaced by One Time Password (OTP) over SMS or email. Confirmation via push notification is gaining ground.

Page 16: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


What’s Driving the Changes?

Change 1 – Use of the Phone as an Authenticator
– Everyone has a Phone
  Hardware tokens too cumbersome
  But the need for multifactor authentication hasn’t changed. Passwords too easy to crack.
– It’s a personal device
  Only used by one person, always available, rarely shared

Page 17: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


What’s Driving the Changes?

Change 2 – Behavioral Analytics Use

– A person’s behavior is difficult to mimic

Attacker must watch for a very long time to determine behavior

Then simulating it is still hard

– And generally, the attacker must change the behavior in order to accomplish the illegal act they are perpetrating

Page 18: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Risk Assessment is a Strong Credential

RISK DATA AVAILABLE

Where is the user? What device is being used? What is the user trying to do? Is the action consistent with history?

LOCATION – Is the location inherently suspect? Have they been there before? Where were they recently?

DEVICE DNA – What kind of device is it? Have they used it before? Has it changed since they last used it?

BEHAVIOR – Is this a typical action for the user? Is the action inherently risky? Have they taken similar actions before?

HISTORY – Is this a normal time of day for them? Is their frequency of login abnormal? Is their current action consistent with prior actions?

Page 19: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication for the Mobile App

“Login” is different. That concept doesn’t really exist in the app world.

App developer has a choice:
– Trust the on-phone authentication (Touch ID)
– Supplement the on-phone authentication with something else, like SMS to verify that the phone is bound to the phone number on file
– Authenticate from the app

Page 20: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Authentication for Browser-Based Access

Access generally is persistent. The app always knows who you are.

The decision process here is largely nonexistent today. Therefore, the concept of risk-based additional authentication is just emerging. But it will take many forms ranging from identity confirmation to transaction signing.

Most apps provide the option to require a PIN/fingerprint at the first major activity.

Page 21: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Why Mobile Risk is Important

Credentials can be compromised:
– Phones may be lost/stolen
– Or simply left unlocked at the desk

Behavioral assessment is the best indicator of identity

Wealth of data available on a phone, much more than in the browser world

Page 22: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Let’s Take a Look at Mobile Risk Up Close

Rich data available on mobile

Can generate a risk score

Can require step up based on score
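As an added illustration (not code from the presentation or from any CA product), the constructed Python sketch below scores one mobile-app event across the four signal categories on the "Risk Assessment is a Strong Credential" slide (location, device DNA, behavior, history) and applies the "require step up based on score" rule from this slide. The profile fields, weights, thresholds and the high-risk action list are all assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    """Constructed history for one user; fields are assumptions for this example."""
    known_countries: set
    known_device_ids: set
    device_fingerprints: dict   # device_id -> fingerprint last seen on that device
    typical_actions: set
    usual_hours: range          # local hours in which the user is normally active
    logins_last_hour: int

@dataclass
class Event:
    country: str
    device_id: str
    fingerprint: str
    action: str
    hour: int
    suspect_country: bool = False   # location flagged by policy (assumed signal)

STEP_UP_THRESHOLD = 50   # assumed: at or above this, require a second factor
DENY_THRESHOLD = 80      # assumed: at or above this, refuse the action
HIGH_RISK_ACTIONS = {"transfer_funds", "change_password"}   # assumed list
def risk_score(profile: UserProfile, ev: Event) -> int:
    """Additive score 0..100 built from the slide's four signal categories."""
    score = 0
    # LOCATION: new country for this user, or a location policy marks as suspect
    score += 25 if ev.country not in profile.known_countries else 0
    score += 20 if ev.suspect_country else 0
    # DEVICE DNA: never-seen device, or a known device whose fingerprint changed
    if ev.device_id not in profile.known_device_ids:
        score += 30
    elif profile.device_fingerprints.get(ev.device_id) != ev.fingerprint:
        score += 20
    # BEHAVIOR: action atypical for this user, or inherently risky
    score += 15 if ev.action not in profile.typical_actions else 0
    score += 15 if ev.action in HIGH_RISK_ACTIONS else 0
    # HISTORY: unusual time of day, or abnormal login frequency
    score += 10 if ev.hour not in profile.usual_hours else 0
    score += 10 if profile.logins_last_hour > 5 else 0
    return min(score, 100)

def decide(profile: UserProfile, ev: Event) -> str:
    """Return 'allow', 'step_up' (e.g. OOB OTP or fingerprint) or 'deny'."""
    score = risk_score(profile, ev)
    if score >= DENY_THRESHOLD:
        return "deny"
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```

A known device whose fingerprint has drifted plus an unusual high-value action lands exactly on the step-up threshold here, while a fresh device from an unknown, policy-flagged country at night saturates the score and is refused outright.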

Page 23: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Top 5 Takeaways

1. The mobile device improves the browser authentication experience
– Easy intuitive experience
– Provides a platform for security
Mobility index

2. And mobile app authentication is becoming increasingly important
– Organizations are looking to apps as a way to reach their customers
– Authentication is of course necessary

3. Mobile app authentication is lagging the browser
– Risk assessment not prevalent
– But will become important quickly

4. Users use multiple devices in multiple locations
– You have to tie the activity together
– Risk assessment that uses behavioral profiling and a mobility index can account for this

5. Mobile Device Identification gives us an important tool
– More precise and more data available to make a decision
– Can be done without invading the user’s privacy

Page 24: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


CA Advanced Authentication

Versatile Authentication

CA Strong Authentication™

CA Auth ID

Q&A OATH Tokens

OTP – Out of Band

CA Mobile OTP

Contextual Authentication

CA Risk Authentication™

Where is the user?

What is the user trying to do?

Is the action consistent with history?

What device is being used?

Page 25: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Recommended Sessions

SESSION # | TITLE | DATE/TIME

SCT21T | Enable Omnichannel with Security and API Management | Thurs. Nov 19 at 2:00 pm

SCT17T | Strong Auth in IdM | Thurs. Nov 19 at 3:45 pm

Page 26: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Must See Demos

Protect Against Fraud & Breaches – CA Advanced Auth – Security Theater

Engage Customers – CA SSO – Security Theater

Innovation – IoT Slot Car – CA AA, APIM – Security Theater

Secure Omni-Channel Access – CA AA, APIM, SSO – Security Theater

Page 27: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


Q & A

Page 28: Mobile Risk Analysis: Take Your Mobile App Security to the Next Level


For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15