The rising standards of EU Mobile Payments October 2015 Jeremy King, International Director


Jan 17, 2016


Jocelyn Harvey
Transcript
Page 1

The rising standards of EU Mobile Payments

October 2015

Jeremy King, International Director

Page 2

We live in an increasingly connected world

42 Billion objects by end 2015

100 Billion objects by end 2020

Page 3

About us: Founded in 2006 - Guiding open standards for payment card security

• Development

• Management

• Education

• Awareness

Page 4

PCI Security Standards Suite

Protection of Cardholder Payment Data

Page 5

The UK is now a smartphone society

• According to Ofcom

• Smartphones overtake laptops as UK internet users’ number one device

• Two thirds of people now own a smartphone, using it for nearly two hours every day to browse the internet, access social media, bank and shop online.

• Superfast 4G is helping change the way we shop, bank, watch TV and communicate

Page 6

Mobile Payments

However: 54 percent of respondents do not think that security is a benefit of m-payments in-store. More than 87 percent of respondents expressed interest in using m-payments technology if security and fraud protection were guaranteed.

Page 7

Consumers changing the way they interact with their bank

• 44% confirmed using Mobile Banking App regularly

• 80% confirmed using Online banking regularly

• Interestingly, telephone banking is being used much less

• 46% never use telephone banking

TSYS: 2015 U.K. Consumer Mobile Payment Study

Page 8

Understanding Credit Card Fraud is Simple

• Steal the card

• Steal the PIN

• Steal the data

Page 9

Oops…Nearly Forgot

Or you steal their phone, or buy their phone when they change it, or just pick it up from the back of the taxi, train carriage, plane or cafe where they dropped it

Page 10

Which is not as strange as you may think

In 2014 TFL had 20,309 mobile phones handed in as lost property

Page 11

Security risks and challenges remain

Page 12

OWASP top 10 Mobile risks

Page 13

Mobile Risks: Physical Security

• Mobile phones have limited, if any, physical security

• Secure microprocessors are rarely used, and address and data buses are openly available for monitoring and data capture

• Lost or stolen phones can easily have stored data accessed; this may include personal and card data

Page 14

Mobile Risks: Logical

• Incorrect Permissions

  • An app with too many permissions may perform unintended functions

  • Permissions are vulnerable to hijacking by another app, which may obtain and transmit customer information

• Exposed Communications

  • Exposed internal comms allow apps to gather unintended information and inject new information

  • Exposed external comms (network, WiFi, Bluetooth, NFC, etc.) allow man-in-the-middle attacks

• Functionality

  • Unintended functions could be performed outside of an app's normal/expected activity

Page 15

Mobile Risks: Applications

• A new Trojan called Ghost Push has been wreaking havoc on thousands of Android devices across the world. It hides itself within popular apps and has made its way into various marketplaces, including Google Play Store. It reportedly gains root access and automatically downloads unwanted apps and ads.

• In addition, some devices allow the installation of “unsigned” apps from outside the vendor's preferred app store.

Page 16

Mobile Malware

Page 17

Mobile Risk: Criminals conning customers

Fraud warning texts from criminals pretending to be your bank

BANK customers who receive text alerts about fraud could actually fall for a scam sent by the very fraudsters warned about in the message, experts have cautioned.

The alarming texts encourage people to call a number or visit a website, often as a matter of urgency.

But the phone number or website is actually controlled by a criminal, enabling them to fool customers into handing over security details that can be used to access the victim's bank account and steal money.

To make the texts seem authentic, the fraudsters use specialist software that alters the sender ID on a message so that it appears with the name of a bank as the sender.

Page 18

Mobile Risk: Open Ports

• It may be charging but what else is it doing?

• Hardware ports are not controlled

• Open USB ports can allow criminals to insert or extract data whilst the phone is charging

Page 19

Mobile Risk: Any old iron

• Old, unused phones are rarely decommissioned properly, leaving them full of stored personal information and confidential data

4857 used iPhone 5’s

Page 20

More and more often we are bringing these devices to work

Page 21

What do we know?

• Mobile phones are not secure

• Consumers like using their mobile phones

• Merchants and Banks see mobile phones as a great opportunity

• Criminals see mobile phones as a greater opportunity

Page 22

Accepting Payments

Mobile POS

Page 23

PCI Guidance Documents on Mobile

Page 24

Tokenisation

• Apple Pay

• Samsung Pay

• Mobile Wallets

Page 25

Please visit our website at www.pcisecuritystandards.org