During the Mobile Financial Services Forum (#MobileForum on Twitter) in Arlington, Va., in October, Jason Rouse, a mobile security expert and principal consultant of the mobile and wireless practice for Cigital, said mobile security and the authentication of mobile transactions are challenges the industry must address. He attributes the problem to fluid mobile browsing habits and the lack of authentication technology for mobile devices.
Rouse says radio-frequency communication, in general, is insecure. "802.11, ZigBee, Bluetooth -- all of these NFC (near-field communications) are very insecure by their nature, and therefore must be paired up with things like Global Platform in order to be even remotely secured," he says. "Throughout history, in almost every platform available, there have always been implementation problems; there have always been hiccups."
Security issues usually crop up when a technology or standard has been used beyond its design capacity, Rouse says, as has been the case with TCP/IP.
In this interview (transcript below), recorded during the forum, Rouse offers his top three mobile-security tips:
- Managing the user experience and authenticating mobile transactions;
- Research and investment in security; and
- The use of solid analytics.
Rouse is the principal security consultant for Cigital, where he leads the mobile and wireless security practice, performs security architecture assessments and serves as an advisor to some of the world's largest development organizations. He also is responsible for the creation of durable, actionable artifacts, spanning the continuum of software security from development standards to enterprise risk-management frameworks.
Mobile Security and the Global Platform
TRACY KITTEN: Jason, yesterday you sat on a panel and during the panel discussion we talked quite a bit about the security of the mobile channel overall, and you noted that near-field communications, or radio frequency communication, is perhaps the least secure type of communication. That statement is interesting, because I spoke with someone yesterday who was talking about the Global Platform, this set of standards that is basically set up to protect some of this wireless connectivity or wireless communication. Could you talk a little bit about the security and where the Global Platform from your mind fits into the picture?
Jason Rouse: Global Platform is a set of protocols and standards that allow for secure communication over potentially insecure channels. When we were talking on the panel yesterday, I wanted to note that radio frequency communication, in general -- 802.11, ZigBee, Bluetooth -- all of these NFC are very insecure, by their nature, and therefore must be paired up with things like Global Platform in order to be even remotely secured. Most of the time, security standards are very well implemented and they are very well designed. But, throughout history, in almost every platform available, there have always been implementation problems; there have always been hiccups and there have always been issues that come up, usually when a technology or a standard has been used beyond its normal end-of-life.
We have used TCP for a long time, and a lot of hiccups have come up over the last 10 years with the Internet; that is because it is being used much, much further than its design capacity. Global Platform is relatively recent and very dynamic; but at the same time, we still have to rely on old-fashioned things like getting it right, especially in implementation. We have to make sure that we test these things in order to actually assure security. Global Platform paired with radio-frequency communication should be secure. In general, though, each does not guarantee security for the other.
Authenticating Mobile Transactions: Biometrics
Kitten: Authentication, and this ties in with IP security, on the mobile device is challenging. It is a fluid IP address, so it is very difficult to authenticate or to do some kind of comparison or data analytics, because this person browsing the Internet could be browsing the Internet on a mobile device anywhere in the world and there is no way to really nail down where this person is. How do we get around some of those authentication questions, when it comes to mobile banking or mobile payments, and what role could biometrics play?
Rouse: I think that biometrics are wonderful. A lot of the time we are limited by the number of transducers on the phone, so it would be great if I could just press my fingertip down on the surface of the screen and have it become a fingerprint; but, unfortunately, especially nowadays with most platforms, we are limited to simply a microphone as our main biometric transducer. Alton (Drake) from AT&T spoke about voiceprint biometrics, so in terms of using biometrics to firmly identify a person, I think it is a great idea and it has lots of technical merit. I think that the handsets, though, are far from the ideal platform for capturing those biometrics; so we may see things like sleeves or add-on devices, even Bluetooth-tethered devices, that may take things like fingerprints or even iris scans. But right now, platforms like Android, iPhone and BlackBerry simply don't have a very rich set of capabilities.
You mentioned things like the IP address being very fluid, and it's an unfortunate side-effect of the way that a lot of wireless networks are structured. As I connect and disconnect from the network, as I turn my phone on and off, or as I just roam to other carriers, it is actually very difficult to maintain a single IP address. As a consequence of the networks' structures, we normally have IP changes in the range of hours to days for every mobile client. While we can white-list things like IP blocks for providers such as AT&T, Verizon, T-Mobile and Sprint, we generally can't rely on individual IP addresses per handset as a white-listing capability for our transaction security.
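The allowlisting distinction Rouse draws above (carrier IP blocks, not individual handset addresses) is easy to get wrong in a session-binding check. The following is an added example, not code from the interview or from Cigital: it contrasts pinning a session to the handset's first IP with binding it to the carrier block that IP belongs to. The carrier names, CIDR blocks and session addresses are constructed from RFC 5737 documentation ranges and are not real carrier allocations.

```python
"""Carrier-block allowlisting for mobile sessions.

Added example, not code from the interview or from Cigital. The carrier
CIDR blocks and the session events are constructed for illustration; in
production the blocks come from the carriers' published ranges or an
IP-to-ASN feed, and they change, so reload them rather than hard-coding.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed, hypothetical carrier allocations (RFC 5737 documentation
# ranges), not real AT&T/Verizon/T-Mobile/Sprint blocks.
CARRIER_BLOCKS: Dict[str, List[str]] = {
    "carrier-a": ["203.0.113.0/24", "198.51.100.0/25"],
    "carrier-b": ["192.0.2.0/24"],
}


def compile_blocks(blocks: Dict[str, List[str]]):
    """Parse CIDR strings once; ipaddress handles IPv4 and IPv6 alike."""
    return {name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in blocks.items()}


NETWORKS = compile_blocks(CARRIER_BLOCKS)


def carrier_for(ip: str, networks=NETWORKS) -> Optional[str]:
    """Return the carrier whose allowlisted block contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in networks.items():
        if any(addr in net for net in nets):
            return name
    return None


def pin_to_ip(events: List[str]) -> List[str]:
    """The policy Rouse warns against: bind the session to the handset's
    first address. Every re-attach or roam then looks like a hijack."""
    verdicts = []
    pinned = None
    for ip in events:
        if pinned is None:
            pinned = ip
            verdicts.append("allow")
        else:
            verdicts.append("allow" if ip == pinned else "reject")
    return verdicts


def bind_to_carrier(events: List[str], networks=NETWORKS) -> List[str]:
    """Bind the session to the carrier block instead of the address.
    Address changes inside the same carrier's blocks pass; an address from
    a different carrier, or from no allowlisted block, goes to review
    (step-up authentication or the fraud/analytics pipeline)."""
    verdicts = []
    bound = None
    for ip in events:
        carrier = carrier_for(ip, networks)
        if carrier is None:
            verdicts.append("review")        # not on any allowlisted block
        elif bound is None:
            bound = carrier                  # first allowlisted hit binds
            verdicts.append("allow")
        else:
            verdicts.append("allow" if carrier == bound else "review")
    return verdicts


if __name__ == "__main__":
    # Constructed session: one handset, three re-attaches on carrier-a,
    # then an address from carrier-b and one from a private range.
    session = ["203.0.113.17", "203.0.113.90", "198.51.100.5",
               "192.0.2.10", "10.0.0.5"]
    for ip, a, b in zip(session, pin_to_ip(session), bind_to_carrier(session)):
        print(f"{ip:15} pin-to-ip={a:7} bind-to-carrier={b}")
```

The "review" verdicts are the hook into the analytics Rouse recommends later in the interview; they are a risk signal, not a rejection. One caveat a practitioner should keep in mind: carriers put many handsets behind the same NAT address, so block membership says which network a request came from, not which subscriber, and it must never be the only factor in authorising a transaction.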
Top 3 Mobile Tips
Kitten: What are the three pieces of advice you could give to an institution that is just now beginning to embark upon a mobile platform?
Rouse: The first one is not even security-related, which is kind of embarrassing, because I am supposed to be a security wonk. But I would say the first one is managing the user experience. You have to be careful in moving into the mobile platform because you are speaking to a different mindset. Consumers have a very different mindset when they are using a mobile handset or a mobile device.
No. 2 is that all of the technology you need to secure your phones already exists, so you should not panic that you don't have the controls that you need, and you shouldn't panic that the mobile devices are some sort of magical land that you can't control. You can control them, but it is going to take a long-term investment in both research and implementation to get the mobile device or the mobile platform to the place where you, as a bank, would want it to be.
And the third piece of advice would be, your best friend is analytics; I think we actually mentioned this on the panel a few times yesterday. By keeping track of what is happening in your systems, anti-fraud, anti-money laundering and even just transaction-risk measures can be your best friend as you deploy mobile devices or mobile applications to mobile platforms.
So those are very important; and, if I can add a fourth, for gosh sakes, make the platform transparent. In terms of market capture or subscriber capture, what you really want to do is ignore the fact that you know one platform is more popular or more interesting than the other. Right now, the top three platforms in North America are iPhone, Android and BlackBerry, in no particular order. You should make sure that if you deploy a capability on one that you actually deploy it on all of the others as well. And even though the platforms differ in their security capabilities, the controls that you already have can be used effectively to secure each platform, regardless of their inherent capabilities.