Security on Mobile Payment Terminals via Consumer Devices

Monday, May 16, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

Hello!  Once again it's time to talk about mobile devices and software security.

 I received an email to my last post on the topic (my post titled "The Hard Truth About Mobile Application Security - Separating Hype From Reality") from someone who works for an issuing bank and works with merchants advising them on the security of all manner of devices that accept payments.

I don't know if you've noticed, but there has been an explosion of devices and methods for accepting payments via mobile devices of late spilling over from audited, controlled devices like mobile payment terminals to people's personal consumer devices.  

This of course goes head-long into my last post about the security of mobile devices, and the various types of software security issues that we face trying to make them more like an ATM and less like a lost wallet.

Thinking about this a while, I came to the conclusion that while devices such as an Android-powered 'cell phone' (do we even call them that anymore?) have some basic OS measures in place, the mobile devices consumers purchase and use today are most closely related to that copy of Windows98 you all had at some point... and security has largely given way to functionality via widgets and what developers mistake for platform openness.  

So those who take payments (or work with merchants who do) over these mobile devices are faced with the unenviable task of figuring out how to secure these things to some reasonable degree.

The reality of the situation is that we don't have any good answers.  I've been looking unsuccessfully for some type of guidance that doesn't rely on the underlying mobile OS to protect the application... but that's really a fool's errand anyway.

I've gathered a few 'tips' for those of you who are currently stuck trying to write payment applications/systems for mobile devices... and if you have anything to add please do.  Links, papers, APIs, standards or whatever is welcome.  

I'd like to see how we can better help organizations secure their mobile device-based application data.

Tips for Keeping Mobile Application Data (Relatively) Safe

  • Always use a secure channel.  Never assume that you're on a cellular network where eavesdropping on connections is improbable... remember your users are just as likely (these days) to be on an open WiFi connection!
  • Minimize locally stored data.  Even if you must store persistent data (even something as simple as the user's login name) ensure it's the absolute minimum required for your application to function. Remember, mobile devices rely on an Internet connection, so you can always pull logic & sensitive information once the user launches the application successfully.
  • Remotely store encryption information.  The idea I've been thinking about works like this - all locally stored data is encrypted. But the keys are only stored temporarily in memory on the local device then destroyed when the app is closed. The device would pre-auth to a known remote system, authenticate the user, then push the necessary key to decrypt locally stored sensitive data as-needed in local memory while the app is running ...destroying key + decrypted data as part of app close
  • Perform sensitive logic on server-side.  Performing logic that's critical to the function of the system on the server may go against all (perceived) 'Web 2.0' ideals but it's the absolutely right thing to do.  Never, under any circumstances, trust the client.

While I'm sure there are other suggestions, and things that can be done on the specific mobile platforms (which I will likely write about over the coming months) - this is a high-level good start.  

You know... you can test for these things too, just in case you don't outright trust your developers to implement 4 simple security controls for mobile platforms.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
14392
PDAs/Smart Phones
Information Security
Encryption Mobile Devices Operating Systems Security applications Mobile Payments Consumers
Post Rating I Like this!
Default-avatar
cassandra hall Many customers these days rely upon the advantage and enjoyment of mobile applications. Somewhere along the line, individuals assumed their private information was secure. According to a new study by the business, top application makers like LinkedIn, Netflix, and Square store sensitive user info unencrypted in plain text files on mobile devices. These files could be easy pickings for the dishonest hackers of the world. I found this here: Study: Major mobile apps compromise your personal data, newstype.com
1307943238
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.