Detailing the fraud & security issues surrounding mobile payments Barcellona, 28.09.2011 Stefano Maria De' Rossi Francesco Magini

Mobile Payment fraud & risk assessment


DESCRIPTION

Addressing the fraud and risk issues surrounding mobile payments using NFC technology. Barcellona 2011 Mobile Payment conference.


Page 1: Mobile Payment fraud & risk assessment

Detailing the fraud & security issues surrounding mobile payments

Barcellona, 28.09.2011

Stefano Maria De' Rossi Francesco Magini

Page 2: Mobile Payment fraud & risk assessment

Agenda

Mobile payment overview

Brief overview of Mobile Fraud

Mobile payment threat management

Key takeaways

Page 3: Mobile Payment fraud & risk assessment

What are mobile payments?

Page 4: Mobile Payment fraud & risk assessment

Mobile payment: a definition

Mobile Payments

Mobile Financial services

Mobile Banking

Mobile Commerce

Mobile Money transfer

Page 5: Mobile Payment fraud & risk assessment

Mobile payment: a definition

Mobile Payment is a composite payment model which encompasses different paradigms, all characterized by the use of the Mobile phone as their primary means of interaction.

The mobile device may be used to do any or all of these steps:

• Initiate the transaction (e.g., begin checkout)

• Authenticate the transaction

• Settle the transaction on the mobile phone bill

Page 6: Mobile Payment fraud & risk assessment

SEPA sets apart 2 types of mobile payments (SEPA mobile payment framework):

Remote payments

Proximity payments

Page 7: Mobile Payment fraud & risk assessment

Main types of mobile payments

SEPA main type

Proximity payments

• Payment is made at the Point of Sale (POS) or in proximity to recipient

• Competes with cash or swiping a plastic debit or credit card

• Similar to a card-present transaction

• Often involves Near Field Communication (NFC)

Page 8: Mobile Payment fraud & risk assessment

Main types of mobile payments

Remote payments

SEPA main type

• Payment is made remotely (e.g., via a web-enabled retailer)

• Competes with PayPal, credit, debit and prepaid cards

• Similar to a card-not-present transaction

• Often involves Premium SMS or direct carrier billing

Page 9: Mobile Payment fraud & risk assessment

5 types of Mobile Payments

Page 10: Mobile Payment fraud & risk assessment

MOBILE AT THE POINT OF SALE (the mobile wallet): paying for things at a store with a mobile device using NFC, “tap & go” or some other yet-to-be-hyped method.

Page 11: Mobile Payment fraud & risk assessment

MOBILE AS THE POINT OF SALE (every smartphone is a cash register): a merchant using a mobile device to process credit card payments. Do not confuse this with mobile payment; they are not the same thing.

Page 12: Mobile Payment fraud & risk assessment

MOBILE PAYMENT PLATFORM (everything else in mobile payment): a “catch all” category for products that let consumers send money to merchants or even to each other (p2p) using a mobile device. It might be at the point of sale, it might be online.

Page 13: Mobile Payment fraud & risk assessment

DIRECT CARRIER BILLING (put it on my phone bill): consumers buying ringtones, games or digital content by putting the charges on their cell phone bill.

Page 14: Mobile Payment fraud & risk assessment

CLOSED LOOP MOBILE PAYMENT (the return of the store credit card: now it’s mobile): if a company doesn’t want to wait for someone else to build a wallet or a platform, it can always build its own. Starbucks did 3 million transactions in their first two months.

Page 15: Mobile Payment fraud & risk assessment

Mobile Money Initiative within GSMA

Mobile Ticketing

Page 16: Mobile Payment fraud & risk assessment

“Pay-Buy-Mobile”: introduction

Pay-Buy-Mobile is an Operator initiative within the GSM Association.

The focus of GSMA Pay-Buy-Mobile is:

• UICC-based

• NFC-enabled mobile proximity payment handset

• Interacts (contactless) with the Point Of Sale (POS) terminal to perform the payment transaction (“tap-and-go”)

Page 17: Mobile Payment fraud & risk assessment

Pillar 1 - UICC

The UICC is considered the most appropriate NFC secure element for the mobile phone

The UICC (Universal Integrated Circuit Card) is also known as the “SIM Card”.

The SIM card is used as a multi-application Secure Element to perform trusted transactions with a contactless terminal.

Page 18: Mobile Payment fraud & risk assessment

Pillar 2 - Near Field Communications

NFC, or near-field communications, is a short-wave radio communications technology that provides a way for two devices to communicate small amounts of data when they're placed about four inches apart.

NFC is the technology of choice for the mobile industry to enable proximity-based services using the mobile phone

Page 19: Mobile Payment fraud & risk assessment

46 MNOs currently participating

1. AT&T (Phase 2 Lead)
2. KTF (Phase 1 Lead)
3. Brazil Telecom
4. Celcom
5. Chunghwa Telecom
6. CMCC
7. EITC
8. Etisalat
9. FarEasTone
10. GlobeTel
11. IMC Island
12. Kall
13. KPN
14. Maxis
15. MCI
16. Meteor
17. MobiCom
18. Mobilkom Austria
19. Mobitel d.d.
20. MTN
21. MTS
22. NTT DoCoMo
23. Orange
24. Partner
25. Pelephone
26. Rogers
27. SFR
28. SINGTEL
29. SINGTEL OPTUS
30. SK Telecom
31. SMART
32. Softbank Mobile
33. Starhub
34. Swisscom
35. Taiwan Mobile
36. TDC
37. Telefonica-O2
38. Telenor
39. TeliaSonera
40. Telecom Italia
41. Telstra
42. Turkcell
43. Vimpelcom
44. Vodafone
45. Wind
46. Zain

Page 20: Mobile Payment fraud & risk assessment

M-payment status around the world – some examples

Source: Frost & Sullivan

• France: NFC trials, mobile ticketing

• Italy: mobile ticketing

• Germany: mobile ticketing, NFC trials

• United Kingdom: NFC trials, Oyster

• Bangladesh: mobile remittance

• China: contactless mobile payment (non NFC based)

• The Philippines: mobile banking

• Japan: contactless payments since 2004

• Korea: proximity payment services since 2002

• Kenya: mobile for the unbanked

• South Africa: mobile remittance

• Sub-Saharan Africa: mobile remittance

• Canada: NFC trials

• USA: NFC trials

Page 21: Mobile Payment fraud & risk assessment

That’s the technology… but what about the money?

Page 22: Mobile Payment fraud & risk assessment

M-payment is positioned as a potentially lucrative revenue stream

Chart: market volume (low to high) over time, through the Introduction, Growth, Maturity and Decline phases, for fixed telephony, mobile communications, enhanced TV services, fixed broadband, broadcast mobile TV services, mobile payments (excluding SMS-based), quad-play services, mobile broadband and triple play services.

Source: Frost & Sullivan

NB: bubble size approximates revenue accruing to communications service providers

Page 23: Mobile Payment fraud & risk assessment

Mobile payments are growing

Page 24: Mobile Payment fraud & risk assessment

A €6 billion opportunity by 2013 in Western Europe

The market is expected to grow at an average of 25 per cent annually over the next five years

Page 25: Mobile Payment fraud & risk assessment

• “Innovative” technology

• Valuable market size

• Mobile device

Page 26: Mobile Payment fraud & risk assessment

The bad news – mobile fraud losses

(*) www.cfca.org - Communications Fraud Control Association

Page 27: Mobile Payment fraud & risk assessment

Mobile Phone Frauds

Mobile phone fraud is not a new topic, and today’s mobile security reflects the industry’s experience of fighting against fraud.

Timeline, 1950 to 2010: evolution of technical threats against mobiles and cards. Mobile side: radio telephony; analog cellular (1G): mobile cloning; digital cellular (2G, SIM); 3G/4G (USIM): mobile tampering. Card side: embossing; magnetic stripe: skimming, counterfeiting; EMV, Chip and PIN.

Page 28: Mobile Payment fraud & risk assessment

Evolution of fraud scenario

Phreaking fraud

Vishing fraud

Page 29: Mobile Payment fraud & risk assessment

New types of threats and frauds are on the rise

Telco market: new services trend

Changes in the telco world are driven by radical evolutions, from new technologies up to new services linked to different markets (Internet, media, banking).

Page 30: Mobile Payment fraud & risk assessment

What are the big concerns regarding mobile payments?

Source: Mobile Money Market: Key Market Drivers & Restraints (2010-2015)

Drivers

• Better user awareness

• Ease of payment

• Secure network

• Interoperability across networks and platforms

• Efficiency and speed of mobile networks

Restraints

• Lack of regulation on mobile transactions

• Quality of service

• Lack of collaboration between players

• High cost of solution

• Security concerns

Security will remain a key inhibitor

Page 31: Mobile Payment fraud & risk assessment

Mobile Payment Risks

Mobile payment services need a complex architecture involving many players with different roles…

(Diagram: the Mobile Payment application and the players around it. Source: Aujas)

Page 32: Mobile Payment fraud & risk assessment

A chain is only as strong as its weakest link…

Page 33: Mobile Payment fraud & risk assessment

Mobile Payment Risk Assessment

In order to make a complete risk assessment it’s important to analyze the entire mobile payment ecosystem:

• Mobile payment: Man-in-the-middle attack, Replay attacks, Repudiation, Impersonation, Unauthorized access

• Protocol: Design flaws in mobile protocols, Design flaws in m-payment protocols, Weak cryptographic algorithm

• Platform (HW/SW): Side channel attack, SIM cloning, Vulnerable APIs/Apps

• Devices (OS): Malware, Spyware

Source: Security Issues in Mobile Payment Systems, University of India

Page 34: Mobile Payment fraud & risk assessment

Mobile Payment Security Issues

• Man-in-the-middle attacks - applications may use higher-layer cryptographic protocols such as SSL to establish a secure channel on top of the NFC standard.

• Eavesdropping - by interception of the communication.

• Take over - related to the impersonation attack: the customer believes they are dealing with the expected entity but are in fact dealing with a different one.

• Data modification - it is relatively easy to alter data by using an RFID jammer. There is currently no way to prevent such an attack. However, some NFC devices can check the RF field to possibly detect attacks.

• Lost property - losing the NFC/RFID card/device opens access to any finder, since the device acts as a single-factor authenticating entity. Mobile phones protected by a PIN code likewise act as a single authenticating factor.
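The slide notes that higher-layer cryptography is what counters man-in-the-middle and data modification over NFC, and the risk assessment lists replay attacks among the protocol-level threats. As an added illustration, not part of the presentation, here is a minimal application-layer check in Python: the secure element authenticates each transaction with an HMAC over a monotonically increasing counter, so the issuer host rejects both altered and replayed messages. The key, the message fields and the merchant id are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key between the secure element and the issuer host.
# A real scheme derives per-card keys inside the SIM; this is an assumption here.
SE_KEY = b"example-issuer-key-not-real"


def build_tx(counter, amount_cents, merchant_id, key=SE_KEY):
    """Secure element side: sign one transaction with a fresh counter value."""
    body = {"ctr": counter, "amt": amount_cents, "mid": merchant_id}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class IssuerHost:
    """Issuer side: accept a transaction only if it is authentic and fresh."""

    def __init__(self, key=SE_KEY):
        self.key = key
        self.last_ctr = -1  # highest counter accepted so far
        self.log = []

    def verify(self, msg):
        # Check the MAC first: a message altered in flight (e.g. a changed amount)
        # or forged without the key fails here.
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return self._reject("bad MAC: modified or forged message")
        # Then check freshness: a captured message re-sent later reuses an old counter.
        body = json.loads(msg["payload"])
        if body["ctr"] <= self.last_ctr:
            return self._reject(f"replay: counter {body['ctr']} <= {self.last_ctr}")
        self.last_ctr = body["ctr"]
        self.log.append(("accept", body["ctr"]))
        return True, "accepted"

    def _reject(self, reason):
        self.log.append(("reject", reason))
        return False, reason


def demo():
    """Genuine tap, replayed tap, tampered amount, next genuine tap."""
    host = IssuerHost()
    tx = build_tx(counter=1, amount_cents=450, merchant_id="SHOP-42")
    first = host.verify(tx)
    replayed = host.verify(tx)  # identical bytes re-sent: counter already used
    tampered = dict(tx, payload=tx["payload"].replace(b"450", b"45000"))
    modified = host.verify(tampered)  # amount altered in flight: MAC fails
    nxt = host.verify(build_tx(2, 1200, "SHOP-42"))
    return first[0], replayed[0], modified[0], nxt[0]
```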

Page 35: Mobile Payment fraud & risk assessment

Mobile Payment Risks

Major Threats

• Frauds (transactions)

• Mobile Platform Issues

• Mobile Payment Application’s Database threats

• SIM Card Application Attacks

• App Store Security Issues

• Mobile Payment Applications (IP based) threats

• Mobile Device Security

Impacts

• Revenue Losses (Fraudulent Transactions)

• Confidentiality (Personal Data - Credit/Debit Card Data, PIN, etc.)

• Communications Services Misuse

• SIM Card & Applications Misuse

Page 36: Mobile Payment fraud & risk assessment

Are hackers/fraudsters really interested in mobile payment?

Page 37: Mobile Payment fraud & risk assessment

Just some examples…

• Last June Mr. Collin Mulliner gave a presentation on attacks against NFC at the NinjaCon/B-Sides Conference in Vienna, Austria: http://www.mulliner.org/nfc/feed/nfc_ndef_security_ninjacon_2011.pdf

• Some possible attack methods using very low budget equipment were described.

• Some hackers have added NFC to the iPhone: http://www.unplggd.com/unplggd/iphone/add-nfc-payment-to-your-iphone-4-152556

• Others are trying to break Android systems (or more specifically, Nexus S users) that already have NFC built into their phones.

Page 38: Mobile Payment fraud & risk assessment

Let’s take a look at some possible frauds

• Identity theft - passport details, ID cards and loyalty cards used to support the purchase of goods.

• Theft of personal information - “Nhishing” (phishing over NFC) to gain information for use in other frauds.

• Skimming of transactions at the point of sale, using the information for small purchases that will go unverified (theft of electronic money).

• Monitoring the PIN being entered on a terminal to confirm a high-value NFC financial transaction, to be used later with the terminal.

• Interception of goods transferred to the terminal, such as ring tones etc.

• Injecting malware/malicious content from a tag that claims to offer something free but in fact connects to and bills your terminal account via a premium-rate URL.

Page 39: Mobile Payment fraud & risk assessment

Mobile Application Security

Page 40: Mobile Payment fraud & risk assessment

Mobile Application Security

User Security

The final user becomes a central and strategic point for the security of the entire end-to-end ecosystem.

•New customer behaviours

•Consumerization

•Lost/stolen devices

•A new customer awareness is needed

Source: Mobile Payment Security, PWC

Page 41: Mobile Payment fraud & risk assessment

Mobile Application Security

Endpoint Security

Devices are everywhere and always on; the security perimeter is wider and its boundaries are not well defined.

•Data theft, cloning, malware, device theft

•Smartphones with increased computational power

•Low level device security

Page 42: Mobile Payment fraud & risk assessment

The Secure Element

• The secure element is a critical element for the entire mobile payment security.

• It stores «in a secure way» the applications and data for the payment service, together with the cryptographic keys.

Device manufacturers

Card companies

Mobile Operators

Page 43: Mobile Payment fraud & risk assessment

Summary & key messages

Market status

There has been progress in m-payment trials and deployments in Europe but mass adoption remains to be seen.

Market outlook

The outlook for m-payment remains positive because of technology availability, an increased sense of urgency amongst key stakeholders to enable m-payment functions, and a growing number of end users being comfortable with m-payment functions.

Market expectations

M-payment methods will vary across Europe; the dominance of SMS-based m-payment functions will continue but contactless technology may become important over the medium term.

Page 44: Mobile Payment fraud & risk assessment

Key success factors

Ease of use for the consumer

In the absence of any life critical need, m-payment is a new service that requires consumers to change their habits. Convenience of use becomes very critical.

Security assurance

We strongly believe that the predominant m-payment technology will be the one that provides an appropriate security level, proportionate to the m-transaction.

Standardisation & Interoperability

The ecosystem requires further development to reduce complexity in the interactions amongst stakeholders. Standardisation and interoperability efforts are crucial to decrease fragmentation in the ecosystem.
