Addressing the fraud and risk issues surrounding mobile payment using NFC technology. Barcelona 2011 Mobile Payment conference.
Detailing the fraud & security issues surrounding mobile payments
Barcelona, 28.09.2011
Stefano Maria De' Rossi Francesco Magini
Agenda
• Mobile payment overview
• Brief overview of mobile fraud
• Mobile payment threat management
• Key takeaways
What are mobile payments?
Mobile payment: a definition
Related terms grouped under mobile payments:
• Mobile financial services
• Mobile banking
• Mobile commerce
• Mobile money transfer
Mobile payment: a definition
Mobile Payment is a composite payment model which encompasses different paradigms, all characterized by the use of the Mobile phone as their primary means of interaction.
The mobile device may be used for any or all of these steps:
• Initiate the transaction (e.g., begin checkout)
• Authenticate the transaction
• Settle the transaction on the mobile phone bill
The SEPA mobile payment framework sets apart two types of mobile payments: remote payments and proximity payments.
Main types of mobile payments
Proximity payments (SEPA main type)
• Payment is made at the Point of Sale (POS) or in proximity to the recipient
• Competes with cash or swiping a plastic debit or credit card
• Similar to a card-present transaction
• Often involves Near Field Communication (NFC)
Remote payments (SEPA main type)
• Payment is made remotely (e.g., via a web-enabled retailer)
• Competes with PayPal, credit, debit and prepaid cards
• Similar to a card-not-present transaction
• Often involves Premium SMS or direct carrier billing
5 types of mobile payments
• MOBILE AT THE POINT OF SALE (the mobile wallet): paying for things at a store with a mobile device using NFC, "tap & go" or some other yet-to-be-hyped method.
• MOBILE AS THE POINT OF SALE (every smartphone is a cash register): a merchant using a mobile device to process credit card payments. Do not confuse this with mobile payment; they are not the same thing.
• MOBILE PAYMENT PLATFORM (everything else mobile payment): a "catch-all" category for products that let consumers send money to merchants or even to each other (P2P) using a mobile device. It might be at the point of sale, it might be online.
• DIRECT CARRIER BILLING (put it on my phone bill): consumers buying ringtones, games or digital content by putting the charges on their cell phone bill.
• CLOSED LOOP MOBILE PAYMENT (the return of the store credit card: now it's mobile): if a company doesn't want to wait for someone else to build a wallet or a platform, it can always build its own. Starbucks did 3 million transactions in their first two months.
Mobile Money Initiative within GSMA
Mobile Ticketing
"Pay-Buy-Mobile": introduction
Pay-Buy-Mobile is an operator initiative within the GSM Association.
The focus of GSMA Pay-Buy-Mobile is:
• UICC-based
• NFC-enabled mobile proximity payment handset
• Interacts (contactless) with the Point Of Sale (POS) terminal to perform the payment transaction ("tap-and-go")
Pillar 1 - UICC
The UICC is considered the most appropriate NFC secure element for the mobile phone.
The UICC (Universal Integrated Circuit Card) is also known as the "SIM card".
The SIM card is used as a multi-application Secure Element to perform trusted transactions with a contactless terminal.
Pillar 2 - Near Field Communications
NFC, or near-field communication, is a short-range radio technology (13.56 MHz) that lets two devices exchange small amounts of data when they are brought within a few centimetres of each other (nominally up to about 10 cm, or four inches). The short range limits, but does not by itself prevent, eavesdropping on the exchange.
NFC is the technology of choice for the mobile industry to enable proximity-based services using the mobile phone.
46 participating MNOs:
1. AT&T (Phase 2 Lead)
2. KTF (Phase 1 Lead)
3. Brazil Telecom
4. Celcom
5. Chunghwa Telecom
6. CMCC
7. EITC
8. Etisalat
9. FarEasTone
10. GlobeTel
11. IMC Island
12. Kall
13. KPN
14. Maxis
15. MCI
16. Meteor
17. MobiCom
18. Mobilkom Austria
19. Mobitel d.d.
20. MTN
21. MTS
22. NTT DoCoMo
23. Orange
24. Partner
25. Pelephone
26. Rogers
27. SFR
28. SINGTEL
29. SINGTEL OPTUS
30. SK Telecom
31. SMART
32. Softbank Mobile
33. Starhub
34. Swisscom
35. Taiwan Mobile
36. TDC
37. Telefonica-O2
38. Telenor
39. TeliaSonera
40. Telecom Italia
41. Telstra
42. Turkcell
43. Vimpelcom
44. Vodafone
45. Wind
46. Zain
M-payment status around the world – some examples
Source: Frost & Sullivan
• France: NFC trials, mobile ticketing
• Italy: mobile ticketing
• Germany: mobile ticketing, NFC trials
• United Kingdom: NFC trials, Oyster
• Bangladesh: mobile remittance
• China: contactless mobile payment (non-NFC based)
• The Philippines: mobile banking
• Japan: contactless payments since 2004
• Korea: proximity payment services since 2002
• Kenya: mobile for the unbanked
• South Africa: mobile remittance
• Sub-Saharan Africa: mobile remittance
• Canada: NFC trials
• USA: NFC trials
That's the technology… but what about the money?
M-payment is positioned as a potentially lucrative revenue stream
[Chart: market volume over time across the introduction, growth, maturity and decline stages, for fixed telephony, mobile communications, enhanced TV services, fixed broadband, broadcast mobile TV services, triple-play services, quad-play services, mobile broadband and mobile payments (excluding SMS-based). Bubble size approximates revenue accruing to communications service providers. Source: Frost & Sullivan]
Mobile payments are growing
A €6 billion opportunity by 2013 in Western Europe
The market is expected to grow at an average of 25 per cent annually over the next five years
• “Innovative” technology
• Valuable market size
• Mobile device
The bad news – mobile fraud losses (*)
(*) Source: www.cfca.org, Communications Fraud Control Association
Mobile Phone Frauds
Mobile phone fraud is not a new topic and today’s mobile security reflects the industry’s experience of fighting against fraud
[Timeline figure, 1950–2010: evolution of technical threats against mobiles and cards]
• Radio telephony: mobile tampering
• 1G analog cellular: mobile cloning
• 2G digital cellular: SIM; 3G/4G: USIM
• Cards: embossing and magnetic stripe (skimming, counterfeiting), then EMV chip and PIN
Evolution of the fraud scenario: from phreaking fraud to vishing fraud
New types of threats and frauds are on the rise
Telco market: new services trend
Changes in the telco world are driven by radical evolutions, from new technologies to new services linked to different markets (Internet, media, banking)
What are the big concerns regarding mobile payments?
Source: Mobile Money Market: Key Market Drivers & Restraints (2010-2015)
Drivers:
• Better user awareness
• Ease of payment
• Secure network
• Interoperability across networks and platforms
• Efficiency and speed of mobile networks
Restraints:
• Lack of regulation on mobile transactions
• Quality of service
• Lack of collaboration between players
• High cost of solution
Security will remain a key inhibitor
Security concerns
Mobile Payment Risks
Mobile payment services need a complex architecture involving many players with different roles…
[Diagram: mobile payment application ecosystem. Source: Aujas]
A chain is only as strong as its weakest link…
Mobile Payment Risk Assessment
In order to make a complete risk assessment it’s important to analyze the entire mobile payment ecosystem
Threats by layer of the mobile payment ecosystem:
• Mobile payment (transaction level): man-in-the-middle attack, replay attacks, repudiation, impersonation, unauthorized access
• Protocol: design flaws in mobile protocols, design flaws in m-payment protocols, weak cryptographic algorithms
• Platform (HW/SW): side-channel attacks, SIM cloning, vulnerable APIs/apps
• Devices (OS): malware, spyware
Source: Security Issues in Mobile Payment Systems, University of India
Mobile Payment Security Issues
• Man-in-the-middle attacks – the NFC link itself does not authenticate the peer, so applications need a higher-layer cryptographic protocol (e.g. SSL/TLS, or a message-level MAC tied to a fresh challenge) to establish a secure channel on top of the NFC standard.
• Eavesdropping – interception of the communication; the short range limits, but does not rule out, passive capture with a suitable antenna.
• Take-over – related to the impersonation attack: the customer believes they are dealing with the expected party but is in fact transacting with a different entity.
• Data modification – it is relatively easy to alter or corrupt data by using an RF jammer. There is currently no way to prevent this at the NFC layer; some NFC devices can monitor the RF field during transmission to detect such an attack, and integrity otherwise has to be enforced end to end (e.g. a MAC over the transaction data).
• Lost property – losing the NFC/RFID card or device hands any finder a working single-factor authenticator. A mobile phone protected only by a PIN code is likewise a single authenticating factor.
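The man-in-the-middle, data-modification and replay points above come down to one control: a payment request must be authenticated, fresh, and bound to the terminal that asked for it, and the verifier must refuse to act on any field before the MAC has been checked. The following Python sketch is an added example, not code from this deck or from any payment scheme; the message format, field names and the shared issuer key are assumptions, standing in for the card key held in the secure element and the cryptogram a contactless payment applet would compute.

```python
"""Added example: authenticate a proximity payment request so that tampering,
impersonation, stale messages and replays are rejected. Constructed message
format; not code from the deck or from any payment scheme."""
import hashlib
import hmac
import json
import secrets


def canonical(fields):
    """Deterministic byte encoding of the fields covered by the MAC."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, amount_cents, merchant, terminal_nonce, ts, tx_nonce=None):
    """Phone/secure-element side: build a request whose MAC binds the amount
    and merchant to the terminal's challenge, a timestamp and a fresh
    per-transaction nonce. `key` stands in for the card key kept in the
    secure element (assumption: a symmetric key shared with the issuer)."""
    fields = {
        "amount_cents": amount_cents,
        "merchant": merchant,
        "terminal_nonce": terminal_nonce,          # challenge chosen by the POS
        "tx_nonce": tx_nonce or secrets.token_hex(8),
        "ts": ts,                                  # seconds since epoch
    }
    mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


class PaymentVerifier:
    """Issuer side. Checks are ordered so that no untrusted field is acted on
    before the MAC has proved the message came from a key holder."""

    def __init__(self, key, max_skew_s=30):
        self.key = key
        self.max_skew_s = max_skew_s
        self.seen_nonces = set()   # production: bounded store, expire after max_skew_s

    def verify(self, msg, now, expected_terminal_nonce):
        fields = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "bad_mac"          # modified in transit, or forged by an impersonator
        if fields.get("terminal_nonce") != expected_terminal_nonce:
            return "wrong_challenge"  # a valid message relayed from another terminal/session
        if abs(now - fields.get("ts", 0)) > self.max_skew_s:
            return "stale"            # freshness: old captures cannot be presented later
        if fields.get("tx_nonce") in self.seen_nonces:
            return "replay"           # the same transaction presented twice
        self.seen_nonces.add(fields["tx_nonce"])
        return "ok"


def demo():
    """Walk through the attacks listed above; returns the verdicts in order."""
    key = b"issuer-card-key-example"        # assumption: symmetric key per card
    v = PaymentVerifier(key)
    good = sign_request(key, 1250, "shop-42", "chal-1", ts=1000, tx_nonce="n1")
    tampered = dict(good, amount_cents=125000)   # amount changed after signing
    forged = sign_request(b"attacker-guess", 1250, "shop-42", "chal-1", ts=1000, tx_nonce="n2")
    return [
        v.verify(good, now=1005, expected_terminal_nonce="chal-1"),       # ok
        v.verify(good, now=1006, expected_terminal_nonce="chal-1"),       # replay
        v.verify(tampered, now=1005, expected_terminal_nonce="chal-1"),   # bad_mac
        v.verify(forged, now=1005, expected_terminal_nonce="chal-1"),     # bad_mac
        v.verify(good, now=2000, expected_terminal_nonce="chal-1"),       # stale
    ]
```

Calling `demo()` returns the verdicts `ok, replay, bad_mac, bad_mac, stale`. In a real EMV contactless deployment the same structure is provided by the application cryptogram: the secure element computes it over the transaction data, the terminal's unpredictable number and the card's transaction counter, and the issuer checks the counter to catch replays; the sketch keeps that shape without the card-specific key derivation.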
Mobile Payment Risks
• Frauds (transactions)
• Mobile platform issues
• Mobile payment application's database threats
• SIM card application attacks
• App store security issues
• Mobile payment applications (IP-based) threats
• Mobile device security
Major Threats Impacts
• Revenue losses (fraudulent transactions)
• Confidentiality (personal data: credit/debit card data, PIN, etc.)
• Communications services misuse
• SIM card & applications misuse
Are hackers/fraudsters really interested in mobile payment?
Just some examples…
• In June 2011 Collin Mulliner presented attacks on NFC (NDEF security) at the NinjaCon/B-Sides conference in Vienna, Austria: http://www.mulliner.org/nfc/feed/nfc_ndef_security_ninjacon_2011.pdf
• Several possible attack methods using very low-budget equipment were described.
• Some hackers have added NFC to the iPhone: http://www.unplggd.com/unplggd/iphone/add-nfc-payment-to-your-iphone-4-152556
• Others are targeting Android systems (more specifically, Nexus S users) that already have NFC built into the phone.
Let's take a look at some possible frauds
• Identity theft – passport details, ID cards and loyalty cards used to support the purchase of goods.
• Theft of personal information – "Nhishing" (phishing over NFC) to gain information for use in other frauds.
• Skimming of transactions at the point of sale, using the captured information for small purchases that will go unverified (theft of electronic money).
• Monitoring the PIN being entered on a terminal to confirm a high-value NFC financial transaction, to be used later with the terminal.
• Interception of goods transferred to the terminal, such as ring tones.
• Injecting malware/malicious content from a tag that claims to offer something for free but in fact connects to a premium-rate URL and bills the charge to your terminal account.
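The last item (a tag whose URI silently dials or bills a premium-rate number) is a parsing and policy problem on the handset: the reader must decode the tag without trusting its length fields, and must not auto-launch a URI whose scheme has a billable side effect. Below is an added example in Python, not code from this deck or from the Mulliner talk cited earlier; it parses the NDEF records read from a tag, rejects malformed length fields instead of reading past the buffer, and blocks URI records whose scheme places a call or sends a message rather than loading a page. The tag contents and phone numbers are constructed for the example.

```python
"""Added example: parse NDEF records from an NFC tag and decide whether the
handset may act on each URI. Constructed sample tags; not code from the deck."""

# NFC Forum URI Record Type Definition: payload[0] is an abbreviation code.
# Only the first codes are listed here; any other code is rejected.
URI_PREFIX = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# Schemes that cause a billable side effect (a call or a message) rather than
# a page load: a premium-rate number behind one of these is the "free content
# that bills you" fraud.
SIDE_EFFECT_SCHEMES = ("tel:", "sms:", "smsto:", "mms:", "mmsto:")

TNF_WELL_KNOWN = 0x01


def parse_ndef(message):
    """Return [(tnf, type, payload)] for the records in an NDEF message.
    Every length field is checked against the buffer before use, so a tag that
    advertises an 80-byte payload in a 5-byte message raises ValueError."""
    records, pos, end_seen = [], 0, False
    n = len(message)
    while pos < n and not end_seen:
        hdr = message[pos]
        pos += 1
        mb, me, cf = hdr & 0x80, hdr & 0x40, hdr & 0x20
        sr, il, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07
        if not records and not mb:
            raise ValueError("first record lacks MB flag")
        if cf:
            raise ValueError("chunked records are not supported")
        need = 1 + (1 if sr else 4) + (1 if il else 0)   # type len, payload len, id len
        if pos + need > n:
            raise ValueError("truncated record header")
        type_len = message[pos]
        pos += 1
        if sr:
            payload_len = message[pos]
            pos += 1
        else:
            payload_len = int.from_bytes(message[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if il:
            id_len = message[pos]
            pos += 1
        rec_end = pos + type_len + id_len + payload_len
        if rec_end > n:
            raise ValueError("record length exceeds message")
        rtype = bytes(message[pos:pos + type_len])
        pos += type_len + id_len            # the ID field is not needed here
        payload = bytes(message[pos:rec_end])
        pos = rec_end
        records.append((tnf, rtype, payload))
        end_seen = bool(me)
    if not end_seen:
        raise ValueError("message ends without ME flag")
    if pos != n:
        raise ValueError("trailing bytes after last record")
    return records


def decode_uri(payload):
    """Expand the abbreviation code and return the full URI string."""
    if not payload:
        raise ValueError("empty URI payload")
    code = payload[0]
    if code not in URI_PREFIX:
        raise ValueError(f"unknown URI prefix code {code:#04x}")
    return URI_PREFIX[code] + payload[1:].decode("utf-8")


def classify(message):
    """Return [(uri, verdict)] for each URI record on the tag:
    'block' (would call/message a number: never auto-open),
    'prompt' (https URL: show it and ask), 'prompt-insecure' (anything else)."""
    verdicts = []
    for tnf, rtype, payload in parse_ndef(message):
        if tnf != TNF_WELL_KNOWN or rtype != b"U":
            continue
        uri = decode_uri(payload)
        low = uri.lower()
        if low.startswith(SIDE_EFFECT_SCHEMES):
            verdict = "block"
        elif low.startswith("https://"):
            verdict = "prompt"
        else:
            verdict = "prompt-insecure"
        verdicts.append((uri, verdict))
    return verdicts


def make_uri_record(code, rest, mb=True, me=True):
    """Build a short-record URI record (used only to construct the samples)."""
    payload = bytes([code]) + rest.encode("utf-8")
    hdr = TNF_WELL_KNOWN | 0x10 | (0x80 if mb else 0) | (0x40 if me else 0)
    return bytes([hdr, 1, len(payload)]) + b"U" + payload


# Constructed tags; the numbers are placeholders, not real premium-rate lines.
TAG_OFFER = make_uri_record(0x04, "pay.example.net/offer")       # https URL
TAG_FREE_RINGTONE = make_uri_record(0x05, "+000123456789")       # tel: behind a "free" offer
TAG_TRUNCATED = bytes([0xD1, 0x01, 0x50, 0x55, 0x04])            # claims an 80-byte payload
```

Note that the `sms:` case is caught even when the tag uses prefix code 0x00 and spells the scheme out in full, which is why the check runs on the expanded URI rather than on the abbreviation code. A Smart Poster record ("Sp") wrapping a URI record would need the same treatment after unwrapping; it is left out to keep the example short.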
Mobile Application Security
User Security
The final user becomes a central and strategic point for the security of the entire end-to-end ecosystem
• New customer behaviours
• Consumerization
• Lost/stolen devices
• A new customer awareness is needed
Source: Mobile Payment Security, PWC
Mobile Application Security
Endpoint Security
Devices are everywhere and always on; the security perimeter is wider and boundaries are not well defined
• Data theft, cloning, malware, device theft
• Smartphones with increased computational power
• Low level of device security
The Secure Element
• The secure element is a critical component of the entire mobile payment security.
• It stores "in a secure way" the payment applications/data and the cryptographic keys.
• The secure element may be provided by:
• Device manufacturers
• Card companies
• Mobile operators
Summary & key messages
Market status
There has been progress in m-payment trials and deployments in Europe but mass adoption remains to be seen.
Market outlook
The outlook for m-payment remains positive because of technology availability, an increased sense of urgency amongst key stakeholders to enable m-payment functions, and a growing number of end users being comfortable with m-payment functions.
Market expectations
M-payment methods will vary across Europe; the dominance of SMS-based m-payment functions will continue but contactless technology may become important over the medium term.
Key success factors
Ease of use for the consumer
In the absence of any life critical need, m-payment is a new service that requires consumers to change their habits. Convenience of use becomes very critical.
Security assurance
We strongly believe that the predominant m-payment technology will be the one that provides an appropriate security level, proportionate to the m-transaction.
Standardisation & Interoperability
The eco-system requires further development to reduce complexity in interactions amongst stakeholders. Standardisation and efforts of interoperability are crucial to decrease fragmentation in the eco system.