Your SlideShare is downloading. ×
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Developing Bullet-Proof Payment Applications for Mobile and Consumer Electronic Devices

1,011

Published on

This session covers the technical approach to embedding payment functionality in applications. Attendees should be somewhat familiar with PayPal payment flows, knowledgeable about security risks, and …

This session covers the technical approach to embedding payment functionality in applications. Attendees should be somewhat familiar with PayPal payment flows, knowledgeable about security risks, and aware of secure application development practices and methodologies.

Published in: Technology, Business
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,011
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
5
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. BUILDING BULLET-PROOF PAYMENT APPLICATIONS FOR MOBILE AND CONSUMER ELECTRONICS DEVICES Hadi Nahari, Principal Security & Devices Architect PayPal Emerging Technologies
  • 2. AGENDA
    • Landscape
    • Requirements
    • Model
    • {ToDo || !ToDo}; That’s the Q
  • 3. LANDSCAPE: FACTS ABOUT MOBILE
    • Internet access (all means)
      • > 1 billion/day
    • Cellular network access
      • ~ 4 billion/day
    • Mobile is the only digital system many people will ever encounter.
  • 4. NEW USE CASES From Back Pocket to Front Pocket From Paper to Virtual Tickets From Paper to Virtual Coupons From Mass to Personalized From Pre-Sale to In-Store
  • 5. MOBILE IDENTITY CRISIS
    • Complex landscape
    • Identity proliferation
    • Many players
      • Neither trusts others
    • Heterogeneous identity
    • environment
    Retailers Banks Card Associations Mobile Network Operators Regulators Chip Vendors Trusted Service Manager Device Manufacturers
  • 6. MANY STANDARDIZATION BODIES
    • Global Platform
      • Smart Card infrastructure
    • Open Mobile Terminal Platform (OMTP)
      • Usability
      • Economic security
    • Open Mobile Alliance (OMA)
      • Decoupling
      • Interoperability
    • Near Field Communication (NFC) Forum
      • Proximity
    • European Telecommunications Standards Institute (ETSI)
      • Telecom integration
  • 7. YEAH, AND THE NETWORK…
    • The network is solated from other systems, such as the Internet.
    • Design assumptions are fundamentally different.
    • The application should know how the network operates.
  • 8. WHAT’S A PLATFORM?
    • Marc Andreessen
    • A "platform" is a system that can be programmed and therefore customized by outside developers and in that way, adapted to countless needs and niches that the platform's original developers could not have possibly contemplated, much less had time to accommodate.
    • By definition a platform is open. How open?
      • the “ we decide for you ” model
      • the “ don’t be evil” model
  • 9. AGENDA
    • Landscape
    • Requirements
    • Model
    • {ToDo || !ToDo}; That’s the Q
  • 10. OPEN PLATFORM MODEL (OPM) Portal App. N App. 0 Development SDK. N SDK. 1 SDK. 0 App. 1 App. N App. N App. N App. N App. M Deployment Download Device App. N App. 0 App. 1
  • 11. CLEARLY…
    • OPM is a distributed platform
    • By definition it is open
    • Realizes abstraction
      • Generic services
      • Modularization
      • Leaky abstractions?
    • OPM generations
  • 12. OPM SECURITY REQUIREMENTS
    • Environment
    • Autonomous governance of
      • Key material
      • Identities
    • Secure isolation
    • Cohabitation
      • Well-defined interaction contracts
    • Objects
    • Authentication
    • Asset protection
      • At rest
      • In transit
    • Channel protection
  • 13. AGENDA
    • Landscape
    • Requirements
    • Model
    • {ToDo || !ToDo}; That’s the Q
  • 14. OBJECTS’ SECURITY MESH MNO Financial Portal App. N App. 0 App. 1 Retailer Regulator
  • 15. ABSTRACT MODEL Cloud_m Cloud_n ID Claims Protection Declarations Enforcement Mechanisms Unforgeable, as in capability model Authorization Framework Claims Verification Authorization Framework Claims Verification
  • 16. OBJECTS’ RESPONSIBILITIES
    • Declares own security requirements
    • Authenticates the environment
    • Protects the key material
      • Claims
      • Requirement
      • And so on
    Protected by object itself Declaration is a security asset ID Claims Protection Declarations Enforcement Mechanisms
  • 17. ENVIRONMENT’S MANDATE
    • Authenticates objects
      • Based on objects’ claims
    • Authorizes interactions
      • Among objects
      • Between environments
    Authorization Framework Claims Verification
  • 18. INTER-OBJECT COMMUNICATION
    • Based on objects’ declarations
    • Environment facilitates only if authorized
    ? Authorization Framework Claims Verification ID Claims Protection Declarations Enforcement Mechanisms ID Claims Protection Declarations Enforcement Mechanisms
  • 19. INTER-ENVIRONMENT COMMUNICATION
    • Based on mutually-agreed declarations
    • Only if allowed by both environments
    Cloud_m Cloud_n ? ? ? Authorization Framework Claims Verification ID Claims Protection Declarations Enforcement Mechanisms Authorization Framework Claims Verification ? ID Claims Protection Declarations Enforcement Mechanisms
  • 20. AGENDA
    • Landscape
    • Requirements
    • Model
    • {ToDo || !ToDo}; That’s the Q
  • 21. {TODO || !TODO}; DECOUPLING
    • The model decouples authorization decisions.
      • Allows autonomy of environments
      • Enables flexible business models
    • Objects authenticate environments too.
      • Execution is based on mutual agreement.
  • 22. FURTHER WORK
    • Conflict resolution
      • Among objects
      • In between environments
    • Allowing the environment to modify objects declaration
      • Temporarily
      • Permanently
    • Updating objects declarations
      • While in transit in between environments
  • 23. CONCLUDING THOUGHTS
    • Build solid security…
    • … and a usable one ...
    • Know your enemies
    • Identify threats
    • Use and reuse
  • 24. MORE INFORMATION
    • Cryptography is hard: don’t mess with it!
    • Solid Vulnerability Assessment & Threat Analysis (VATA) pays off!
    • Be mindful of various operating system versions in embedded.
      • Linux-based: Android, Chrome
      • iPhone
      • Windows CE
      • Symbian
      • MultOS
  • 25. LEARN AND SHARE
    • www.x.com
    • Twitter: @paypalx
    • www.facebook.com/paypalx
    • Innovate 09 hashtag: #ppxi09
    LEARN AND SHARE www.x.com Twitter: @paypalx www.facebook.com/paypalx Innovate 09 hashtag: # ppxi09 Proprietary

×