Mobile Payment fraud & risk assessment


Addressing the fraud and risk issues surrounding mobile payment using NFC technology. Barcelona 2011 Mobile Payment conference

Published in: Business, Economy & Finance
  • 1) a short introduction to Telecom Italia; 2) an overview of the mobile payment definition; 3) an overview of mobile fraud; 4) mobile payment threat management
  • Let's build up a common definition: what are the so-called mobile payments, and how can we define them?
  • If you think about the so-called mobile financial services for a while, there are several different words flying around. Are these all the same business? Do they have the same meaning?
  • Mobile Payment is a composite payment model which encompasses different paradigms, all characterized by the use of the mobile phone as their primary means of interaction. They range from paying "up close", in which the phone emulates a payment card (Mobile Proximity Payment), and paying for services from a distance via SMS or applications (Mobile Remote Payment), to managing the entire purchase and payment process remotely (mobile commerce) and transferring money between users or between users and financial institutions (Mobile Money Transfer). The common feature of these paradigms is the use of the phone and its distinctive features to innovate payment methods: huge population penetration (more than 5 billion devices worldwide), mobility, extreme portability and interactivity. We can now look at the different types of mobile payment.
  • With that in mind, we can identify five types of mobile payment.
  • One upstart is called Square, which offers a smartphone app and a small piece of free hardware that plugs into a phone. The hardware swipes the credit card; Square charges 2.75 percent plus 15 cents for a swipe, or 3.5 percent plus 15 cents for a keyed-in credit card entry. There are no contracts, no set-up fees, no monthly fees and no monthly minimums. It has served as an alternative to payment gateways that charge higher fees.
  • EBay estimates the value of goods sold via its eBay iPhone app topped $400 million this year alone.
  • There are four major initiatives in the field of mobile money led by the GSM Association
  • Pay-Buy-Mobile is the NFC-based project chosen by the mobile industry to enable proximity-based services.
  • Mobile payments are growing, but so far they are used mostly for low-value transactions. Frost & Sullivan estimate the value of global m-payments at €140 billion at the end of 2012; moreover, the total payment value for NFC globally will reach more than €110 billion in 2015.
  • The mobile money market in Western Europe is forecast to grow to €6 billion by 2013.
  • Early analog technology was plagued by fraud. On the card side: credit card fraud, skimming, and then Chip and PIN (1990, 2004).
  • If we look at the service from the customer's point of view, one of the biggest concerns for consumers is certainly security. Security is traditionally regarded as a very straightforward matter in the eyes of consumers: allowing only intended purchases and preventing theft.
  • Security is of paramount importance in an e-payment system. As a first step in designing a cell-phone-based e-payment system, it is important to analyze the various security issues that may arise from the choice of platform and technologies. The truth, however, is that security is a complicated area in the mobile payments industry because of its complex architecture, made of many players with different roles. In particular, retail and transit payments with a mobile phone require wireless carriers, retailers, transport providers and banks to all work together.
  • We all know that a system is only as secure as the weakest link in the security chain, so it is important to analyze every single link of the chain.
  • In order to perform a security analysis of a mobile payment scheme it is necessary to understand the underlying standards, technologies, protocols and platforms. An accurate security analysis is possible only with a holistic view of the vulnerabilities at each layer, instead of considering only one dimension of the m-payment system. Based on academic papers, we used a taxonomy of vulnerabilities at the different layers and their effects; it is useful for examining how existing or proposed m-payment systems could be affected by them. We therefore started by assessing design flaws in the protocols and standards of mobile networks and m-payment systems; we then assessed platforms from the hardware and software point of view; and finally we analyzed devices, especially taking into consideration new generations of malware and spyware.
  • Let's now take a look at some potential security issues affecting mobile payments. In 2008 Collin Mulliner demonstrated that NFC technology can be attacked using a man-in-the-middle, so the connection should be protected using strong cryptographic algorithms at higher layers. Nowadays it has been widely demonstrated that with low-cost equipment it is possible to eavesdrop on calls by cracking the A5/1 algorithm used in GSM networks. Takeover is related to impersonation attacks: what the customer expects does take place, but with a different entity. Data modification and loss of an NFC/RFID device are quite self-explanatory from the security point of view.
  • We are now aware of the major threats related to mobile payments; let's take a look at the possible impacts. They range from revenue losses in case of fraudulent transactions, to loss of confidentiality, especially of information such as credit card data and PINs, up to misuse of communication services and SIM cards.
  • Up to now we have described some theory and academic work, even if with a very pragmatic approach. But now we need to understand whether someone, and I'm talking about hackers or fraudsters, is interested in mobile payment. The answer is, unfortunately, yes, and you don't need to throw a dice: the rationale is always the same, fraudsters will always follow the money, and with mobile payments we are managing exactly what they want.
  • Everything is real and it is already happening. Let me just give you some examples: last June Collin Mulliner gave a presentation of attacks on NFC at the hacker conference NinjaCon. What surprised the audience was that he did it with very low-budget equipment, which makes it even more risky. By the way, all the operating systems are affected: some hackers have added NFC to the iPhone and others are trying to break Android systems with NFC embedded.
  • These types of threats and vulnerabilities will open the door to new fraud scenarios. Some evergreen frauds such as identity theft and skimming of transactions will be used to purchase goods. We will also see convergence between payment and mobile frauds: just imagine downloading malware hidden in a tag that is able to make calls or send SMS to premium-rate numbers in a way that is completely transparent to the customer.
  • So we have understood that security is a very complex matter in mobile payments, because every link in the chain must be properly secured.
  • Let's now take a deeper look at some of these elements from the customer's point of view. The final user becomes a central and strategic point for the security of the entire end-to-end ecosystem. What's new from the user's perspective? Certainly new behaviours, so a new customer awareness is needed in order to increase attention to security.
  • The endpoint is evolving too. Devices that are anywhere and always on make it difficult to define a perimeter, so a new security approach is needed.
  • And here comes the secure element. It is a critical element for mobile payment security. Depending on where it is located, different players are involved in the security pattern: if it is embedded, the device manufacturer will be the protagonist; if it is in the SD card, a card company; and if we choose the SIM card option, the mobile operator will be involved.
  • Thank you very much for your attention.
  • And if you have any questions, Stefano and I will be more than pleased to answer them now or during the coffee break.

    1. Detailing the fraud & security issues surrounding mobile payments. Barcelona, 28.09.2011. Stefano Maria De' Rossi, Francesco Magini
    2. Agenda
       • Mobile payment overview
       • Brief overview of mobile fraud
       • Mobile payment threat management
       • Key takeaways
    3. What are mobile payments?
    4. Mobile payment: a definition (diagram of overlapping terms: Mobile Payments, Mobile Financial Services, Mobile Banking, Mobile Commerce, Mobile Money Transfer)
    5. Mobile payment: a definition. Mobile Payment is a composite payment model which encompasses different paradigms, all characterized by the use of the mobile phone as their primary means of interaction. The mobile device may be used for any or all of the steps:
       • Initiate the transaction (e.g., begin checkout)
       • Authenticate the transaction
       • Settle the transaction on the mobile phone bill
    6. SEPA sets apart two types of mobile payments (SEPA mobile payment framework): remote payments and proximity payments
    7. Main types of mobile payments: proximity payments (SEPA main type)
       • Payment is made at the Point of Sale (POS) or in proximity to the recipient
       • Competes with cash or swiping a plastic debit or credit card
       • Similar to a card-present transaction
       • Often involves Near Field Communication (NFC)
    8. Main types of mobile payments: remote payments (SEPA main type)
       • Payment is made remotely (e.g., via a web-enabled retailer)
       • Competes with PayPal, credit, debit and prepaid cards
       • Similar to a card-not-present transaction
       • Often involves Premium SMS or direct carrier billing
    9. 5 types of Mobile Payments
    10. MOBILE AT THE POINT OF SALE (the mobile wallet): paying for things at a store with a mobile device using NFC, "tap & go" or some other yet-to-be-hyped method
    11. MOBILE AS THE POINT OF SALE (every smartphone is a cash register): a merchant using a mobile device to process credit card payments. Do not confuse this with mobile payment; they are not the same thing.
    12. MOBILE PAYMENT PLATFORM (everything else mobile payment): a "catch-all" category for products that let consumers send money to merchants or even to each other (P2P) using a mobile device. It might be at the point of sale, it might be online.
    13. DIRECT CARRIER BILLING (put it on my phone bill): consumers buying ringtones, games or digital content by putting the charges on their cell phone bill
    14. CLOSED LOOP MOBILE PAYMENT (the return of the store credit card: now it's mobile): if a company doesn't want to wait for someone else to build a wallet or a platform, it can always build its own. Starbucks did 3 million transactions in their first two months.
    15. Mobile Money Initiative within GSMA: Mobile Ticketing
    16. "Pay-Buy-Mobile": introduction
       • Pay-Buy-Mobile is an operator initiative within the GSM Association
       • The focus of GSMA Pay-Buy-Mobile is a UICC-based, NFC-enabled mobile proximity payment handset that interacts (contactless) with a Point Of Sale (POS) terminal to perform the payment transaction ("tap-and-go")
    17. Pillar 1 - UICC. The UICC is considered the most appropriate NFC secure element for the mobile phone. The UICC (Universal Integrated Circuit Card) is also known as the "SIM card". The SIM card is used as a multi-application Secure Element to perform trusted transactions with a contactless terminal.
    18. Pillar 2 - Near Field Communication. NFC, or near-field communication, is a short-range radio communication technology that provides a way for two devices to exchange small amounts of data when they are placed about four inches apart. NFC is the technology of choice for the mobile industry to enable proximity-based services using the mobile phone.
    19. 46 MNOs currently participating: AT&T (Phase 2 Lead), KTF (Phase 1 Lead), Brazil Telecom, Celcom, Chunghwa Telecom, CMCC, EITC, Etisalat, FarEasTone, GlobeTel, IMC Island, Kall, KPN, Maxis, MCI, Meteor, MobiCom, Mobilkom Austria, Mobitel d.d., MTN, MTS, NTT DoCoMo, Orange, Partner, Pelephone, Rogers, SFR, SINGTEL, SINGTEL OPTUS, SK Telecom, SMART, Softbank Mobile, Starhub, Swisscom, Taiwan Mobile, TDC, Telefonica-O2, Telenor, TeliaSonera, Telecom Italia, Telstra, Turkcell, Vimpelcom, Vodafone, Wind, Zain
    20. M-payment status around the world - some examples (Source: Frost & Sullivan)
       • France: NFC trials; mobile ticketing
       • Italy: mobile ticketing
       • Germany: mobile ticketing; NFC trials
       • United Kingdom: NFC trials; Oyster
       • Bangladesh: mobile remittance
       • China: contactless mobile payment (non-NFC based)
       • The Philippines: mobile banking
       • Japan: contactless payments since 2004
       • Korea: proximity payment services since 2002
       • Kenya: mobile for the unbanked
       • South Africa: mobile remittance
       • Sub-Saharan Africa: mobile remittance
       • Canada: NFC trials
       • USA: NFC trials
    21. That's the technology… but what about the money?
    22. M-payment is positioned as a potentially lucrative revenue stream (bubble chart of market volume over time through introduction, growth, maturity and decline: fixed telephony, mobile communications, enhanced TV services, fixed broadband, broadcast mobile TV services, mobile payments (excluding SMS-based), quad-play services, mobile broadband, triple-play services; bubble size approximates revenue accruing to communications service providers. Source: Frost & Sullivan)
    23. Mobile payments are growing
    24. A €6 billion opportunity by 2013 in Western Europe. The market is expected to grow at an average of 25 per cent annually over the next five years.
    25. Why fraudsters care:
       • "Innovative" technology
       • Valuable market size
       • Mobile device
    26. The bad news - mobile fraud losses (*). (*) Communications Fraud Control Association
    27. Mobile Phone Frauds. Mobile phone fraud is not a new topic, and today's mobile security reflects the industry's experience of fighting fraud. (Timeline 1950-2010, "Evolution of technical threats against mobiles and cards": radio telephony; 1G analog cellular and mobile cloning; 2G digital cellular and SIM; 3G and USIM; 4G and mobile tampering; on the card side embossing, magnetic stripe with skimming and counterfeiting, then EMV Chip and PIN.)
    28. Evolution of the fraud scenario: phreaking fraud, vishing fraud
    29. Telecoms market: new services trend. Changes in the telco world are driven by radical evolutions, from new technologies up to new services linked to different markets (Internet, media, banking). New types of threats and frauds are on the rise.
    30. What are the big concerns regarding mobile payments? (Source: Mobile Money Market: Key Market Drivers & Restraints (2010-2015))
       • Drivers: better user awareness; ease of payment; secure network; interoperability across networks and platforms; efficiency and speed of mobile networks
       • Restraints: lack of regulation on mobile transactions; quality of service; lack of collaboration between players; high cost of solution; security concerns
       Security will remain a key inhibitor.
    31. Mobile Payment Risks. Mobile payment services need a complex architecture involving many players with different roles… (diagram centred on the mobile payment application. Source: Aujas)
    32. A chain is only as strong as its weakest link…
    33. Mobile Payment Risk Assessment. In order to make a complete risk assessment it is important to analyze the entire mobile payment ecosystem (Source: Security Issues in Mobile Payment Systems, University of India):
       • Mobile payment protocol: design flaws in mobile protocols; design flaws in m-payment protocols; weak cryptographic algorithms
       • Platform (HW, SW): side-channel attacks; SIM cloning; vulnerable APIs/apps
       • Devices (OS): malware; spyware
       • Resulting attacks: man-in-the-middle attack; replay attacks; repudiation; impersonation; unauthorized access
    34. Mobile Payment Security Issues
       • Man-in-the-middle attacks: applications may use higher-layer cryptographic protocols such as SSL to establish a secure channel on top of the NFC standard.
       • Eavesdropping: interception of the communication.
       • Take over: related to the impersonation attack; what the customer expects does take place, but with a different entity.
       • Data modification: it is relatively easy to alter data by using an RFID jammer. There is currently no way to prevent such an attack; however, some NFC devices can check the RF field to possibly detect attacks.
       • Lost property: losing the NFC/RFID card/device opens access to any finder, since the device acts as a single-factor authenticating entity. Mobile phones protected by a PIN code act as a single authenticating factor.
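Slide 34 says man-in-the-middle attacks must be countered with cryptography at a layer above the NFC link, and slide 33 lists replay, impersonation and data modification as the attacks that result when that layer is missing. The Python example below is added here and is not part of the original deck. It simulates that higher layer: a secure element produces a keyed MAC over the transaction fields, a terminal-chosen nonce and a monotonic counter, loosely modelled on the EMV application cryptogram but deliberately simplified (HMAC-SHA256 in place of the EMV key hierarchy; the key, token, merchant identifier and amounts are all constructed for the demo). It shows that an amount changed in flight, a replayed transaction and a forged transaction from a party that lacks the key are each rejected, while a passive eavesdropper learns nothing it can reuse.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, replace

# Constructed demo key. In a deployment it exists only inside the secure element
# (UICC / embedded SE) and at the issuer; it is never sent over the NFC link.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

APPROVED = "approved"
UNKNOWN_CARD = "unknown card"
TAMPERED = "cryptogram mismatch (tampered or forged)"
REPLAY = "stale counter (replay)"
NOT_BOUND = "response not bound to this tap"


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so that no two field boundaries can be confused."""
    out = bytearray()
    for f in fields:
        if len(f) > 255:
            raise ValueError("field too long")
        out.append(len(f))
        out += f
    return bytes(out)


@dataclass(frozen=True)
class Transaction:
    card_id: str        # payment token presented by the phone (not a real PAN)
    merchant_id: str    # POS / acquirer identifier
    amount_cents: int
    currency: str
    nonce: bytes        # terminal "unpredictable number", fresh for every tap
    counter: int        # secure element transaction counter, strictly increasing
    cryptogram: bytes   # MAC computed inside the secure element

    def authenticated_fields(self) -> bytes:
        return _encode(self.card_id.encode(), self.merchant_id.encode(),
                       self.amount_cents.to_bytes(8, "big"), self.currency.encode(),
                       self.nonce, self.counter.to_bytes(4, "big"))


class SecureElement:
    """The UICC / embedded SE role: holds the key and the transaction counter."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key, self._counter = card_id, key, 0

    def authorize(self, merchant_id: str, amount_cents: int, currency: str, nonce: bytes) -> Transaction:
        self._counter += 1
        tx = Transaction(self.card_id, merchant_id, amount_cents, currency, nonce, self._counter, b"")
        mac = hmac.new(self._key, tx.authenticated_fields(), hashlib.sha256).digest()
        return replace(tx, cryptogram=mac)


class Issuer:
    """Back end that shares the card key and remembers the last counter seen per card."""

    def __init__(self, keys: dict):
        self._keys, self._last_counter = keys, {}

    def verify(self, tx: Transaction) -> str:
        key = self._keys.get(tx.card_id)
        if key is None:
            return UNKNOWN_CARD
        expected = hmac.new(key, tx.authenticated_fields(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx.cryptogram):   # constant-time compare
            return TAMPERED
        if tx.counter <= self._last_counter.get(tx.card_id, 0):
            return REPLAY
        self._last_counter[tx.card_id] = tx.counter
        return APPROVED


class Terminal:
    """POS role: picks the nonce, talks to the SE over NFC, forwards online to the issuer."""

    def __init__(self, merchant_id: str, issuer: Issuer):
        self.merchant_id, self._issuer = merchant_id, issuer

    def tap(self, se: SecureElement, amount_cents: int, currency: str) -> str:
        nonce = secrets.token_bytes(8)
        tx = se.authorize(self.merchant_id, amount_cents, currency, nonce)  # over the RF link
        # A pre-recorded or relayed response cannot carry this tap's nonce, merchant and amount.
        if (tx.nonce, tx.merchant_id, tx.amount_cents) != (nonce, self.merchant_id, amount_cents):
            return NOT_BOUND
        return self._issuer.verify(tx)


def demo() -> dict:
    """An honest tap, then the attacks from the slide against the same link."""
    issuer = Issuer({"tok-demo-1": CARD_KEY})
    se = SecureElement("tok-demo-1", CARD_KEY)
    pos = Terminal("POS-0042", issuer)
    results = {"honest": pos.tap(se, 1250, "EUR")}

    # An eavesdropper captured a genuine exchange and replays it unchanged.
    genuine = se.authorize("POS-0042", 480, "EUR", secrets.token_bytes(8))
    results["first_use"] = issuer.verify(genuine)
    results["replayed"] = issuer.verify(genuine)

    # A man-in-the-middle raises the amount after the SE has signed it.
    results["tampered"] = issuer.verify(replace(genuine, amount_cents=48000))

    # An impersonator knows every field but not the key; any cryptogram it invents fails.
    forged = replace(genuine, counter=genuine.counter + 1, cryptogram=secrets.token_bytes(32))
    results["forged"] = issuer.verify(forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The order of checks matters: the MAC is verified before the counter is consulted, so an attacker cannot use counter errors to probe which fields the issuer accepts, and `hmac.compare_digest` keeps the comparison constant-time. Confidentiality of the fields themselves is out of scope here; the slide's point is integrity and freshness over a link anyone within range can read.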
    35. Mobile Payment Risks
       • Major threats: frauds (transactions); mobile platform issues; mobile payment application database threats; SIM card application attacks; app store security issues; mobile payment application (IP-based) threats; mobile device security
       • Impacts: revenue losses (fraudulent transactions); confidentiality (personal data: credit/debit card data, PIN, etc.); communications services misuse; SIM card & applications misuse
    36. Are hackers/fraudsters really interested in mobile payment?
    37. Just some examples…
       • Last June Mr. Collin Mulliner gave a presentation on attacks against NFC at the NinjaCon/B-Sides conference in Vienna, Austria
       • Some possible attack methods with very low-budget equipment were described
       • Some hackers have added NFC to the iPhone
       • Others are trying to break Android systems (more specifically, Nexus S users) that already have NFC built into their phones
    38. Let's take a look at some possible frauds
       • Identity theft: passport details, ID cards and loyalty cards used to support the purchase of goods
       • Theft of personal information: "Nhishing" (phishing over NFC) to gain information for use in other frauds
       • Skimming of transactions at the point of sale, using the information for small purchases which will go unverified (theft of electronic money)
       • Monitoring the PIN being entered on a terminal to confirm a high-value NFC financial transaction, to be used later with the terminal
       • Interception of goods transferred to the terminal, such as ring tones etc.
       • Injecting malware/malicious content from a tag that claims to offer something free but in fact connects to a premium-rate URL and bills your terminal account
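The last bullet describes a tag that advertises something free but, once read, drives the handset to a premium-rate destination. On the handset side the defence is to treat tag content as untrusted input: decode it strictly and apply a policy before acting on it. The Python example below is added here and is not from the original deck. It assumes the tag carries an NFC Forum NDEF message with a single well-known URI record (the deck does not name the format), implements only the short-record layout and the first seven URI prefix codes, and uses a constructed allowlist host. Anything it cannot parse, any scheme whose activation dials or sends a message (tel:, sms:, smsto:, mms:) and any non-HTTP scheme are rejected; an unknown web host requires user confirmation instead of an automatic open.

```python
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: the first payload byte selects a prefix.
# Only the codes used here are listed; any other code is treated as unsupported.
URI_PREFIX = {
    0x00: "",            # no abbreviation: the full URI follows
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01
RTD_URI = b"U"

# Schemes whose mere activation can cost the user money or leak data to a third party.
BILLING_SCHEMES = {"tel", "sms", "smsto", "mms"}
# Constructed allowlist: hosts the wallet application may open without asking.
ALLOWED_HOSTS = {"pay.example.com"}


def build_uri_tag(prefix_code: int, remainder: bytes) -> bytes:
    """Construct a one-record, short-record NDEF message holding a URI (demo input only)."""
    payload = bytes([prefix_code]) + remainder
    if len(payload) > 255:
        raise ValueError("short record payload limit exceeded")
    # Header flags: MB=1, ME=1, CF=0, SR=1, IL=0, TNF=0x01 -> 0xD1
    return bytes([0xD1, len(RTD_URI), len(payload)]) + RTD_URI + payload


def parse_ndef_uri(tag: bytes) -> str:
    """Decode a single short-record NDEF URI record; raise ValueError on anything else."""
    if len(tag) < 3:
        raise ValueError("truncated NDEF header")
    flags = tag[0]
    mb, me, cf, sr, il = (flags >> 7) & 1, (flags >> 6) & 1, (flags >> 5) & 1, (flags >> 4) & 1, (flags >> 3) & 1
    if not (mb and me) or cf or not sr:
        raise ValueError("unsupported layout (multi-record, chunked or long payload)")
    if flags & 0x07 != TNF_WELL_KNOWN:
        raise ValueError("not a well-known type record")
    type_len, payload_len = tag[1], tag[2]
    pos, id_len = 3, 0
    if il:
        if len(tag) < 4:
            raise ValueError("truncated NDEF header")
        id_len, pos = tag[3], 4
    rtype = tag[pos:pos + type_len]
    pos += type_len + id_len
    payload = tag[pos:pos + payload_len]
    if rtype != RTD_URI:
        raise ValueError("not a URI record")
    if payload_len == 0 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    prefix = URI_PREFIX.get(payload[0])
    if prefix is None:
        raise ValueError(f"unsupported URI prefix code 0x{payload[0]:02x}")
    return prefix + payload[1:].decode("utf-8")


def classify_tag(tag: bytes) -> str:
    """Decide what the wallet may do with a scanned tag: allow, prompt, or reject."""
    try:
        uri = parse_ndef_uri(tag)
    except (ValueError, UnicodeDecodeError) as exc:
        return f"reject: {exc}"
    scheme = uri.partition(":")[0].lower()
    if scheme in BILLING_SCHEMES:
        return f"reject: {scheme}: URI would trigger a billable action without consent"
    if scheme not in ("http", "https"):
        return f"reject: scheme {scheme!r} not allowed from a tag"
    host = (urlsplit(uri).hostname or "").lower()   # real URL parsing, not string search
    if host not in ALLOWED_HOSTS:
        return f"prompt: untrusted host {host!r}, ask the user before opening"
    return f"allow: {uri}"


# Constructed sample tags: one legitimate, three hostile, one truncated on the air.
SAMPLE_TAGS = {
    "merchant": build_uri_tag(0x03, b"pay.example.com"),
    "premium_call": build_uri_tag(0x05, b"+000000000000"),
    "premium_sms": build_uri_tag(0x00, b"sms:00000?body=GO"),
    "lookalike_site": build_uri_tag(0x04, b"free-gift.example/claim"),
    "truncated": bytes.fromhex("d101105503706179"),
}

if __name__ == "__main__":
    for name, tag in SAMPLE_TAGS.items():
        print(f"{name:15s} {classify_tag(tag)}")
```

Two design points carry over to any wallet: the host check uses the URL parser rather than a substring match, so `http://pay.example.com@free-gift.example/` is correctly attributed to the attacker's host, and every parse failure is a rejection, never a best-effort open.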
    39. Mobile Application Security
    40. Mobile Application Security: user security. The final user becomes a central and strategic point for the entire end-to-end ecosystem security (Source: Mobile Payment Security, PwC)
       • New customer behaviours
       • Consumerization
       • Lost/stolen devices
       • A new customer awareness is needed
    41. Mobile Application Security: endpoint security. Devices are anywhere and always on; the security perimeter is wider and boundaries are not well defined
       • Data theft, cloning, malware, device theft
       • Smartphones with increased computational power
       • Low level of device security
    42. The Secure Element
       • The secure element is a critical element for the entire mobile payment security.
       • It stores "in a secure way" applications and data for payment services, and cryptographic keys
       • It can be hosted by device manufacturers (embedded), card companies (SD card) or mobile operators (UICC/SIM)
    43. Summary & key messages
       • Market status: there has been progress in m-payment trials and deployments in Europe, but mass adoption remains to be seen.
       • Market outlook: the outlook for m-payment remains positive because of technology availability, an increased sense of urgency amongst key stakeholders to enable m-payment functions, and a growing number of end users being comfortable with m-payment functions.
       • Market expectations: m-payment methods will vary across Europe; the dominance of SMS-based m-payment functions will continue, but contactless technology may become important over the medium term.
    44. Key success factors
       • Ease of use for the consumer: in the absence of any life-critical need, m-payment is a new service that requires consumers to change their habits. Convenience of use becomes very critical.
       • Security assurance: we strongly believe that the predominant m-payment technology will be the one that provides an appropriate security level proportionate to the m-transaction.
       • Standardisation & interoperability: the ecosystem requires further development to reduce complexity in interactions amongst stakeholders. Standardisation and interoperability efforts are crucial to decrease fragmentation in the ecosystem.
    46. [email_address] [email_address]