Mobile Payment fraud & risk assessment

Detailing the fraud & security issues surrounding mobile payments Barcellona, 28.09.2011 Stefano Maria De' Rossi Francesco Magini

Agenda Mobile payment overview Brief overview of Mobile Fraud Mobile payment threat management Key takeaways

What are mobile payments ?

Mobile payment: a definition Mobile Payments Mobile Financial services Mobile Banking Mobile Commerce Mobile Money transfer

Mobile payment: a definition Mobile Payment is a composite payment model which encompasses different paradigms , all characterized by the use of the Mobile phone as their primary means of interaction . Mobile device may be used to do any/all of the steps:
Initiate transaction (e.g., begin checkout)
Authenticate transaction
Settle transaction on the mobile phone bill

SEPA set apart 2 types of mobile payments SUB POINT Remote payments SEPA mobile payment framework Proximity payments

Main types of mobile payments SEPA main type Proximity payments
Payment is made at the Point of Sale (POS) or in proximity to recipient
Competes with cash or swiping a plastic debit or credit card
Similar to a card-present transaction
Often involves Near Field Communication (NFC)

Main types of mobile payments Remote payments SEPA main type
Payment is made remotely (e.g., via a web-enabled retailer)
Competes with PayPal, credit, debit and prepaid cards
Similar to a card-not-present transaction
Often involves Premium SMS or direct carrier billing

5 types of Mobile Payments

MOBILE AT THE POINT OF SALE (the mobile wallet) It’s paying for things at a store with a mobile device using NFC or “tap & go” or some other yet to be hyped method

MOBILE AS THE POINT OF SALE (every smartphone is a cash register) This is merchant using a mobile device to process credit card payments. Do not confuse this with mobile payment. They are not the same thing

MOBILE PAYMENT PLATFORM (everything else mobile payment) This is a “catch all” category for product that let consumer send money to merchants or even each other (p2p) using mobile device. It might be at the point of sales, it might be on line.

DIRECT CARRIER BILLING (Put it on my phone bill) This is consumer buying ringtones or games or digital content by putting the charges on their cell phone bill

CLOSED LOOP MOBILE PAYMENT (the return of the store credit card: now it’s mobile) If a company doesn’t want to wait for someone else to build a wallet or a platform, it can always build it’s own. Starbucks did 3 million transaction in their first two months.

Mobile Money Initiative within GSMA Mobile Ticketing

“ Pay-Buy-Mobile”: introduction
Pay-Buy-Mobile is a Operator initiative within the GSM Association
Focus of GSMA Pay-Buy-Mobile is:
UICC-based
NFC-enabled mobile proximity payment handset
Interacts (contactless) with Point Of Sale (POS) terminal to perform payment transaction “tap-and-go”)

Pillar 1 - UICC The UICC is considered the most appropriate NFC secure element for the mobile phone The UICC (Universal Integrated Circuit Card) is also known as the “SIM Card”) The SIM card is used as a multi-application Secure Element to perform trusted transactions with a contactless terminal.

Pillar 2 - Near Field Communications NFC, or near-field communications, is a short-wave radio communications technology that provides a way for two devices to communicate small amounts of data when they're placed about four inches apart. NFC is the technology of choice for the mobile industry to enable proximity-based services using the mobile phone

46 Participating MNOs currently participating
AT&T (Phase 2 Lead)
KTF (Phase 1 Lead)
Brazil Telecom
Celcom
Chunghwa Telecom
CMCC
EITC
Etisalat
FarEasTone
GlobeTel
IMC Island
Kall
KPN
Maxis
MCI
Meteor
MobiCom
Mobilkom Austria
Mobitel d.d.
MTN
MTS
NTT DoCoMo
Orange
Partner
Pelephone
Rogers
SFR
SINGTEL
SINGTEL OPTUS
SK Telecom
SMART
Softbank Mobile
Starhub
Swisscom
Taiwan Mobile
TDC
Telefonica-O2
Telenor
TeliaSonera
Telecom Italia
Telstra
Turkcell
Vimpelcom
Vodafone
Wind
Zain

M-payment status around the world – some examples Source: Frost & Sullivan
France
NFC trials
Mobile ticketing
Italy
Mobile ticketing
Germany
Mobile ticketing
NFC trials
United Kingdom
NFC trials
Oyster
Bangladesh
Mobile remittance
China
Contactless mobile payment (Non NFC based)
The Philippines
Mobile banking
Japan
Contactless payments since 2004
Korea
Proximity payment services since 2002
Kenya
Mobile for the Unbanked
South Africa
Mobile remittance
Sub-Saharan Africa
Mobile remittance
Canada
NFC trials
USA
NFC trials

That’s the technology… but what about the money ?

M-payment is positioned as a potentially lucrative revenue stream Time Market Volume Low Introduction Growth Maturity Decline High Fixed telephony Mobile communications Enhanced TV services Fixed broad-band Source: Frost & Sullivan Broadcast mobile TV services NB: bubble size approximates revenue accruing to communications service providers Mobile payments (excluding SMS-based) Quad-Play services Mobile broadband Triple Play services

Mobile payments are growing

A €6 billion opportunity by 2013 in Western Europe The market is expected to grow at an average of 25 per cent annually over the next five years

“ Innovative” technology
Valuable market size
Mobile device

The bad news – mobile fraud losses (*) www.cfca.org Communications Fraud Control Association (*)

Mobile Phone Frauds Mobile phone fraud is not a new topic and today’s mobile security reflects the industry’s experience of fighting against fraud Analog Cellular mobile cloning Magnetic Stripe skimming Radio Telephony 1950 1970 1990 2000 2010 3G 4G mobile tampering Evolution of technical threats against mobiles and cards Analog Cellular mobile cloning 1G Digital Cellular 2G SIM USIM EMV Magnetic Stripe Embossing skimming counterfeiting 1980 Chip and PIN

Evolution of fraud scenario Phreaking fraud Vishing fraud

TLC market: new services trend Changes in the telco world are affected by radical evolutions starting from new technologies up to new services linked to different markets (Internet, media, banking) New types of threats and frauds are on the rise

What are the big concerns regarding mobile payments? Source: Mobile Money Market: Key Market Drivers & Restraints (2010-2015) Lack of regulation on mobile transactions Quality of service Lack of collaboration between players High cost of solution Better user awareness Ease of payment Secure network Interoperability across networks and platforms Efficiency and speed of mobile networks Drivers Restraints Security will remain a key inhibitor Security concerns

Mobile Payment Risks Mobile payment services need a complex architecture involving many players with different roles… Mobile Payment application Source: Aujas

A chain is only as strong as its weakest link…

Mobile Payment Risk Assessment In order to make a complete risk assessment it’s important to analyze the entire mobile payment ecosystem Man-in-the-middle attack Replay attacks Repudiation Impersonation Unauthorized access Source: Security Issues in Mobile Payment Systems, University of India Mobile payment Protocol Design flaws in mobile protocols Design flaws in m-payment protocols Weak cryptographic algorithm Platform HW SW Side channel attack SIM cloning Vulnerable APIs/Apps Devices Malware Spyware OS

Mobile Payment Security Issues
Man-in-the-middle attacks - applications may use higher-layer cryptographic protocols such as SSL to establish a secure channel on top of the NFC standard.
Eaves dropping - by interception of the communication
Take over - is related to the impersonation attack. The take over of what is expected from a customer perspective but dealing with a different entity.
Data modification - t is relatively easy to alter data by using an RFID jammer. There is no way currently to prevent such an attack. However, some NFC devices can check the RF field to possibly detect attacks.
Lost property - losing the NFC/RFID card/device will open access to any finder and act as a single-factor authenticating entity. Mobile phones protected by a PIN code act as a single authenticating factor.

Mobile Payment Risks
Frauds (transactions)
Mobile Platform Issues
Mobile Payment Application’s Database threats
SIM Card Application Attacks
App Store Security Issues
Mobile Payment Applications ( IP Based) threats
Mobile Device Security
Major Threats Impacts
Revenue Losses (Fraudulent Transactions)
Confidentiality (Personal Data –Credit/Debit Card Data, PIN, etc.)
Communications Services Misuse
SIM Card & Applications Misuse

Are hackers/fraudsters really interested in mobile payment?

Just some examples…
Last June Mr. Collin Mulliner gave a presentation of attacks to NFC at the NinjaCon/B-Sides Conference in Vienna, Austria http://www.mulliner.org/nfc/feed/nfc_ndef_security_ninjacon_2011.pdf
Some possible attack methods with very low budget equipment were described.
Some hackers have added NFC to IPhone http://www.unplggd.com/unplggd/iphone/add-nfc-payment-to-your-iphone-4-152556
Others are trying to break Android systems (or more specifically, Nexus S users) that already have NFC built into their phones

Let’s take a look at some possible frauds
Identity theft - passports details, ID cards and loyalty cards used to support purchase of goods.
Theft of personal information - “ Nhishing ” ( phishing of NFC) to gain information for use in other frauds
Skimming of transactions at the point of sale using information for small purchases which will be unverified (theft of electronic money)
Monitoring the PIN being entered to a terminal to confirm a high value NFC financial transaction to then be later used with the terminal.
Interception of goods transferred to the terminal such as ring tones etc.
Injecting malware/malicious content from a tag that says it’s something free but it in fact connects and bills to your terminal account using Premium rate URL

Mobile Application Security

Mobile Application Security User Security The final user becomes a central and strategical point for the entire end-to-end ecosystem security Source: Mobile Payment Security, PWC
New customer behaviours
Consumerization
Lost/stolen devices
A new customer awareness in needed

Mobile Application Security Endpoint Security Devices are anywhere and always on, the security perimeter is wider and boundaries are not well defined
Data theft, cloning, malware, device theft
Smartphones with increased computational power
Low level device security

The Secure Element
The secure element is a critical element for the entire mobile payment security.
It stores «in a secure way» applications/datas for service payment and cryptographic keys
Device manufacturers Card companies Mobile Operators

Summary & key messages Market status There has been progress in m-payment trials and deployments in Europe but mass adoption remains to be seen. Market outlook The outlook for m-payment remains positive because of technology availability, an increased sense of urgency amongst key stakeholders to enable m-payment functions, and a growing number of end users being comfortable with m-payment functions. Market expectations M-payment methods will vary across Europe; the dominance of SMS-based m-payment functions will continue but contactless technology may become important over the medium term.

Key success factors Ease of use for the consumer In the absence of any life critical need, m-payment is a new service that requires consumers to change their habits. Convenience of use becomes very critical. Security assurance We strongly believes that the predominant m-payment technology will be the one that provides an appropriate security level proportionate to the m-transacton. Standardisation & Interoperability The eco-system requires further development to reduce complexity in interactions amongst stakeholders. Standardisation and efforts of interoperability are crucial to decrease fragmentation in the eco system.

[email_address] [email_address]

Mobile Payment fraud & risk assessment

by Stefano de Rossi on Sep 28, 2011

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 10

Statistics

Mobile Payment fraud & risk assessment Presentation Transcript

http://www.artofsmart.it	9
https://si0.twimg.com	1