SlideShare a Scribd company logo

Mobile payment-security-risk-and-response

DESMOND YUEN
DESMOND YUEN

Presentation from 2018 RSA Conference Mobile Payment Ecosystem Mobile Payment Risk Analysis How to build secured mobile system QR Code, NFC, Smart card, RFID

Mobile
1 of 28
Download to read offline
SESSION ID: #RSAC Shaoliang Chen MOBILE PAYMENT SECURITY RISK AND RESPONSE MBS-F02 Senior Security Expert
Email:stevenchen2081@gmail.com # R S A C 2 About Me Shaoliang Chen Senior Security Expert Email: stevenchen2081@gmail.com Twitter: @stevenchen2081 WeChat: • Position: Senior Security Expert at PricewaterhouseCoopers(PwC) Beijing office • Security experience: A decade of experience in the information security area • Finance Industry experience: As a Chief Security Architect role in mobile payment system construction • Social activities: Presenter at security and financial conferences • Personal contributions: A series of papers on mobile payment security
Email:stevenchen2081@gmail.com # R S A C 3 • Mobile Payment Ecosystem • Mobile Payment Risk Analysis • How to Build Security Mobile System Agenda
Email:stevenchen2081@gmail.com # R S A C 4 Part 1 Mobile Payment Ecosystem
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Definition and Methods 5 Mobile Payment QR code Payment NFC Payment RFID Smart Card Near field communication classical scenarios: Near Field Communication (NFC) technology, POS Remote payment classical scenarios: mobile payment by QR code, sound waves, fingerprint, etc. NFC QR Code Electronic bracelet Smart watch
Email:stevenchen2081@gmail.com # R S A C # R S A C Global Mobile Payment Well-Known Brands 6  China Alipay: NFC, QR code WeChat Pay: QR code UnionPay: NFC, QR code  United States Apple Pay: NFC Google Pay: NFC Square: QR code PayPal: QR code  Other Brands South Korea: Samsung Pay India: Paytm Europe: Wirecard …… reference: xinhuanet.com, Chinadaily.com, various report
Email:stevenchen2081@gmail.com # R S A C 7 Mobile Payment Security Incidents reference: bankinfosecurity.com reference: zdnet.com/blackhat.com
Email:stevenchen2081@gmail.com # R S A C # R S A C 8 Security Issues for Payment Cyber Security 65% Data Privacy 35% Base on Capgemini & BNP Paribas “world-payments- report-2017” Survey revealed that bank executives are most concerned about cybersecurity(65.0%) and data privacy(35.0%) More and more people focus on cyber security for payment reference: www.worldpaymentsreport.com
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Architecture—QR payment 9 Mobile Payment User Mobile Payment Device Backend Data Communication Content Communication Mobile Payment APP Online QR Payment Mobile Payment Platform Accounting System Deal System Security Protection Risk Control HardwareNetwork Software Payment Content Module
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Process—QR payment 10 1.Open the payment app 2.Scan commodity OR code Server Database Merchant OR code 3. OR code is identified 5.Send payment request 6.1 Return payment result Mobile Payment System Online QR Payment Mobile Payment User Mobile Device Merchant 4.Confirm information
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Architecture—NFC payment 11 Mobile Payment User Mobile Payment Device Mobile Payment Platform Accounting System Deal System Security Protection Risk Control Backend Data Communication Content Communication HardwareNetwork Software POS NFC Communication Online NFC Payment NFC Module Payment Content Module Backend Data Communication Merchant
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Process- NFC payment 12 1.Open the payment app 2.Send NFC payment request Server Database Merchant POS 5.2 Return payment result Mobile Payment System 3.Read NFC account 4.Send order information and deduct money request 5.1 return payment result Device with NFC ModuleMobile Payment User
Email:stevenchen2081@gmail.com # R S A C 13 Part 2 Risk and Analysis
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Risk Demo—QR Payment 14 1.Open the payment app Server Database Merchant OR code 2.Hacker forge fake OR code and decoy victim to scan Hacker website 4.Malware infection/backdoor 5.Hackers control victim account 3.Scan OR code Payment Gateway Hacker Victim Malicious OR code
Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Risk Demo—Phishing 15 Server Database 2.Send phishing SMS 1.Hacker build fake base station Hacker website 4.Malware infection/backdoor 5.Hackers control user account 3.Open URL in SMS Payment Gateway Hacker Victim Fake base station
Email:stevenchen2081@gmail.com # R S A C # R S A C Risk Analysis — Device 16 • No Passcode • Weak Passcode • Operating System Vulnerability • Software Vulnerability • No Encryption • Weak Encryption • Phishing • Cross Frame • Clickjacking • Man-in-the-Middle • Buffer Overflow • Sensitive Data Storage • No Encryption/Weak Encryption • Improper SSL Certificate Validation • Source Code Vulnerability • Incorrect Default Permissions • Escalated Privileges • Malware • Side Channel Attack • Baseband Attack • SMS Phishing • Device Lost
Email:stevenchen2081@gmail.com # R S A C # R S A C Risk Analysis — Network 17 Protocol Man-in-the-Middle (MITM) Session Hijacking DNS (Domain Name System) Poisoning Fake SSL Certificate Access Wi-Fi (No Encryption/Weak Encryption) Rogue Access Point Packet Sniffing
Email:stevenchen2081@gmail.com # R S A C # R S A C Risk Analysis — Backend System 18 Web Application 01 02 03 Database Server ❖ Platform Vulnerabilities ❖ Brute-Force Attack ❖ OWASP Listed Web Vulnerabilities ❖ SQL Injection ❖ Privilege Escalation ❖ Data Dumping ❖ OS Command Execution ❖ APT Attack ❖ Server Misconfiguration
Email:stevenchen2081@gmail.com # R S A C 19 Part 3 How to build security mobile payment system
Email:stevenchen2081@gmail.com # R S A C 20 Mobile Payment Security Architecture Security Assessment Authentication System Compliance Account Authority Management Security Operation Privacy Protection Security Intelligence Anti-Fraud SDLCData Security Platform Platform People& Device APP Communication Server User Account Risk Control Key requirement Model • Device environment security check • Malware software check • APP source code security • File encryption locally • SDLC • Encryption protocol • Security check of access • Server OS update • Server application update • Anti-DDoS • API • Identity authentication • Strong authentication • User privacy management • User transaction identification • Risk management • Anti-Fraud
Email:stevenchen2081@gmail.com # R S A C Best Practice – Authentication Technology Comparison 21 Technology Features Key Points Security key • Strong encryption • Hardware key/USBkey • Key file (*.key….) • Build the key management system and ensure security • Hardware key/USBkey is proved more secure by now Biometric(fingerprint, facial recognition) • Higher identification rate • User unique • Risk of permanent leakage • Natural person property • Privacy protection and legal compliance Two-Factor Authentication • Hardware tokens • Software tokens • Smartphone tokens • Email, SMS • Mandatory to use when register • Anti-fraud combination Multi-factor Authentication • Multi-dimension • Knowledge,possesion • Various technologies (Security key, SMS, and etc.) • Backend analysis • Risk model judgement National IDs and ePassports • Name • ID number • Verified by public security department • Response whether match between name and ID number • Privacy
Email:stevenchen2081@gmail.com # R S A C Best Practice – Key Points for Security Testing 22 APPDevice Payment Backend Bank1 Bank2  Root  OS version  Access point/wireless/4G  Proxy  SSL certificates  Malware  Communication  Sensitive information  Login identity authentication  Logic check  SQL Injection/OWASP  Database permission  Interfaces  Transaction quota  Data Encryption  Blacklist (IP address or high risk account)  PCI-DSS Sample test scenarios: • Check block mechanism whether effectively deployment of payment process when using proxy IP address. • Check lock mechanism whether effectively deployment of login process with wrong user credential. • Check block mechanism whether effectively deployment of payment process when replacing SSL certificates.
Email:stevenchen2081@gmail.com # R S A C Best Practice – Anti-Fraud 1 23 Anti-Fraud Data Resource Account Behavior habits Abnormal transaction Device Information Big data analysis Account Relationship Account  Account status, active account or not  Black account list  Account risk rate Big data analysis  Frequency statistics  Biggest statistic Suspicious transaction  Abnormal operation, such as quickly transfer to multiple accounts.  Change account payment password in late night Account Relationship  Multiple accounts with the same identified individuals  Geographical position Device information  Device serial number  Device network MAC address  Device IMEI number  Device MEID number Behaviour habit  Trade time  Trade device  Trade amount number  Trade bank credit card
Email:stevenchen2081@gmail.com # R S A C Best Practice – Anti-Fraud 2 24 Flight duration time: 12 hours Scenario: Transaction IP address change in short time for one person with one account. First transaction IP address in China. Second transaction IP address in USA. Cause: Account information has been stolen or used proxy. Solution: 1. Block transaction directly 2. Manual verification 3. Deep analysis/Model Beijing San Francisco
Email:stevenchen2081@gmail.com # R S A C # R S A C 25 Mobile Payment Challenge—Method Selection  Which is more security?  NFC & QR code (Two principles) — Base on your business requirement — Every technology has vulnerabilities Method Security Authentication mode Security Control Reference Standard Main Risk Scenarios NFC • Security SE • Security chip • Password • Small amount transaction(no password and signature) • Backend quota one day one account • GSMA Organization • ECMA Organization • Lost device QR code • Encrypted URL • Security software Transaction amount control one day with one account<500 CNY China UnionPay has independent QR code standard and ecosystem, “EMVCo QR Code Specification for Payment Systems: Consumer Presented Mode 1.0” • Malware • Phishing URL:https://www.emvco.com/emv-technologies/qrcodes
Email:stevenchen2081@gmail.com # R S A C # R S A C 26 Mobile Payment Challenge – Smart Device • Various payment methods • i.e. wearable device payment • More complicated ecosystem • More interfaces • More dimensional attacks • More risk points Reference: csoonline.com
Email:stevenchen2081@gmail.com # R S A C # R S A C 27 Conclusions Identification authentication is the key factor for mobile payment security. New authentication technology does not mean that it is more secure. Pay more attention to privacy protection. Accumulating bad samples is the key to building a risk control model. Machine learning will become good solution to against mobile payment attack in the future. Rules and risk control models must be worked together now.
#RSAC THANK YOU Email: stevenchen2081@gmail.com Twitter: @stevenchen2081 WeChat:

Recommended

Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
Digital signature
Digital signatureDigital signature
Digital signatureHossain Md Shakhawat
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureMohamed Talaat
 
E-Commerce Security
E-Commerce SecurityE-Commerce Security
E-Commerce SecuritySyed Maniruzzaman Pabel
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor AuthenticationNikhil Shaw
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 

Recommended

Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
Digital signature
Digital signatureDigital signature
Digital signatureHossain Md Shakhawat
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureMohamed Talaat
 
E-Commerce Security
E-Commerce SecurityE-Commerce Security
E-Commerce SecuritySyed Maniruzzaman Pabel
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor AuthenticationNikhil Shaw
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 
Email security
Email securityEmail security
Email securityBaliram Yadav
 
Digital signature
Digital signatureDigital signature
Digital signatureFilipp Kolobov
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
e-commerce web development project report (Bookz report)
e-commerce web development project report (Bookz report)e-commerce web development project report (Bookz report)
e-commerce web development project report (Bookz report)Mudasir Ahmad Bhat
 
Malicious software
Malicious softwareMalicious software
Malicious softwareDr.Florence Dayana
 
Information and network security 8 security mechanisms
Information and network security 8 security mechanismsInformation and network security 8 security mechanisms
Information and network security 8 security mechanismsVaibhav Khanna
 
Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Suraj Dhalwar
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash functionomarShiekh1
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...JAINAM KAPADIYA
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanismsRajapriya82
 
consumer oriented applications
consumer oriented applicationsconsumer oriented applications
consumer oriented applicationspreetikapri1
 
Computer Crimes
Computer CrimesComputer Crimes
Computer CrimesIvy Rose Recierdo
 
Digital Signature ppt
Digital Signature pptDigital Signature ppt
Digital Signature pptOECLIB Odisha Electronics Control Library
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signaturejolly9293
 
Online security and payment system
Online security and payment systemOnline security and payment system
Online security and payment systemGc university faisalabad
 
Ec2009 ch10 e commerce security
Ec2009 ch10 e commerce securityEc2009 ch10 e commerce security
Ec2009 ch10 e commerce securityNuth Otanasap
 
Secnet
SecnetSecnet
Secnetarjun roy
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.pptShahidHussain265137
 

More Related Content

What's hot

public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
e-commerce web development project report (Bookz report)
e-commerce web development project report (Bookz report)e-commerce web development project report (Bookz report)
e-commerce web development project report (Bookz report)Mudasir Ahmad Bhat
 
Information and network security 8 security mechanisms
Information and network security 8 security mechanismsInformation and network security 8 security mechanisms
Information and network security 8 security mechanismsVaibhav Khanna
 
Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Suraj Dhalwar
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash functionomarShiekh1
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...JAINAM KAPADIYA
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanismsRajapriya82
 
consumer oriented applications
consumer oriented applicationsconsumer oriented applications
consumer oriented applicationspreetikapri1
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signaturejolly9293
 
Ec2009 ch10 e commerce security
Ec2009 ch10 e commerce securityEc2009 ch10 e commerce security
Ec2009 ch10 e commerce securityNuth Otanasap
 

What's hot (20)

Firewalls
FirewallsFirewalls
Firewalls
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
 
Email security
Email securityEmail security
Email security
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
e-commerce web development project report (Bookz report)
e-commerce web development project report (Bookz report)e-commerce web development project report (Bookz report)
e-commerce web development project report (Bookz report)
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Information and network security 8 security mechanisms
Information and network security 8 security mechanismsInformation and network security 8 security mechanisms
Information and network security 8 security mechanisms
 
Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash function
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanisms
 
consumer oriented applications
consumer oriented applicationsconsumer oriented applications
consumer oriented applications
 
Computer Crimes
Computer CrimesComputer Crimes
Computer Crimes
 
Digital Signature ppt
Digital Signature pptDigital Signature ppt
Digital Signature ppt
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signature
 
Online security and payment system
Online security and payment systemOnline security and payment system
Online security and payment system
 
Ec2009 ch10 e commerce security
Ec2009 ch10 e commerce securityEc2009 ch10 e commerce security
Ec2009 ch10 e commerce security
 

Similar to Mobile payment-security-risk-and-response

Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesBangNgoVanCong
 
S.m.o.k.e. technologies
S.m.o.k.e. technologiesS.m.o.k.e. technologies
S.m.o.k.e. technologiesshub99
 
whitelabel mobile payments system 230551927
whitelabel mobile payments system 230551927whitelabel mobile payments system 230551927
whitelabel mobile payments system 230551927Velmie
 
Wallet mobile-ui-presentation
Wallet mobile-ui-presentationWallet mobile-ui-presentation
Wallet mobile-ui-presentationVelmie
 
Balancing Security and Customer Experience
Balancing Security and Customer ExperienceBalancing Security and Customer Experience
Balancing Security and Customer ExperienceTransUnion
 
Faster Payments on the Blockchain
Faster Payments on the BlockchainFaster Payments on the Blockchain
Faster Payments on the BlockchainKaren Hsu
 
Safex pay avantgarde -presentation
Safex pay avantgarde -presentationSafex pay avantgarde -presentation
Safex pay avantgarde -presentationParvezKhan173
 
Digital Payment and 3-D Secure by Netcetera
Digital Payment and 3-D Secure by NetceteraDigital Payment and 3-D Secure by Netcetera
Digital Payment and 3-D Secure by NetceteraNetcetera
 
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankRisk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankPriyanka Aash
 
Mobile Payments - How is it done?
Mobile Payments - How is it done?Mobile Payments - How is it done?
Mobile Payments - How is it done?Parag Arjunwadkar
 
Adrian Nextel Pki Wireless
Adrian Nextel Pki WirelessAdrian Nextel Pki Wireless
Adrian Nextel Pki WirelessAdrian Levinson
 
The Future of Payments
The Future of PaymentsThe Future of Payments
The Future of PaymentsNetcetera
 
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account SecurityNice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account SecurityTransUnion
 
Secure Web Transaction
Secure Web TransactionSecure Web Transaction
Secure Web Transactionvikisharma24
 

Similar to Mobile payment-security-risk-and-response (20)

Secnet
SecnetSecnet
Secnet
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.ppt
 
secnet.ppt
secnet.pptsecnet.ppt
secnet.ppt
 
Secure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying TechnologiesSecure Web Transactions Electronic Commerce Underlying Technologies
Secure Web Transactions Electronic Commerce Underlying Technologies
 
Secnet
SecnetSecnet
Secnet
 
S.m.o.k.e. technologies
S.m.o.k.e. technologiesS.m.o.k.e. technologies
S.m.o.k.e. technologies
 
whitelabel mobile payments system 230551927
whitelabel mobile payments system 230551927whitelabel mobile payments system 230551927
whitelabel mobile payments system 230551927
 
Wallet mobile-ui-presentation
Wallet mobile-ui-presentationWallet mobile-ui-presentation
Wallet mobile-ui-presentation
 
Balancing Security and Customer Experience
Balancing Security and Customer ExperienceBalancing Security and Customer Experience
Balancing Security and Customer Experience
 
Faster Payments on the Blockchain
Faster Payments on the BlockchainFaster Payments on the Blockchain
Faster Payments on the Blockchain
 
Safex pay avantgarde -presentation
Safex pay avantgarde -presentationSafex pay avantgarde -presentation
Safex pay avantgarde -presentation
 
Digital Payment and 3-D Secure by Netcetera
Digital Payment and 3-D Secure by NetceteraDigital Payment and 3-D Secure by Netcetera
Digital Payment and 3-D Secure by Netcetera
 
m:Cypher overview
m:Cypher overviewm:Cypher overview
m:Cypher overview
 
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankRisk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
 
Mobile Payments - How is it done?
Mobile Payments - How is it done?Mobile Payments - How is it done?
Mobile Payments - How is it done?
 
Adrian Nextel Pki Wireless
Adrian Nextel Pki WirelessAdrian Nextel Pki Wireless
Adrian Nextel Pki Wireless
 
The Future of Payments
The Future of PaymentsThe Future of Payments
The Future of Payments
 
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account SecurityNice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
Nice Try, ATO: Use Customers’ Devices to Transparently Enhance Account Security
 
Secure Web Transaction
Secure Web TransactionSecure Web Transaction
Secure Web Transaction
 
E-Business security
E-Business security E-Business security
E-Business security
 

More from DESMOND YUEN

2022-AI-Index-Report_Master.pdf
2022-AI-Index-Report_Master.pdf2022-AI-Index-Report_Master.pdf
2022-AI-Index-Report_Master.pdfDESMOND YUEN
 
Small Is the New Big
Small Is the New BigSmall Is the New Big
Small Is the New BigDESMOND YUEN
 
Intel® Blockscale™ ASIC Product Brief
Intel® Blockscale™ ASIC Product BriefIntel® Blockscale™ ASIC Product Brief
Intel® Blockscale™ ASIC Product BriefDESMOND YUEN
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
 
Intel 2021 Product Security Report
Intel 2021 Product Security ReportIntel 2021 Product Security Report
Intel 2021 Product Security ReportDESMOND YUEN
 
How can regulation keep up as transformation races ahead? 2022 Global regulat...
How can regulation keep up as transformation races ahead? 2022 Global regulat...How can regulation keep up as transformation races ahead? 2022 Global regulat...
How can regulation keep up as transformation races ahead? 2022 Global regulat...DESMOND YUEN
 
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, MoreNASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, MoreDESMOND YUEN
 
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...DESMOND YUEN
 
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIESPUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIESDESMOND YUEN
 
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPEBUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPEDESMOND YUEN
 
An Introduction to Semiconductors and Intel
An Introduction to Semiconductors and IntelAn Introduction to Semiconductors and Intel
An Introduction to Semiconductors and IntelDESMOND YUEN
 
Changing demographics and economic growth bloom
Changing demographics and economic growth bloomChanging demographics and economic growth bloom
Changing demographics and economic growth bloomDESMOND YUEN
 
Intel’s Impacts on the US Economy
Intel’s Impacts on the US EconomyIntel’s Impacts on the US Economy
Intel’s Impacts on the US EconomyDESMOND YUEN
 
2021 private networks infographics
2021 private networks infographics2021 private networks infographics
2021 private networks infographicsDESMOND YUEN
 
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...DESMOND YUEN
 
Accelerate Your AI Today
Accelerate Your AI TodayAccelerate Your AI Today
Accelerate Your AI TodayDESMOND YUEN
 
Increasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery NetworksIncreasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery NetworksDESMOND YUEN
 
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...DESMOND YUEN
 
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm.""Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."DESMOND YUEN
 
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...DESMOND YUEN
 

More from DESMOND YUEN (20)

2022-AI-Index-Report_Master.pdf
2022-AI-Index-Report_Master.pdf2022-AI-Index-Report_Master.pdf
2022-AI-Index-Report_Master.pdf
 
Small Is the New Big
Small Is the New BigSmall Is the New Big
Small Is the New Big
 
Intel® Blockscale™ ASIC Product Brief
Intel® Blockscale™ ASIC Product BriefIntel® Blockscale™ ASIC Product Brief
Intel® Blockscale™ ASIC Product Brief
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
 
Intel 2021 Product Security Report
Intel 2021 Product Security ReportIntel 2021 Product Security Report
Intel 2021 Product Security Report
 
How can regulation keep up as transformation races ahead? 2022 Global regulat...
How can regulation keep up as transformation races ahead? 2022 Global regulat...How can regulation keep up as transformation races ahead? 2022 Global regulat...
How can regulation keep up as transformation races ahead? 2022 Global regulat...
 
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, MoreNASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
 
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
 
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIESPUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
 
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPEBUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
 
An Introduction to Semiconductors and Intel
An Introduction to Semiconductors and IntelAn Introduction to Semiconductors and Intel
An Introduction to Semiconductors and Intel
 
Changing demographics and economic growth bloom
Changing demographics and economic growth bloomChanging demographics and economic growth bloom
Changing demographics and economic growth bloom
 
Intel’s Impacts on the US Economy
Intel’s Impacts on the US EconomyIntel’s Impacts on the US Economy
Intel’s Impacts on the US Economy
 
2021 private networks infographics
2021 private networks infographics2021 private networks infographics
2021 private networks infographics
 
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
 
Accelerate Your AI Today
Accelerate Your AI TodayAccelerate Your AI Today
Accelerate Your AI Today
 
Increasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery NetworksIncreasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery Networks
 
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
 
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm.""Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
 
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
 

Recently uploaded

Abortion pills in Riyadh+966572737505 cytotec jeddah
Abortion pills in Riyadh+966572737505 cytotec jeddahAbortion pills in Riyadh+966572737505 cytotec jeddah
Abortion pills in Riyadh+966572737505 cytotec jeddahsamsungultra782445
 
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureBromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureamy56318795
 
Mobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationMobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationChandrakantDivate1
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsChandrakantDivate1
 
原版定制英国伦敦大学金史密斯学院毕业证原件一模一样
原版定制英国伦敦大学金史密斯学院毕业证原件一模一样原版定制英国伦敦大学金史密斯学院毕业证原件一模一样
原版定制英国伦敦大学金史密斯学院毕业证原件一模一样AS
 
Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312wphillips114
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesChandrakantDivate1
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsChandrakantDivate1
 

Recently uploaded (9)

Abortion pills in Riyadh+966572737505 cytotec jeddah
Abortion pills in Riyadh+966572737505 cytotec jeddahAbortion pills in Riyadh+966572737505 cytotec jeddah
Abortion pills in Riyadh+966572737505 cytotec jeddah
 
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureBromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
 
Mobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationMobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android Installation
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s Tools
 
原版定制英国伦敦大学金史密斯学院毕业证原件一模一样
原版定制英国伦敦大学金史密斯学院毕业证原件一模一样原版定制英国伦敦大学金史密斯学院毕业证原件一模一样
原版定制英国伦敦大学金史密斯学院毕业证原件一模一样
 
Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & Examples
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and Layouts
 

Mobile payment-security-risk-and-response

  • 1. SESSION ID: #RSAC Shaoliang Chen MOBILE PAYMENT SECURITY RISK AND RESPONSE MBS-F02 Senior Security Expert
  • 2. Email:stevenchen2081@gmail.com # R S A C 2 About Me Shaoliang Chen Senior Security Expert Email: stevenchen2081@gmail.com Twitter: @stevenchen2081 WeChat: • Position: Senior Security Expert at PricewaterhouseCoopers(PwC) Beijing office • Security experience: A decade of experience in the information security area • Finance Industry experience: As a Chief Security Architect role in mobile payment system construction • Social activities: Presenter at security and financial conferences • Personal contributions: A series of papers on mobile payment security
  • 3. Email:stevenchen2081@gmail.com # R S A C 3 • Mobile Payment Ecosystem • Mobile Payment Risk Analysis • How to Build Security Mobile System Agenda
  • 4. Email:stevenchen2081@gmail.com # R S A C 4 Part 1 Mobile Payment Ecosystem
  • 5. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Definition and Methods 5 Mobile Payment QR code Payment NFC Payment RFID Smart Card Near field communication classical scenarios: Near Field Communication (NFC) technology, POS Remote payment classical scenarios: mobile payment by QR code, sound waves, fingerprint, etc. NFC QR Code Electronic bracelet Smart watch
  • 6. Email:stevenchen2081@gmail.com # R S A C # R S A C Global Mobile Payment Well-Known Brands 6  China Alipay: NFC, QR code WeChat Pay: QR code UnionPay: NFC, QR code  United States Apple Pay: NFC Google Pay: NFC Square: QR code PayPal: QR code  Other Brands South Korea: Samsung Pay India: Paytm Europe: Wirecard …… reference: xinhuanet.com, Chinadaily.com, various report
  • 7. Email:stevenchen2081@gmail.com # R S A C 7 Mobile Payment Security Incidents reference: bankinfosecurity.com reference: zdnet.com/blackhat.com
  • 8. Email:stevenchen2081@gmail.com # R S A C # R S A C 8 Security Issues for Payment Cyber Security 65% Data Privacy 35% Base on Capgemini & BNP Paribas “world-payments- report-2017” Survey revealed that bank executives are most concerned about cybersecurity(65.0%) and data privacy(35.0%) More and more people focus on cyber security for payment reference: www.worldpaymentsreport.com
  • 9. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Architecture—QR payment 9 Mobile Payment User Mobile Payment Device Backend Data Communication Content Communication Mobile Payment APP Online QR Payment Mobile Payment Platform Accounting System Deal System Security Protection Risk Control HardwareNetwork Software Payment Content Module
  • 10. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Process—QR payment 10 1.Open the payment app 2.Scan commodity OR code Server Database Merchant OR code 3. OR code is identified 5.Send payment request 6.1 Return payment result Mobile Payment System Online QR Payment Mobile Payment User Mobile Device Merchant 4.Confirm information
  • 11. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Architecture—NFC payment 11 Mobile Payment User Mobile Payment Device Mobile Payment Platform Accounting System Deal System Security Protection Risk Control Backend Data Communication Content Communication HardwareNetwork Software POS NFC Communication Online NFC Payment NFC Module Payment Content Module Backend Data Communication Merchant
  • 12. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Process- NFC payment 12 1.Open the payment app 2.Send NFC payment request Server Database Merchant POS 5.2 Return payment result Mobile Payment System 3.Read NFC account 4.Send order information and deduct money request 5.1 return payment result Device with NFC ModuleMobile Payment User
  • 13. Email:stevenchen2081@gmail.com # R S A C 13 Part 2 Risk and Analysis
  • 14. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Risk Demo—QR Payment 14 1.Open the payment app Server Database Merchant OR code 2.Hacker forge fake OR code and decoy victim to scan Hacker website 4.Malware infection/backdoor 5.Hackers control victim account 3.Scan OR code Payment Gateway Hacker Victim Malicious OR code
  • 15. Email:stevenchen2081@gmail.com # R S A C # R S A C Mobile Payment Risk Demo—Phishing 15 Server Database 2.Send phishing SMS 1.Hacker build fake base station Hacker website 4.Malware infection/backdoor 5.Hackers control user account 3.Open URL in SMS Payment Gateway Hacker Victim Fake base station
  • 16. Email:stevenchen2081@gmail.com # R S A C # R S A C Risk Analysis — Device 16 • No Passcode • Weak Passcode • Operating System Vulnerability • Software Vulnerability • No Encryption • Weak Encryption • Phishing • Cross Frame • Clickjacking • Man-in-the-Middle • Buffer Overflow • Sensitive Data Storage • No Encryption/Weak Encryption • Improper SSL Certificate Validation • Source Code Vulnerability • Incorrect Default Permissions • Escalated Privileges • Malware • Side Channel Attack • Baseband Attack • SMS Phishing • Device Lost
  • 17. Email:stevenchen2081@gmail.com # R S A C # R S A C Risk Analysis — Network 17 Protocol Man-in-the-Middle (MITM) Session Hijacking DNS (Domain Name System) Poisoning Fake SSL Certificate Access Wi-Fi (No Encryption/Weak Encryption) Rogue Access Point Packet Sniffing
  • 18. Email:stevenchen2081@gmail.com # R S A C # R S A C Risk Analysis — Backend System 18 Web Application 01 02 03 Database Server ❖ Platform Vulnerabilities ❖ Brute-Force Attack ❖ OWASP Listed Web Vulnerabilities ❖ SQL Injection ❖ Privilege Escalation ❖ Data Dumping ❖ OS Command Execution ❖ APT Attack ❖ Server Misconfiguration
  • 19. Email:stevenchen2081@gmail.com # R S A C 19 Part 3 How to build security mobile payment system
  • 20. Email:stevenchen2081@gmail.com # R S A C 20 Mobile Payment Security Architecture Security Assessment Authentication System Compliance Account Authority Management Security Operation Privacy Protection Security Intelligence Anti-Fraud SDLCData Security Platform Platform People& Device APP Communication Server User Account Risk Control Key requirement Model • Device environment security check • Malware software check • APP source code security • File encryption locally • SDLC • Encryption protocol • Security check of access • Server OS update • Server application update • Anti-DDoS • API • Identity authentication • Strong authentication • User privacy management • User transaction identification • Risk management • Anti-Fraud
  • 21. Email:stevenchen2081@gmail.com # R S A C Best Practice – Authentication Technology Comparison 21 Technology Features Key Points Security key • Strong encryption • Hardware key/USBkey • Key file (*.key….) • Build the key management system and ensure security • Hardware key/USBkey is proved more secure by now Biometric(fingerprint, facial recognition) • Higher identification rate • User unique • Risk of permanent leakage • Natural person property • Privacy protection and legal compliance Two-Factor Authentication • Hardware tokens • Software tokens • Smartphone tokens • Email, SMS • Mandatory to use when register • Anti-fraud combination Multi-factor Authentication • Multi-dimension • Knowledge,possesion • Various technologies (Security key, SMS, and etc.) • Backend analysis • Risk model judgement National IDs and ePassports • Name • ID number • Verified by public security department • Response whether match between name and ID number • Privacy
  • 22. Email:stevenchen2081@gmail.com # R S A C Best Practice – Key Points for Security Testing 22 APPDevice Payment Backend Bank1 Bank2  Root  OS version  Access point/wireless/4G  Proxy  SSL certificates  Malware  Communication  Sensitive information  Login identity authentication  Logic check  SQL Injection/OWASP  Database permission  Interfaces  Transaction quota  Data Encryption  Blacklist (IP address or high risk account)  PCI-DSS Sample test scenarios: • Check block mechanism whether effectively deployment of payment process when using proxy IP address. • Check lock mechanism whether effectively deployment of login process with wrong user credential. • Check block mechanism whether effectively deployment of payment process when replacing SSL certificates.
  • 23. Email:stevenchen2081@gmail.com # R S A C Best Practice – Anti-Fraud 1 23 Anti-Fraud Data Resource Account Behavior habits Abnormal transaction Device Information Big data analysis Account Relationship Account  Account status, active account or not  Black account list  Account risk rate Big data analysis  Frequency statistics  Biggest statistic Suspicious transaction  Abnormal operation, such as quickly transfer to multiple accounts.  Change account payment password in late night Account Relationship  Multiple accounts with the same identified individuals  Geographical position Device information  Device serial number  Device network MAC address  Device IMEI number  Device MEID number Behaviour habit  Trade time  Trade device  Trade amount number  Trade bank credit card
  • 24. Email:stevenchen2081@gmail.com # R S A C Best Practice – Anti-Fraud 2 24 Flight duration time: 12 hours Scenario: Transaction IP address change in short time for one person with one account. First transaction IP address in China. Second transaction IP address in USA. Cause: Account information has been stolen or used proxy. Solution: 1. Block transaction directly 2. Manual verification 3. Deep analysis/Model Beijing San Francisco
  • 25. Email:stevenchen2081@gmail.com # R S A C # R S A C 25 Mobile Payment Challenge—Method Selection  Which is more security?  NFC & QR code (Two principles) — Base on your business requirement — Every technology has vulnerabilities Method Security Authentication mode Security Control Reference Standard Main Risk Scenarios NFC • Security SE • Security chip • Password • Small amount transaction(no password and signature) • Backend quota one day one account • GSMA Organization • ECMA Organization • Lost device QR code • Encrypted URL • Security software Transaction amount control one day with one account<500 CNY China UnionPay has independent QR code standard and ecosystem, “EMVCo QR Code Specification for Payment Systems: Consumer Presented Mode 1.0” • Malware • Phishing URL:https://www.emvco.com/emv-technologies/qrcodes
  • 26. Email:stevenchen2081@gmail.com # R S A C # R S A C 26 Mobile Payment Challenge – Smart Device • Various payment methods • i.e. wearable device payment • More complicated ecosystem • More interfaces • More dimensional attacks • More risk points Reference: csoonline.com
  • 27. Email:stevenchen2081@gmail.com # R S A C # R S A C 27 Conclusions Identification authentication is the key factor for mobile payment security. New authentication technology does not mean that it is more secure. Pay more attention to privacy protection. Accumulating bad samples is the key to building a risk control model. Machine learning will become good solution to against mobile payment attack in the future. Rules and risk control models must be worked together now.