Secure Mobile Payment
By: Ahmed Kamel Taha
Submitted To: Dr. Ayman Adel
What is mobile payment?
Mobile payment generally refers to payment services operated under
financial regulation and performed from or via a mobile device. Instead of
paying with cash, cheque (or check), or credit cards, a consumer can use
a mobile phone to pay for a wide range of services and digital or hard
goods.
Mobile Payment Models
• Mobile wallets
• Card-based payments
• Carrier billing (Premium SMS or direct carrier billing)
• Contactless payments NFC (Near Field Communication)
• Direct transfers P2P
Classification of Mobile Payments
• Based on value: Micro Payments, Mini Payments, Macro Payments
• Based on charging method: Pre-paid, Post-paid
• Based on location: Proximity Payments, Remote Payments
• Based on the validation of the tokens exchanged: Online Payments, Offline Payments (ex: e-coins in P2P transfers)
Enabling Mobile Technologies
• User Interface: Voice, SMS, USSD, WAP
• Security enablers: Dual slot phones, WPKI/WIM, SIM
• Transport
– Short-range: RFID, Bluetooth, Infrared, NFC
– Long-range: GSM, GPRS, 3G, 4G
Also there is Barcode & QR code
Services
1. Person-to-person transfer using a mobile device
2. Mobile banking (including deposits and bill payment)
3. POS purchases processed using a mobile device
4. POS purchases made using a mobile device
5. Purchases over the internet using a mobile device
Comparison
Payment Process
Traditional Methods of Payment Acceptance
New Players to the Traditional Payment Acceptance
• Card Brand (Visa, MasterCard, AmEx, etc.)
• Acquiring Bank
• Merchant / Retailer
• Cardholding Consumer
• Issuing Bank (bank that issues the credit card to the consumer: Citibank, Chase, etc.)
1. App presented for payment
2. App collects transaction data
3. Transaction authorization request
4. Transaction routed to card issuer
5. Authorization response
6. Authorization response routed to acquirer
7. Authorization response routed to merchant
8. Transaction completed; terminal issues receipt
Apple Pay Card Enrolment Process
Apple Pay Payment Process
Mobile payment threats
Legal Landscape
• Responsibility for privacy and data security of transaction information is
typically set by contract.
Payment Card Industry Data Security Standard (“PCI DSS”)
PCI Mobile Payment Acceptance Security Guidelines
Objectives and Guidance for the Security of a Payment Transaction
⚫ Objective 1: Prevent account data from being intercepted when entered into a mobile device.
⚫ Objective 2: Prevent account data from compromise while processed or stored within the mobile device.
⚫ Objective 3: Prevent account data from interception upon transmission out of the mobile device.
Guidance for Securing the Mobile Device
⚫ Prevent unauthorized physical device access
⚫ Prevent unauthorized logical device access
⚫ Protect the mobile device from malware
⚫ Ensure the mobile device is in a secure state
⚫ Disable unnecessary device functions
⚫ Detect loss or theft
⚫ Ensure the secure disposal of old devices
Contact and Contactless Interfaces
• Contact Interface
⚫ Connects the SE to the phone itself
• Contactless Interface
⚫ Connected to the NFC radio
⚫ Used to communicate with Point-of-Sale (POS) terminals
EMV chip cards
EMV stands for Europay, MasterCard and Visa, a global standard for
inter-operation of integrated circuit cards (IC cards or "chip cards")
and IC card capable point of sale (POS) terminals and automated
teller machines (ATMs), for authenticating credit and debit
card transactions.
Key Security Advantages:
▪ Information stored in a more secure microprocessor chip
– Instead of a less secure magnetic stripe
▪ Personalization of EMV cards is done using issuer-specific keys
▪ Card creates unique transaction data
– Any captured data cannot be used to execute new transactions
(prevents card skimming and card cloning)
▪ Cardholder verification
– Terminal will prompt the customer to sign or enter a PIN to validate
their identity.
– Also supports other cardholder verification methods: offline PIN,
online PIN, signature, or no cardholder verification method.
NFC
• Near-field communication (NFC) is a set of communication protocols that enable
two electronic devices, one of which is usually a portable device such as a
smartphone, to establish communication by bringing them within 4 cm (1.6 in) of
each other.
Electromagnetic fields can be used to transmit data or induce electrical
currents in a receiving device.
Passive NFC devices draw power from the fields produced by active
devices, but the range is only short.
NFC interaction styles and operating modes
Secure Element (SE)
• Core of the mobile payment platform
• Secure storage of sensitive information
• Embedded SE contained within the mobile device
⚫ Galaxy Nexus
• UICC aka SIM card
⚫ Universal Integrated Circuit Card
⚫ Another SE form factor
API exposing only functions, not data
Similar to physical contactless card
• Memory
• Processor
• Applet (Java Card)
Host-based Card Emulation (HCE)
Android >=4.4, Blackberry OS, Windows Phone
Software can emulate any contactless smart card
• No direct communication between app and NFC
• NFC communication implemented in OS API
No API nor requirements for storing card data and for secure transmission
Security should be explicitly implemented by app
SE and HCE architecture comparison
NFC Relay attack
Same risk profile as for any contactless card
• Very close proximity (mostly will not work through the bag)
• Short window of opportunity
Figure label: NFC Proxy
NFC Relay attack
Secure Element
• The NFC usually works also with the
phone turned off (even dead battery).
• Easier to approach unsuspecting
victim's phone.
Host Card Emulation
• NFC works only with the screen turned
on (and – optionally – unlocked).
• More difficult to attack without the
victim's notice
Additional risk mitigations
• Business/UX decisions:
– Enforce PIN for every transaction
– SE: activate NFC antenna only on demand
– HCE: activate NFC antenna on screen unlock
• Communication delays due to proxying could be detected
Steal card data in transit
Secure Element on SIM
• Card data transmitted OTA by GSM network.
• Theoretical possibility to intercept GSM communication.
Risk: low
• The card data is transmitted only once to mobile device.
• Intercepting GSM is still not trivial
Host Card Emulation
• Usually tokenized card data pushed to device from the "cloud",
e.g. by Google Cloud Messaging
Risk: depends on implementation details
• Encryption layers
• Authentication, device fingerprinting...
• Various application features
Popular malware (no root)
Most popular mobile malware at this moment does not utilize "root" access.
Attack involves displaying overlay on top of targeted mobile app to steal
credentials
Secure Element
• Mobile application does not have
access to card data. Stealing app
credentials will not reveal card
data.
• Malware will not be able to
invoke applet API, as it verifies
the mobile application signing
key.
Host Card Emulation
• Depending on implementation,
stealing mobile app credentials
may help with access to card data
• Mobile application vulnerabilities
(e.g. IPC, data storage) can be
exploited by other applications
on the same device
Malware with root access
Secure Element
• Card data is not accessible to the mobile operating system. Root access
does not help to steal the PAN.
• Malware as "proxy" between SE and NFC? Rather not possible: the applet
should verify the source of communication
Host Card Emulation
• Root can access mobile
application storage,
including card data.
• The attacker has all the
information necessary to
"clone" the card on a
different physical device
Tokenization
Many one-time random "surrogate" card numbers (tokens) replacing single static
PAN
• Generated server-side, distributed to mobile application ("secure element in the
cloud")
• Mobile application stores several consecutive values (for offline use)
• The token can be limited
– specific merchant or channel
– time
– capped to max amount
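The limits listed above, enforced at authorization time, as an added example that is not part of the original slides. `TokenVault`, the 16-digit token format, the merchant id and the timestamps are assumptions made for illustration; a production token service would also bind tokens to a device and keep them in durable storage.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str           # real card number; stays on the server
    merchant: str      # only merchant/channel allowed to present the token
    expires_at: float  # epoch seconds after which the token is dead
    max_amount: int    # spending cap in minor units (e.g. cents)
    used: bool = False


class TokenVault:
    """Hypothetical server-side token service ("secure element in the cloud")."""

    def __init__(self):
        self._records = {}

    def _new_token(self):
        # 16 random decimal digits from a CSPRNG; retry on the rare collision.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._records:
                return token

    def issue_batch(self, pan, merchant, count, ttl, max_amount, now):
        """Issue several tokens at once so the app can pay while offline."""
        batch = []
        for _ in range(count):
            token = self._new_token()
            self._records[token] = TokenRecord(pan, merchant, now + ttl, max_amount)
            batch.append(token)
        return batch

    def authorize(self, token, merchant, amount, now):
        """Return (approved, reason). A token is consumed only on approval."""
        rec = self._records.get(token)
        if rec is None:
            return (False, "unknown token")
        if rec.used:
            return (False, "token already used")   # captured token replayed
        if now >= rec.expires_at:
            return (False, "token expired")
        if merchant != rec.merchant:
            return (False, "wrong merchant")
        if amount > rec.max_amount:
            return (False, "amount over cap")
        rec.used = True
        return (True, "approved")


def demo():
    vault = TokenVault()
    # Constructed sample values: test PAN, merchant id and timestamps.
    tokens = vault.issue_batch("4111111111111111", "merchant-42",
                               count=3, ttl=600, max_amount=5000, now=1000.0)
    return [
        vault.authorize(tokens[0], "merchant-42", 1200, now=1010.0),  # normal use
        vault.authorize(tokens[0], "merchant-42", 1200, now=1020.0),  # replay
        vault.authorize(tokens[1], "other-shop", 1200, now=1010.0),   # other merchant
        vault.authorize(tokens[1], "merchant-42", 9000, now=1010.0),  # above cap
        vault.authorize(tokens[2], "merchant-42", 1200, now=1600.0),  # after expiry
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A token copied from the device or captured in transit is worth at most one capped purchase at one merchant within the validity window, which is the difference from a stolen static PAN.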
Google Wallet Vulnerabilities
PIN Storage Vulnerability
• PIN entry required for transactions
• Only six tries permitted
• But an attacker who steals a device and then
roots it can extract the PIN from the salted hash
– Because it's not stored on the SE
– Storing it on the SE would make banks liable for
breaches due to stolen PINs
PIN Storage
• PIN is salted with a 64-bit random value and
hashed with one round of SHA-256
Storage of Hash
• Salt and hash stored in a SQLite database in
Google Wallet's /data directory
– /data/data/com.google.android.apps.walletnfcrel/databases/walletDatastore
• "Wallet Cracker" simply tries all 10,000 four-digit PINs
to find the PIN from the hash
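Why the six-try limit does not protect a hash stored outside the SE, as an added example that is not code from the slides or from Google Wallet. The `salt || PIN` layout, the sample salt and the sample PIN are constructed assumptions; `GuardedPinVerifier` is a hypothetical stand-in for a verifier that keeps both the hash and the retry counter out of the application's reach.

```python
import hashlib
import hmac

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every four-digit PIN

# Constructed sample values (not taken from any real device).
SAMPLE_SALT = bytes.fromhex("0011223344556677")  # 64-bit salt
SAMPLE_PIN = "7391"


def hash_pin(pin, salt):
    """One round of SHA-256 over salt || PIN (byte layout is an assumption)."""
    return hashlib.sha256(salt + pin.encode()).digest()


def offline_search(salt, digest):
    """Enumerate the PIN space against a stored record.

    Nothing limits the number of guesses here: the retry counter lives in
    the app, not in the data. Returns (pin, guesses).
    """
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(hash_pin(pin, salt), digest):
            return pin, guesses
    return None, len(PIN_SPACE)


class GuardedPinVerifier:
    """PIN check where the holder of the hash also owns the retry counter."""

    MAX_TRIES = 6

    def __init__(self, pin, salt):
        self._salt = salt
        self._digest = hash_pin(pin, salt)
        self._tries_left = self.MAX_TRIES

    def verify(self, pin):
        if self._tries_left == 0:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, self._salt), self._digest):
            self._tries_left = self.MAX_TRIES  # success resets the counter
            return "ok"
        self._tries_left -= 1
        return "locked" if self._tries_left == 0 else "wrong"


def online_search(verifier):
    """The same enumeration, forced through the guarded interface."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        result = verifier.verify(pin)
        if result == "ok":
            return pin, guesses
        if result == "locked":
            return None, guesses
    return None, len(PIN_SPACE)


if __name__ == "__main__":
    stored = hash_pin(SAMPLE_PIN, SAMPLE_SALT)
    print("readable record:", offline_search(SAMPLE_SALT, stored))
    print("guarded verifier:", online_search(GuardedPinVerifier(SAMPLE_PIN, SAMPLE_SALT)))
```

The salt only prevents precomputed tables, and a slower hash only multiplies 10,000 guesses by a constant; the retry limit counts only when the hash cannot be read around it.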
Relay Attacks (MITM)
• "Mole" reader gets close to target mobile device
• Attacker's mobile gets near POS terminal
• APDUs are passed via TCP/IP
Relay Attack Limitations
• Target's mobile payment app must be unlocked
• Google Wallet requires entry of a PIN to unlock
Relay Through a Malicious App
• Works against Google Wallet
• Because it exposes payment credentials to the contact interface
• Requires root privileges to bypass SE API signature authentication
Relay Attack Countermeasures
• Contactless POS terminals should enforce a time-out on
all transactions
⚫ Relay attack requires network communications which slows it
down
⚫ Not very practical because errors can cause delays in legitimate
transactions
• Use location information to flag suspicious transactions
⚫ Target mobile is not really near the POS
⚫ Requires target GPS to be active and consumer's consent
• Google Wallet is no longer vulnerable to the second
attack
⚫ It no longer exposes payment applets over the contact
interface
Square Vulnerabilities
Square
• Square Register
– Mobile app
• Magnetic stripe reader
– Plugs into audio jack
– Free
• Allows anyone to take credit card transactions
– Charging 2.75% of each transaction
Skimming
• Any app that can receive
audio data can steal the
magnetic data from the
Square device
• VeriFone released an app
to do this
– In order to compete with
Square
Skimming Countermeasures
• Manual skimming requires the card
– Same as skimmers that have been used for years
• A software attack against the reader could do
more harm
• In 2012, Square modified their reader to encrypt
the audio stream
– Encrypted data is sent to Square's servers and
decrypted there
– Prevents rogue apps getting the credit card #
Replay Attack
• Malicious app could record audio stream and replay it
back to make another purchase
• Demonstrated by Adam Laurie and Zac Franken at Black
Hat in 2011
– Also reverse-engineered the format Square reader uses for
data from credit card
– They could manufacture correct audio streams from magnetic
Track 2 data, which can be purchased on the black market
• They could therefore use Square to perform mass fraud
– Instead of manufacturing fake credit cards
Replay Attack Countermeasures
• Square's encryption prevents this
• Textbook author verified that replaying an
encrypted audio stream is not accepted as a
valid Square transaction anymore
• So Square is changing the key, or using a nonce,
or something similar
Any Questions?
Thank You

More Related Content

What's hot

NFC Presentation [Compatibility Mode]
NFC Presentation [Compatibility Mode]NFC Presentation [Compatibility Mode]
NFC Presentation [Compatibility Mode]
Khaled Hasan
 
What is a Trusted Service Manager?
What is a Trusted Service Manager?What is a Trusted Service Manager?
What is a Trusted Service Manager?
Rambus Inc
 
Paper id 252014116
Paper id 252014116Paper id 252014116
Paper id 252014116
IJRAT
 
SBVLC: Secure Barcode-based Visible Light Communication for Smart phones
SBVLC: Secure Barcode-based Visible Light Communication for Smart phonesSBVLC: Secure Barcode-based Visible Light Communication for Smart phones
SBVLC: Secure Barcode-based Visible Light Communication for Smart phones
Kamal Spring
 
Near Field Communication (NFC Architecture and Operating Modes)
Near Field Communication (NFC Architecture and Operating Modes)Near Field Communication (NFC Architecture and Operating Modes)
Near Field Communication (NFC Architecture and Operating Modes)
Deepak Kl
 

What's hot (20)

MasterCard and Penrillian Partnership in NFC
MasterCard and Penrillian Partnership in NFCMasterCard and Penrillian Partnership in NFC
MasterCard and Penrillian Partnership in NFC
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-response
 
The User Experience of Near Field Communication
The User Experience of Near Field CommunicationThe User Experience of Near Field Communication
The User Experience of Near Field Communication
 
NFC Presentation [Compatibility Mode]
NFC Presentation [Compatibility Mode]NFC Presentation [Compatibility Mode]
NFC Presentation [Compatibility Mode]
 
All the 12 Payment Enabling Technologies & 54 Illustrative Companies
All the 12 Payment Enabling  Technologies & 54  Illustrative CompaniesAll the 12 Payment Enabling  Technologies & 54  Illustrative Companies
All the 12 Payment Enabling Technologies & 54 Illustrative Companies
 
Co Je A Bude Nfc Jan Nemec Gemalto
Co Je A Bude Nfc Jan Nemec GemaltoCo Je A Bude Nfc Jan Nemec Gemalto
Co Je A Bude Nfc Jan Nemec Gemalto
 
NFC wallet
NFC walletNFC wallet
NFC wallet
 
Contactless payment technology
Contactless payment technologyContactless payment technology
Contactless payment technology
 
Gemalto NFC
Gemalto NFCGemalto NFC
Gemalto NFC
 
NFC: Shaping the Future of the Connected Customer Experience
NFC: Shaping the Future of the Connected Customer ExperienceNFC: Shaping the Future of the Connected Customer Experience
NFC: Shaping the Future of the Connected Customer Experience
 
What is a Trusted Service Manager?
What is a Trusted Service Manager?What is a Trusted Service Manager?
What is a Trusted Service Manager?
 
Paper id 252014116
Paper id 252014116Paper id 252014116
Paper id 252014116
 
SBVLC: Secure Barcode-based Visible Light Communication for Smart phones
SBVLC: Secure Barcode-based Visible Light Communication for Smart phonesSBVLC: Secure Barcode-based Visible Light Communication for Smart phones
SBVLC: Secure Barcode-based Visible Light Communication for Smart phones
 
Pay-Cloak:Biometric
Pay-Cloak:BiometricPay-Cloak:Biometric
Pay-Cloak:Biometric
 
Beyond cards, phones and terminals: New payment form factors
Beyond cards, phones and terminals: New payment form factorsBeyond cards, phones and terminals: New payment form factors
Beyond cards, phones and terminals: New payment form factors
 
Vodafone Cash Service - NFC tag
Vodafone Cash Service - NFC tagVodafone Cash Service - NFC tag
Vodafone Cash Service - NFC tag
 
NFC And HCE 2016 - What’s Next?
NFC And HCE 2016 - What’s Next?NFC And HCE 2016 - What’s Next?
NFC And HCE 2016 - What’s Next?
 
Emerging Technologies in Payment Industry
Emerging Technologies in Payment IndustryEmerging Technologies in Payment Industry
Emerging Technologies in Payment Industry
 
Near Field Communication (NFC Architecture and Operating Modes)
Near Field Communication (NFC Architecture and Operating Modes)Near Field Communication (NFC Architecture and Operating Modes)
Near Field Communication (NFC Architecture and Operating Modes)
 
Near field communication
Near field communicationNear field communication
Near field communication
 

Similar to Secure mobile payment

Digital wallet (e-wallet)
Digital wallet  (e-wallet)Digital wallet  (e-wallet)
Digital wallet (e-wallet)
Krishna Kumar
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
Pragati Rai
 

Similar to Secure mobile payment (20)

E walllet / Digital Wallet
E walllet / Digital WalletE walllet / Digital Wallet
E walllet / Digital Wallet
 
CNIT 128: 9: Mobile payments
CNIT 128: 9: Mobile paymentsCNIT 128: 9: Mobile payments
CNIT 128: 9: Mobile payments
 
Digital wallet (e-wallet)
Digital wallet  (e-wallet)Digital wallet  (e-wallet)
Digital wallet (e-wallet)
 
Blockchains.My - Decentralised Mobile Wallet App
Blockchains.My - Decentralised Mobile Wallet AppBlockchains.My - Decentralised Mobile Wallet App
Blockchains.My - Decentralised Mobile Wallet App
 
E wallet
E wallet E wallet
E wallet
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee Seng
 
Product Architecture of Hardware Wallet - Without Sequence Diagrams.pdf
Product Architecture of Hardware Wallet - Without Sequence Diagrams.pdfProduct Architecture of Hardware Wallet - Without Sequence Diagrams.pdf
Product Architecture of Hardware Wallet - Without Sequence Diagrams.pdf
 
Product Architecture of Hardware Wallet - Without Sequence Diagrams.pdf
Product Architecture of Hardware Wallet - Without Sequence Diagrams.pdfProduct Architecture of Hardware Wallet - Without Sequence Diagrams.pdf
Product Architecture of Hardware Wallet - Without Sequence Diagrams.pdf
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
Cybercrime Mobile and Wireless Devices.pptx
Cybercrime Mobile and  Wireless Devices.pptxCybercrime Mobile and  Wireless Devices.pptx
Cybercrime Mobile and Wireless Devices.pptx
 
Pay4 Any
Pay4 AnyPay4 Any
Pay4 Any
 
E banking & security concern
E banking & security concernE banking & security concern
E banking & security concern
 
Overcome Security Threats Affecting Mobile Financial Solutions 2020
Overcome Security Threats Affecting Mobile Financial Solutions 2020Overcome Security Threats Affecting Mobile Financial Solutions 2020
Overcome Security Threats Affecting Mobile Financial Solutions 2020
 
Digital wallet
Digital walletDigital wallet
Digital wallet
 
Wireless Payment System
Wireless Payment SystemWireless Payment System
Wireless Payment System
 
87559489 auth
87559489 auth87559489 auth
87559489 auth
 
E-Business security
E-Business security E-Business security
E-Business security
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 

More from Ahmed Kamel Taha

More from Ahmed Kamel Taha (19)

Beyond vegetarianism
Beyond vegetarianismBeyond vegetarianism
Beyond vegetarianism
 
5 spy devices
5 spy devices5 spy devices
5 spy devices
 
5 spy software
5 spy software5 spy software
5 spy software
 
PRINCIPLES OF SOFTWARE ARCHITECTURE
PRINCIPLES OF SOFTWARE ARCHITECTUREPRINCIPLES OF SOFTWARE ARCHITECTURE
PRINCIPLES OF SOFTWARE ARCHITECTURE
 
Owasp & php
Owasp & phpOwasp & php
Owasp & php
 
Exam quistions
Exam quistionsExam quistions
Exam quistions
 
Questions
QuestionsQuestions
Questions
 
Choices
ChoicesChoices
Choices
 
Atm
AtmAtm
Atm
 
Software Requirements (3rd Edition) summary
Software Requirements (3rd Edition) summarySoftware Requirements (3rd Edition) summary
Software Requirements (3rd Edition) summary
 
Distributed voting system
Distributed voting systemDistributed voting system
Distributed voting system
 
Owasp & php
Owasp & phpOwasp & php
Owasp & php
 
Functional reactive programming
Functional reactive programmingFunctional reactive programming
Functional reactive programming
 
Design patterns
Design patternsDesign patterns
Design patterns
 
Tcp congestion avoidance
Tcp congestion avoidanceTcp congestion avoidance
Tcp congestion avoidance
 
Offline db
Offline dbOffline db
Offline db
 
Mining apps for anomalies
Mining apps for anomaliesMining apps for anomalies
Mining apps for anomalies
 
Week 6 planning
Week 6 planningWeek 6 planning
Week 6 planning
 
[Software Requirements] Chapter 20: Agile Projects
[Software Requirements] Chapter 20: Agile Projects [Software Requirements] Chapter 20: Agile Projects
[Software Requirements] Chapter 20: Agile Projects
 

Recently uploaded

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 

Recently uploaded (20)

SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 

Secure mobile payment

  • 1. Secure Mobile Payment By: Ahmed Kamel Taha Submitted To: Dr. Ayman Adel
  • 2. What is mobile payment? Mobile payment generally refer to payment services operated under financial regulation and performed from or via a mobile device,Instead of paying with cash, cheque (or check), or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods.
  • 3. Mobile Payment Models • Mobile wallets • Card-based payments • Carrier billing (Premium SMS or direct carrier billing) • Contactless payments NFC (Near Field Communication) • Direct transfers P2P
  • 4. Classification of Mobile Payments Based on Value Micro Payments Based on Charging method Based on Location Based on the validation of the tokens exchanged Macro Payments Mini Payments Proximity Payments Remote Payments Pre-paid Post-paid Online Payments Offline Payments (ex: e-coins in P2P transfers)
  • 6. Services 1. Person – to – Person transfer using mobile device 2. Mobile banking (including deposits and bill payment) 3. POS purchases processed using a mobile device 4. POS purchases made using a mobile device 5. Purchases over the internet using mobile device
  • 9. Traditional Methods of Payment Acceptance
  • 10. New Players to the Traditional Payment Acceptance Card Brand (Visa, MasterCard, AmEx, etc.) Acquiring Bank Merchant / RetailerCardholding Consumer Issuing Bank(Bank that issues credit card to the consumer. Citibank, Chase, etc.) 1. App presented for payment 2. App collects transaction data. 3. Transaction authorization request4. Transaction routed to card issuer 5. Authorization response 6. Authorization response routed to acquirer 7. Authorization response routed to merchant 8. Transaction completed; terminal issues receipt.
  • 11. Apple Pay Card Enrolment Process
  • 12. Apple Pay Payment Process
  • 14. Legal Landscape • Responsibility for privacy and data security of transaction information are typically set by contract. Payment Card Industry Data Standard (“PCI DSS”)
  • 15. PCI Mobile Payment Acceptance Security Guidelines Objectives and Guidance for the Security of a Payment Transaction ⚫Objective 1: Prevent account data from being intercepted when entered into a mobile device. ⚫Objective 2: Prevent account data from compromise while processed or stored within the mobile device. ⚫Objective 3: Prevent account data from interception upon transmission out of the mobile device. Guidance for Securing the Mobile Device ⚫Prevent unauthorized physical device access ⚫Prevent unauthorized logical device access ⚫Protect the mobile device from malware ⚫Ensure the mobile device is in a secure state ⚫Disable unnecessary device functions ⚫Detect loss or theft ⚫Ensure the secure disposal of old devices
  • 16. Contact and Contactless Interfaces • Contact Interface ⚫Connects the SE to the phone itself • Contactless Interface ⚫Connected to the NFC radio ⚫Used to communicate with Point-of-Sale (POS) terminals
  • 17. EMV chip cards EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. Key Security Advantages: ▪ Information stored in a more secure microprocessor chip – Instead of a less secure magnetic stripe ▪ Personalization of EMV cards is done using issuer-specific keys ▪ Card creates unique transaction data – Any captured data cannot be used to execute new transactions (prevents card skimming and card cloning) ▪ Cardholder verification – Terminal will prompt the customer to sign or enter a PIN to validate their identity. – Also supports other cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification method.
  • 18. NFC • Near-field communication (NFC) is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm (1.6 in) of each other. Electromagnetic fields can be used to transmit data or induce electrical currents in a receiving device. Passive NFC devices draw power from the fields produced by active devices, but the range is only short
  • 19. NFC interaction styles and operating modes
  • 20. Secure Element (SE) • Core of the mobile payment platform • Secure storage of sensitive information • Embedded SE contained within the mobile device ⚫Galaxy Nexus • UICC aka SIM card ⚫Universal Integrated Circuit Card ⚫Another SE form factor API exposing only functions, not data Similar to physical contactless card • Memory • Processor • Applet (javacard)
  • 21. Host-based Card Emulation (HCE) Android >=4.4, Blackberry OS, Windows Phone Software can emulate any contactless smart card • No direct communication between app and NFC • NFC communication implemented in OS API No API nor requirements for storing card data and for secure transmission Security should be explicitly implemented by app
  • 22. SE and HCE architecture comparison
  • 23. NFC Relay attack Same risk profile as for any contactless card • Very close proximity (mostly will not work through the bag) • Short window of NFC Proxy opportunity
  • 24. NFC Relay attack Secure Element • The NFC usually works also with the phone turned off (even dead battery). • Easier to approach unsuspecting victim's phone. Host Card Emulation • NFC works only with the screen turned on (and – optionally – unlocked). • More difficult to attack without the victim's notice Additional risk mitigations • Business/UX decisions: enforce PIN for every transaction, SE: activate NFC antenna only on demand HCE: activate NFC antenna on screen unlock • Communication delays due to proxing could be detected
  • 25. Steal card data in transit
  • 26. Steal card data in transit Secure Element on SIM • Card data transmitted OTA by GSM network. • Theoretical possibility to intercept GSM communication. • Risk: low – the card data is transmitted only once to the mobile device, and intercepting GSM is still not trivial. Host Card Emulation • Usually tokenized card data pushed to device from the "cloud", e.g. by Google Cloud Messaging. • Risk: depends on implementation details – encryption layers; authentication, device fingerprinting...; various application features.
  • 27. Popular malware (no root) Most popular mobile malware at this moment does not utilize "root" access. The attack involves displaying an overlay on top of the targeted mobile app to steal credentials. Secure Element • Mobile application does not have access to card data. Stealing app credentials will not reveal card data. • Malware will not be able to invoke the applet API, as it verifies the mobile application signing key. Host Card Emulation • Depending on implementation, stealing mobile app credentials may help with access to card data. • Mobile application vulnerabilities (e.g. IPC, data storage) can be exploited by other applications on the same device.
  • 28. Malware with root access Secure Element • Card data is not accessible to the mobile operating system. Root access does not help to steal the PAN. • Malware as a "proxy" between SE and NFC? Unlikely: the applet should verify the source of communication. Host Card Emulation • Root can access mobile application storage, including card data. • The attacker has all the information necessary to "clone" the card on a different physical device.
  • 29. Tokenization Many one-time random "surrogate" card numbers (tokens) replacing single static PAN • Generated server-side, distributed to mobile application ("secure element in the cloud") • Mobile application stores several consecutive values (for offline use) • The token can be limited – specific merchant or channel – time – capped to max amount
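The token limits listed on the tokenization slide above (one-time use, merchant binding, lifetime, amount cap), enforced at authorization time. This is an added example, not code from the deck or from any wallet product; `TokenVault`, its method names, the merchant IDs and the reason strings are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Token:
    pan: str            # real PAN; stays inside the vault
    merchant_id: str    # token is bound to one merchant
    expires_at: float   # UNIX time after which the token is dead
    max_amount: int     # cap in minor units (cents)
    used: bool = False  # one-time: set on first approval

class TokenVault:
    """Hypothetical server-side vault ("secure element in the cloud")."""

    def __init__(self, clock=time.time):
        self._tokens = {}
        self._clock = clock   # injectable so expiry can be tested

    def issue_batch(self, pan, merchant_id, ttl_s, max_amount, count=3):
        """Issue several surrogate numbers so the app can pay while offline."""
        batch = []
        while len(batch) < count:
            value = "".join(secrets.choice("0123456789") for _ in range(16))
            if value in self._tokens or value == pan:
                continue   # never reuse a value or hand out the PAN itself
            self._tokens[value] = Token(pan, merchant_id,
                                        self._clock() + ttl_s, max_amount)
            batch.append(value)
        return batch

    def authorize(self, value, merchant_id, amount):
        """Return (approved, reason); the token is consumed on approval."""
        tok = self._tokens.get(value)
        if tok is None:
            return False, "unknown token"
        if tok.used:
            return False, "token already used"
        if self._clock() > tok.expires_at:
            return False, "token expired"
        if merchant_id != tok.merchant_id:
            return False, "wrong merchant"
        if amount <= 0 or amount > tok.max_amount:
            return False, "amount out of range"
        tok.used = True
        return True, "approved"
```

A token captured at one merchant is useless elsewhere, after its lifetime, above its cap, or a second time, which is what limits the damage when an HCE app's storage is read.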
  • 31. PIN Storage Vulnerability • PIN entry required for transactions • Only six tries permitted • But an attacker who steals a device and then roots it can extract the PIN from the salted hash – Because it's not stored on the SE – Storing it on the SE would make banks liable for breaches due to stolen PINs
  • 32. PIN Storage • PIN is salted with a 64-bit random value and hashed with one round of SHA-256
  • 33. Storage of Hash • Salt and hash stored in a SQLite database in Google Wallet's /data directory – /data/data/com.google.android.apps.walletnfcrel/databases/walletDatastore • "Wallet Cracker" simply tries all 10,000 four-digit PINs to find the PIN from the hash
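Why the storage location matters more than the hash: an added example (not Google Wallet code) that puts the app-stored salted hash from the PIN slides beside a secure-element-style verifier that enforces the six-try limit itself. The `salt || PIN` hash layout, both class names and the sample PIN are assumptions; the slides give only the primitives.

```python
import hashlib
import hmac
import os

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumed layout: one round of SHA-256 over salt || PIN.
    return hashlib.sha256(salt + pin.encode()).digest()

class AppStoredPin:
    """Weak form: salt and hash sit in app storage, readable after rooting."""
    def __init__(self, pin: str):
        self.salt = os.urandom(8)              # 64-bit random salt
        self.digest = hash_pin(pin, self.salt)

class SecureElementPin:
    """Hardened form: the PIN stays inside; only verify() is exposed."""
    MAX_TRIES = 6                              # try limit from the slide

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self._tries_left = self.MAX_TRIES

    def verify(self, guess: str) -> bool:
        if self._tries_left == 0:
            raise PermissionError("PIN blocked")
        if hmac.compare_digest(self._pin, guess.encode()):
            self._tries_left = self.MAX_TRIES
            return True
        self._tries_left -= 1
        return False

def offline_search(store: AppStoredPin):
    """Check every four-digit PIN against a copied salt and hash."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(hash_pin(pin, store.salt), store.digest):
            return pin
    return None

def online_search(se: SecureElementPin):
    """Same search through verify(); returns (pin or None, guesses made)."""
    for n in range(10_000):
        try:
            if se.verify(f"{n:04d}"):
                return f"{n:04d}", n + 1
        except PermissionError:
            return None, n
    return None, 10_000
```

The salt does nothing here because the whole keyspace is 10,000 values; the try counter only protects the PIN when it lives in the same component that checks the guess.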
  • 34. Relay Attacks (MITM) • "Mole" reader gets close to target mobile device • Attacker's mobile gets near POS terminal • APDUs are passed via TCP/IP
  • 35. Relay Attack Limitations • Target's mobile payment app must be unlocked • Google Wallet requires entry of a PIN to unlock
  • 36. Relay Through a Malicious App • Works against Google Wallet • Because it exposes payment credentials to the contact interface • Requires root privileges to bypass SE API signature authentication
  • 37. Relay Attack Countermeasures • Contactless POS terminals should enforce a time-out on all transactions ⚫Relay attack requires network communications which slows it down ⚫Not very practical because errors can cause delays in legitimate transactions • Use location information to flag suspicious transactions ⚫Target mobile is not really near the POS ⚫Requires target GPS to be active and consumer's consent • Google Wallet is no longer vulnerable to the second attack ⚫It no longer exposes payment applets over the contact interface
  • 39. Square • Square Register – Mobile app • Magnetic stripe reader – Plugs into audio jack – Free • Allows anyone to take credit card transactions – Charging 2.75% of each transaction
  • 40. Skimming • Any app that can receive audio data can steal the magnetic data from the Square device • VeriFone released an app to do this – In order to compete with Square
  • 41. Skimming Countermeasures • Manual skimming requires the card – Same as skimmers that have been used for years • A software attack against the reader could do more harm • In 2012, Square modified their reader to encrypt the audio stream – Encrypted data is sent to Square's servers and decrypted there – Prevents rogue apps from getting the credit card number
  • 42. Replay Attack • Malicious app could record the audio stream and replay it back to make another purchase • Demonstrated by Adam Laurie and Zac Franken at Black Hat in 2011 – They also reverse-engineered the format the Square reader uses for data from a credit card – They could manufacture correct audio streams from magnetic Track 2 data, which can be purchased on the black market • They could therefore use Square to perform mass fraud – Instead of manufacturing fake credit cards
  • 43. Replay Attack Countermeasures • Square's encryption prevents this • Textbook author verified that a replayed encrypted audio stream is no longer accepted as a valid Square transaction • So Square is changing the key, or using a nonce, or something similar
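One way a server can refuse a replayed swipe, following the "nonce" option the last slide mentions. This is an added example, not Square's protocol: the message layout, the per-reader counter, `SwipeServer`, the reader ID and the ciphertext bytes are assumptions, and encryption of the track data is taken as already done by the reader.

```python
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 output size
CTR_LEN = 8    # assumed 64-bit swipe counter

def reader_message(device_key: bytes, counter: int, encrypted_track: bytes) -> bytes:
    """Reader side: bind a fresh counter to the encrypted swipe with a MAC."""
    header = counter.to_bytes(CTR_LEN, "big")
    tag = hmac.new(device_key, header + encrypted_track, hashlib.sha256).digest()
    return header + encrypted_track + tag

class SwipeServer:
    """Server side: accepts each counter value from a reader at most once."""

    def __init__(self, device_keys: dict):
        self._keys = device_keys
        self._last_counter = {}   # reader id -> highest counter accepted

    def accept(self, device_id: str, message: bytes) -> str:
        key = self._keys.get(device_id)
        if key is None or len(message) < CTR_LEN + TAG_LEN:
            return "rejected: malformed"
        header = message[:CTR_LEN]
        body = message[CTR_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"      # counter or ciphertext was altered
        counter = int.from_bytes(header, "big")
        if counter <= self._last_counter.get(device_id, -1):
            return "rejected: replay"       # recorded stream sent again
        self._last_counter[device_id] = counter
        return "accepted"
```

Encryption alone keeps a rogue app from reading the card number; it is the authenticated, never-repeating counter that makes a recorded stream worthless the second time.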