The Mobile VAS SUMMIT 2009 was LIVE Photo Blogged at the Official Media Blog: http://paritoshsharma.com

1. Security @ Mobile VAS
Ltcdr. Pawan Desai, CISA, CISSP
Derisk your business
contact@mahindrassg.com www.mahindrassg.com

2. Agenda
 What comprises VAS
 Current Trends
 Need for Security
 Vulnerabilities
 Risk Matrix
 Domains of Mitigation
 Mittigation Steps

3. What is mobile VAS
 Includes services like:
 Short Messaging Service
 Multimedia media messaging service (MMS)
 Caller ring back
 Wallpapers
 Screensavers
 Other downloads
 Mobile Banking

4. Current Trends
 M-VAS is set to Grow 70% YOY
 The combined market for all types of mobile payments is expected to
reach more than 18000 Cr globally by 2013
 The registered user base for mobile banking in India is around 25 mn,
while the active users are only 2.5 mn
 Mobile banking active user base is expected to reach 2% by 2012, up from
the current 0.2%
 35% of online banking households will use mobile banking by 2010, up
from less than 1% at present
 70% of bank center call volume is slated to come from mobile phones
 VAS constitutes 7% of the total total telecom revenue for Indian operators
 Digital music and ringtones constitutes 35% of VAS revenue

5. VAS Revenues by Category
* Source: http://www.pluggd.in/indian-telecom-industry/mobile-vas-numbers-india-revenu

6. Need for Security
 AT STAKE – INR 16,520 Cr Business
 35% of online banking households will be using mobile banking by 2010,
up from less than 1% in 2007
 2005: first malicious mobile virus attack was recorded
 2006: 60 mobile viruses
 2007: > 400 mobile viruses + Snoopware + spyware + scripts specially
written for "camera mobiles“
 2009: Anybody’s guess !!!
"The biggest challenge - ensuring malware - free content"

7. The Value Chain

8. Vulnerabilities of the Mobile Channel
 "Curse of Silence Attacks" or "Curse SMS"
 Reset of PIN/ Password by fraudsters
 Increased "SIM Swop" Scam
 IMEI (International Mobile Equipment Identity) duplicity
 Lack of user knowledge leading to the prevelence of unsafe mobile usage practices
 Denial of Services (DoS)
 Virus Propagation
 Overbilling Attack
 Malware attacks - Ransomeware

9. Vulnerabilities of the Mobile Channel.. Cont…
Relating to the Handset
 Easily lost or handset change frequently so authentication and authorisation
are challenging
 Limited keypads Limited choice of PINS
Related to Mobile Channel
 Encryption not necessarily end-to-end
Related to VAS applications
 Often Outsourced – Interface with provider may create additional
vulnerabilities

10. Risk Matrix
Threats
Vulnerability Result
Fraudulent Privacy Service
transaction loss Denial
Reset of PIN by Known PIN and MSISDN and can initiate
fraudster transactions off a stolen phone √ √ √
Lack of user Mis-formatted messages - DoS, invalid
knowledge / exp attempts - PIN lock. User asks others for help √ √ √
and exposes PIN
SIM swap The valid MSISDN is moved to another
handset. The user has no access to their
account and receives no notifications. The √ √ √
user with the other handset, on knowing the
PIN, can transact on the account
Movement of Funds gone and not retrievable
funds beyond
defined √ √ -
beneficiaries
Infection by virus 3rd party can see and send transactions
- Advanced through device - act as relay for transactions,
Feature and Smart PIN sent to 3rd party, information sent to 3rd √ √ √
Phones party, replay of transactions, stop valid
transactions, stop notification messages

11. Domains of Mitigation
Mitigation
Domain Example Action
Strategy
Technology Change and / or Plaintext PIN exposure Move from no security on the
modify the mobile to security on the
technology to mobile (from structured SMS
reduce the risk with PIN to SIM Toolkit with
PIN)
Process Implement Movement of funds to a - Require pre-registration of a
process controls random beneficiary allows a beneficiary via the call centre
to block process thief to send money to where the user‘s identity is
paths that can whoever they want authenticated by asking
be exploited questions.
- Limit or set the value that can
be sent to a beneficiary Fraud
monitoring processes to look
for out of normal transactions
Environment Train and inform Theft / borrowing of mobile -Train users to not hand out
users to handset and knowledge of the their PINs so as to let others
influence PIN by thief. (This cannot be use their mobile
behaviour stopped by technical or - Vigorous follow-up and
process means) prosecution

12. Mitigation steps
 For users:
 Observe caution while using Bluetooth
 Have an AV running
 Know your IMEI number
 For service providers
 Ensure that connections to and from users are over secure channels.
 All connections from and to other service providers must also be secured
 Implement strong authentication
 For regulators and service providers
 Work together to secure the mobile infrastructure
 Create implementable laws that minimize the instances of fraud

13. The Value Chain

14. Thank You…
India Europe Singapore
Mumbai London 30 Raffles Place
3rd floor, Landmark Building, 4 New Square # 23-00 Caltex House
next to Mahindra Towers, Bedfont Lakes, Feltham Singapore 048622
Worli, Middlesex TW14 8HA Ph: +65– 6233-6853 / 54
Mumbai 400 018. India. Phone: +44 20 8818 0920
Ph: +91-22-24901441 Fax: +44 20 8818 0921
New Delhi Germany
2-A, Mahindra Towers, Bhikaji GMBH. Partnerport -
Cama Place, Altrottstrabe 31, D-69190
New Delhi - 110 066, India Waldorf, Germany
P: +91 (11)-4122 0300 Ph:+49 (0) 6227 381 106
Bangalore
#150, Tower No. B-2, Level-I,
Diamond District,
Airport Road,
Bangalore - 560 008, India.
Phone: +91 80 4135 3200
www.mahindrassg.com