Mahindra Represented at The Mobile VAS SUMMIT 2009 by Virtue Insight
1. Security @ Mobile VAS
Ltcdr. Pawan Desai, CISA, CISSP
Derisk your business
contact@mahindrassg.com www.mahindrassg.com
2. Agenda
What comprises VAS
Current Trends
Need for Security
Vulnerabilities
Risk Matrix
Domains of Mitigation
Mitigation Steps
3. What is mobile VAS
Includes services like:
Short Messaging Service
Multimedia messaging service (MMS)
Caller ring back
Wallpapers
Screensavers
Other downloads
Mobile Banking
4. Current Trends
M-VAS is set to grow 70% YOY
The combined market for all types of mobile payments is expected to
reach more than 18000 Cr globally by 2013
The registered user base for mobile banking in India is around 25 mn,
while the active users are only 2.5 mn
Mobile banking active user base is expected to reach 2% by 2012, up from
the current 0.2%
35% of online banking households will use mobile banking by 2010, up
from less than 1% at present
70% of bank center call volume is slated to come from mobile phones
VAS constitutes 7% of the total telecom revenue for Indian operators
Digital music and ringtones constitute 35% of VAS revenue
5. VAS Revenues by Category
* Source: http://www.pluggd.in/indian-telecom-industry/mobile-vas-numbers-india-revenu
6. Need for Security
AT STAKE – INR 16,520 Cr Business
35% of online banking households will be using mobile banking by 2010,
up from less than 1% in 2007
2005: first malicious mobile virus attack was recorded
2006: 60 mobile viruses
2007: > 400 mobile viruses + snoopware + spyware + scripts specially
written for "camera mobiles"
2009: Anybody’s guess !!!
"The biggest challenge - ensuring malware-free content"
8. Vulnerabilities of the Mobile Channel
"Curse of Silence Attacks" or "Curse SMS"
Reset of PIN/password by fraudsters
Increased "SIM Swop" Scam
IMEI (International Mobile Equipment Identity) duplicity
Lack of user knowledge leading to the prevalence of unsafe mobile usage practices
Denial of Services (DoS)
Virus Propagation
Overbilling Attack
Malware attacks - ransomware
9. Vulnerabilities of the Mobile Channel (cont.)
Relating to the handset
Easily lost, or handset changed frequently, so authentication and authorisation
are challenging
Limited keypads; limited choice of PINs
Relating to the mobile channel
Encryption not necessarily end-to-end
Relating to VAS applications
Often outsourced - the interface with the provider may create additional
vulnerabilities
10. Risk Matrix
Threat | Vulnerability | Result: Fraudulent transaction | Privacy loss | Service denial
Reset of PIN by fraudster | Known PIN and MSISDN; can initiate transactions off a stolen phone | √ | √ | √
Lack of user knowledge / experience | Mis-formatted messages - DoS; invalid attempts - PIN lock. User asks others for help and exposes PIN | √ | √ | √
SIM swap | The valid MSISDN is moved to another handset. The user has no access to their account and receives no notifications. The user with the other handset, on knowing the PIN, can transact on the account | √ | √ | √
Movement of funds beyond defined beneficiaries | Funds gone and not retrievable | √ | √ | -
Infection by virus - advanced feature and smart phones | 3rd party can see and send transactions through the device - act as relay for transactions, PIN sent to 3rd party, information sent to 3rd party, replay of transactions, stop valid transactions, stop notification messages | √ | √ | √
11. Domains of Mitigation
Domain | Mitigation Strategy | Example | Action
Technology | Change and/or modify the technology to reduce the risk | Plaintext PIN exposure | Move from no security on the mobile to security on the mobile (from structured SMS with PIN to SIM Toolkit with PIN)
Process | Implement process controls to block process paths that can be exploited | Movement of funds to a random beneficiary allows a thief to send money to whoever they want | - Require pre-registration of a beneficiary via the call centre, where the user's identity is authenticated by asking questions. - Limit or set the value that can be sent to a beneficiary. - Fraud monitoring processes to look for out-of-normal transactions
Environment | Train and inform users to influence behaviour | Theft / borrowing of mobile handset and knowledge of the PIN by thief (this cannot be stopped by technical or process means) | - Train users not to hand out their PINs so as to let others use their mobile. - Vigorous follow-up and prosecution
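The Process-domain controls above (pre-registered beneficiaries, a per-beneficiary value limit, fraud monitoring for out-of-normal transactions) and the PIN-lock behaviour from the risk matrix, combined into one transfer-authorisation check. This is an added illustration, not code from the presentation or from Mahindra SSG; the limits, attempt counts, anomaly factor and the in-memory Account record are constructed assumptions.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from statistics import mean

MAX_PIN_ATTEMPTS = 3          # assumed: invalid attempts before the PIN is locked
PER_BENEFICIARY_LIMIT = 5000  # assumed: maximum value per transfer, in INR
ANOMALY_FACTOR = 3.0          # assumed: hold transfers more than 3x the user's usual size


@dataclass
class Account:
    msisdn: str
    pin: str                                          # constructed: a real system stores a hashed PIN
    beneficiaries: set = field(default_factory=set)   # pre-registered via the call centre
    history: list = field(default_factory=list)       # amounts of past allowed transfers
    failed_attempts: int = 0
    locked: bool = False


def authorise_transfer(acct: Account, pin: str, beneficiary: str, amount: float):
    """Return (decision, reason); decision is 'allow', 'deny' or 'review'."""
    if acct.locked:
        return "deny", "pin locked"
    # PIN lock after repeated invalid attempts (the risk matrix's DoS-on-PIN case)
    if not compare_digest(pin, acct.pin):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_PIN_ATTEMPTS:
            acct.locked = True
            return "deny", "pin locked after repeated invalid attempts"
        return "deny", "invalid pin"
    acct.failed_attempts = 0
    # Process control 1: funds may only move to a pre-registered beneficiary
    if beneficiary not in acct.beneficiaries:
        return "deny", "beneficiary not pre-registered"
    # Process control 2: cap the value that can be sent to a beneficiary
    if amount > PER_BENEFICIARY_LIMIT:
        return "deny", "amount exceeds per-beneficiary limit"
    # Process control 3: fraud monitoring for out-of-normal transactions
    if acct.history and amount > ANOMALY_FACTOR * mean(acct.history):
        return "review", "out-of-normal amount, held for fraud monitoring"
    acct.history.append(amount)
    return "allow", "ok"
```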
12. Mitigation Steps
For users:
Observe caution while using Bluetooth
Have an AV running
Know your IMEI number
For service providers:
Ensure that connections to and from users are over secure channels.
All connections from and to other service providers must also be secured
Implement strong authentication
For regulators and service providers:
Work together to secure the mobile infrastructure
Create implementable laws that minimize the instances of fraud