Mahindra Represented at The Mobile VAS SUMMIT 2009 by Virtue Insight

The Mobile VAS SUMMIT 2009 was LIVE Photo Blogged at the Official Media Blog:
http://paritoshsharma.com

Published in: Technology, Business

  1. Security @ Mobile VAS
     Ltcdr. Pawan Desai, CISA, CISSP
     Derisk your business
     contact@mahindrassg.com | www.mahindrassg.com
  2. Agenda
     - What comprises VAS
     - Current Trends
     - Need for Security
     - Vulnerabilities
     - Risk Matrix
     - Domains of Mitigation
     - Mitigation Steps
  3. What is mobile VAS
     Includes services like:
     - Short Messaging Service (SMS)
     - Multimedia Messaging Service (MMS)
     - Caller ring back
     - Wallpapers
     - Screensavers
     - Other downloads
     - Mobile Banking
  4. Current Trends
     - M-VAS is set to grow 70% YOY
     - The combined market for all types of mobile payments is expected to reach more than 18000 Cr globally by 2013
     - The registered user base for mobile banking in India is around 25 mn, while the active users are only 2.5 mn
     - Mobile banking active user base is expected to reach 2% by 2012, up from the current 0.2%
     - 35% of online banking households will use mobile banking by 2010, up from less than 1% at present
     - 70% of bank call-centre volume is slated to come from mobile phones
     - VAS constitutes 7% of the total telecom revenue for Indian operators
     - Digital music and ringtones constitute 35% of VAS revenue
  5. VAS Revenues by Category
     * Source: http://www.pluggd.in/indian-telecom-industry/mobile-vas-numbers-india-revenu
  6. Need for Security
     - AT STAKE – INR 16,520 Cr Business
     - 35% of online banking households will be using mobile banking by 2010, up from less than 1% in 2007
     - 2005: first malicious mobile virus attack was recorded
     - 2006: 60 mobile viruses
     - 2007: > 400 mobile viruses + snoopware + spyware + scripts specially written for "camera mobiles"
     - 2009: Anybody's guess !!!
     "The biggest challenge - ensuring malware-free content"
  7. The Value Chain
  8. Vulnerabilities of the Mobile Channel
     - "Curse of Silence Attacks" or "Curse SMS"
     - Reset of PIN / password by fraudsters
     - Increased "SIM Swop" scam
     - IMEI (International Mobile Equipment Identity) duplicity
     - Lack of user knowledge leading to the prevalence of unsafe mobile usage practices
     - Denial of Service (DoS)
     - Virus propagation
     - Overbilling attack
     - Malware attacks - ransomware
  9. Vulnerabilities of the Mobile Channel (cont.)
     Relating to the handset
     - Easily lost, and handsets change frequently, so authentication and authorisation are challenging
     - Limited keypads; limited choice of PINs
     Relating to the mobile channel
     - Encryption is not necessarily end-to-end
     Relating to VAS applications
     - Often outsourced; the interface with the provider may create additional vulnerabilities
  10. Risk Matrix
      Threat columns: Fraudulent transaction (FT), Privacy loss (PL), Service denial (SD)

      | Vulnerability | Result | FT | PL | SD |
      | --- | --- | --- | --- | --- |
      | Reset of PIN by fraudster | Known PIN and MSISDN; can initiate transactions off a stolen phone | √ | √ | √ |
      | Lack of user knowledge / exp | Mis-formatted messages - DoS; invalid attempts - PIN lock. User asks others for help and exposes PIN | √ | √ | √ |
      | SIM swap | The valid MSISDN is moved to another handset. The user has no access to their account and receives no notifications. The user with the other handset, on knowing the PIN, can transact on the account | √ | √ | √ |
      | Movement of funds beyond defined beneficiaries | Funds gone and not retrievable | √ | √ | - |
      | Infection by virus - advanced feature and smart phones | 3rd party can see and send transactions through the device: act as relay for transactions, PIN sent to 3rd party, information sent to 3rd party, replay of transactions, stop valid transactions, stop notification messages | √ | √ | √ |
  11. Domains of Mitigation
      Technology
        Mitigation strategy: Change and/or modify the technology to reduce the risk
        Example: Plaintext PIN exposure
        Action: Move from no security on the mobile to security on the mobile (from structured SMS with PIN to SIM Toolkit with PIN)
      Process
        Mitigation strategy: Implement process controls to block process paths that can be exploited
        Example: Movement of funds to a random beneficiary allows a thief to send money to whoever they want
        Action:
        - Require pre-registration of a beneficiary via the call centre, where the user's identity is authenticated by asking questions
        - Limit or set the value that can be sent to a beneficiary
        - Fraud monitoring processes to look for out-of-normal transactions
      Environment
        Mitigation strategy: Train and inform users to influence behaviour
        Example: Theft / borrowing of the mobile handset and knowledge of the PIN by the thief (this cannot be stopped by technical or process means)
        Action:
        - Train users not to hand out their PINs so as to let others use their mobile
        - Vigorous follow-up and prosecution
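  The three Process-domain controls on the slide above (pre-registered beneficiaries, a per-beneficiary value limit, and monitoring for out-of-normal transactions) as an added Python example. This is not code from the deck or from Mahindra SSG; the account data, caps, transfer history and the z-score threshold are constructed assumptions.

```python
"""Added example (not from the deck): transfer authorisation applying the
'Process' domain controls from the Domains of Mitigation slide.
Account data, caps, history and the z-score threshold are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class Account:
    msisdn: str                                # mobile number the service is bound to
    beneficiaries: Dict[str, int] = field(default_factory=dict)  # pre-registered payee -> per-transfer cap (INR)
    history: List[int] = field(default_factory=list)             # recent executed transfer amounts (INR)


def authorize_transfer(acct: Account, payee: str, amount: int,
                       z_threshold: float = 3.0, min_history: int = 5) -> Tuple[str, str]:
    """Return (decision, reason) with decision in {"allow", "deny", "review"}.
    deny   : a hard process control failed (bad amount, unregistered payee, over cap)
    review : hard controls passed but the amount is out of normal for this
             account, so it is held for fraud monitoring rather than executed"""
    if amount <= 0:
        return "deny", "amount must be positive"
    # Control 1: only beneficiaries pre-registered through an authenticated
    # channel (the slide's call-centre identity check) can receive funds.
    cap = acct.beneficiaries.get(payee)
    if cap is None:
        return "deny", "beneficiary not pre-registered"
    # Control 2: per-beneficiary value limit.
    if amount > cap:
        return "deny", f"amount {amount} exceeds cap {cap} for {payee}"
    # Control 3: out-of-normal detection, a z-score of the requested amount
    # against the account's own history (only once enough history exists).
    if len(acct.history) >= min_history:
        mu, sigma = mean(acct.history), pstdev(acct.history)
        unusual = (amount - mu) / sigma > z_threshold if sigma > 0 else amount > mu
        if unusual:
            return "review", f"amount {amount} is out of normal (mean {mu:.0f}); hold for fraud review"
    return "allow", "within registered beneficiary cap and normal range"


if __name__ == "__main__":
    acct = Account("+91-00000-00000",  # constructed MSISDN
                   {"school_fees": 10000, "grocer": 2000}, [500, 800, 650, 700, 550])
    for payee, amt in [("unknown", 100), ("grocer", 2500), ("grocer", 700), ("school_fees", 5000)]:
        print(payee, amt, authorize_transfer(acct, payee, amt))
```

  A "review" decision is the hook for the slide's fraud-monitoring process: the transfer is parked for a human or rules engine rather than silently denied, which keeps the user informed and limits service-denial side effects.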
  12. Mitigation steps
      For users:
      - Observe caution while using Bluetooth
      - Have an AV running
      - Know your IMEI number
      For service providers:
      - Ensure that connections to and from users are over secure channels
      - All connections from and to other service providers must also be secured
      - Implement strong authentication
      For regulators and service providers:
      - Work together to secure the mobile infrastructure
      - Create implementable laws that minimize the instances of fraud
  13. The Value Chain
  14. Thank You…
      India
        Mumbai: 3rd floor, Landmark Building, next to Mahindra Towers, Worli, Mumbai 400 018, India. Ph: +91-22-24901441
        New Delhi: 2-A, Mahindra Towers, Bhikaji Cama Place, New Delhi - 110 066, India. P: +91 (11)-4122 0300
        Bangalore: #150, Tower No. B-2, Level-I, Diamond District, Airport Road, Bangalore - 560 008, India. Phone: +91 80 4135 3200
      Europe
        London: 4 New Square, Bedfont Lakes, Feltham, Middlesex TW14 8HA. Phone: +44 20 8818 0920, Fax: +44 20 8818 0921
        Germany: GmbH, Partnerport, Altrottstraße 31, D-69190 Walldorf, Germany. Ph: +49 (0) 6227 381 106
      Singapore
        30 Raffles Place, #23-00 Caltex House, Singapore 048622. Ph: +65 6233-6853 / 54
      www.mahindrassg.com