7/31/2019 Mpfi Raina
1/40
1. Amendments to Interoperability Standards for Mobile Payments
2. Discussion paper on Security for Mobile payments
Dr Gaurav Raina
Department of Electrical Engineering, IIT Madras
E-mail : [email protected]
-
Challenges for Mobile Payments
Interoperability
Security
Universality
Usability
Privacy
Trust
Cost
Performance
Cross-border payments
-
Interoperability Standards V1.10
TSP: Telecommunication Service Provider
MPP: Mobile Payment Provider
-
Interoperability Standards V1.A
MMID: Mobile Money Identifier
Was uploaded to MPFI website: 29 Nov, 2010
Request for comments by 15 Dec, 2010
(Transaction flow diagram: Customer -> MPP -> Bank (Core Banking System, CBS) -> Central Switch / settlement agency -> Bank (CBS) -> MPP -> Customer. Each mobile number will be linked to a bank account; the sender supplies the beneficiary's mobile number, MMID and amount.)
-
Discussion paper on Security for Mobile payments
-
Background
Interoperability Standards for Mobile Payments
Technology Sub-Committee for Mobile Payments Security
Discussion Paper on Mobile Payment Security, 7th Feb 2011
Discussion Paper to eventually turn into a Standards Document
Institutions part of the Technology Sub-Committee
Tata Teleservices Ltd
IDRBT
mCheck
Comviva Technologies Ltd
ICICI Bank
IIT Madras
-
Objectives and scope of Discussion Paper
To undertake an assessment of the key security concerns for mobile payments
Identify the threats and vulnerabilities for mobile payments
Recommendations for minimizing/eliminating the identified threats
Identify the main security breach points
(1) Mobile device level
(2) Application level
(3) Channel level
Then consider each of the breach points from the perspective of
(1) Technology
(2) Interoperability Standards
(3) Operative guidelines set out by the RBI
-
RBI Security Guidelines
Authentication: banks providing mobile banking services shall comply with the following security principles and practices for the Authentication of mobile banking transactions:
A. All mobile banking shall be permitted only by validation through a two factor authentication.
B. One of the factors of authentication shall be mPIN, or any other higher standard.
C. Where mPIN is used, end-to-end encryption of the mPIN is desirable; i.e. mPIN shall not be in clear text anywhere in the network.
D. The mPIN shall be stored in a secure environment.
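The following is an added worked example of principles A to D, not code from the MPFI discussion paper or from any bank's implementation. It shows a challenge-response login in which the mPIN never crosses the network (C), the bank keeps only a derived verifier in a secure store (D), and a provisioned device key supplies the second, possession, factor (A, B). The SecureStore class stands in for an HSM or encrypted credential database; the PBKDF2 parameters, key sizes, field names and message layout are assumptions for the example.

```python
# Added example for RBI principles A-D; not code from the MPFI paper.
# Assumptions: PBKDF2-SHA256 for PIN derivation, 32-byte device key,
# 16-byte server challenge, a simple "PAY ..." transaction string.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def derive_verifier(mpin, salt):
    """Slow derivation from the short mPIN. The handset runs it on the PIN
    the user types; the bank stores the result once, at enrolment."""
    return hashlib.pbkdf2_hmac("sha256", mpin.encode(), salt, PBKDF2_ROUNDS)


def session_key(device_key, verifier):
    """Combines both factors: possession (device key) and knowledge (mPIN)."""
    return hmac.new(device_key, verifier, "sha256").digest()


class SecureStore:
    """Stand-in for the 'secure environment' of principle D (an HSM or an
    encrypted credential database). Holds salt, verifier and device key
    per customer; the verifier never leaves it."""

    def __init__(self):
        self._records = {}

    def enrol(self, msisdn, mpin):
        salt = os.urandom(16)
        device_key = os.urandom(32)
        self._records[msisdn] = (salt, derive_verifier(mpin, salt), device_key)
        # Salt and device key are provisioned to the handset (SIM or app).
        return salt, device_key

    def lookup(self, msisdn):
        return self._records.get(msisdn)


def handset_prove(mpin, salt, device_key, nonce, tx):
    """Handset side: only this keyed tag is sent, never the mPIN."""
    k = session_key(device_key, derive_verifier(mpin, salt))
    return hmac.new(k, nonce + tx.encode(), "sha256").digest()


def server_verify(store, msisdn, nonce, tx, proof):
    """Bank side: recompute the tag from the stored verifier and compare in
    constant time. A wrong PIN or a foreign device both fail here."""
    rec = store.lookup(msisdn)
    if rec is None:
        return False
    salt, verifier, device_key = rec
    expected = hmac.new(session_key(device_key, verifier),
                        nonce + tx.encode(), "sha256").digest()
    return hmac.compare_digest(expected, proof)


def demo():
    """Constructed data: one customer, one transfer, three login attempts."""
    store = SecureStore()
    msisdn, mpin = "919800000001", "4821"
    salt, device_key = store.enrol(msisdn, mpin)
    tx = "PAY mmid=9012345 amount=500.00"
    nonce = secrets.token_bytes(16)          # fresh challenge from the bank
    genuine = server_verify(store, msisdn, nonce, tx,
                            handset_prove(mpin, salt, device_key, nonce, tx))
    wrong_pin = server_verify(store, msisdn, nonce, tx,
                              handset_prove("0000", salt, device_key, nonce, tx))
    pin_known_but_other_device = server_verify(
        store, msisdn, nonce, tx,
        handset_prove(mpin, salt, os.urandom(32), nonce, tx))
    return genuine, wrong_pin, pin_known_but_other_device


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Two caveats a reviewer would raise. A four-digit mPIN has only 10,000 values, so the slow derivation limits but cannot prevent offline guessing if the stored verifier leaks; that is exactly why principle D demands a secure store and why the device key is bound into the tag, so a leaked verifier alone is not enough. Secondly, the server must also rate-limit failed proofs per MSISDN, since online guessing of a four-digit PIN is otherwise cheap.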
-
Interoperability
(Transaction flow diagram repeated from the Interoperability Standards slide: Customer -> MPP -> Bank (CBS) -> Central Switch / settlement agency -> Bank (CBS) -> MPP -> Customer, carrying the beneficiary's mobile number, MMID and amount; each mobile number is linked to a bank account.)
-
Interfaces in a Transaction flow
Wireless Interface
Customer-to-MPP
Wired Interfaces
MPP-to-Bank
Bank-to-CBS
Bank-to-Bank
-
Template for evaluating all technologies
Capability of the phone
Positive features
Compliance with RBI guidelines
Other aspects
Key concerns
Key recommendations
Customers
Banks
Etc.
-
IVR
(Network diagram legend)
BTS: Base Transceiver Station
BSC: Base Station Controller
HLR: Home Location Register
MPP: Mobile Payment Provider
SMSC: Short Message Service Centre
-
IVR
Capability of the phone
All handsets
Positive features
Works across different levels of literacy
Strong authentication possible with voice biometrics
Easy to use
Cost per transaction is low
Compliance with RBI guidelines
Yes, with voice biometrics
Other aspects
Voice biometrics not standardized
Different implementations / solutions could have different performance
Interact through the use of voice & DTMF keypad inputs
-
IVR
Key concerns / recommendations
If DTMF tones are used to transfer information, there is a possibility of tapping and deciphering confidential data
Recommended to use voice biometrics
Security of database / transaction logs where confidential information may be stored, either by design or inadvertently
Regular security audits of these stores address this concern
Voice biometrics or other authentication data should be stored in encrypted form
For concerns over caller ID and replay attacks, a liveness test should be used.
-
Sub working groups
SMS and USSD: Comviva and Eko
IVR: Comviva, Voxta, Uniphore
Mobile browsing services: Paladion Networks and RS Software
Advanced application services (J2ME): Comviva, Paladion Networks, RS Software and Voxta
SIM application ToolKit (STK): Syscom
Emerging Technologies (NFC): Samsung
-
Other relevant documents
1. Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. Report and Recommendations, Reserve Bank of India, Jan 2011
2. Amended IT Act 2008
Request for someone in MPFI who has a strong technological and legal understanding to work with the TSC to assess the relevance of the recommendations in the context of the Amended IT Act, and vice versa.
Example: recommended to adopt Wireless PKI.
Q: Does this meet the reliability criteria as given in the Amended IT Act, 2008?
If yes, the MPFI can recommend the Department of Information Technology to include WPKI legality while framing and notifying rules for Electronic Signature.
-
Summary
-
Next Steps
Develop a thorough, in-depth understanding of all technologies with respect to security and end-to-end performance
Review all recommendations in the context of the Amended IT Act, 2008
Work towards a Standards Document
-
Case 1. bearer services (SMS, USSD, IVR)
Key concerns
Mobile Device Level
SMSs sent and received are automatically saved on the handset
USSD sessions can be driven through modem AT commands
Channel Level
Security might be compromised in the telecom switching network
Database level
The real threat lies in transaction logs
Weak encryption
Unilateral (one-way) authentication
Over-the-air cracking
SMS spoofing
-
Case 1. bearer services (SMS, USSD, IVR)
Key recommendations
Customer
Do not store any confidential messages/information on the phone
Delete already-sent mobile payment messages that contain sensitive information
Banks
Impose a threshold on the transaction amount, based on the risk perspective
Educate customers on best practices for mobile payments security
-
Case 2. mobile browsing services (HTTPS, WAP)
(Network diagram: handset, BTS, BSC, HLR, SMSC and MPP, with the same legend as the IVR diagram.)
-
Wireless Application Protocol (WAP)
Capability of the phone
Only in advanced handsets
Positive feature
Open standard for application layer network communications
Compliance with RBI guidelines
End to end security possible (caveat: WTLS terminates at the WAP gateway, where traffic is decrypted and re-encrypted towards the bank's web server, the so-called WAP gap; end-to-end protection therefore holds only if the gateway sits inside the bank's trust boundary)
Other aspects
A WAP browser accesses sites written in WML
WAP based applications use GPRS as the data transport layer and are secured either by
Encryption provided by GPRS
Wireless Transport Layer Security (WTLS)
-
Case 3. advanced application services (J2ME)
(Network diagram: handset, BTS, BSC, HLR, SMSC and MPP, with the same legend as the IVR diagram.)
-
Mobile payment application: in phone memory
Capability of the phone
Today, most handsets support Java (J2ME)
Positive feature
Easy to use, menu driven
Compliance with RBI guidelines
End to end security possible
Other aspects
Applications in Java (J2ME) for GSM handsets, BREW for CDMA
Storage of client's credentials
Inside the SIM
RMS (record management system)
-
Case 3. advanced application services (J2ME)
Key concerns
Mobile Device Level
Information stored in the Record Management System (RMS) can be read easily
Random numbers used in key generation can be guessed by an alert attacker if the generator is weak or seeded predictably
An authentication check performed by the client-side application poses a serious threat
Channel Level
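An added illustration of the "random numbers used in key generation can be guessed" concern above; it is not code from the MPFI paper or from any handset application. A handset that seeds a general-purpose PRNG from its clock produces a session key the attacker recovers by trying the few hundred seeds around the transaction time, given only the ciphertext and the predictable message header. The 16-byte key, the XOR stand-in for the cipher, the known header and the timestamps are assumptions for the demo.

```python
# Added example for the predictable-RNG concern; not code from the MPFI paper.
# Assumptions: 16-byte session key, a fixed 16-byte message header the
# attacker can predict, XOR as a stand-in for the real cipher.
import random
import secrets

KNOWN_HEADER = b"MPAY/1.0 TXN:000"   # 16 bytes; known-plaintext for the attacker


def weak_session_key(seed_time):
    """Anti-pattern: java.util.Random-style PRNG seeded from the clock."""
    return random.Random(seed_time).getrandbits(128).to_bytes(16, "big")


def strong_session_key():
    """Fix: key material from the platform CSPRNG."""
    return secrets.token_bytes(16)


def xor_encrypt(key, data):
    """Toy stand-in for the cipher (key cycled over the data); only the
    origin of the key matters for this demonstration."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed(ciphertext, approx_time, slack=300):
    """Attacker knows the message format and roughly when the session
    started (e.g. from the SMS timestamp); each candidate seed costs
    microseconds, so a +/- 5 minute window is searched instantly."""
    for t in range(approx_time - slack, approx_time + slack + 1):
        if xor_encrypt(weak_session_key(t), KNOWN_HEADER) == ciphertext[:16]:
            return t
    return None


def demo():
    """Constructed data: handset clock 7 s ahead of the attacker's guess."""
    session_start = 1_300_000_000
    key = weak_session_key(session_start + 7)
    ciphertext = xor_encrypt(key, KNOWN_HEADER + b" mmid=9012345 amount=500.00")
    seed = recover_seed(ciphertext, session_start)
    weak_recovered = seed == session_start + 7
    # The CSPRNG key has no seed to search for; the same attack finds nothing.
    strong_ct = xor_encrypt(strong_session_key(), KNOWN_HEADER)
    strong_unrecovered = recover_seed(strong_ct, session_start) is None
    return weak_recovered, strong_unrecovered


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Once the seed is known the attacker regenerates the key and decrypts the rest of the message; the defence is not a wider seed but a source the attacker cannot enumerate (the platform CSPRNG, or on the SIM side the card's hardware generator).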
-
Case 3. advanced application services (J2ME)
Key recommendations
Bank
Store the sensitive information in an encrypted format
Symmetric key encryption can be used if the shared key can be stored in a secure environment
Hybrid protocols like SSL/TLS (which employ both symmetric and asymmetric key encryption) are preferred
The authenticity check should be performed at the server side
Timestamps / one-time passwords can be used to counter replay attacks
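An added worked example of the last two recommendations (authenticity check on the server, timestamps and one-time values against replay), which also covers the SMS spoofing and unilateral authentication concerns listed under Case 1: it is not code from the MPFI paper or from any MPP. The handset signs each payment message with a provisioned device key and the server, not the client, decides whether it is authentic, fresh and unseen. The field names, the pipe-delimited message layout, the per-device key and the 120 second window are assumptions for the example.

```python
# Added example for server-side authenticity and replay checks; not code
# from the MPFI paper. Assumptions: pipe-delimited "msisdn|k=v|..." message,
# a 32-byte device key shared with the bank, HMAC-SHA256 tags, 120 s window.
import hmac
import time

REPLAY_WINDOW = 120          # seconds a message stays acceptable
FIELD_ORDER = ("mmid", "amount", "ts", "nonce")


def canonical(msisdn, fields):
    """Fixed field order so handset and server MAC identical bytes."""
    body = "|".join(f"{k}={fields[k]}" for k in FIELD_ORDER)
    return f"{msisdn}|{body}".encode()


def handset_sign(device_key, msisdn, fields):
    """Handset side: tag over sender, beneficiary, amount, time and nonce."""
    return hmac.new(device_key, canonical(msisdn, fields), "sha256").hexdigest()


class PaymentServer:
    """All trust decisions live here; the handset's own notion of
    'authenticated' is never consulted (the client-side-check concern)."""

    def __init__(self, device_keys, clock=time.time):
        self._keys = device_keys      # msisdn -> provisioned device key
        self._seen = {}               # (msisdn, nonce) -> ts
        self._clock = clock

    def verify(self, claimed_sender, fields, tag):
        key = self._keys.get(claimed_sender)
        if key is None:
            return "unknown sender"
        expected = handset_sign(key, claimed_sender, fields)
        if not hmac.compare_digest(expected, tag):
            # A spoofed originating number or a tampered amount lands here:
            # the SMS sender header proves nothing, only the key does.
            return "bad mac"
        now = int(self._clock())
        ts = int(fields["ts"])
        if abs(now - ts) > REPLAY_WINDOW:
            return "stale"
        self._expire(now)
        marker = (claimed_sender, fields["nonce"])
        if marker in self._seen:
            return "replay"
        self._seen[marker] = ts
        return "ok"

    def _expire(self, now):
        """Nonces older than the window can never validate again, so the
        cache stays bounded by the traffic of one window."""
        for marker, ts in list(self._seen.items()):
            if now - ts > REPLAY_WINDOW:
                del self._seen[marker]


def demo():
    """Constructed traffic: one genuine transfer, then four attacks."""
    now = 1_300_000_000
    alice_key = b"\x11" * 32
    alice = "919800000001"
    server = PaymentServer({alice: alice_key}, clock=lambda: now)
    msg = {"mmid": "9012345", "amount": "500.00", "ts": str(now - 5), "nonce": "a1f3"}
    tag = handset_sign(alice_key, alice, msg)
    results = [server.verify(alice, msg, tag)]                       # ok
    results.append(server.verify(alice, msg, tag))                   # replay
    tampered = dict(msg, amount="50000.00")
    results.append(server.verify(alice, tampered, tag))              # bad mac
    mallory_key = b"\x22" * 32                                       # attacker's own key
    spoofed = dict(msg, nonce="b7c9")                                # sender header forged
    results.append(server.verify(alice, spoofed, handset_sign(mallory_key, alice, spoofed)))
    old = dict(msg, ts=str(now - 3600), nonce="c0de")                # captured an hour ago
    results.append(server.verify(alice, old, handset_sign(alice_key, alice, old)))
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'bad mac', 'bad mac', 'stale']
```

The timestamp and the nonce do different jobs: the window bounds how long the server must remember nonces, and the nonce catches replays inside the window. If the handset keeps a monotonic counter instead of a random nonce, the server can drop the cache and simply require each counter value to exceed the last one accepted for that MSISDN; a one-time password from the mPIN slide serves the same purpose.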
-
Case 4. SIM application toolkit (STK)
(Network diagram: handset, BTS, BSC, HLR, SMSC and MPP, with the same legend as the IVR diagram.)
-
Mobile payment application: embedded in the SIM
Capability of the phone
Can be implemented in all handsets
Positive feature
Easy to use, no need to install an application
Compliance with RBI guidelines
End to end secure
Other aspects
Information in the SIM is protected using crypto algorithms & keys
Applications developed using SIM Application Toolkit (SAT) & JavaCard
The application can be loaded either in the manufacturing phase or installed dynamically over the air (OTA)
-
Case 4. SIM application toolkit (STK)
Key concerns
Mobile Device Level
Downloading of applets is a time consuming process
Slowness of the key generation & signature process
Generated signatures may not be qualified (legally recognised) signatures
Mobile malware such as keylogging trojans
-
Case 4. SIM application toolkit (STK)
Key recommendations
Customer
Keep the handset free of malware by running up-to-date anti-virus software
Bank
Use symmetric encryption and store the key inside the SIM in an encrypted format
Adopt Wireless Public Key Infrastructure (WPKI)
Telecommunication Service Provider (TSP)
Increase the processing abilities of the SIM card
-
Some recent references
Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. Report and Recommendations, Reserve Bank of India, Jan 2011
Securing Mobile Payments: Modelling, Design, and Analysis, Supakorn Kungpisdan, Lambert Academic Publishing, 2010