Mobile Wallet security

Post on 26-Jan-2017


Transcript of Mobile Wallet security

NULL BANGALORE
SURAJ PRATAP

Mobile Wallet Security

Agenda

Mobile wallet intro
Statistics
Basic features
Built-in security
Possible security issues

About me

Suraj Pratap. Works as an information security analyst.

Bug bounty hunter; got lucky with Google, Microsoft, PayPal, Yahoo, etc.

surajraghuvanshi@gmail.com

Some Statistics

India had 375 million Internet users in October 2015.

India's share of world population: 17.50%
India's share of world Internet users: 6.63%
Online e-commerce users: 3.8%
Mobile wallet users: 0.57

Statistics

Wallet users by age group (percentage)

18-29: 37
30-44: 36
45-59: 17
60 and above: 10

Brands

Paytm, Freecharge, Mobikwik, Airtel Money, Google Pay, Apple Pay, Vodafone M-Pesa, Chillr, Oxigen Wallet, Citrus Pay, PayUMoney

Mobile wallet

Mobile application: a financial tool, designed to free users from the traditional wallet.
Replaces ATMs and credit cards.
Faster.

Merchant benefits:
Lets brands offer a wider variety of payment options.
Easy-to-use payment interface development.

Bank and financial institution benefits:
Offer a consistent payment interface to consumers and merchants.

Why mobile wallet

Reference : NTTDATA

Key features

Bill payment services
M-brokerage services
Mobile money transfers
Mobile micro-payments
Money spend analyser, etc.

But Wait

Reference: sqs.com

Inbuilt Protection

Client side
Data encryption at the client side: most of them.
Browser sandboxing: only 3.
Encryption and hashing used: AES-256 / SHA-2 for most of them (please don't ask for the key ;-)).
Proprietary protocols.

Inbuilt Protection

Server side
Cloud-based platform (except banks' wallets).
VPC (virtual private cloud).
PCI certified: trust.
Fraud detection team.
Data encrypted: yes, they all claim so.

Inbuilt Protection

In the middle
Most of them are on TLS 1.1 and 1.2 only.
SSL (certificate) pinning: not implemented by all.
Encrypting data inside SSL: yes, people have implemented it.
MITM: yes, it is possible.
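The two transport-layer points above (minimum TLS version, and certificate pinning so that a MITM with an interception CA cannot read the traffic) are easy to get wrong. Below is an added example, not code from the talk or from any of the wallet apps named, showing the server-side building blocks with the Python standard library only: a TLS client context that refuses anything below TLS 1.2, and a SubjectPublicKeyInfo (SPKI) pin computed the way OkHttp-style `sha256/...` pins are, using a small DER walker. The sample certificate is a constructed DER skeleton (hypothetical, not a real CA-issued certificate) so the block runs offline; in a real app the DER bytes come from the peer certificate of the live TLS session.

```python
import base64
import hashlib
import ssl

# Anything older than TLS 1.2 is refused outright.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def tls_context() -> ssl.SSLContext:
    """Client context: system trust store, hostname checks on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos.

    Returns (tag, value_start, value_end, next_pos); handles short and long length forms.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def extract_spki(der_cert: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }
    """
    _, start, _, _ = _read_tlv(der_cert, 0)            # outer Certificate SEQUENCE
    _, start, _, _ = _read_tlv(der_cert, start)        # tbsCertificate SEQUENCE
    pos = start
    tag, _, _, nxt = _read_tlv(der_cert, pos)
    if tag == 0xA0:                                    # optional explicit [0] version
        pos = nxt
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(der_cert, pos)
    tag, _, _, nxt = _read_tlv(der_cert, pos)          # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI SEQUENCE not found")
    return der_cert[pos:nxt]


def spki_pin(der_cert: bytes) -> str:
    """Pin in the common 'sha256/<base64>' form: SHA-256 over the DER SPKI."""
    digest = hashlib.sha256(extract_spki(der_cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True if the presented certificate's SPKI pin is in the app's shipped pin set."""
    return spki_pin(der_cert) in pins


# --- constructed sample input (hypothetical certificate skeleton, not a real certificate) ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"       # 1.2.840.113549.1.1.1 rsaEncryption
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, _RSA_OID)) + _tlv(0x03, b"\x00" + bytes(200)))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))        # [0] version v3
               + _tlv(0x02, b"\x01")                     # serialNumber
               + _tlv(0x30, b"") + _tlv(0x30, b"")       # signature, issuer (empty placeholders)
               + _tlv(0x30, b"") + _tlv(0x30, b"")       # validity, subject (empty placeholders)
               + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _TBS + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    pins = {spki_pin(SAMPLE_CERT)}                       # what the app would ship
    print("pin:", spki_pin(SAMPLE_CERT))
    print("matches shipped pin set:", pin_matches(SAMPLE_CERT, pins))
    print("minimum TLS:", tls_context().minimum_version)
```

Pinning the SPKI rather than the whole certificate survives routine certificate renewals as long as the key is kept, and shipping a backup pin for a second key avoids bricking the app on a key rotation. A pin mismatch must abort the connection before any request body is sent; logging it and continuing is exactly the "MITM: yes, it is possible" situation from the slide.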

Main Security Concerns

If someone steals my phone, they have access to all my information

I will not be able to pay for purchase if my phone lost / stolen

Someone might be able to steal my info when it is sent wirelessly

My "mobile wallet" provider will share my info with other companies

Too much personal spending info in one place on Smartphone

How to address them

Wipe it remotely.
Sophisticated, high-tech security.
Replace immediately.
Two-way authentication.
Install the app from a trusted location.
Review contract terms and conditions.

How to address them

Trust :-) / :-( Cloud

Who had bugs

Paytm, Freecharge, Oxigen Wallet, Citrus Pay, Mobikwik, Airtel Money, Google Pay

Who got affected

Users: only 2 cases which I found.
Service providers: all of them.

By business logic flaws
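The talk does not detail the individual bugs, so the following is an added illustration (my own code, not the talk's or any named wallet's) of the shape that wallet business-logic flaws typically take: a transfer handler that trusts every number the app posts. The vulnerable handler accepts a negative amount (which reverses the direction of the transfer), never checks the sender's balance, credits whatever cashback the client claims, and processes a replayed request a second time. The hardened handler beside it owns all of those decisions on the server. The in-memory balances and the 5%-capped-at-50 cashback rule are hypothetical, chosen only to make the example runnable.

```python
from dataclasses import dataclass, field
from decimal import Decimal


class WalletError(Exception):
    """Raised by the hardened handler when a request fails validation."""


@dataclass
class WalletService:
    # user id -> balance; a dict stands in for the database (constructed state)
    balances: dict = field(default_factory=dict)
    # idempotency keys already processed, used only by the hardened path
    seen_requests: set = field(default_factory=set)

    def balance(self, user: str) -> Decimal:
        return self.balances.get(user, Decimal("0"))

    def credit(self, user: str, amount: Decimal) -> None:
        self.balances[user] = self.balance(user) + amount

    def transfer_vulnerable(self, src: str, dst: str, amount: Decimal, cashback: Decimal) -> None:
        """Every figure comes straight from the client request.

        No sign check (a negative amount pulls money from dst into src), no balance
        check, cashback is whatever the app posted, and a replayed request is honoured again.
        """
        self.credit(src, -amount)
        self.credit(dst, amount)
        self.credit(src, cashback)

    def transfer_hardened(self, src: str, dst: str, amount: Decimal, request_id: str) -> Decimal:
        """Same operation with the checks the server must own. Returns the cashback granted."""
        # Amount: positive, at most two decimal places, and covered by src's balance.
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            raise WalletError("invalid amount")
        if src == dst:
            raise WalletError("self-transfer")
        if self.balance(src) < amount:
            raise WalletError("insufficient funds")
        # Replay protection: an idempotency key is consumed exactly once.
        if request_id in self.seen_requests:
            raise WalletError("duplicate request")
        self.seen_requests.add(request_id)
        # Cashback is a server-side rule (hypothetical policy: 5%, capped at 50), never a client field.
        cashback = min((amount * Decimal("0.05")).quantize(Decimal("0.01")), Decimal("50"))
        self.credit(src, -amount)
        self.credit(dst, amount)
        self.credit(src, cashback)
        return cashback


def is_rejected(svc: WalletService, src: str, dst: str, amount: Decimal, request_id: str) -> bool:
    """Helper for callers: True if the hardened handler refuses the request."""
    try:
        svc.transfer_hardened(src, dst, amount, request_id)
    except WalletError:
        return True
    return False


if __name__ == "__main__":
    v = WalletService({"attacker": Decimal("0"), "victim": Decimal("500")})
    v.transfer_vulnerable("attacker", "victim", Decimal("-200"), Decimal("0"))   # drains the victim
    v.transfer_vulnerable("attacker", "victim", Decimal("1"), Decimal("1000"))   # self-granted cashback
    print("vulnerable:", dict(v.balances))

    h = WalletService({"alice": Decimal("100"), "bob": Decimal("0")})
    print("cashback:", h.transfer_hardened("alice", "bob", Decimal("40"), "req-1"))
    print("replay rejected:", is_rejected(h, "alice", "bob", Decimal("40"), "req-1"))
    print("negative rejected:", is_rejected(h, "alice", "bob", Decimal("-5"), "req-2"))
    print("hardened:", dict(h.balances))
```

The same pattern applies to top-ups, coupon redemption and refunds: the client may propose an action, but price, sign, limits and eligibility are computed from server-side state, and every money-moving request carries a one-time key so that a retried or replayed message cannot be credited twice.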

Conclusion

Should we adopt it or not?

Wallet security

Just "lock" it

Questions