Professional Documents
Culture Documents
Interoperability Security
Universality Usability Privacy Trust Cost Performance
Cross-border payments
MPP
MPP
Bank
Bank
MMID
Was uploaded to MPFI website: 29 Nov, 2010 Request for comments by 15 Dec, 2010
Background
Interoperability Standards for Mobile Payments Technology Sub-Committee for Mobile Payments Security
Discussion Paper on Mobile Payment Security, 7th Feb 2011 Discussion Paper to eventually turn into a Standards Document
Institutions part of the Technology Sub-Committee
Tata Teleservices Ltd IDRBT mCheck Comviva Technologies Ltd ICICI Bank IIT Madras
Identify the main security breach points (1) Mobile device level (2) Application level (3) Channel level Then consider each of the breach points from the perspective of (1) Technology (2) Interoperability Standards (3) Operative guidelines set out by the RBI
Authentication banks providing mobile banking services shall comply with the following security principles and practices for the Authentication of mobile banking transactions:
A. All mobile banking shall be permitted only by validation through a two factor authentication.
B. One of the factors of authentication shall be mPIN, or any other higher standard. C. Where mPIN is used, end-to-end encryption of the mPIN is desirable; i.e. mPIN shall not be in clear text anywhere in the network. D. The mPIN shall be stored in a secure environment.
Interoperability
Customer
Customer
MPP
MPP
Bank
Bank
Wireless Interface
Customer-to-MPP
Wired Interfaces
Case 1. bearer services Case 2. mobile browsing services Case 4. SIM application toolkit
Other aspects
Key concerns Key recommendations
IVR
Base Transceiver Station Base Station Controller Home Location Registry Mobile Payment Provider
IVR
All Handsets
Positive Features
Different levels of literacy Very secure with voice biometrics Easy to use Cost per transaction is low
Other aspects
IVR
key concerns / recommendations
If DTMF tones used to transfer information possibility of tapping and deciphering confidential data
Security of database / transaction logs where confidential information may be stored, either by design or inadvertently
Security audits can eliminate this concern Voice biometrics or other authentication data should be stored in encrypted form
For concerns over called ID and replay attacks, liveness test should be used.
Comviva and Eko Comviva, Voxta, Uniphore Paladion Networks and RS Software
IVR
Samsung
Summary
Next Steps
Develop a thorough, in depth, understanding of all technologies with respect to security and end-to-end performance
Do not store any confidential messages/information on the phone Delete the already sent mobile payment messages that contain sensitive information
Banks
Imposing threshold on the amount of transaction based on the risk perspective Educating the customers on best practices of Mobile payments security
SMS
Positive feature
Other aspects
PIN is usually requested through USSD Payment through SMS SMS are also available for encryption
USSD
Positive feature
Not end to end secure But, less prone to spoofing and hacking compared to SMS
Other aspects
SMS's being sent & received are automatically saved USSD session with AT commands
Channel Level
Weak Encryption
Unilateral Authentication Over-The-Air cracking SMS spoofing
Donot store any confidential messages/information on the phone Delete the already sent mobile payment messages that contain sensitive information
Banks
Imposing threshold on the amount of transaction based on the risk perspective Educating the customers on best practices of Mobile payments security
Base Transceiver Station Base Station Controller Home Location Registry Mobile Payment Provider SMS Message Switching Centre
Positive feature
Other aspects
WAP browser access the websites written in WML WAP based applications use GPRS as the data transport layer and is secured either by
Channel Level
WAP Gateway
Bank
Smaller key size usage in Wireless Transport Layer Security (WTLS) needs to be analyzed Disable the automatic storage of mPIN in the browser for the mobile payment application
Base Transceiver Station Base Station Controller Home Location Registry Mobile Payment Provider SMS Message Switching Centre
Positive feature
Other aspects
Applications in Java (J2ME) for GSM handsets, BREW for CDMA Storage of clients credentials
Information stored in Record Management System (RMS) can be read easily Random numbers used in key generation can be guessed by an alert hacker Authentication check if performed by the client side application poses a serious threat
Channel Level
Base Transceiver Station Base Station Controller Home Location Registry Mobile Payment Provider SMS Message Switching Centre
Positive feature
Other aspects
Bank
Use Symmetric Encryption and store the key inside a SIM in an encrypted format Adopt Wireless Public Key Infrastructure (WPKI)
Summary
Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. Report and Recommendations, Reserve Bank of India, Jan 2011
Securing Mobile Payments: Modelling, Design, and Analysis by Supakorn Kungpisdan, Lambert Academic Publishing, 2010