Examining Risk Versus Security for Mobile


Transcript: Examining Risk Versus Security for Mobile

Examining Risk Versus Security for Mobile Financial Services
Johann Bezuidenhoudt
Bankable Frontier Associates
[email protected]
+27 83 200 3000
Philippines
African
Safaricom - Kenyan Success Story: Moving from P2P Airtime Transfers to P2P Money Transfers
Electronic banking channel overlap
[Chart: overlap of Cellphone banking and Internet banking among bankers. No electronic channels: 66%; the overlapping segments are labelled 18%, 10% and 6%.]
• 10% of bankers use cellphone and internet banking
• Only 6% of all bankers use the internet exclusively
1 KSH = 26 COP; 35 Trillion COP transferred in 2 years
Inter Operator Remittances
• From Bahrain to the Philippines
• Operator branded service
• Deposit funds
• Send to a G-Cash account from handset
• Mobile Subscriber in the Philippines uses the value
Markets – an example
[Chart: Cellphone Banking registrations, axis from 0 to 1,200,000]
First National Bank – a division of FirstRand Bank Limited. An Authorised Financial Services and Credit Provider.
16 July 2015
Services driving cellphone banking
Balance enquiry: 74%
Get notified of transactions: 73%
Buy airtime: 61%
Statement/mini statement: 48%
Get notified of accounts limit: 47%
Transfer funds between accounts: 35%
Pay accounts: 28%
Buy prepaid electricity: 24%
Make a purchase: 21%
Add beneficiaries: 8%
• Balance enquiry main usage, even an entry point
• Transaction notification almost as important
• Airtime purchases become the monetised transaction used most widely
Cellphone banking satisfaction
[Chart: share of users Extremely satisfied / Satisfied / Neither satisfied nor unsatisfied / Dissatisfied / Extremely dissatisfied (0% to 100%) for: Notifications, The ease of use, Security, Ease of set-up, Transaction range, Help, Transaction cost]
• Notifications provide highest level of satisfaction, followed by ease of use
• Help available and transaction costs could be improved
Why banked don’t use cellphone banking
[Chart: barriers, grouped as TRUST and EASE OF USE]
I don't trust it: 50%
I don't know how to use it: 34%
It costs too much: 10%
I can't do all things that I want to: 7%
It does not work on my phone: 5%
It is not offered by my bank: 3%
• Trust is main barrier, followed by know-how
Mobile Technology Use
*120*321#
• USSD will introduce Cellphone Banking into Africa
• Cellphone Banking on WAP is a trend that is expected to grow
[Diagram labels: USSD, Plaintext SMS, WAP, No J2ME]
FNB mCommerce
Real Growth (for August 2009): 6 million transactions; USD 100m transferred
What is Send Money?
Send Money allows any FNB transactional account holder to send money to anyone with a South African cellphone
Who are we targeting?
“I need to send money to my family who lives far away”
“I need to give someone money now”
“I want to purchase online but don’t have a credit card”
Feature highlights
Sender
• Available 24x7
• Can be done from various access points
• Can send to any South African cellphone number
• Money is available real-time to the receiver
Receiver
FREE!
• Does not require a bank account or card
• Receiver can, with all or part of the available amount:
  • Withdraw cash at all FNB ATMs
  • Purchase Prepaid Airtime
  • On-Send to someone else
  • Purchase online via Cell Pay Point
Rest of this presentation
• Identifying The Key Risks Associated With Supporting Mobile Accessed Financial Services
• Balancing risk and regulation
• Identifying key areas of technical risk and exposure
• Examining technical approaches to enabling the mobile channel for financial transaction processing
• Understanding the ‘trade-offs’ that can be made between security versus procedural activities
• Examining the regulatory approaches available
E-Security – what do we mean?
• Technology theoretically secure?
• Technology built securely by supplier?
• Technology installed securely in bank systems?
• Technology securely operated by the bank?
• Bank Processes use the technology securely?
• Bank Processes are secure?
• Bank staff are trustworthy and secure?
• Customer served securely?
• Customer uses the service securely?
Examples of business use of the mobile channel
1. Internet banking on mobiles
2. Account activity notification
3. Second factor authentication
4. Mobile channel enablement – existing additive
5. Mobile centric banking operations - transformational
MANAGING THE RISK OF MOBILE BANKING TECHNOLOGIES
• Analyses the mobile technologies available from a risk perspective
• Looks at tradeoffs of technical choice and operational control
• Discusses Banking regulatory approaches
• Paper available at: www.bankablefrontier.com
Components of a Handset
[Diagram, layered from the user down to the network:]
Human Interfaces: Keyboard, Display, Audio (core on all GSM phones)
Handset Operating System
Handset Application: J2ME
Internet Browser: WAP, HTTP/S (over IP data)
SIM based Application: S@T, WIB, STK
Bearer: SMS, USSD, DTMF voice (labelled Direct); IP data (labelled Advanced Features)
Radio Link: Mobile Radio
Mobile Network
Handset Example
Samsung B100 - Retail cost ~USD 30-35
General: 2G Network GSM 900 / 1800
Size: Dimensions 104 x 44 x 16.3 mm; Weight 78 g
Display: Type CSTN, 65K colors; Size 128 x 128 pixels, 1.52 inches
Sound: Alert types Vibration; Downloadable polyphonic, MP3 ringtones; Speakerphone Yes
Memory: Phonebook Yes; Call records 30 dialed, 30 received, 30 missed calls; Internal 2 MB
Data: GPRS Class 10 (4+1/3+2 slots), 32 - 48 kbps
Features: Messaging SMS, EMS, MMS; Browser No; Java Yes, MIDP 2.0
Battery: Stand-by Up to 450 h; Talk time Up to 9 h
http://www.gsmarena.com/samsung_b100-2317.php#
Capability and Independence
Mobile Capability | Mobile Network Operator independent: Yes | Mobile Network Operator independent: No
Standard (all) | USSD, SMS and IVR | SIMToolkit
Advanced | HTTPS and WAP; J2ME | Dedicated secure application environment in a handset
Examples – Mobile Channel use (prime): SMS; USSD; SIMtoolkit; Internet Banking; Transformational Branchless
Technology Attributes
Columns: Channel Technology | Description | Ease of use | Availability (Supported on Handsets) | Security of transaction | Level of Security on handset

Standard Handset
IVR | A call is made to (or from) an automatic system and the user receives pre-recorded prompts and responds by selecting keys | Medium | Standard | None | Low
Structured SMS | A SMS text message is sent to the mFSP. The message is interpreted and acted upon and a response SMS sent | Low | Standard | None | Low
USSD | A number is called from the handset and a menu then displayed on the handset that the user navigates through and selects options and enters data | Medium | Standard | None | Medium
SIM toolkit (WIB / SAT / Java / custom) | Implemented in the SIM of the handset. The functionality appears as a set of additional handset menu/s | High | Need to get special SIM | Provided in SIM | ATM Grade

Advanced Handset
J2ME | Applications that can run on the handset | High | Mid and Upper end phones | Provided within the application | High
WAP | Internet Browsing using a WAP protocol browser. Same as browsing off a PC. WAP provides optimised (data usage and size of screen presentation) interaction for the mobile. | High | Mid and Upper end phones | As provided by the WAP Browser | High
HTTPS – Internet browser | Standard Internet browsing off the mobile to the bank’s web site. Mobile performs the function of a PC | High | Smart phones | As provided by the Internet Browser | High
Examining Use and Technology
Columns: Use Case – The Approach | Technologies available | Associated Risk
1. "Use what is there": Use existing generic mobile bearer services provided on all phones accessible directly by a user | SMS; Voice/IVR; USSD | There is no encryption of information so the channel from the mobile to the mFSP is open to monitoring, replay, modification and impersonation
2. "Use mobile browsing services" that are provided on phones - not MNO dependant | HTTPS = normal web browsing; WAP phase 1; WAP phase 2 | Same risks as for a PC on the Internet. Channel is less exposed than regular Internet as much of it is within MNOs
3. "Use advanced application services" provided on phones not MNO dependant | J2ME | Same as client side applications on PCs. Mobiles less exposed to the Internet and the threats. However issues around the trust (integrity and authenticity) of the applications exist and need to be managed
4. “Use a secure environment on the mobile” provided by the MNO or MNOs | SIMtoolkit; WIB, S@T and Java cards | The highest technical end-to-end security as the application runs securely within the SIM and the encryption keys are kept within the SIM.
Structured Risk Evaluation Process
1. Identify each VULNERABILITY
2. Result if VULNERABILITY is EXPLOITED
3. What is the THREAT that the exploited VULNERABILITY will bring?
4. How will this threat IMPACT on the mFSP BUSINESS? (H,M,L) | How will this threat IMPACT on each of the mFSP’s CUSTOMERs? (H,M,L)
5. What is the LIKELIHOOD of this happening – how FEASIBLE? (H,M,L), assessed for the business | and for the customer
6. The RISK to the BUSINESS (IMPACT x LIKELIHOOD) of the VULNERABILITY (H,M,L) | The RISK to the CUSTOMER (IMPACT x LIKELIHOOD) of the VULNERABILITY (H,M,L)
7. Decide on a RESPONSE for BUSINESS related risk | Decide on a RESPONSE for INDIVIDUAL related risk
• Business Risk is DIFFERENT from Individual Risk
• Evaluate them separately
Vulnerabilities – UC1 – prompted IVR, SMS and USSD
Columns: Weak Area | Vulnerability | Risk to Business | Risk to Individual | Countermeasure/s
Weak PINs | User choosing weak pin | Low | Medium | Customer Education
Process Failure | Reset of PIN by fraudster | Medium | High | Training of Staff
Process Failure | Linkage of imposter MSISDN | Low | High | Control processes and authorizations
Process Failure | Issuing of PIN to imposter | Low | Medium | Process inspections; Customer Education
Theft | Theft of handset | - | High | Accessible and simple theft reporting and mobile channel locking
Spoofing | SMS and USSD spoofing | Medium | Medium | Customer Education on what should and should not happen on the phone
Spoofing | SMS, IVR and USSD PIN request phishing | Low | Medium | Customer Education on what should and should not happen on the phone
Credential reroute | SIM Swap | Low | High | Processes at MNO to ensure valid SIM swaps; MNO and mFSP communicating SIM Swap data; mFSP SIM Swap verification processes
Transaction | OTA capture (GSM security) | Low | Medium | MNO monitor security settings in network
Channel failure | USSD, IVR or SMS links to the mFSP fail | High | Low | MNO and mFSP install redundant links and servers
Transaction harvesting | Protection of SMSC and link | Medium | Medium | MNO to control access to SMSC, separate traffic to dedicated links and ensure cryptographic and physical security is maintained
Transaction harvesting | Protection of USSD and IVR servers and the links to the mFSP | High | High | MNO to control access to SMSC, separate traffic to dedicated links and ensure cryptographic and physical security is maintained
Smart Phones | Infection by malware | Medium | High | Encourage the use of low-end phones; Encourage Smart phone users to use secure channels and install anti-malware software
© BFA 08
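The evaluation process from the previous slides applied to rows of the UC1 table, as an added Python example that is not part of the deck: the ordinal product rule for IMPACT x LIKELIHOOD, the response policy, and the impact and likelihood factors behind the three sample rows are assumptions, since the slides give only the resulting Business and Individual ratings.

```python
"""Structured risk evaluation on an H/M/L scale: IMPACT x LIKELIHOOD,
with business risk and individual (customer) risk kept separate."""
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}
# Assumed response policy per resulting risk level (not from the deck).
RESPONSE = {"H": "mitigate", "M": "limit and monitor", "L": "accept"}

def combine(impact: str, likelihood: str) -> str:
    """Ordinal product mapped back to H/M/L (assumed rule: 1-2 L, 3-4 M, 6-9 H)."""
    score = LEVEL[impact] * LEVEL[likelihood]
    return "H" if score >= 6 else "M" if score >= 3 else "L"

@dataclass
class Vulnerability:
    name: str
    threat: str                # result if the vulnerability is exploited
    business_impact: str       # each factor is H, M or L
    business_likelihood: str
    customer_impact: str
    customer_likelihood: str

def evaluate(v: Vulnerability) -> dict:
    """Rate business and individual risk separately and pick a response for each."""
    business = combine(v.business_impact, v.business_likelihood)
    individual = combine(v.customer_impact, v.customer_likelihood)
    return {"vulnerability": v.name, "threat": v.threat,
            "business_risk": business, "business_response": RESPONSE[business],
            "individual_risk": individual, "individual_response": RESPONSE[individual]}

def risk_register(vulns) -> list:
    """Evaluate every vulnerability; highest individual risk first, business as tie-break."""
    rows = [evaluate(v) for v in vulns]
    return sorted(rows, key=lambda r: (LEVEL[r["individual_risk"]], LEVEL[r["business_risk"]]), reverse=True)

# Constructed sample rows from the UC1 table; the factor values are assumptions
# chosen so that the outcome reproduces the deck's Business/Individual ratings.
SAMPLE = [
    Vulnerability("SIM Swap", "credentials rerouted to an imposter's SIM", "L", "M", "H", "M"),
    Vulnerability("User choosing weak PIN", "PIN guessed on a lost handset", "L", "M", "M", "M"),
    Vulnerability("USSD, IVR or SMS links to the mFSP fail", "service unavailable", "H", "M", "L", "M"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(f"{row['vulnerability']}: business {row['business_risk']} "
              f"({row['business_response']}), individual {row['individual_risk']} "
              f"({row['individual_response']})")
```

Channel failure comes out High for the business but Low for the customer while SIM swap is the reverse, which is the point of keeping the two evaluations apart.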
[Diagram: axes Level of Operational Controls versus Level of Mobile Channel Technical Security. Models shown: Prudent mobile Security model; end-to-end Security model; Adjusted mobile Security model; Custom Implementation; E-channel security model for Internet. Use case labels: Use Case 1; Use Case 2, 3 and 4. Descriptors: m-channel with less enduser device security; m-channel situational optimization; Based on Internet banking security model; Practice based; Regulator and mFSP agreed. Direction of the trade-off: Less Technology and more Process Control.]
Summary
• To obtain quick and widespread access to mFSP services with minimal technical issues consider USSD with SMS notifications
• The tradeoff is that the business risk does go up and the individual risk rises substantially
• Countermeasures such as volume and value limitation will reduce individual related risk
• User education is a high priority
• Channel failure obviously halts the mobile operations; if the mFSP is solely reliant on the mobile channel this is a large risk. Mobile channels are complex and have many points of failure that are out of the mFSP’s control
• If high security is needed then introduce SIM based security
Johann Bezuidenhoudt
[email protected]
+27 83 200 3000