Mar 08, 2018


Mobile Payment Services: Security Risks, Trends and Countermeasures

Suhas Desai Practice Head – Cloud & Mobile Security

Aujas Information Risk Services

SESSION ID: MBS-T07


Agenda

• Mobile Payments Overview

• Mobile Channels & Payment Trends

• Security Risks

• Securing Mobile Payments


Mobile Payments


Source: Mobile payment image via Flickr by http://commons.wikimedia.org/wiki/File:Mobile_payment_03.JPG

Mobile Payments Architecture


Mobile Channels and Payment Trends


Challenges in Mobile Payments


• Microfinance vs. Higher payment transfers

• Mobile Payment Transfer Policy Standardization

• Service Providers and Bank dependencies

• Mobile Payment Apps & Mobile Devices compatibility

• Mobile Payment Services Security

• Government Policies for Mobile Payments

Security Risks


• Fraudulent Transactions

• Weak Cryptography

• Mobile Application Server threats

• Mobile Payment Application's Database threats

• SIM Card Application (USSD/DSTK) Attacks

• Mobile Payment Native Application Security

Business Impact

• Fraudulent Transactions (Revenue Loss)

• Confidentiality (Users' Sensitive Data: Credit/Debit Card Data, PIN, User Credentials)

• Communications Services Misuse

• SIM Card & Applications Misuse


Mobile App Risks

• Code Obfuscation

• Insecure Local Device database storage

• Insecure App Permissions

• Mobile Payment App Reputation


Code Obfuscation


Insecure Local Device database storage


Figure 1. Original application

Figure 2. Local database modification

Figure 3. Local database modified

Figure 4. Modified application
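The figures on this slide show a payment app whose displayed state is changed by editing its local SQLite database directly on the handset. The Python below is an added example, not code from the deck or from Aujas: it reproduces that edit against an in-memory SQLite table and shows one countermeasure, an HMAC tag over each row under a key kept outside the database. The table layout, the account data and DEVICE_KEY are assumptions constructed for the demo.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional, Tuple

# Assumed for the demo: a per-install secret that lives outside the database
# (on a real handset, in the platform keystore). If the attacker can read this
# key too, the tag can be recomputed, so the balance must also be re-checked
# against the server before any transaction.
DEVICE_KEY = b"demo-device-bound-key"


def row_tag(account: str, balance_cents: int, pin_hash: str) -> str:
    """HMAC-SHA256 over the row so an offline edit no longer verifies."""
    msg = "|".join((account, str(balance_cents), pin_hash)).encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def create_store(protected: bool) -> sqlite3.Connection:
    """In-memory stand-in for the app's on-device SQLite file (constructed data).

    protected=False mirrors the app in the slides: balance and PIN hash sit
    in the clear and nothing binds the row to this install.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wallet (account TEXT, balance_cents INTEGER, "
                "pin_hash TEXT, tag TEXT)")
    account, balance = "ACC001", 1500
    pin_hash = hashlib.sha256(b"1234").hexdigest()  # demo only; use a slow KDF for real PINs
    tag = row_tag(account, balance, pin_hash) if protected else ""
    con.execute("INSERT INTO wallet VALUES (?, ?, ?, ?)", (account, balance, pin_hash, tag))
    con.commit()
    return con


def attacker_edits_balance(con: sqlite3.Connection, new_balance_cents: int) -> None:
    """What adb pull plus the sqlite3 CLI lets an attacker do on a rooted handset."""
    con.execute("UPDATE wallet SET balance_cents = ?", (new_balance_cents,))
    con.commit()


def read_balance(con: sqlite3.Connection, protected: bool) -> Optional[int]:
    """Balance the app would display, or None if the integrity tag fails."""
    account, balance, pin_hash, tag = con.execute(
        "SELECT account, balance_cents, pin_hash, tag FROM wallet").fetchone()
    if protected and not hmac.compare_digest(tag, row_tag(account, balance, pin_hash)):
        return None  # tampered: refuse to operate and re-sync state from the server
    return balance


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Edit both stores the same way; only the unprotected one believes the edit."""
    insecure = create_store(protected=False)
    attacker_edits_balance(insecure, 99999999)
    secure = create_store(protected=True)
    attacker_edits_balance(secure, 99999999)
    return read_balance(insecure, protected=False), read_balance(secure, protected=True)


if __name__ == "__main__":
    print(demo())  # (99999999, None)
```

The tag only makes tampering detectable; it does not make the handset a trustworthy place to keep a balance. If the key is stored where the attacker can read it, which is typical on a rooted device, the tag can be recomputed, so the authoritative balance has to stay on the server and the local copy is treated as a cache.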

Insecure App Permissions


Figure 1. Insecure App Permissions

Mobile Application Server Issues

Message Replay Attack


Figure 1. Proxy Settings


Figure 2. Intercepted Message


Figure 3. Message Replay Attack
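Figures 1 to 3 show a transfer request captured through a proxy configured on the handset and then resent to the application server. The script below is an added example, not from the deck, that replays one captured request against a server with no replay protection and then against one that checks an HMAC, a freshness window and a one-time nonce. The message format, SHARED_KEY, the account names and the clock values are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, List, Tuple

SHARED_KEY = b"demo-client-server-key"  # assumed: provisioned per client at enrolment
FRESHNESS_SECONDS = 60                   # assumed tolerance for clock skew


def sign(body: dict, nonce: str, ts: int) -> str:
    """HMAC over a canonical encoding of body + nonce + timestamp."""
    canonical = json.dumps({"body": body, "nonce": nonce, "ts": ts},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def build_request(body: dict, now: int) -> dict:
    """Client side: fresh random nonce, current time, MAC over all three."""
    nonce = secrets.token_hex(16)
    return {"body": body, "nonce": nonce, "ts": now, "mac": sign(body, nonce, now)}


class NaiveServer:
    """Accepts any well-formed transfer, so a captured request can be resent."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)

    def handle(self, req: dict) -> str:
        b = req["body"]
        if self.balances.get(b["from"], 0) < b["amount"]:
            return "insufficient"
        self.balances[b["from"]] -= b["amount"]
        self.balances[b["to"]] = self.balances.get(b["to"], 0) + b["amount"]
        return "ok"


class HardenedServer(NaiveServer):
    """Same ledger, plus MAC check, freshness window and one-time nonces."""

    def __init__(self, balances: Dict[str, int], now_fn: Callable[[], int]) -> None:
        super().__init__(balances)
        self.now_fn = now_fn
        self.seen_nonces: set = set()  # production: persistent store with TTL >= window

    def handle(self, req: dict) -> str:
        if not hmac.compare_digest(req["mac"], sign(req["body"], req["nonce"], req["ts"])):
            return "bad_mac"        # body, nonce or ts was altered in transit
        if abs(self.now_fn() - req["ts"]) > FRESHNESS_SECONDS:
            return "stale"          # bounds how long the nonce store must remember
        if req["nonce"] in self.seen_nonces:
            return "replay"         # exact resend of an earlier request
        self.seen_nonces.add(req["nonce"])
        return super().handle(req)


def demo() -> Tuple[List[str], List[str], int, int]:
    """Replay one intercepted transfer against both servers."""
    transfer = {"from": "alice", "to": "mallory", "amount": 100}
    clock = [1_000_000]  # fake server clock so the run is deterministic
    naive = NaiveServer({"alice": 500, "mallory": 0})
    hard = HardenedServer({"alice": 500, "mallory": 0}, lambda: clock[0])

    captured = build_request(transfer, clock[0])  # what the proxy logged
    naive_results = [naive.handle(captured) for _ in range(4)]  # every resend succeeds

    hard_results = [hard.handle(captured)]                      # first use: ok
    hard_results.append(hard.handle(captured))                  # resend: replay
    tampered = dict(captured, body=dict(transfer, amount=400))  # edit amount, keep MAC
    hard_results.append(hard.handle(tampered))                  # bad_mac
    old_ts = clock[0]
    clock[0] += FRESHNESS_SECONDS + 1
    late = build_request(transfer, old_ts)                      # fresh nonce, old ts
    hard_results.append(hard.handle(late))                      # stale
    return naive_results, hard_results, naive.balances["mallory"], hard.balances["mallory"]


if __name__ == "__main__":
    print(demo())
```

Transport security alone does not stop this: the tester in the slides configured the device to trust their proxy, so they hold a valid plaintext copy of the request. The MAC binds amount and recipient so they cannot be edited, the nonce makes each request single-use, and the timestamp bounds how long the server must remember nonces. Certificate pinning raises the bar for the interception step itself.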

Communication Channel Risks


Note: performed against a traditional mobile app that uses SMS as its communication channel

Figure 1. SMS R/R Capture


Figure 1. USSD Gateway Sample data


Figure 1. POS Devices Receipt in Debug Mode

Quiz: Cross Platform Support

#include <stdio.h>
int main(void) { int i = 7; printf("%d\n", i++ * i++); return 0; }

Note: i++ * i++ modifies i twice with no intervening sequence point, which is undefined behaviour in C; the value printed varies between compilers and platforms.

Secure SDLC Approach


Step I: Scope Definition & Info Gathering

• Define SOW

• Info Gathering

Step II: Advisory Services

• Secure design and architecture

Step III: Secure Development

• Secure development

Step IV: Code Analysis

• Static Code Analysis

• Dynamic Code Analysis

Step V: Security Assessment

• Client App Assessment

• Channels Assessment

• App Server Assessment

Step VI: Remediation

• Vulnerability Remediation

Step VII: Secure Release

• Secure release and deployment

Securing Mobile Payments


• Secure data transmission from handheld devices to the application server

• Secure data storage on local handheld devices

• Implement proper session management in the application

• Secure the application executables

• Validate all trusted and untrusted inputs in the application (invalid user inputs, e.g. special characters)

• Implement a strong authentication mechanism in the application

• Secure web services and interfaces

• Ensure mobile device security in case of device loss or theft
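The checklist above asks for validation of all inputs, including special characters. The following is an added example, not from the deck: an allow-list validator for a transfer request in Python, which rejects anything outside the expected shape of each field instead of trying to enumerate bad characters. The field names, the formats and the MAX_AMOUNT ceiling are assumptions.

```python
import re
from decimal import Decimal
from typing import Dict, List

# Allow-lists, not deny-lists: anything outside the pattern is rejected.
# The field names and limits are assumptions made for this example.
MSISDN_RE = re.compile(r"\+?[1-9][0-9]{7,14}")           # E.164-style, no spaces
AMOUNT_RE = re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?")     # no sign, no exponent, <= 2 dp
PIN_RE = re.compile(r"[0-9]{4,6}")
REFERENCE_RE = re.compile(r"[A-Za-z0-9 .,-]{0,40}")      # free text shown on statements
MAX_AMOUNT = Decimal("50000.00")                         # assumed per-transaction ceiling


def validate_transfer(req: Dict[str, object]) -> List[str]:
    """Return a list of validation errors; an empty list means the request is acceptable.

    re.fullmatch is used deliberately: with re.match and a trailing '$', the
    pattern '[0-9]{4,6}$' still accepts '1234\\n', because '$' matches before a
    final newline.
    """
    errors: List[str] = []
    for field in ("msisdn", "amount", "pin", "reference"):
        if not isinstance(req.get(field), str):
            errors.append(f"{field}: missing or not a string")
    if errors:
        return errors  # do not touch the values until their types are known

    if not MSISDN_RE.fullmatch(req["msisdn"]):
        errors.append("msisdn: not an E.164 number")
    if not AMOUNT_RE.fullmatch(req["amount"]):
        errors.append("amount: bad format")
    else:
        amount = Decimal(req["amount"])  # exact; never parse money as float
        if amount <= 0:
            errors.append("amount: must be positive")
        elif amount > MAX_AMOUNT:
            errors.append("amount: over per-transaction limit")
    if not PIN_RE.fullmatch(req["pin"]):
        errors.append("pin: 4-6 digits required")
    if not REFERENCE_RE.fullmatch(req["reference"]):
        errors.append("reference: disallowed characters or too long")
    return errors


if __name__ == "__main__":
    good = {"msisdn": "+919876543210", "amount": "250.50", "pin": "1234", "reference": "Rent May"}
    print(validate_transfer(good))                                        # []
    print(validate_transfer(dict(good, amount="100; DROP TABLE txn--")))  # ['amount: bad format']
    print(validate_transfer(dict(good, pin="1234\n")))                    # ['pin: 4-6 digits required']
```

Validation of this kind is a first gate, not a substitute for parameterised queries on the server side or for the authorisation check that the caller may actually debit the source account; it keeps malformed and hostile values from ever reaching those layers.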

Future of Mobile Payments

• Microfinance for Developing Countries

• Larger Funds Transfer (Substitute for Net Banking)

• Reservation/Bookings for Airlines, Railways & Bus

• Mobile Payments Services for Small Scale Business

• Visibility - Earnings & Taxation



Thank you!