This paper is included in the Proceedings of the 24th USENIX Security Symposium
August 12–14, 2015, Washington, D.C.
Open access to the Proceedings of the 24th USENIX Security Symposium
is sponsored by USENIX
Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World
Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin R.B. Butler, University of Florida
USENIX Association 24th USENIX Security Symposium 17
Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World
Bradley Reaves, University of Florida
Nolen Scaife, University of Florida
Adam Bates, University of Florida, adammbates@ufl.edu
Patrick Traynor, University of Florida, traynor@cise.ufl.edu
Kevin R.B. Butler, University of Florida
Abstract
Mobile money, also known as branchless banking, brings much-needed financial services to the unbanked in the developing world. Leveraging ubiquitous cellular networks, these services are now being deployed as smartphone apps, providing an electronic payment infrastructure where alternatives such as credit cards generally do not exist. Although widely marketed as a more secure option to cash, these applications are often not subject to the traditional regulations applied in the financial sector, leaving doubt as to the veracity of such claims. In this paper, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers and demonstrate that automated analysis fails to provide reliable insights. We subsequently perform comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records. These findings confirm that the majority of these apps fail to provide the protections needed by financial services. Finally, through inspection of providers' terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.
1 Introduction
The majority of modern commerce relies on cashless payment systems. Developed economies depend on the near instantaneous movement of money, often across great distances, in order to fuel the engines of industry. These rapid, regular, and massive exchanges have created significant opportunities for employment and progress, propelling forward growth and prosperity in participating countries. Unfortunately, not all economies have access to the benefits of such systems and throughout much of the developing world, physical currency remains the de facto means of exchange.
Mobile money, also known as branchless banking, applications attempt to fill this void. Generally deployed by companies outside of the traditional financial services sector (e.g., telecommunications providers), branchless banking systems rely on the near ubiquitous deployment of cellular networks and mobile devices around the world. Customers can not only deposit their physical currency through a range of independent vendors, but can also perform direct peer-to-peer payments and convert credits from such transactions back into cash. Over the past decade, these systems have helped to raise the standard of living and have revolutionized the way in which money is used in developing economies. Over 30% of the GDP in many such nations can now be attributed to branchless banking applications, many of which now perform more transactions per month than traditional payment processors, including PayPal.
One of the biggest perceived advantages of these applications is security. Whereas carrying large amounts of currency long distances can be dangerous to physical security, branchless banking applications can allow for commercial transactions to occur without the risk of theft. Accordingly, these systems are marketed as a secure new means of enabling commerce. Unfortunately, the strength of such claims from a technical perspective has not been publicly investigated or verified. Such an analysis is therefore critical to the continued growth of branchless banking systems.
In this paper, we perform the first comprehensive analysis of branchless banking applications. Through these efforts, we make the following contributions:
• Analysis of Branchless Banking Applications: We perform the first comprehensive security analysis of branchless banking applications. First, we use a well-known automated analysis tool on all 46 known Android mobile money apps across all 246 known mobile money systems. We then methodically select seven Android-based branchless banking applications from Brazil, India, Indonesia, Thailand, and the Philippines with a combined user base of millions. We then develop and execute a comprehensive, reproducible methodology for analyzing the entire application communication flow. In so doing, we create the first snapshot of the global state of security for such applications.
• Identifications of Systemic Vulnerabilities: Our analysis discovers pervasive weaknesses and shows that six of the seven applications broadly fail to preserve the integrity of their transactions. We then compare our results to those provided through automated analysis and show that current tools do not reliably indicate severe, systemic security faults. Accordingly, neither users nor providers can reason about the veracity of requests by the majority of these systems.
• Analysis of Liability: We combine our technical findings with the assignment of liability described within every application's terms of service, and determine that users of these applications have no recourse for fraudulent activity. Therefore, it is our belief that these applications create significant financial dangers for their users.
The remainder of this paper is organized as follows: Section 2 provides background information on branchless banking and describes how these applications compare to other mobile payment systems; Section 3 details our methodology and analysis architecture; Section 4 presents our findings and categorizes them in terms of the CWE classification system; Section 5 delivers discussion and recommendations for technical remediation; Section 6 offers an analysis of the Terms of Service and the assignment of liability; Section 7 discusses relevant related work; and Section 8 provides concluding remarks.
2 Mobile Money in the Developing World
The lack of access to basic financial services is a contributing factor to poverty throughout the world. Millions live without access to basic banking services, such as value storage and electronic payments, simply because they live hours or days away from the nearest bank branch. Lacking this access makes it more difficult for the poor to save for future goals or prepare for future setbacks, conduct commerce remotely, or protect money against loss or theft. Accordingly, providing banking through mobile phone networks offers the promise of dramatically improving the lives of the world's poor.
Figure 1: Mobile money apps are heavily marketed as being safe to use. These screenshots from providers' marketing materials show the extent of these claims. Panels: (a) mPAY, (b) GCash, (c) Oxigen Wallet.
The M-Pesa system in Kenya pioneered the mobile money service model, in which agents (typically local shopkeepers) act as intermediaries for deposits, withdrawals, and sometimes registration. Both agents and users interact with the mobile money system using SMS or a special application menu enabled by code on a SIM card, enabling users to send money, make bill payments, top up airtime, and check account balances. The key feature of M-Pesa and other systems is that their use does not require having a previously established relationship with a bank. In effect, mobile money systems are bootstrapping an alternative banking infrastructure in areas where traditional banking is impractical, uneconomic due to minimum balances, or simply non-existent. M-Pesa has not yet released a mobile app, but is arguably the most impactful mobile money system and highlights the promise of branchless banking for developing economies.
Mobile money has become ubiquitous and essential. M-Pesa boasts more than 18.2 million registrations in a country of 43.2 million. In Kenya and eight other countries, there are more mobile money accounts than bank accounts. As of August 2014, there were a total of 246 mobile money services in 88 countries serving a total of over 203 million registered accounts, continuing a trend up from 219 services in December 2013. Note that these numbers explicitly exclude services that are simply a mobile interface for existing banking systems. Financial security, and trust in branchless banking systems, depends on the assurances that these systems are secure against fraud and attack. Several of the apps that we study offer strong assurances of security in their promotional materials. Figure 1 provides examples