MPayment and Security Challenges Hassan Khan Head of Security Practice (MEA)

Date posted: 19-Dec-2015

mPayment and Security Challenges

Hassan Khan, Head of Security Practice (MEA)

© Nokia Siemens Networks GS CSI Security, Hassan Khan

Content

1. What are mobile payments

2. How to exploit the opportunity

3. How to secure the business


Overall, the mobile payment market falls logically in four categories or domains

Source: Ovum, Mobile payments: progressing towards large-scale deployment, 10 March 2008

Near Field Communication based payments

• Credit/debit card embedded in NFC-enabled phone

• ‘Touch and pay’ POS and vending

Money transfers in developing countries

• Person-to-person

• Payment of utilities and prepaid airtime

• International remittances

Mobile banking

• Bank and credit card accounts

• Account transfers

• Bill payments

• Stored-value account top-ups

Mobile commerce strategies in retail

• Shopping on mobile websites

• Mobile coupons and loyalty cards

• Mobile ticketing


In addition to money transfers, mobile channel benefits banking both in the developed markets…

End-user benefits

• e- and mBanking

• Anywhere, any time access to basic banking services

• Personal, interactive service

• On-the-spot handling of payments

• Mobile PoS / NFC

• Convenient, fast payment for public transport, parking, fast food, tickets

• No need for coins & cash

• Mobile terminal as an electronic wallet

• Consolidated management of cards, tickets, vouchers, rebates

• Electronic ID more secure than cards

Benefits for merchant

• Payment solution suitable for demanding environments (moving, outdoors, public spaces)

• 50% faster transaction than with debit cards

• Less cash -> increased security

• More efficient marketing and CRM


… as well as in the developing markets

End-user benefits

• Low cost and fast money transfers (also fast response to emergency needs)

• Trustworthy and secure place to keep money

• Convenience of nearby prepaid merchant for making deposits and withdrawals compared to long lines and poor service at distant retail bank branch

• Increased disposable income at receiving end

• Earn interest on deposits

• Access to financing at reasonable rates

• Convenient and fast payment of bills

Benefits for merchant / prepaid agent

• More sales

• More customer visits to store

• Larger purchases – more money available

• Incremental revenue from transaction fees

• Long term: increased security as cash economy transitions to electronic funds


Key success factors: trust/brand, network effects and effective partnering

Trust and brand

• 1st mover often establishes a de facto payment platform

• Leverage trusted provider position

Network effects

• Enable as many connections between users as possible

• Interoperability with other payment and banking systems

• Good coverage of agent network, and retail POS

Partnering

• To fill gaps in the value chain and to create successful ecosystem

• For required financial services functions and processes

• International retail channel

• Training, motivation and management of retail partners



…The key is to identify the opportunities where communications service providers can excel

• What will be allowed within existing license

• Are banking licenses needed, can a communications service provider hold one

• Additional requirements & domestic vs international transactions

• Where the service provider can be competitive in creating and capturing value

• What to do itself, what to source or partner

• What roles and positions are available and attractive to a service provider

• Who will drive the development, who are needed as partners

• What needs are underserved or latent

• Which segments to focus on

• What other requirements do they have

Key questions and analyses

[Diagram labels: Opportunity space; Ecosystem; Regulation; Customer needs; Service provider strengths; Technology platforms]


Mobile Payments opportunities arise from creating superior value to the transacting parties

Required business components

• Retail agent / merchant / POS network

• Mobile payment platform operator

• Payment clearing / account settlement

• Account / stored value / billing relationship

• Cash management

Communications service providers key strengths

• Large base of capable terminals

• Core infrastructure

• Retail partners for distribution

• Wide geographic reach

• Credit rating for post paid subs

• Elaborate value storing in pre paid

• Customer care

Customer Needs

• Lower cost of transaction

• Wide reach through high mobile penetration

• Easy access regardless of location and time

• Low / no additional cost terminal

• Reduced cash management needs


M-PESA Kenya – Money Transfers


• Enables users to transfer money through mobile

• Targeted mainly at those without a bank account; offers an alternative method of money transfer

• Users have to register for an M-PESA account to send money

• Users can send approximately EUR 1 to EUR 360 worth of money using the service

• 20,000 registered customers within first month of launch; more than four million customers by October 2008

• No joining fee or minimum balance required; users pay commission on transactions

Source: Safaricom; Safaricom Annual Report 2008, CGAP; MIT Press Journals

M-PESA Kenya: Easy-to-use Mobile Money Transfer Service

Safaricom launched its mobile money transfer service M-PESA in March 2007

Service Highlights

M-PESA enables users to:

• Deposit money

• Transfer money

• Withdraw money

• Buy airtime

• Check account information

Service Offerings

Young, Male, Urban migrant workers are the ‘Early Adopters’ of the service

• Banks, Financial Institutions

• More than 3,500 M-PESA agents across Kenya

Key Partners

Service Success

Approximately 2,500 users registered to the M-PESA service every day in 2007.

[Chart: M-PESA Registered Users; y-axis: Registered Users (million); x-axis: Jul-2007, Feb-2008, Mar-2008, Jun-2008, Oct-2008; data labels: 0.2, 1.6, 2.0, 2.3, 4.0]

M-PESA has facilitated approximately KES 9.4 billion (EUR 96 million) in person-to-person transactions by the end of March 2008

• Transactions worth KES 3 billion (EUR 30 million) in March 2008

Note: Exchange rate – KES 1 (Kenyan Shilling) = EUR 0.01027, as of 31 March 2008


M-PESA Kenya: Moving the Money Around Using M-PESA

M-PESA offers an easy registration process to the users; Cash transfer and withdrawal are SMS-based

[Diagram: Sending Money Using M-PESA. Labels: User; Family; Mobile Network; M-PESA Account Manager; SMS Instruction (Send money to family); SMS Notice (Money received)]

[Diagram: Withdrawing Money Using M-PESA. Labels: User; Agent; Mobile Network; M-PESA Account Manager; SMS Instruction (Withdraw money from agent); SMS Instruction (Send money to user)]

M-PESA Account Manager moves the money between customers in response to SMS instructions

User goes to M-PESA agent

Upgrades the SIM for free, if required

Provides details such as name, DOB, phone number and ID

Registers for M-PESA

No additional bank account details are required for registration

Source: Safaricom; Safaricom Annual Report 2008

Money deposited by users is held safely in a bank account run by M-PESA on their behalf

Depositing money using M-PESA

User goes to M-PESA agent

Provides details such as phone number, amount and ID

M-PESA agent deposits money using their mobile phone

Activates M-PESA menu


Registered M-PESA customers have a ‘virtual money’ account attached to their Safaricom mobile phone number, backed up by an equal amount of money held in a Kenyan bank


M-PESA Kenya: M-PESA Customer Charge Rates

Users are charged a commission of up to KES 170 (EUR 1.7) for sending or withdrawing money in the range of KES 100 – KES 35,000 (EUR 1 – EUR 360)

Source: Safaricom; Safaricom Annual Report 2008

Transaction Type                    Transaction Range (KES)    Consumer Charge (KES)
Deposit cash                        100 – 35,000               0
Send money to M-PESA user           100 – 35,000               30
Send money to non M-PESA user       100 – 35,000               75 – 400*
Withdraw cash by non M-PESA user    100 – 35,000               25 – 170*
Receive money                       100 – 35,000               0
Buy airtime (for self or other)     20 – 10,000                0

* Note: Consumer charges vary depending upon the actual amount of money sent or withdrawn

• Customers are only charged for the transactions they initiate; services such as SIM swap are free

• All charges are deducted from the user’s M-PESA account

• Customers do not pay any charges to the M-PESA agents for transactions

• All SMS sent to and from M-PESA are free to the users

• A non M-PESA customer can also receive money through M-PESA



Why Protection: Theft of 100 Million Credit card records.

The Washington Post is reporting this afternoon that a security breach at the payment processor Heartland Payment Systems of Princeton, New Jersey late last year may have resulted in the theft of 100 million credit and debit card accounts. According to Heartland's website, "Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide."

In a company press release today, Heartland's president and chief financial officer Robert H.B. Baldwin, Jr., said, "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

"No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms."

The Post story said that Heartland "began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments... 40 percent of transactions the company processes are from small to mid-sized restaurants across the country."

The Post noted that many IT security folks are curious (as am I) as to why the announcement was made today - the day where 99% of the news is about the US inauguration.

More than a bit suspicious, I think, and it makes you wonder if there is more to the story than what Heartland is disclosing, or whether their public relations department is tone deaf. We will keep a close eye on this - given the history of large scale data breaches, other shoes will be dropping shortly.


Protect the network from attacks: Perimeter security and Deep Packet Inspection

[Network diagram labels: VAS Domain (WAP GW, IPTV, music, email, MMSC, portal); GN/GP Domain (SGSN, GGSN, BGW, GN DNS, GP DNS, GP FW); GI Domain (GI DNS, GI FW, BGW); Charging/Supporting Services Domain (CGW, DCS, DHCP, AAA); IMS; OSS Center; GRX network; Other PLMN; Corporate PDN; DPI; OSS FW; OBS FW; IMS FW; VAS FW; SIEM; NOC; SOC; mPayment]


Solution

• Clear security domain concept

• Layered defense

• Customer data are highly protected

• Clear access control between domains

• Dedicated protection of publicly reachable services interfaces

• Blocking of manipulation of subscriber data

• Prevention of eavesdropping during transmission

• Central view of security incidents

Challenges

• Main interfaces are exposed to outside

• Integrity and confidentiality of subscriber data not granted

• Attacks from internal and external sources against services and infrastructure

• Service outages lead to loss of revenue and reputation

Subscriber data is your most important asset: How to protect and provide confidentiality

[Diagram legend: Application Traffic; Database Traffic; OAM Traffic]

CSDB: Common Subscriber Data Base


Professional Security Operation Center to ensure high availability and compliance

Security Operation Center (SOC) is a system that includes facilities, technology, process and persons in order to protect information assets:

Detection and Reaction

Incident Management

Infrastructure Management

Centralized auditing functions (vulnerability scanning, SLA monitoring, compliance monitoring…)


Competitive advantage through combination of extensive telco, IT and security knowledge

A worldwide network of security experts supports the success

More than 130 commercial contracts closed

Satisfied customers:

One-stop-shopping through strong ecosystem of best-of-breed partners

Covering the full lifecycle from security consulting to support

Nokia Siemens Networks has proven its extensive security experience in more than 130 customer projects

Real security from Nokia Siemens Networks


Inspired thinking, innovative solutions


Back-up – mPayment


Technical solutions supporting Mobile Payments are widely available…

[Architecture diagram labels: mPayment application; Prepaid; Subs d-base; USSD GWY; SMS GWY; Agent; Bank; PoS, ATM; ISO8583; Internet Banking; Optional; RN]