MPayment and Security Challenges Hassan Khan Head of Security Practice (MEA)
Date posted: 19-Dec-2015
mPayment and Security Challenges
Hassan Khan, Head of Security Practice (MEA)
2 © Nokia Siemens Networks GS CSI Security, Hassan Khan
Content
1 What are mobile payments
2 How to exploit the opportunity
3 How to secure the business
Overall, the mobile payment market falls logically in four categories or domains
Source: Ovum, Mobile payments: progressing towards large-scale deployment, 10 March 2008
Near Field Communication based payments
• Credit/debit card embedded in NFC-enabled phone
• ‘Touch and pay’ POS and vending
Money transfers in developing countries
• Person-to-person
• Payment of utilities and prepaid airtime
• International remittances
Mobile banking
• Bank and credit card accounts
• Account transfers
• Bill payments
• Stored-value account top-ups
Mobile commerce strategies in retail
• Shopping on mobile websites
• Mobile coupons and loyalty cards
• Mobile ticketing
In addition to money transfers, mobile channel benefits banking both in the developed markets…
End-user benefits
• e- and mBanking
• Anywhere, any time access to basic banking services
• Personal, interactive service
• On-the-spot handling of payments
• Mobile PoS / NFC
• Convenient, fast payment for public transport, parking, fast food, tickets
• No need for coins & cash
• Mobile terminal as an electronic wallet
• Consolidated management of cards, tickets, vouchers, rebates
• Electronic ID more secure than cards
Benefits for merchant
• Payment solution suitable for demanding environments (moving, outdoors, public spaces)
• 50% faster transaction than with debit cards
• Less cash -> increased security
• More efficient marketing and CRM
… as well as in the developing markets
End-user benefits
• Low cost and fast money transfers (also fast response to emergency needs)
• Trustworthy and secure place to keep money
• Convenience of nearby prepaid merchant for making deposits and withdrawals compared to long lines and poor service at distant retail bank branch
• Increased disposable income at receiving end
• Earn interest on deposits
• Access to financing at reasonable rates
• Convenient and fast payment of bills
Benefits for merchant / prepaid agent
• More sales
• More customer visits to store
• Larger purchases – more money available
• Incremental revenue from transaction fees
• Long term: increased security as cash economy transitions to electronic funds
Key success factors: trust/brand, network effects and effective partnering
Trust and brand
• 1st mover often establishes a de facto payment platform
• Leverage trusted provider position
Network effects
• Enable as many connections between users as possible
• Interoperability with other payment and banking systems
• Good coverage of agent network, and retail POS
Partnering
• To fill gaps in the value chain and to create successful ecosystem
• For required financial services functions and processes
• International retail channel
• Training, motivation and management of retail partners
…The key is to identify the opportunities where communications service providers can excel
• What will be allowed within existing license
• Are banking licenses needed, can a communications service provider hold one
• Additional requirements & domestic vs international transactions
• Where the service provider can be competitive in creating and capturing value
• What to do itself, what to source or partner
• What roles and positions are available and attractive to a service provider
• Who will drive the development, who are needed as partners
• What needs are underserved or latent
• Which segments to focus
• What other requirements do they have
Key questions and analyses
[Diagram: Opportunity space, bounded by Ecosystem, Regulation, Customer needs, Service provider strengths and Technology platforms]
Mobile Payments opportunities arise from creating superior value to the transacting parties
Required business components
• Retail agent / merchant / POS network
• Mobile payment platform operator
• Payment clearing / account settlement
• Account / stored value / billing relationship
• Cash management
Communications service providers key strengths
• Large base of capable terminals
• Core infrastructure
• Retail partners for distribution
• Wide geographic reach
• Credit rating for post paid subs
• Elaborate value storing in pre paid
• Customer care
Customer Needs
• Lower cost of transaction
• Wide reach through high mobile penetration
• Easy access regardless of location and time
• Low / no additional cost terminal
• Reduced cash management needs
M-PESA Kenya – Money Transfers
• Enables users to transfer money through mobile
• Targeted mainly at those without a bank account; offers an alternative method of money transfer
• Users have to register for an M-PESA account to send money
• Users can send approximately EUR 1 to EUR 360 worth of money using the service
• 20,000 registered customers within first month of launch; more than four million customers by October 2008
• No joining fee or minimum balance required; users pay commission on transactions
Source: Safaricom; Safaricom Annual Report 2008, CGAP; MIT Press Journals
M-PESA Kenya: Easy-to-use Mobile Money Transfer Service
Safaricom launched its mobile money transfer service M-PESA in March 2007
Service Highlights
M-PESA enables users to:
• Deposit money
• Transfer money
• Withdraw money
• Buy airtime
• Check account information
Service Offerings
Young, Male, Urban migrant workers are the ‘Early Adopters’ of the service
• Banks, Financial Institutions
• More than 3,500 M-PESA agents across Kenya
Key Partners
Service Success
Approximately 2,500 users registered to the M-PESA service every day in 2007.
[Chart: M-PESA Registered Users (million); data labels 0.2, 1.6, 2.0, 2.3, 4.0; x-axis dates Jul-2007, Feb-2008, Mar-2008, Jun-2008, Oct-2008]
M-PESA has facilitated approximately KES 9.4 billion (EUR 96 million) in person-to-person transactions by the end of March 2008
• Transactions worth KES 3 billion (EUR 30 million) in March 2008
Note: Exchange rate – KES 1 (Kenyan Shilling) = EUR 0.01027, as of 31 March 2008
M-PESA Kenya: Moving the Money Around Using M-PESA
M-PESA offers an easy registration process to the users; Cash transfer and withdrawal are SMS-based
[Diagram: Sending Money Using M-PESA. Parties: User, Family, Mobile Network, M-PESA Account Manager. Messages: SMS Instruction (send money to family), SMS Notice (money received)]
[Diagram: Withdrawing Money Using M-PESA. Parties: User, Agent, Mobile Network, M-PESA Account Manager. Messages: SMS Instruction (withdraw money from agent), SMS Instruction (send money to user)]
M-PESA Account Manager moves the money between customers in response to SMS instructions
User goes to M-PESA agent
Upgrades the SIM for free, if required
Provides details such as name, DOB, phone number and ID
Registers for M-PESA
No additional bank account details are required for registration
Source: Safaricom; Safaricom Annual Report 2008
Money deposited by users is held safely in a bank account run by M-PESA on their behalf
User goes to M-PESA agent
Provides details such as phone number, amount and ID
M-PESA agent deposits money using their mobile phone
Activates M-PESA menu
Depositing money using M-PESA
Registered M-PESA customers have a ‘virtual money’ account attached to their Safaricom mobile phone number, backed up by an equal amount of money held in a Kenyan bank
M-PESA Kenya: M-PESA Customer Charge Rates
Users are charged a commission of up to KES 170 (EUR 1.7) for sending or withdrawing money in the range of KES 100 – KES 35,000 (EUR 1 – EUR 360)
Source: Safaricom; Safaricom Annual Report 2008
| Transaction Type | Transaction Range (KES) | Consumer Charge (KES) |
| Deposit cash | 100 – 35,000 | 0 |
| Send money to M-PESA user | 100 – 35,000 | 30 |
| Send money to non M-PESA user | 100 – 35,000 | 75 – 400* |
| Withdraw cash by non M-PESA user | 100 – 35,000 | 25 – 170* |
| Receive money | 100 – 35,000 | 0 |
| Buy airtime (for self or other) | 20 – 10,000 | 0 |
* Note: Consumer charges vary depending upon the actual amount of money sent or withdrawn
• Customers are only charged for the transactions they initiate; services such as SIM swap are free
• All charges are deducted from the user’s M-PESA account
• Customers do not pay any charges to the M-PESA agents for transactions
• All SMS sent to and from M-PESA are free to the users
• A non M-PESA customer can also receive money through M-PESA
Why Protection: Theft of 100 Million Credit Card Records
The Washington Post is reporting this afternoon that a security breach at the payment processor Heartland Payment Systems of Princeton, New Jersey late last year may have resulted in the theft of 100 million credit and debit card accounts. According to Heartland's website, "Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide."

In a company press release today, Heartland's president and chief financial officer Robert H.B. Baldwin, Jr., said, "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

"No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms."

The Post story said that Heartland "began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments... 40 percent of transactions the company processes are from small to mid-sized restaurants across the country."

The Post noted that many IT security folks are curious (as am I) as to why the announcement was made today - the day where 99% of the news is about the US inauguration. More than a bit suspicious, I think, and it makes you wonder if there is more to the story than what Heartland is disclosing, or whether their public relations department is tone deaf. We will keep a close eye on this - given the history of large scale data breaches, other shoes will be dropping shortly.
Protect the network from attacks: Perimeter security and Deep Packet Inspection
[Network diagram. Domains: VAS Domain, GI Domain, GN/GP Domain, Charging/Supporting Services Domain, IMS, OSS Center, mPayment. External networks: GRX network, Other PLMN, Corporate PDN. Firewalls: GP FW, GI FW, OSS FW, OBS FW, IMS FW, VAS FW. Other labelled elements: WAP GW, IPTV, music, email, MMSC, portal, GGSN, SGSN, DPI, BGW, CGW, DCS, DHCP, AAA, GI DNS, GN DNS, GP DNS, SIEM, NOC, SOC]
Solution
• Clear security domain concept
• Layered defense
• Customer data are highly protected
• Clear access control between domains
• Dedicated protection of publicly reachable services interfaces
• Blocking of manipulation of subscriber data
• Prevention of eavesdropping during transmission
• Central view of security incidents
Challenges
• Main interfaces are exposed to outside
• Integrity and confidentiality of subscriber data not granted
• Attacks from internal and external sources against services and infrastructure
• Service outages lead to loss of revenue and reputation
Subscriber data is your most important asset: How to protect and provide confidentiality
Application Traffic
Database Traffic
OAM Traffic
CSDB: Common Subscriber Data Base
Professional Security Operation Center to ensure high availability and compliance
Security Operation Center (SOC) is a system that includes facilities, technology, process and persons in order to protect information assets:
Detection and Reaction
Incident Management
Infrastructure Management
Centralized auditing functions (vulnerability scanning, SLA monitoring, compliance monitoring…)
Competitive advantage through combination of extensive telco, IT and security knowledge
A worldwide network of security experts supports the success
More than 130 commercial contracts closed
Satisfied customers:
One-stop-shopping through strong ecosystem of best-of-breed partners
Covering the full lifecycle from security consulting to support
Nokia Siemens Networks has proven its extensive security experience in more than 130 customer projects
Real security from Nokia Siemens Networks
…
Inspired thinking, innovative solutions
Back-up – mPayment
Technical solutions supporting Mobile Payments are widely available…
[Architecture diagram. Labelled elements: mPayment application, Prepaid Subs d-base, USSD GWY, SMS GWY, Agent, Bank, PoS, ATM, ISO8583, Internet Banking, Optional, RN]