Mpfi Raina


Transcript of Mpfi Raina

  • 7/31/2019 Mpfi Raina

    1/40

    1. Amendments to Interoperability Standards for Mobile Payments

    2. Discussion paper on Security for Mobile payments

    Dr Gaurav Raina, Department of Electrical Engineering, IIT Madras

    E-mail : [email protected]

  • Slide 2/40

    Challenges for Mobile Payments

    Interoperability

    Security

    Universality

    Usability

    Privacy

    Trust

    Cost

    Performance

    Cross-border payments

  • Slide 3/40

    Interoperability Standards V1.10

    TSP Telecommunication Service Provider

    MPP Mobile Payment Provider

  • Slide 4/40

    Interoperability Standards V1.A

    MMID Mobile Money Identifier

    Was uploaded to MPFI website: 29 Nov, 2010

    Request for comments by 15 Dec, 2010

    (Diagram labels: Customer, MPP, Bank, Core Banking System (CBS), Central Switch / settlement agency, Bank, Core Banking System (CBS), MPP, Customer)

    Each mobile number will be linked to a bank account

    Message from the customer to the MPP: Beneficiary's mobile number, MMID, Amount

  • Slide 6/40

    Discussion paper on Security for Mobile payments

  • Slide 7/40

    Background: Interoperability Standards for Mobile Payments

    Technology Sub-Committee for Mobile Payments Security

    Discussion Paper on Mobile Payment Security, 7th Feb 2011

    Discussion Paper to eventually turn into a Standards Document

    Institutions part of the Technology Sub-Committee

    Tata Teleservices Ltd

    IDRBT

    mCheck

    Comviva Technologies Ltd

    ICICI Bank

    IIT Madras

  • Slide 8/40

    Objectives and scope of Discussion Paper

    To undertake an assessment of the key security concerns for mobile payments

    Identify the threats and vulnerabilities for mobile payments

    Recommendations for minimizing/eliminating the identified threats

    Identify the main security breach points

    (1) Mobile device level

    (2) Application level

    (3) Channel level

    Then consider each of the breach points from the perspective of

    (1) Technology

    (2) Interoperability Standards

    (3) Operative guidelines set out by the RBI

  • Slide 9/40

    RBI Security Guidelines

    Authentication: banks providing mobile banking services shall comply with the following security principles and practices for the authentication of mobile banking transactions:

    A. All mobile banking shall be permitted only by validation through a two factor authentication.

    B. One of the factors of authentication shall be mPIN, or any other higher standard.

    C. Where mPIN is used, end-to-end encryption of the mPIN is desirable; i.e. mPIN shall not be in clear text anywhere in the network.

    D. The mPIN shall be stored in a secure environment.

  • Slide 10/40

    Interoperability

    (Same interoperability diagram as slide 4: Customer, MPP, Bank, Core Banking System (CBS), Central Switch / settlement agency; each mobile number linked to a bank account; the customer sends the beneficiary's mobile number, MMID and amount to the MPP)

  • Slide 11/40

    Interfaces in a Transaction flow

    Wireless Interface

    Customer-to-MPP

    Wired Interfaces

    MPP-to-Bank

    Bank-to-CBS

    Bank-to-Bank

  • Slide 13/40

    Template for evaluating all technologies

    Capability of the phone

    Positive features

    Compliance with RBI guidelines

    Other aspects

    Key concerns

    Key recommendations

    Customers

    Banks

    Etc.

  • Slide 14/40

    IVR

    BTS Base Transceiver Station

    BSC Base Station Controller

    HLR Home Location Registry

    MPP Mobile Payment Provider

    SMSC SMS Message Switching Centre

  • Slide 15/40

    IVR

    Capability of the phone

    All Handsets

    Positive Features

    Different levels of literacy

    Very secure with voice biometrics

    Easy to use

    Cost per transaction is low

    Compliance with RBI guidelines

    Yes, with voice biometrics

    Other aspects

    Voice biometrics not standardized

    Different implementations / solutions could have different performance

    Interact through the use of voice & DTMF keypad inputs

  • Slide 16/40

    IVR

    key concerns / recommendations

    If DTMF tones are used to transfer information, there is a possibility of tapping and deciphering confidential data

    Recommended to use voice biometrics

    Security of database / transaction logs where confidential information may be stored, either by design or inadvertently

    Security audits can eliminate this concern

    Voice biometrics or other authentication data should be stored in encrypted form

    For concerns over caller ID spoofing and replay attacks, a liveness test should be used.

  • Slide 17/40

    Sub working groups

    SMS and USSD

    Comviva and Eko

    IVR

    Comviva, Voxta, Uniphore

    Mobile browsing services

    Paladion Networks and RS Software

    Advanced application services (J2ME)

    Comviva, Paladion Networks, RS Software and Voxta

    SIM application ToolKit (STK)

    Syscom

    Emerging Technologies (NFC)

    Samsung

  • Slide 18/40

    Other relevant documents

    1. Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds.

    Report and Recommendations, Reserve Bank of India, Jan 2011

    2. Amended IT Act 2008

    Request for someone in MPFI who has a strong technological and legal understanding to work with the TSC to assess the relevance of the recommendations in the context of the Amended IT Act, and vice versa.

    Example, recommended to adopt Wireless PKI.

    Q: Does this meet the reliability criteria as given in the Amended IT Act, 2008?

    If yes, the MPFI can recommend Department of Information Technology to include WPKI legality while framing and notifying rules for Electronic Signature.

  • Slide 19/40

    Summary

  • Slide 20/40

    Next Steps

    Develop a thorough, in-depth understanding of all technologies with respect to security and end-to-end performance

    Review all recommendations in the context of the Amended IT Act, 2008

    Work towards a Standards Document

  • Slide 25/40

    Case 1. bearer services (SMS, USSD, IVR)

    key concerns

    Mobile Device Level

    SMSs being sent & received are automatically saved

    USSD session with AT commands

    Channel Level

    Security might be compromised in

    Telecom Switching network

    Database level

    Real Threat lies in Transaction logs

    Weak Encryption

    Unilateral Authentication

    Over-The-Air cracking

    SMS spoofing

  • Slide 26/40

    Case 1. bearer services (SMS, USSD, IVR)

    key recommendations

    Customer

    Do not store any confidential messages/information on the phone

    Delete the already sent mobile payment messages that contain sensitive information

    Banks

    Imposing a threshold on the amount of a transaction based on the risk perspective

    Educating the customers on best practices of mobile payments security

  • Slide 27/40

    Case 2. mobile browsing services (HTTPS, WAP)

    (Network diagram with the same legend as slide 14: BTS, BSC, HLR, MPP, SMSC)

  • Slide 28/40

    Wireless Application Protocol (WAP)

    Capability of the phone

    Only in advanced handsets

    Positive feature

    Open standard for application layer network communications

    Compliance with RBI guidelines

    End to end security possible

    Other aspects

    WAP browsers access websites written in WML

    WAP based applications use GPRS as the data transport layer and are secured either by

    Encryption provided by GPRS

    Wireless Transport Layer Security (WTLS)

  • Slide 31/40

    Case 3. advanced application services (J2ME )

    (Network diagram with the same legend as slide 14: BTS, BSC, HLR, MPP, SMSC)

    Mobile payment application

  • Slide 32/40

    Mobile payment application: in phone memory

    Capability of the phone

    Today, most handsets support Java (J2ME)

    Positive feature

    Easy to use, menu driven

    Compliance with RBI guidelines

    End to end security possible

    Other aspects

    Applications in Java (J2ME) for GSM handsets, BREW for CDMA

    Storage of client's credentials

    Inside the SIM

    RMS (record management system)

  • Slide 33/40

    Case 3. advanced application services (J2ME)

    key concerns

    Mobile Device Level

    Information stored in Record Management System (RMS) can be read easily

    Random numbers used in key generation can be guessed by an alert hacker

    Authentication check, if performed by the client-side application, poses a serious threat

    Channel Level

  • Slide 34/40

    Case 3. advanced application services (J2ME)

    key recommendations

    Bank

    Store the sensitive information in an encrypted format

    Symmetric key encryption can be used if the shared key can be stored in a secure environment

    Hybrid protocols like SSL (employing both symmetric & asymmetric key encryption) are preferred

    Authenticity check should be performed at the server side

    Timestamps/one-time passwords can be used to counter replay attacks
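    As an added example (not from the discussion paper), this Python sketch shows the slide 34 recommendations working together on a slide 4 style request (beneficiary mobile number, MMID, amount): the handset tags the message with a CSPRNG nonce, a timestamp and an HMAC-SHA256 under a shared symmetric key, and the bank server, not the client, performs the authenticity check and rejects tampered, stale or replayed messages. The field names, the 120 s window, the in-memory nonce cache and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: a per-customer symmetric key, assumed to be provisioned
# out of band and held in a secure environment (e.g. the SIM) on the handset.
SHARED_KEY = secrets.token_bytes(32)
FRESHNESS_WINDOW_S = 120   # assumed acceptance window for the timestamp
_seen_nonces = set()       # assumed in-memory replay cache; prune to the window in production
FIELDS = ("mobile", "mmid", "amount", "ts", "nonce")


def canonical(msg):
    """Serialize the authenticated fields in a fixed order so both sides MAC the same bytes."""
    return "|".join(str(msg[f]) for f in FIELDS).encode()


def client_build_request(mobile, mmid, amount, key, now=None):
    """Handset side: build a payment request (beneficiary mobile, MMID, amount)
    carrying a timestamp, a CSPRNG nonce and an HMAC-SHA256 tag under the shared key."""
    msg = {
        "mobile": mobile,
        "mmid": mmid,
        "amount": amount,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),   # CSPRNG, not a guessable PRNG seed
    }
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


def server_verify(msg, key, now=None):
    """Bank side: the authenticity check happens here, never in the client app.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return False, "bad MAC"            # tampered fields or wrong key
    if abs(now - int(msg["ts"])) > FRESHNESS_WINDOW_S:
        return False, "stale timestamp"    # outside the window: old or future-dated
    if msg["nonce"] in _seen_nonces:
        return False, "replayed nonce"     # identical message seen within the window
    _seen_nonces.add(msg["nonce"])         # record only accepted messages
    return True, "ok"
```

    The nonce check catches a replay inside the freshness window and the timestamp check catches one outside it, so the replay cache only ever needs to hold nonces from the last window.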

  • Slide 35/40

    Case 4. SIM application toolkit (STK)

    (Network diagram with the same legend as slide 14: BTS, BSC, HLR, MPP, SMSC)

    Mobile payment application:

  • Slide 36/40

    Mobile payment application: embedded in the SIM

    Capability of the phone

    Can be implemented in all handsets

    Positive feature

    Easy to use, no need to install application

    Compliance with RBI guidelines

    End to end secure

    Other aspects

    Information in SIM is protected using crypto algorithms & keys

    Applications developed using SIM Application Toolkit (SAT) & JavaCard

    Application can be stamped either in the manufacturing phase or dynamically installed through Over The Air

  • Slide 37/40

    Case 4. SIM application toolkit (STK)

    key concerns

    Mobile Device Level

    Downloading of Applets is a time consuming process

    Slowness of the Key generation & Signature process

    Generated signatures may not be qualified

    Mobile malware like keylogging trojan

  • Slide 38/40

    Case 4. SIM application toolkit (STK)

    key recommendations

    Customer

    Ensuring the mobile handset is free from viruses by having an up-to-date anti-virus

    Bank

    Use symmetric encryption and store the key inside the SIM in an encrypted format

    Adopt Wireless Public Key Infrastructure (WPKI)

    Telecommunication Service Provider (TSP)

    Increase the processing abilities of a SIM card

  • Slide 40/40

    Some recent references

    Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. Report and Recommendations, Reserve Bank of India, Jan 2011

    Securing Mobile Payments: Modelling, Design, and Analysis by Supakorn Kungpisdan, Lambert Academic Publishing, 2010