Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2008-11 1 A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at.

Published byMelissa Bentley Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright 2008-11 1 A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at."— Presentation transcript:

1 Copyright 2008-11 1 A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at ANU and in Cyberspace Law & Policy at UNSW http://www.rogerclarke.com/EC/MP-RAF-1102 {.html,.ppt} Bond University – 11 February 2011

2 Copyright 2008-11 2

3 Copyright 2008-11 3 A Risk Assessment Framework for Mobile Payments Agenda 1.Motivation 2.Scope 3.Lessons from the Past 4.Elements of the Framework 5.Some Inferences

4 Copyright 2008-11 4 A Risk Assessment Framework for Mobile Payments The Motivation eCommerce was sl-o-o-o-o-w MCommerce was even slower Distrust about security is a major factor, especially when its about money To overcome the Distrust Impediment, constructive measures are needed Risk Assessment and Management would seem to be a good place to start

5 Copyright 2008-11 5 MPayments Security The Existing Literature Scornavacca (2007) – http://www.m-lit.org/ Over 1,400 references 31 with 'security' in the title 46 with 'payment' in the title 1 with both security and payment in the title (Linck et al. – Augsburg – ECIS 2006, open-ended question What would you require to feel secure about using mobile payments?) Little else of consequence via Google Scholar

6 Copyright 2008-11 6 Mobile Devices 'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means' Mobiles / Smartphones Handheld Computing Devices PDAs, games machines, music-players, 'converged' / multi-function devices, Tablets esp. iPad but now many followers Wearable Computing Devices Watches, finger-rings, key-rings, glasses, necklaces, bracelets, anklets, body-piercings Processing Capabilities in Other 'Form Factors' Credit-cards, RFID tags, subcutaneous chips ? Nomadic / Untethered PCs

7 Copyright 2008-11 7 Wireless Means Wide Area Networks – Satellite Geosynchronous (2 second latency) Low-Orbit (Iridium) Wide Area Networks – Cellular (0.5 to 20km per cell) 1 – Analogue Cellular 2 – Digital Cellular, e.g. GSM, CDMA 2.5 – e.g. GSM/GPRS,... 3 – e.g. CDMA2000, UMTS/HSPA,... Wide Area Networks – WiMax / IEEE 802.16; iBurst Local Area Networks – WiFi / 802.11x (10-100m radius) Personal Area Networks – Bluetooth (1-10 m radius) Contactless Cards / RFID Tags / NFC (1-10cm radius)

8 Copyright 2008-11 8 Categories of Mobile Payment Commerce Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC)

9 Copyright 2008-11 9 Categories of Mobile Payment Commerce Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC) eCommerce Purchases of physical goods and services at virtual points of sale (Internet, Cellular phone)

10 Copyright 2008-11 10 Categories of Mobile Payment Commerce Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC) eCommerce Purchases of physical goods and services at virtual points of sale (Internet, Cellular phone) MCommerce Purchases of digital goods and services, such as image, audio and video, and location-specific data

11 Copyright 2008-11 11 Categories of Mobile Payment Commerce Purchases of physical goods and services, at physical POS, road tolls (Contactless Chips, NFC) eCommerce Purchases of physical goods and services at virtual points of sale (Internet, Cellular phone) MCommerce Purchases of digital g&s, such as image, audio and video, and location-specific data Consumer-to-Consumer (C2C) Transfers of value between individuals

12 Copyright 2008-11 12 A Risk Assessment Framework for Mobile Payments Agenda 1.Motivation 2.Scope 3.Lessons from the Past 4.Elements of the Framework 5.Trial Applications

13 Copyright 2008-11 13 Categories of Prior Payment Mechanisms Pre-Electronic Money Cheque Money Order Periodic Payment Authority Charge-Card voucher at POS Credit-Card voucher at POS Cr-Card Not Present – Mail (CNP MO) Early Electronic Telegraphic Transfer (TT) Wired transfer Direct Credit Giro Telco Account Cr-Card Not Present – Telephone (CNP TO)

14 Copyright 2008-11 14 Payment by Cash

15 Copyright 2008-11 15 Payment by Cheque

16 Copyright 2008-11 16 Direct Credit Giro, 'TT', Salary Payments

17 Copyright 2008-11 17 Credit Cards and Charge- Cards (in 'Meatspace' Transactions)

18 Copyright 2008-11 18 The Security Profile of Meatspace Credit-Card Transactions Two-factor Authentication: have a token know (a secret?) Vulnerable to cloning, forgery, card&PIN-capture Relies on: card-holder retention of the card production of the card at POS performance of a signature facsimile or PIN consumer reconciliation of their accounts self-insurance by merchants (banks issue charge-backs)

19 Copyright 2008-11 19 The Improved Security Profile of Meatspace Credit-Card Transactions with Contact-Based Chip-Card / EMV Two-factor Authentication: have a token know (a secret?) Vulnerable to cloning, forgery, card&PIN-capture Relies on: card-holder retention of the card production of the card at POS performance of a signature facsimile or PIN consumer reconciliation of their accounts self-insurance by merchants (banks issue charge-backs)

20 Copyright 2008-11 20 The (In)Security Profile of Card-Not-Present (CNP/MOTO) Transactions Single-Factor Authentication: have credit card details not have the card no know a secret factor Vulnerable to lying, cloning, forgery, carddetails-capture Relies on: secrecy of credit-card details [??] general levels of honesty consumer reconciliation of their accounts self-insurance by merchants (banks issue charge-backs)

21 Copyright 2008-11 21 The Very Slightly Improved (In)Security Profile of Card-Not-Present (CNP/MOTO) Transactions with Contact-Based Chip-Card / EMV Single-Factor Authentication: have credit card details not have the card no know a secret factor Vulnerable to lying, cloning, forgery, carddetails-capture Relies on: secrecy of credit-card details [??] general levels of honesty consumer reconciliation of their accounts self-insurance by merchants (banks issue charge-backs)

22 Copyright 2008-11 22 Contactless Chip-Cards as Payment Devices RFID / NFC chip embedded in card Wireless operation, up to 5cm from a terminal Visa Paywave and MasterCard PayPass Up to $100 and $35 resp. (cf. original $25)

23 Copyright 2008-11 23 Contactless Chip-Cards as Payment Devices RFID / NFC chip embedded in card Wireless operation, up to 5cm from a terminal Visa Paywave and MasterCard PayPass Up to $100 and $35 resp. (cf. original $25) Presence of chip in card is not human-visible, but Logo / Brand may be visible No choice whether it's activated Operation of chip in card is not human-apparent No action required when within 5cm range, i.e. automatic payment No receipt is the norm Used as Cr-Card: Unauthenticated auto-lending Used as Dr-Card: PIN-less charge to bank account

24 Copyright 2008-11 24 The (In)Security Profile of Contactless Chip-Card Payment Transactions Single-Factor Authentication: have the card, within a device's field, when that device is ready to charge money for something Vulnerable to card-capture, rogue devices, rogue transactions by legitimate devices,... Relies on: general levels of honesty among merchants and FIs (consumer reconciliation is infeasible – no vouchers, and either very long statements or no statements) invisibility of fraudulent transactions self-insurance by consumers

25 Copyright 2008-11 25 A Risk Assessment Framework for Mobile Payments Agenda 1.Motivation 2.Scope 3.Lessons from the Past 4.Elements of the Framework 5.Trial Applications

26 Copyright 2008-11 26 Risk Assessment for I.T.-Based Schemes An established business process Described in Text-Books Peltier 2005, Landoll 2005, Slay & Koronios 2006 Specified (loosely) in Industry Standards - AS/NZS 3931-1998 -AS/NZS 4360-1999 -ISO 27005-2008

27 Copyright 2008-11 27 Mainstream Security Model Abstract Threats Become Actual Threatening Events, Impinge on Vulnerabilities, Overcome Safeguards & Cause Harm Security is a (desirable) condition in which Harm does not arise because Threats are countered by Safeguards

28 Copyright 2008-11 28 The Risk Assessment Framework for Mobile Payments

29 Copyright 2008-11 29 The Technical Architecture Indicative Model

30 Copyright 2008-11 30 Commercial Architecture Customer/Payer Seller/Payee Payment Handler Delivery Handler Customer Support Internet Online Trading Protocol (IOTP):

31 Copyright 2008-11 31 Commercial Architecture Customer/Payer Seller/Payee Payment Handler Delivery Handler Customer Support BUT ALSO... Internet Access Providers (IAPs) Carriage Service Providers (CSPs) Commercial Intermediaries, e.g. Paypal Transaction Service Providers e.g. banks and credit-card companies Payment Services Providers, e.g. deposit-holders, lenders and insurers Regulators and complaints bodies e.g. financial services ombudsmen Consumer Rights representative and advocacy organisations Consumer Segments, e.g. the mobility- disadvantaged, the sight-impaired, people with limited financial assets Internet Online Trading Protocol (IOTP):

32 Copyright 2008-11 32 The Transaction Process Aspect From Herzberg (2003), p. 56

33 Copyright 2008-11 33 The Harm Aspect Injury to Persons Damage to Property Financial Loss Loss of Value of an Asset Breach of Personal Data Security, or Privacy more generally Inconvenience and Consequential Costs arising from Identity Fraud Serious Inconvenience and Consequential Costs arising from Identity Theft Loss of Reputation and Confidence

34 Copyright 2008-11 34 Threat Aspects – Second-Party Situations of Threat: Banks Telcos / Mobile Phone Providers Toll-Road eTag Providers Intermediaries Devices Safeguards: Terms of Contract Risk Allocation Enforceability Consumer Rights

35 Copyright 2008-11 35 Threat Aspects – Third-Party, Within the System (Who else can get at you, where, and how?) Points-of-Payment Physical: Observation Coercion Points-of-Payment Electronic: Rogue Devices Rogue Transactions Keystroke Loggers Private Key Reapers Network Electronic Interception Decryption Man-in-the- Middle Attacks Points-of-Processing Rogue Employee Rogue Company Error

36 Copyright 2008-11 36 Threat Aspects – Third-Party, Within the Device Physical Intrusion Social Engineering Confidence Tricks Phishing Masquerade Abuse of Privilege Hardware Software Data Electronic Intrusion Interception Cracking / Hacking Bugs Trojans Backdoors Masquerade Distributed Denial of Service (DDOS) Infiltration by Software with a Payload

37 Copyright 2008-11 37 Threat Aspects – Third-Party, Within the Device Infiltration by Software with a Payload Software (the Vector) Pre-Installed User-Installed Virus Worm... Payload Trojan: Spyware Performative Communicative Bot / Zombie Spyware: Software Monitor Adware Keystroke Logger...

38 Copyright 2008-11 38 The Vulnerability Aspect The Environment Physical Surroundings Organisational Context Social Engineering The Device Hardware, Systems Software Applications Server-Driven Apps (ActiveX, Java, AJAX) The Device's Functions: Known, Unknown, Hidden Software Installation Software Activation Communications Transaction Partners Data Transmission Intrusions Malware Vectors Malware Payloads Hacking, incl. Backdoors, Botnets

39 Copyright 2008-11 39 A Risk Assessment Framework for Mobile Payments Agenda 1.Motivation 2.Scope 3.Lessons from the Past 4.Elements of the Framework 5.Trial Applications

40 Copyright 2008-11 40 Payments in the Network Era Initially Wired, Increasingly Unwired Secure Models ATMs EFTPOS – Dr Tx Internet Banking Debit Tx over the Internet Insecure Models EFTPOS – Cr Tx Credit Card Tx over the Internet (CNP / MOTO) Highly Insecure Models Contactless-Chip/ RFID / NFC

41 Copyright 2008-11 41 Act of Consent – None / Unclear / Clear e.g. Tap the Pad in Response to Display of Fare Notification – None / Audio / Display If 'None', then enables surreptitious payment extraction Receipt / Voucher – None / Option or Online / Y Octopus, Drive-Through eTags for Road-Tolls UK RingGo Parking Payment Scheme Authentication – None / A Non-Secret / For Higher-Value Transactions Only UK RingGo Parking Payment Scheme – last 4 digits PIN for Telstra/NAB/Visa payWave above US$ 25? 100?? Key Safeguards for Chip Payment Schemes

42 Copyright 2008-11 42 Act of Consent – None / Unclear / Clear If the card is within 5cm of a device, whether seen or not Notification – None? / Audio / Display If 'None', then enables surreptitious payment extraction Receipt / Voucher – None? / Option / Y Authentication – None / A Non-Secret / For High-Value Transactions Only? Visa PayWave and MCard Paypass

43 Copyright 2008-11 43 Key Threat / Vulnerability Combinations Acquisition of Identity Authenticators e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators) e.g. Username (identifier) plus Password/PIN/ Passphrase/Private Signing Key (id authenticator) e.g. Biometrics capture and comparison Unauthorised Conduct of Transactions Interference with Legitimate Transactions Use of a Consumer Device as a Tool in a fraud perpetrated on another party

44 Copyright 2008-11 44 Key Safeguards Required Two-Sided Device Authentication, i.e. by Payees Chip of Payers Chip by Payers Chip of Payees Chip Notification to Payer of: Fact of Payment (e.g. Audio-Ack) Amount of Payment At least one Authenticator Protection of the Authenticator(s) A Voucher (Physical and/or Electronic) Regular Account Reconciliation by Payers

45 Copyright 2008-11 45 Australian Consumers' Security Practices When using the Internet, [do you] use hard to guess passwords which are changed regularly? Always – 18%Never – 58%

46 Copyright 2008-11 46 Australian Consumers' Security Practices When using the Internet, [do you] use hard to guess passwords which are changed regularly? Always – 18%Never – 58% [Do you] use, and change regularly, passwords on your main mobile device? Always – 37%Never – 29%

47 Copyright 2008-11 47 Australian Consumers' Security Practices When using the Internet, [do you] use hard to guess passwords which are changed regularly? Always – 18%Never – 58% [Do you] use, and change regularly, passwords on your main mobile device? Always – 37%Never – 29% Unisys Security Index (October 2010) Supplementary Questions to their standard push-poll

48 Copyright 2008-11 48

49 Copyright 2008-11 49 A Risk Assessment Framework for Mobile Payments Agenda 1.Motivation 2.Scope 3.Lessons from the Past 4.Elements of the Framework 5.Some Inferences

50 Copyright 2008-11 50 A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at ANU and in Cyberspace Law & Policy at UNSW http://www.rogerclarke.com/EC/MP-RAF-1102 {.html,.ppt} Bond University – 11 February 2011

51 Copyright 2008-11 51 Drill-Down on Security Analysis The ATM Model ATMs Debit-Cards over EFTPOS Internet Banking Debit-Cards over the Internet The Credit-Card Model Credit-Cards over EFTPOS Credit-Cards over the Internet Ready-SET-Dont Go 3D-Secure?

52 Copyright 2008-11 52 ATMs 2-factor: have card know the PIN PIN keyed into secure PIN-pad, in a manner which makes it difficult to observe [?] Hash of PIN transmitted and compared So the know part is protected from both physical and electronic observation

53 Copyright 2008-11 53 Debit-Cards over EFTPOS Networks Followed ATMs and the ATM Security Model 2-factor: have card know the PIN PIN keyed into secure PIN-pad, in a manner which makes it difficult to observe [?] Hash of PIN transmitted and compared So the know part is protected from both physical and electronic observation

54 Copyright 2008-11 54 Internet Banking – Various Implementations 2-factor or 3-factor authentication, e.g. know account details / login-id know PIN various third factors: pre-registered IP-addresses only know One-Time Password (OTP) receive and key OTP sent at the time over another channel (e.g. SMS msg) Authenticator(s) keyed into insecure key-pad, in a manner which makes it difficult to observe So the know part is protected from physical, and partly from electronic, observation

55 Copyright 2008-11 55 Debit Transactions over the Internet Customer is at a merchants payment page Customer is re-directed to a specialised version of their own banks online-banking services Customer uses their own banks Internet Banking service to authorise the transaction, including an encrypted channel (SSL/https) Customer is redirected to the merchant Canadas scheme is called Interac Online: http://www.interaconline.com/ This leverages on a well-trusted infrastructure, but requires careful interfacing from merchants

56 Copyright 2008-11 56 Credit-Cards over EFTPOS Networks Did *NOT* Follow the ATM Security Model 2-factor: have card reproduce signature pre-recorded on-card No PIN Some improvement through stop-list being automated on-line rather than manual The primary purpose was not security, but the transfer of data-capture costs to merchants

57 Copyright 2008-11 57 Credit Card Tx over the Internet Worse Yet – Applied the CNP/MOTO Model The have factor is not have the card but merely have credit card details No second-factor such as know a secret Relies on: an encrypted channel (SSL/https) secrecy of credit-card details [??] general levels of honesty consumers reconciling their accounts self-insurance by merchants (banks issue charge-backs)

58 Copyright 2008-11 58 Ready – SET – Dont Go Secure Electronic Transaction Processing for Internet Credit Cards Card-Holder states that he wishes to make a payment Merchant acknowledges Card-Holder provides payment amount, digital certificate Merchant requests an authorisation from the Payment- Processing Organisation (via a Payment Gateway / Acquirer) Existing EFTS networks process the authorisation Merchant receives authorisation Merchant sends capture request (to commit the transaction) Merchant receives confirmation the transaction is accepted Merchant sends Card-Holder confirmation

59 Copyright 2008-11 59 Credit-Card Transactions over the Internet 3-D Secure A Visa Initiative, but licensed to others: Verified by Visa MasterCard SecureCode JCB J/Secure For merchants and financial institutions, specifies authentication and processing procedures Requires some form of card-holder authentication, at this stage generally keying of a password/PIN May require EMV-chip and smartcard reader http://en.wikipedia.org/wiki/3-D_Secure https://partnernetwork.visa.com/vpn/global/......retrieve_document.do?documentRetrievalId=118

60 Copyright 2008-11 60 Credit-Card Payments in the MCommerce Mobile / Handheld / Unwired Era Inherits weaknesses of MOTO / Internet Less visible payee, no footprint Less visible process, perhaps invisible Less visible transaction data? Notification record / transaction voucher? Any improvement may depend on mobile devices incorporating a smartcard-reader

61 Copyright 2008-11 61 Debit-Card Payments in the MCommerce Mobile / Handheld / Wireless Era Less visible payee, no footprint Less visible process, perhaps invisible Less visible transaction data? Notification record / transaction voucher? Vulnerability of Authenticators when processed on mobile devices Transmission of PIN or hash w/- SSL?

Download ppt "Copyright 2008-11 1 A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at."

Similar presentations

Jack Jedwab Association for Canadian Studies September 27 th, 2008 Canadian Post Olympic Survey.

Jack Jedwab Association for Canadian Studies September 27 th, 2008 Canadian Post Olympic Survey.
Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.
Symantec 2010 Windows 7 Migration Global Results.

Symantec 2010 Windows 7 Migration Global Results.
1 A B C 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52.

1 A B C
Basic accounting I recap.

Basic accounting I recap.
A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong Kong, Cyberspace.

A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong Kong, Cyberspace.
Copyright, 1995-2008 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.

Copyright, Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.
Copyright 2008-12 1 COMP 3410 – I.T. in Electronic Commerce eSecurity Mobile Security Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U.

Copyright COMP 3410 – I.T. in Electronic Commerce eSecurity Mobile Security Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U.
Copyright 1987-2009 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and at the ANU and the Uni. of.

Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and at the ANU and the Uni. of.
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Copyright 2008-12 1 COMP 3410 / 6341 – I.T. in Electronic Commerce E-Trading 3.Electronic Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor,

Copyright COMP 3410 / 6341 – I.T. in Electronic Commerce E-Trading 3.Electronic Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor,
Copyright, 1995-2006 1 The Malware Menagerie Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.

Copyright, The Malware Menagerie Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.
Copyright, 1995-2007 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.

Copyright, Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.
Select from the most commonly used minutes below.

Select from the most commonly used minutes below.
Copyright © 2003 Pearson Education, Inc. Slide 7-1 Created by Cheryl M. Hughes The Web Wizards Guide to XML by Cheryl M. Hughes.

Copyright © 2003 Pearson Education, Inc. Slide 7-1 Created by Cheryl M. Hughes The Web Wizards Guide to XML by Cheryl M. Hughes.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
STATISTICS HYPOTHESES TEST (I)

STATISTICS HYPOTHESES TEST (I)
September 2013 ASTM Officers Training Workshop September 2013 ASTM Officers Training Workshop ASTM Member Website Tools September 2013 ASTM Officers Training.

September 2013 ASTM Officers Training Workshop September 2013 ASTM Officers Training Workshop ASTM Member Website Tools September 2013 ASTM Officers Training.
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.

Similar presentations

Ads by Google