10. MOBILE AT THE POINT OF SALE (the mobile wallet) It’s paying for things at a store with a mobile device, using NFC, “tap & go” or some other yet-to-be-hyped method.
11. MOBILE AS THE POINT OF SALE (every smartphone is a cash register) This is a merchant using a mobile device to process credit card payments. Do not confuse this with mobile payment: they are not the same thing.
12. MOBILE PAYMENT PLATFORM (everything else mobile payment) This is a “catch-all” category for products that let consumers send money to merchants or even to each other (P2P) using a mobile device. It might be at the point of sale, it might be online.
13. DIRECT CARRIER BILLING (Put it on my phone bill) This is consumers buying ringtones, games or digital content by putting the charges on their cell phone bill.
14. CLOSED LOOP MOBILE PAYMENT (the return of the store credit card: now it’s mobile) If a company doesn’t want to wait for someone else to build a wallet or a platform, it can always build its own. Starbucks did 3 million transactions in their first two months.
17. Pillar 1 - UICC The UICC is considered the most appropriate NFC secure element for the mobile phone. The UICC (Universal Integrated Circuit Card) is also known as the “SIM card”. The SIM card is used as a multi-application Secure Element to perform trusted transactions with a contactless terminal.
18. Pillar 2 - Near Field Communications NFC, or near-field communications, is a short-wave radio communications technology that provides a way for two devices to exchange small amounts of data when they are placed about four inches apart. NFC is the technology of choice for the mobile industry to enable proximity-based services using the mobile phone.
22. M-payment is positioned as a potentially lucrative revenue stream [Chart: market volume (low to high) plotted against time through the Introduction, Growth, Maturity and Decline phases. Services shown: Fixed telephony, Mobile communications, Enhanced TV services, Fixed broadband, Broadcast mobile TV services, Mobile payments (excluding SMS-based), Quad-Play services, Mobile broadband, Triple Play services. Source: Frost & Sullivan. NB: bubble size approximates revenue accruing to communications service providers.]
24. A €6 billion opportunity by 2013 in Western Europe The market is expected to grow at an average of 25 per cent annually over the next five years.
26. The bad news – mobile fraud losses (*) (*) Source: Communications Fraud Control Association, www.cfca.org
27. Mobile Phone Frauds Mobile phone fraud is not a new topic, and today’s mobile security reflects the industry’s experience of fighting against fraud. [Timeline: evolution of technical threats against mobiles and cards, 1950 to 2010. Mobiles: radio telephony; 1G analog cellular, mobile cloning; 2G digital cellular, SIM/USIM; 3G, 4G, mobile tampering. Cards: magnetic stripe and embossing, skimming, counterfeiting; EMV, Chip and PIN.]
29. TLC market: new services trend Changes in the telco world are driven by radical evolutions, from new technologies up to new services linked to different markets (Internet, media, banking). New types of threats and frauds are on the rise.
30. What are the big concerns regarding mobile payments? Drivers: Better user awareness; Ease of payment; Secure network; Interoperability across networks and platforms; Efficiency and speed of mobile networks. Restraints: Lack of regulation on mobile transactions; Quality of service; Lack of collaboration between players; High cost of solution; Security concerns. Security will remain a key inhibitor. Source: Mobile Money Market: Key Market Drivers & Restraints (2010-2015)
31. Mobile Payment Risks Mobile payment services need a complex architecture involving many players with different roles… [Diagram: mobile payment application architecture. Source: Aujas]
32. A chain is only as strong as its weakest link…
33. Mobile Payment Risk Assessment In order to make a complete risk assessment it’s important to analyze the entire mobile payment ecosystem. [Taxonomy, by layer: Mobile payment protocol – design flaws in mobile protocols, design flaws in m-payment protocols, weak cryptographic algorithms; Platform (HW, SW) – side channel attacks, SIM cloning, vulnerable APIs/apps; Devices (OS) – malware, spyware. Resulting threats: man-in-the-middle attack, replay attacks, repudiation, impersonation, unauthorized access. Source: Security Issues in Mobile Payment Systems, University of India]
43. Summary & key messages Market status There has been progress in m-payment trials and deployments in Europe but mass adoption remains to be seen. Market outlook The outlook for m-payment remains positive because of technology availability, an increased sense of urgency amongst key stakeholders to enable m-payment functions, and a growing number of end users being comfortable with m-payment functions. Market expectations M-payment methods will vary across Europe; the dominance of SMS-based m-payment functions will continue but contactless technology may become important over the medium term.
44. Key success factors Ease of use for the consumer In the absence of any life-critical need, m-payment is a new service that requires consumers to change their habits. Convenience of use becomes very critical. Security assurance We strongly believe that the predominant m-payment technology will be the one that provides an appropriate security level, proportionate to the m-transaction. Standardisation & Interoperability The ecosystem requires further development to reduce complexity in interactions amongst stakeholders. Standardisation and interoperability efforts are crucial to decrease fragmentation in the ecosystem.
1) some short information about Telecom Italia 2) a mobile payment definition overview 3) an overview of mobile fraud 4) mobile payment threat management
Let’s build up a common definition… what is, and how can we define, the so-called mobile payment?
If you think about the so-called mobile financial services for a while, we do have a spread of several different words flying around… Are these all the same business? Do they have the same meaning?
Mobile Payment is a composite payment model which encompasses different paradigms, all characterized by the use of the Mobile phone as their primary means of interaction. There is a shift from paying “up close” in which the phone "emulates" a payment card (Mobile Proximity Payment), and the payment of services from a distance (remote) via SMS or Applications (Mobile Remote Payment), to managing in a broad sense, the entire process of purchase and payment remotely (mobile commerce) and the transfer of money between users or between users and financial institutions (Mobile Money Transfer). The common feature of these paradigms is the use of the phone and its distinctive features to innovate the payment methods: the huge population penetration (more than 5 billion devices worldwide), mobility, extreme portability and interactivity. We can evaluate the different types of mobile payment.
Having in mind what we have said, we can identify 5 types of mobile payment.
One upstart is called Square, which offers a smartphone app and a small piece of free hardware that plugs into a phone. The hardware swipes the credit card and charges $2.75 plus 15 cents for a swipe, or 3.5 percent plus 15 cents for a keyed-in credit-card entry. There are no contracts, no set-up fees, no monthly fees, and no monthly minimums. It has served as an alternative to payment gateways that charge higher fees.
EBay estimates the value of goods sold via its eBay iPhone app topped $400 million this year alone.
There are four major initiatives in the field of mobile money led by the GSM Association.
Pay-Buy-Mobile is the NFC-based project chosen by the mobile industry to enable proximity-based services.
Let’s start from the beginning… let’s build up a common definition… what is, and how can we define, the so-called mobile payment?
MOBILE PAYMENTS ARE GROWING, BUT ARE SO FAR USED MOSTLY FOR LOW-VALUE TRANSACTIONS Frost & Sullivan estimate the value of global m-payments at €140 billion at the end of 2012; moreover, the total payment value for NFC globally will reach more than €110 billion in 2015.
The mobile money market in Western Europe is forecast to increase up to €6 billion by 201.
Early analog technology was plagued by fraud. [Timeline notes: credit card fraud, skimming; Chip and PIN; 1990, 2004]
If we take a look at the service from the customer point of view, we can affirm that one of the biggest concerns for consumers is certainly security. Security is traditionally regarded as a very straightforward matter in the eyes of consumers, namely allowing only intended purchases and preventing theft.
Security is of paramount importance in an e-payment system. As a first step in designing a cell phone-based e-payment system, it is important to analyze the various security issues that may arise from the choice of platform and of technologies. The truth, however, is that security is quite a complicated area in the mobile payments industry due to its complex architecture made of many players with different roles. In particular, retail and transit payments with a mobile phone require wireless carriers, retailers, transport providers and banks to all work together.
We all know that a system is only as secure as the weakest link in the security chain, so it is important to analyze every single link of the chain.
In order to perform a security analysis of a mobile-payment scheme it is necessary to understand the underlying standards, technologies, protocols and platforms used. An accurate security analysis is possible only if we take a holistic view of the vulnerabilities at each dimension instead of considering only a specific dimension of the m-payment system. Based on some academic papers, we used a taxonomy of vulnerabilities at different layers and their effects. This work is useful to examine how existing or proposed m-payment systems could be affected by them. Therefore, we started by assessing the design flaws in protocols and standards in mobile networks and m-payment systems. We then assessed platforms from the hardware and software point of view, and finally we analyzed devices, especially taking into consideration new generations of malware and spyware.
Let’s now take a look at some potential security issues affecting mobile payments. In 2008 Collin Mulliner demonstrated that the NFC technology can be attacked using man-in-the-middle, so the connection should be protected using strong cryptographic algorithms at higher levels. Nowadays it’s largely demonstrated that with low-cost equipment it’s possible to eavesdrop on calls by cracking the A5/1 algorithm used in the GSM network. The takeover is related to impersonation attack types: in this case what the customer expects does happen, but they are dealing with a different entity. Data modification and loss of an NFC/RFID device are quite self-explanatory from the security point of view.
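To make the point about protection “at higher levels” concrete, here is an added example (not part of the presentation or of any Telecom Italia system) of what an application-layer protection of the contactless exchange looks like, and how it closes the man-in-the-middle and replay threats from the risk taxonomy: the terminal issues a fresh challenge, the phone binds the payment fields to that challenge with a keyed MAC, and the terminal rejects anything tampered with, replayed or out of sequence. The key, device and merchant identifiers and amounts are constructed demo values; in a real deployment the key would be held in the secure element.

```python
"""Application-layer protection for a contactless payment exchange.

Added example, not from the slides: the NFC link itself gives no
authentication, so terminal and phone authenticate each message with a
keyed MAC bound to a fresh challenge. This is what defeats the
man-in-the-middle and replay attacks listed in the risk taxonomy.
Key, identifiers and amounts are constructed demo values.
"""
import hashlib
import hmac
import os

# Constructed demo key; in a real deployment it lives in the secure element
# (UICC / embedded SE) and is provisioned per device.
DEMO_KEY = bytes(range(32))


def canonical(device_id, counter, nonce, amount_cents, merchant_id):
    """Fixed field order so both sides MAC exactly the same bytes.
    Assumes identifiers never contain '|' (demo simplification)."""
    return "|".join([device_id, str(counter), nonce.hex(),
                     str(amount_cents), merchant_id]).encode()


class Phone:
    """Payer side: holds the key and a monotonic transaction counter."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def make_payment(self, nonce, amount_cents, merchant_id):
        self.counter += 1
        msg = {"device_id": self.device_id, "counter": self.counter,
               "nonce": nonce, "amount": amount_cents, "merchant": merchant_id}
        data = canonical(self.device_id, self.counter, nonce,
                         amount_cents, merchant_id)
        msg["mac"] = hmac.new(self.key, data, hashlib.sha256).digest()
        return msg


class Terminal:
    """Payee side: issues challenges and verifies each payment message."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()   # challenges issued but not yet consumed
        self.last_counter = {}     # device_id -> highest counter accepted

    def issue_challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, msg):
        """Return (accepted, reason). The MAC is checked first, in constant
        time, so nothing else is decided on unauthenticated fields."""
        data = canonical(msg["device_id"], msg["counter"], msg["nonce"],
                         msg["amount"], msg["merchant"])
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "mac mismatch (tampered or wrong key)"
        if msg["nonce"] not in self.outstanding:
            return False, "stale or unknown challenge (replay)"
        if msg["counter"] <= self.last_counter.get(msg["device_id"], 0):
            return False, "counter not increasing (replay)"
        self.outstanding.discard(msg["nonce"])
        self.last_counter[msg["device_id"]] = msg["counter"]
        return True, "accepted"


def demo():
    """Run an honest payment, a replay and a tampered amount; return results."""
    phone = Phone("DEVICE-DEMO-01", DEMO_KEY)
    term = Terminal(DEMO_KEY)
    results = {}

    # 1. Honest transaction: fresh challenge, correct MAC, counter advances.
    nonce = term.issue_challenge()
    msg = phone.make_payment(nonce, 1250, "MERCHANT-DEMO")
    results["honest"] = term.verify(msg)

    # 2. The same captured message presented again: challenge already used.
    results["replay"] = term.verify(msg)

    # 3. A man-in-the-middle rewrites the amount on a fresh exchange.
    nonce = term.issue_challenge()
    msg = phone.make_payment(nonce, 1250, "MERCHANT-DEMO")
    results["tampered"] = term.verify(dict(msg, amount=1))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9} -> {'accepted' if ok else 'rejected'}: {reason}")
```

The counter is there for the case the slides describe of many terminals and many players: a message that somehow carries a valid challenge can still be refused if it is older than the last one this device completed.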
We’re now aware of the major threats related to mobile payments. Now let’s take a look at the possible impacts. They range from revenue losses in case of fraudulent transactions, to loss of confidentiality, especially of information such as credit card data, PINs etc., up to misuse of communication services and SIM cards.
Up to now we have just described some theory and academic works, even if we used a very pragmatic approach. But now we need to understand if someone, and I’m talking about hackers or fraudsters, is interested in mobile payment. The answer is, unfortunately, yes, and you don’t need to throw a dice… the rationale is always the same: fraudsters will always follow the money, and with mobile payments we’re just managing what they want.
Everything is real and it’s already happening… Let me just give you some examples: last June Mr. Collin Mulliner gave a presentation on attacks against NFC at the hacker conference NinjaCon. What surprised the audience was that he did it using very low-budget equipment, which makes it even more risky. By the way, all operating systems are impacted: some hackers have added NFC to the iPhone, and others are trying to break Android systems with NFC embedded.
These types of threats and vulnerabilities will open the door to new fraud scenarios. Some evergreen frauds such as identity theft and the skimming of transactions will be used to purchase goods. We’ll also see some convergence of payment and mobile frauds: just imagine downloading malware/malicious code hidden in a tag, able to make calls or send SMS to Premium Rate Numbers in a completely transparent manner from the customer point of view.
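The premium-rate scenario above hinges on a handset acting on whatever a tag says without the user seeing it. As an added example (not from the presentation or from any Telecom Italia product), the following code decodes the NDEF URI records a tag carries and applies the kind of policy a defender wants on the device: web links are previewed before opening, tel:/sms:/mailto: URIs are never dispatched without showing the target and asking for confirmation, and unknown schemes are ignored. The tag bytes are constructed for the demo, and the phone number in them is a placeholder.

```python
"""Inspecting NFC tag content before acting on it.

Added example, not from the slides. An NDEF URI record is a one-byte scheme
prefix code followed by the rest of the URI; a handset that auto-dispatches
tel:/sms: URIs read from an untrusted tag is exactly the "transparent
premium-rate call or SMS" scenario. Decode first, then apply a policy.
The tag bytes below are constructed for the demo.
"""

# NFC Forum URI record abbreviation codes (first payload byte), lower range.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:",
                0x06: "mailto:"}

TNF_WELL_KNOWN = 0x01   # NFC Forum well-known type (e.g. "U" for URI)

# Schemes that trigger a billable or sensitive action on the handset.
ACTION_SCHEMES = ("tel:", "sms:", "smsto:", "mailto:")
WEB_SCHEMES = ("http://", "https://")


def parse_ndef(data):
    """Return [(tnf, type_bytes, payload)] for each record in an NDEF message.
    Header byte: MB(7) ME(6) CF(5) SR(4) IL(3) TNF(2..0)."""
    records = []
    pos = 0
    while pos < len(data):
        header = data[pos]
        short_record = bool(header & 0x10)
        has_id = bool(header & 0x08)
        tnf = header & 0x07
        pos += 1
        type_len = data[pos]
        pos += 1
        if short_record:
            payload_len = data[pos]
            pos += 1
        else:
            payload_len = int.from_bytes(data[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if has_id:
            id_len = data[pos]
            pos += 1
        rec_type = data[pos:pos + type_len]
        pos += type_len
        pos += id_len                      # ID field not needed for this policy
        payload = data[pos:pos + payload_len]
        pos += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((tnf, rec_type, payload))
        if header & 0x40:                  # ME: last record of the message
            break
    return records


def decode_uri(payload):
    """Expand the prefix code and return the full URI string."""
    code = payload[0]
    if code not in URI_PREFIXES:
        raise ValueError(f"unsupported URI prefix code {code:#x}")
    return URI_PREFIXES[code] + payload[1:].decode("utf-8")


def classify(uri):
    """Policy decision for a URI read from an untrusted tag."""
    low = uri.lower()
    if low.startswith(ACTION_SCHEMES):
        return "confirm"    # show the number/address, require an explicit tap
    if low.startswith(WEB_SCHEMES):
        return "preview"    # show the full URL before opening it
    return "block"          # unknown scheme: do nothing


def triage_tag(data):
    """Return [(uri, decision)] for every URI record on the tag."""
    out = []
    for tnf, rec_type, payload in parse_ndef(data):
        if tnf == TNF_WELL_KNOWN and rec_type == b"U":
            uri = decode_uri(payload)
            out.append((uri, classify(uri)))
    return out


def build_uri_record(code, rest, first=False, last=False):
    """Construct a demo short record (SR=1, TNF=well-known, type 'U')."""
    payload = bytes([code]) + rest.encode()
    header = 0x10 | TNF_WELL_KNOWN | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([header, 1, len(payload)]) + b"U" + payload


# Constructed tag: a web link followed by a tel: URI with a placeholder number.
DEMO_TAG = (build_uri_record(0x01, "example.com/promo", first=True)
            + build_uri_record(0x05, "+000123456789", last=True))

if __name__ == "__main__":
    for uri, decision in triage_tag(DEMO_TAG):
        print(f"{decision:8} {uri}")
```

The same triage applies to links received by SMS or QR code: the defensive property is that nothing billable happens on the strength of untrusted input alone.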
So we understood that security is a very complex matter in mobile payments because every link in the chain must be properly secured.
Let’s now take a deeper look at some of these elements from the customer point of view. The final user becomes a central and strategic point for the security of the entire end-to-end ecosystem. What’s new from the user perspective? Certainly new behaviours, so a new customer awareness is needed in order to increase the attention to security.
Also the endpoint is evolving. Devices that are anywhere and always on make it difficult to define a perimeter, so a new security approach is needed…
And here comes the secure element. It is a critical element for mobile payment security. Depending on where it is located, we can have different players involved in the security pattern: if it’s embedded, the device manufacturer will be the protagonist; if it’s in the SD card, of course it will be a card company; and if we choose the SIM card option, the mobile operator will be involved…
Thank you very much for your attention
And please, if you have any questions, Stefano and I will be more than pleased to answer them now or during the coffee break.