Addressing fraud and risk issue surrounding mobile payment using NFC technology. Barcellona 2011 Mobile Payment conference

1. Detailing the fraud & security issues surrounding mobile payments Barcellona, 28.09.2011 Stefano Maria De' Rossi Francesco Magini

2. Agenda Mobile payment overview Brief overview of Mobile Fraud Mobile payment threat management Key takeaways

3. What are mobile payments ?

4. Mobile payment: a definition Mobile Payments Mobile Financial services Mobile Banking Mobile Commerce Mobile Money transfer

6. SEPA set apart 2 types of mobile payments SUB POINT Remote payments SEPA mobile payment framework Proximity payments

9. 5 types of Mobile Payments

10. MOBILE AT THE POINT OF SALE (the mobile wallet) It’s paying for things at a store with a mobile device using NFC or “tap & go” or some other yet to be hyped method

11. MOBILE AS THE POINT OF SALE (every smartphone is a cash register) This is merchant using a mobile device to process credit card payments. Do not confuse this with mobile payment. They are not the same thing

12. MOBILE PAYMENT PLATFORM (everything else mobile payment) This is a “catch all” category for product that let consumer send money to merchants or even each other (p2p) using mobile device. It might be at the point of sales, it might be on line.

13. DIRECT CARRIER BILLING (Put it on my phone bill) This is consumer buying ringtones or games or digital content by putting the charges on their cell phone bill

14. CLOSED LOOP MOBILE PAYMENT (the return of the store credit card: now it’s mobile) If a company doesn’t want to wait for someone else to build a wallet or a platform, it can always build it’s own. Starbucks did 3 million transaction in their first two months.

15. Mobile Money Initiative within GSMA Mobile Ticketing

17. Pillar 1 - UICC The UICC is considered the most appropriate NFC secure element for the mobile phone The UICC (Universal Integrated Circuit Card) is also known as the “SIM Card”) The SIM card is used as a multi-application Secure Element to perform trusted transactions with a contactless terminal.

18. Pillar 2 - Near Field Communications NFC, or near-field communications, is a short-wave radio communications technology that provides a way for two devices to communicate small amounts of data when they're placed about four inches apart. NFC is the technology of choice for the mobile industry to enable proximity-based services using the mobile phone

21. That’s the technology… but what about the money ?

22. M-payment is positioned as a potentially lucrative revenue stream Time Market Volume Low Introduction Growth Maturity Decline High Fixed telephony Mobile communications Enhanced TV services Fixed broad-band Source: Frost & Sullivan Broadcast mobile TV services NB: bubble size approximates revenue accruing to communications service providers Mobile payments (excluding SMS-based) Quad-Play services Mobile broadband Triple Play services

23. Mobile payments are growing

24. A €6 billion opportunity by 2013 in Western Europe The market is expected to grow at an average of 25 per cent annually over the next five years

26. The bad news – mobile fraud losses (*) www.cfca.org Communications Fraud Control Association (*)

27. Mobile Phone Frauds Mobile phone fraud is not a new topic and today’s mobile security reflects the industry’s experience of fighting against fraud Analog Cellular mobile cloning Magnetic Stripe skimming Radio Telephony 1950 1970 1990 2000 2010 3G 4G mobile tampering Evolution of technical threats against mobiles and cards Analog Cellular mobile cloning 1G Digital Cellular 2G SIM USIM EMV Magnetic Stripe Embossing skimming counterfeiting 1980 Chip and PIN

28. Evolution of fraud scenario Phreaking fraud Vishing fraud

29. TLC market: new services trend Changes in the telco world are affected by radical evolutions starting from new technologies up to new services linked to different markets (Internet, media, banking) New types of threats and frauds are on the rise

30. What are the big concerns regarding mobile payments? Source: Mobile Money Market: Key Market Drivers & Restraints (2010-2015) Lack of regulation on mobile transactions Quality of service Lack of collaboration between players High cost of solution Better user awareness Ease of payment Secure network Interoperability across networks and platforms Efficiency and speed of mobile networks Drivers Restraints Security will remain a key inhibitor Security concerns

31. Mobile Payment Risks Mobile payment services need a complex architecture involving many players with different roles… Mobile Payment application Source: Aujas

32. A chain is only as strong as its weakest link…

33. Mobile Payment Risk Assessment In order to make a complete risk assessment it’s important to analyze the entire mobile payment ecosystem Man-in-the-middle attack Replay attacks Repudiation Impersonation Unauthorized access Source: Security Issues in Mobile Payment Systems, University of India Mobile payment Protocol Design flaws in mobile protocols Design flaws in m-payment protocols Weak cryptographic algorithm Platform HW SW Side channel attack SIM cloning Vulnerable APIs/Apps Devices Malware Spyware OS

36. Are hackers/fraudsters really interested in mobile payment?

39. Mobile Application Security

43. Summary & key messages Market status There has been progress in m-payment trials and deployments in Europe but mass adoption remains to be seen. Market outlook The outlook for m-payment remains positive because of technology availability, an increased sense of urgency amongst key stakeholders to enable m-payment functions, and a growing number of end users being comfortable with m-payment functions. Market expectations M-payment methods will vary across Europe; the dominance of SMS-based m-payment functions will continue but contactless technology may become important over the medium term.

44. Key success factors Ease of use for the consumer In the absence of any life critical need, m-payment is a new service that requires consumers to change their habits. Convenience of use becomes very critical. Security assurance We strongly believes that the predominant m-payment technology will be the one that provides an appropriate security level proportionate to the m-transacton. Standardisation & Interoperability The eco-system requires further development to reduce complexity in interactions amongst stakeholders. Standardisation and efforts of interoperability are crucial to decrease fragmentation in the eco system.

46. [email_address] [email_address]