Security @ Mobile VAS

Ltcdr. Pawan Desai, CISA, CISSP
Derisk your business

contact@mahindrassg.com | www.mahindrassg.com
Agenda

- What comprises VAS
- Current Trends
- Need for Security
- Vulnerabilities
- Risk Matrix
- Domains of Mitigation
- Mitigation Steps
What is mobile VAS

Includes services like:
- Short Messaging Service (SMS)
- Multimedia Messaging Service (MMS)
- Caller ring back
- Wallpapers
- Screensavers
- Other downloads
- Mobile Banking
Current Trends

- M-VAS is set to grow 70% YOY
- The combined market for all types of mobile payments is expected to reach more than 18000 Cr globally by 2013
- The registered user base for mobile banking in India is around 25 mn, while the active users are only 2.5 mn
- The mobile banking active user base is expected to reach 2% by 2012, up from the current 0.2%
- 35% of online banking households will use mobile banking by 2010, up from less than 1% at present
- 70% of bank call-centre call volume is slated to come from mobile phones
- VAS constitutes 7% of the total telecom revenue for Indian operators
- Digital music and ringtones constitute 35% of VAS revenue
VAS Revenues by Category

[Chart slide: VAS revenues by category]
* Source: http://www.pluggd.in/indian-telecom-industry/mobile-vas-numbers-india-revenu
Need for Security

- AT STAKE: an INR 16,520 Cr business
- 35% of online banking households will be using mobile banking by 2010, up from less than 1% in 2007

- 2005: first malicious mobile virus attack was recorded
- 2006: 60 mobile viruses
- 2007: > 400 mobile viruses + snoopware + spyware + scripts specially written for "camera mobiles"
- 2009: Anybody's guess!!!

"The biggest challenge - ensuring malware-free content"
The Value Chain

[Diagram slide: the mobile VAS value chain]
Vulnerabilities of the Mobile Channel

- "Curse of Silence" attacks, also called "Curse SMS"
- Reset of PIN/password by fraudsters
- Increase in the "SIM swap" scam
- IMEI (International Mobile Equipment Identity) duplication
- Lack of user knowledge, leading to the prevalence of unsafe mobile usage practices
- Denial of Service (DoS)
- Virus propagation
- Overbilling attacks
- Malware attacks, including ransomware
Vulnerabilities of the Mobile Channel (cont.)

Relating to the handset
- Easily lost, and handsets are changed frequently, so authentication and authorisation are challenging
- Limited keypads, hence a limited choice of PINs

Relating to the mobile channel
- Encryption is not necessarily end-to-end

Relating to VAS applications
- Often outsourced; the interface with the provider may create additional vulnerabilities
Risk Matrix

Each vulnerability is mapped to its result and to three threat columns: Fraudulent transaction / Privacy loss / Service denial (√ = applies, - = does not apply).

1. Vulnerability: Reset of PIN by fraudster
   Result: Fraudster knows the PIN and MSISDN and can initiate transactions off a stolen phone
   Threats: Fraudulent transaction √, Privacy loss √, Service denial √

2. Vulnerability: Lack of user knowledge / experience
   Result: Mis-formatted messages (DoS); invalid attempts (PIN lock); user asks others for help and exposes the PIN
   Threats: Fraudulent transaction √, Privacy loss √, Service denial √

3. Vulnerability: SIM swap
   Result: The valid MSISDN is moved to another handset. The user has no access to their account and receives no notifications. The user with the other handset, on knowing the PIN, can transact on the account
   Threats: Fraudulent transaction √, Privacy loss √, Service denial √

4. Vulnerability: Movement of funds beyond defined beneficiaries
   Result: Funds gone and not retrievable
   Threats: Fraudulent transaction √, Privacy loss √, Service denial -

5. Vulnerability: Infection by virus (advanced feature phones and smartphones)
   Result: A 3rd party can see and send transactions through the device: act as a relay for transactions, PIN sent to the 3rd party, information sent to the 3rd party, replay of transactions, stopping valid transactions, stopping notification messages
   Threats: Fraudulent transaction √, Privacy loss √, Service denial √
Domains of Mitigation

Domain: Technology
  Mitigation strategy: Change and/or modify the technology to reduce the risk
  Example: Plaintext PIN exposure
  Action: Move from no security on the mobile to security on the mobile (from structured SMS with PIN to SIM Toolkit with PIN)

Domain: Process
  Mitigation strategy: Implement process controls to block process paths that can be exploited
  Example: Movement of funds to a random beneficiary allows a thief to send money to whoever they want
  Action:
  - Require pre-registration of a beneficiary via the call centre, where the user's identity is authenticated by asking questions
  - Limit or set the value that can be sent to a beneficiary
  - Fraud monitoring processes to look for out-of-normal transactions

Domain: Environment
  Mitigation strategy: Train and inform users to influence behaviour
  Example: Theft / borrowing of the mobile handset and knowledge of the PIN by the thief (this cannot be stopped by technical or process means)
  Action:
  - Train users not to hand out their PINs so as to let others use their mobile
  - Vigorous follow-up and prosecution
Mitigation steps

For users:
- Observe caution while using Bluetooth
- Have an AV running
- Know your IMEI number

For service providers:
- Ensure that connections to and from users are over secure channels
- All connections from and to other service providers must also be secured
- Implement strong authentication

For regulators and service providers:
- Work together to secure the mobile infrastructure
- Create implementable laws that minimize the instances of fraud
The Value Chain

[Diagram slide: the mobile VAS value chain]
Thank You…

India
- Mumbai: 3rd floor, Landmark Building, next to Mahindra Towers, Worli, Mumbai 400 018. India. Ph: +91-22-24901441
- New Delhi: 2-A, Mahindra Towers, Bhikaji Cama Place, New Delhi - 110 066, India. P: +91 (11)-4122 0300
- Bangalore: #150, Tower No. B-2, Level-I, Diamond District, Airport Road, Bangalore - 560 008, India. Phone: +91 80 4135 3200

Europe
- London: 4 New Square, Bedfont Lakes, Feltham, Middlesex TW14 8HA. Phone: +44 20 8818 0920, Fax: +44 20 8818 0921
- Germany: GMBH. Partnerport - Altrottstrabe 31, D-69190 Waldorf, Germany. Ph: +49 (0) 6227 381 106

Singapore
- 30 Raffles Place, # 23-00 Caltex House, Singapore 048622. Ph: +65-6233-6853 / 54

www.mahindrassg.com
Mahindra Represented at The Mobile VAS SUMMIT 2009 by Virtue Insight