Security proposal on mobile payment
Yan Liu, [email protected], atsec China
CISSP, CC Evaluator, ISO/IEC 27001 LA, CNAS Auditor, PCI QSA, PA DSS QSA, ASV
Sep 2012, 13ICCC, Paris
atsec public
Content
What is mobile payment and why security is important
Introduction on the payment card industry
• Payment industry terminology and roles
• Information sharing about mobile payment security
atsec proposal on mobile payment
• Physical and network environment security
• Payment application security
• Organizational security
Conclusion
© atsec information security, 2012
Experience on Mobile Payment
The convenience and speed of mobile payment
The Definition – From Wikipedia
Mobile payment, also referred to as mobile money, mobile banking, mobile money transfer, and mobile wallet generally refer to payment services operated under financial regulation and performed from or via a mobile device.
Financial institutions and credit card companies as well as Internet companies such as Google and a number of mobile communication companies, such as mobile network operators and major telecommunications infrastructure and handset multinationals such as Ericsson have implemented mobile payment solutions.
Mobile payment is an alternative payment method. Instead of paying with cash, check, or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods.
There are four primary models for mobile payments: Premium SMS based transactional payments, Direct Mobile Billing, Mobile web payments (WAP), Contactless NFC (Near Field Communication).
Why Mobile Payment?
-- Common arguments from literature
(Figure: word cloud) Agility, Security, Cost, Sustainability, Scalability, Location independence, Reliability
Wait – Security???
Why Securing Mobile Payments
• Current mobile devices have limited security safeguards for payment acceptance. More and more vulnerabilities are being found on mobile devices, such as the Android system.
• Responsibilities for security in the mobile infrastructure span multiple participants.
• Protecting payment card data is required and protects all entities in the payment ecosystem.
• Secure mobile acceptance supports customer confidence.
Payment Card Industry and Its Related Roles
PCI (Payment Card Industry)
PCI roles
– Cardholders
– Issuers
– Merchants
– Acquirers
– Payment or Card Brands
– Service Providers
Payment processing: Authorization, Clearing, Settlement
Key PCI Standards
(Figure: overview of PCI standards) Information source from PCI SSC
Mobile payment – from PCI SSC
In June 2011, PCI SSC announced the related guideline on "Mobile Payment Acceptance Application and PA DSS".
Three defined categories of mobile payment applications (see also next page).
The Mobile Task Force is a forum for PCI SSC collaboration and consultation with industry groups, including the OWASP Mobile Project, GlobalPlatform, GSMA, BITS, NIST and ANSI/ISO.
March 2012: workshop "The Future of Money: How Mobile Payments Could Change Financial Services".
May 2012: "Accepting mobile payments with a Smartphone or tablet" was announced. P2PE solutions may help to protect the communication.
Mobile Payment Applications
Category 1: PTS Approved PED Devices
Category 2: Purpose Built POS Devices
Category 3: General Purpose Smart Device
Applications for category 1 and 2 devices are eligible for PA-DSS.
Applications for category 3 devices are pending development of further guidance and/or standards.
Brief Introduction on Our Proposal on Mobile Payment
New/key Technologies on Mobile Payment
Tokenization
Encryption
Wireless
EMV
Virtualization
Mobile
Some figures on this page are sourced from PCI SSC
IT Base Infrastructure
(Figure: layered IT base infrastructure)
Web and Client Application Security
Windows Base Applications: Apache, Netscape, IIS, Oracle Database, SQL Server, Terminal Server, Windows Applications, Microsoft Windows NT
Unix Base Applications: MySQL Database, Oracle Database, SuSE Linux, Sun Solaris, Unix Applications
Firewalls
Secure Administration, Backup and Recovery, Middleware, Base OS Security, Connectivity Security, System Management
Network and Protocols
Physical Infrastructure
Idea source from atsec Germany
Physical and Network Environment Security
PCI DSS as a best practice.
Sensitive data should be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
Cryptographic protocols (such as SSL v3.0) for data transmission; the website and interface are accessible via certificates issued by authorized parties.
Strong cryptographic algorithms and well-designed and implemented key management (FIPS 140-2 could be considered during the implementation).
Install security updates and patches on all system components.
Security hardening: settings of applications and devices are tuned to ensure appropriate levels of protection.
Networks are strictly segregated and strong access controls are in place, e.g. restrictive firewalls protect all connections between networks.
Audit management and security monitoring.
Authentication: password complexity, two-factor authentication for remote access, etc.
Physical security.
Prioritized Approach
MS1: Remove sensitive authentication data and limit data retention
MS2: Protect the perimeter, internal, and wireless networks
MS3: Secure payment card applications
MS4: Monitor and control access to your systems
MS5: Protect stored cardholder data
MS6: Finalize remaining compliance efforts, and ensure all controls are in place
(Chart: Percent complete by milestone – Sample, MS 1 to MS 6)
(Chart: Estimated date of completion by milestone – Sample, MS 1 to MS 6)
Some text is sourced from PCI SSC
Payment Application Security
PCI Payment Application Data Security Standard (PA DSS) and PIN Transaction Security (PTS) could be considered as best practice.
Prohibit the storage of card numbers, magnetic stripe data and security codes on the payment application and mobile devices.
Application development is subject to strict quality testing and security review (CC assurance requirement ALC could be considered).
Industry standard secure coding guidelines, especially for web applications (OWASP could be considered).
Implementation guide on how to install and configure the application in a secure manner.
It is suggested to develop a Protection Profile with respect to the mobile payment application, which is accepted by the industry.
Organizational Security Example
(Figure: two-level document structure)
LEVEL 1 (Policy):
Information exchange and media management policy; Asset management policy; Third-parties management policy; Roles and responsibility; Log management policy; Vulnerability management policy; Account and password policy; Software security requirements; Anti-virus policy; Network security management policy; Access control policy; Data protection policy; Log security policy; Change control policy; Security testing policy; Software design and development policy; Encryption policy; Physical environment management policy; Network infrastructure security management policy; Management system policy
Level 2 (Procedures):
Vulnerability ranking; Anti-virus procedure; Firewall configuration; Software development; Management review; Third-parties management procedure; Physical environment management; Vulnerability management; Log security management; Account security; Asset management procedure; Media management procedure; System configuration; Incident response; Risk assessment; Information security training; Security coding guideline; Document and record control; Human resource procedure; Payment business description
atsec methodology: Integrated and unified Management System
(Figure: mobile payment security at the centre, surrounded by Cryptographic security (FIPS 140-2), Common Criteria, Quality (ISO 9001), Secure development, Payment data security, PCI & PA DSS, Supply chain security, Payment application security, ISO/IEC 27001 ISMS)
Establish a common management system (Configuration Management), perform assets/business oriented risk assessment.
The use of cryptographic algorithms and key management (FIPS 140-2).
Improve quality management.
Supply chain security.
Introducing the CC standard secure development idea, risk assessment process and also the idea of a PP.
PCI DSS and PA DSS to protect cardholder and sensitive data.
Sensitive Data Discovery
Penetration testing methodology and forensic tools
• Commercial or open source tools
Sensitive data could be stored in different locations. Typical locations include:
• Database, flat files, log files, debug files
• Paper receipts
Typical systems that store track data:
• POS systems, POS servers, Authorization servers.
If an environment does not have card swipe readers or receive data from face-to-face merchants with a card swipe reader, it is unlikely (but not impossible) that they will have the track data.
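As an added example (not part of the original slides), a small Python scanner that applies the sensitive data discovery idea above to log and debug files: it looks for the ISO 7813 track 1 and track 2 layouts and for bare card numbers, uses the Luhn check to drop order ids and timestamps that merely look like PANs, and reports every hit masked so the scanner output is not itself sensitive data. The sample lines are constructed for the demo and use industry test card numbers.

```python
import re

# Constructed sample log/debug lines for the demo (industry test PANs, not real cards).
SAMPLE_LINES = [
    "DEBUG swipe raw: %B4111111111111111^DOE/JOHN^2512101?;4111111111111111=2512101?",
    "INFO  auth ok pan=411111******1111 amount=12.50",
    "INFO  order id=1234567890123 status=shipped",
    "DEBUG cache dump: 5555 5555 5555 4444 exp=0325",
]

# ISO 7813 track layouts: track 1 is %B<PAN>^<NAME>^<YYMM>..., track 2 is ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Bare PAN candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out numbers that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Masked form (first six, last four) so findings can be reported without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str):
    """Return [(kind, masked_pan)] for one line; track data is reported before bare PANs."""
    findings, covered = [], set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
                covered.add(m.start(1))  # remember the PAN position so it is not reported twice
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if m.start() not in covered and luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings

def scan_lines(lines):
    """Scan a list of lines (e.g. a log or debug file) and return [(line_no, kind, masked_pan)]."""
    return [(n, kind, pan) for n, line in enumerate(lines, 1) for kind, pan in scan_line(line)]

if __name__ == "__main__":
    print(scan_lines(SAMPLE_LINES))
```

The masked PAN in the second sample line and the non-Luhn order id in the third are deliberately not reported, which is the false-positive behaviour a practitioner needs before running such a scan over a merchant's servers.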
Affected areas
(Figure: IT infrastructure with Internet, Intranet / Remote Connection, Firewalls, Network, Central Server, Local Server, Applications (WebApp, Mail, SMS) and Security Firewall)
IT Infrastructure
IT Process
Organization
Documentation
Source from atsec Germany
atsec's Place in Mobile Payment
Our knowledge: Virtualization; Encryption / key management; Security monitoring; Security architecture; Large scale risk analysis; Penetration testing; In-depth security analysis; Other expertise
Technical expertise: Independent third party audit; External security scanning; Security assessment
Conclusion
The affected business areas for the security solutions on mobile payment cover IT infrastructure, IT process, organization and also documentation.
A standards-combined approach is used for the overall security proposal, including standards like CC (introducing secure development and risk management methodology), FIPS 140 (cryptographic module and key management), PCI DSS (payment industry best practice), ISO/IEC 27001 (information security management system), etc.
Various technical expertise and services are required, including virtualization, encryption/key management, security monitoring, security architecture, large scale risk assessment, penetration testing, and in-depth security analysis.
Conclusion – cont.
Independent security audit, testing and evaluation are important; nevertheless, different validation requirements could be considered for different security levels.
A protection profile on the mobile payment application could be drafted based on this paper, and proposed further by the CC and payment industry.
Thanks
http://www.atsec.cn/