ITU Workshop on “ICT Innovations in Emerging Countries” (New Delhi, India, 14 March 2013)

Innovating Cyber Defense Approaches to Combat Online Financial Fraud in Developing Economies

Charles Iheagwara, Director, Unatek, Inc.
ciheagwara@unatek.com

Mobile World
• At the end of 2011, there were 6 billion mobile subscriptions, the International Telecommunication Union (2011) estimates.
• That is equivalent to 87% of the world population.
• It is a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009.
• Mobile subscriptions in the developed world have reached saturation point, with at least one cell phone subscription per person.
• This means market growth is being driven by demand in the developing world, led by rapid mobile adoption in China and India, the world's most populous nations.

Mobile World Cont.
• At the end of 2011 there were 4.5 billion mobile subscriptions in the developing world (76 percent of global subscriptions).
• Mobile penetration in the developing world is now 79 percent, with Africa being the lowest region worldwide at 53 percent.
• Portio Research, free Mobile Factbook 2012:
– Predicts that mobile subscribers worldwide will reach 6.9 billion by the end of 2013 and 8 billion by the end of 2016.
– Estimates that Asia Pacific’s share of mobile subscribers will rise from 50.7 percent in 2011 to 54.9 percent in 2016.
– By 2016 Africa and Middle East will overtake Europe as the second largest region for mobile subscribers.

Mobile Banking
• Not all mobile subscribers have bank accounts.
• The estimate of subscribers with mobile phones but no bank accounts could be anywhere from 15 – 40% of all mobile subscribers.
• Banks say, “Let’s use phones to serve these people!”
• Several mobile banking services exist today:
– M-PESA (Kenya)
– Wizzit (S.A.)
– GCash (Philippines)
– > 100 million dollars transacted per day

How does it work?
• A network of human agents mediate transactions
– Run small businesses: mobile recharge, pharmacy etc.
– Commissioned by m-banking provider
Courtesy: Microsoft Research India

[Image: M-banking outlet in Delhi. Courtesy: CKS]
[Image: An m-banking agent sends an SMS to the bank for a deposit transaction. Courtesy: CKS]

How does it work? Hari deposits 100/-
• Agent to Bank: “Credit Hari’s a/c with 100/-”
• Bank to Hari: “Hari’s a/c credited”
Courtesy: Microsoft Research India

How does it work? Hari withdraws 100/-
• Hari to Bank: “Credit agent’s a/c with 100/-”
• Bank to Agent: “Agent’s a/c credited”
Courtesy: Microsoft Research India

Security Challenges
• Physical: Phones can be lost or stolen. If stolen, can login credentials be extracted from the memory card?
• Logical: Banks must authenticate users. How can authentication over a wireless medium be made foolproof?

Security Challenges Cont.
• Phones can be lost or stolen.
• Banks must authenticate users.
• Is this really Hari? (Hari to Bank: “Credit agent’s a/c with 100/-”)
Courtesy: Microsoft Research India

Challenges
• How do we authenticate via a phone like this? (Typical m-banking user’s phone. Courtesy: EKO)
– No GPRS
– Can’t install software
• … while also ensuring
– A simple interface (want low-literate users to use it)
– Low cost (want it to scale)

Banking Authentication for Mobile Users
• Current practice by banks is not foolproof:
• Most banks use PINs to authenticate users
• For good security, PINs must be protected
• There is evidence that some banks have holes in the way they implement PIN management
• Wireless (GSM, etc.) security is grossly inadequate
– The problem is wireless leak of information
– The security architecture proffers network-layer protection

Cyber Attacks on Mobile Banking
• Hacking incidents from well-known attacks characterize current mobile banking practice
• Attacks on the network layer are difficult to track and quantify over wireless media
• Skimming attacks result in losses that by some estimates were well over $1 billion in 2009
• Attack types include shoulder-surfing and phishing attacks.

Unatek’s Solution
• Unatek’s subsidiary intrusiononline, Inc. (www.intrusiononline.net) is developing wireless intrusion analytics that aid in analyzing authentication-based applications
• A commercial product/service is projected to be released next year
• Our approach is to address wireless authentication threat vectors peculiar to delivery of a PIN over a wireless medium
• Current practice mostly centers on cryptographic means, which have proven to be inadequate

Unatek’s Solution
• Every user has a PIN & holds a unique codebook
– Appends a “coat” that is tamper-proof to each transaction message
– A fresh coat each time
– The technology addresses network- and application-layer issues
• Our approach revolves around the belief that if a wireless transaction is carried over a medium that can authenticate, the issues mentioned above will be addressed.
• We envisage developing an application that will track PINs on cooperating devices and coat them with protective shields both on the fly and at rest on the handsets

Conclusion
• Mobile banking in developing economies is vulnerable to several attacks, resulting in losses worth several billions of dollars
• Current cyber security measures are inadequate to combat the attacks
• Unatek is incubating solutions that extend the current strategies into a new and more effective way of combating the attacks.
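
Added illustration of the "PIN plus unique codebook, a fresh coat each time" idea from the Unatek’s Solution slide; this is example code written for this page, not Unatek's or intrusiononline's implementation, and it covers only the freshness of the coated PIN. It assumes, since the slides give no detail, that each codebook page holds one random digit table per PIN position and is used once; all names (`new_codebook`, `coat`, `Bank`) are hypothetical.

```python
import hmac
import secrets

DIGITS = "0123456789"

def new_codebook(pages=20, pin_len=4):
    """Assumed layout: each page holds one random digit table per PIN position."""
    return [["".join(secrets.choice(DIGITS) for _ in DIGITS) for _ in range(pin_len)]
            for _ in range(pages)]

def coat(pin, page):
    """Coat a PIN: look each digit up in that position's table on the page."""
    return "".join(page[pos][int(d)] for pos, d in enumerate(pin))

class Bank:
    """Bank side: keeps each user's PIN, a copy of the codebook and the spent pages."""
    def __init__(self):
        self.accounts = {}

    def enroll(self, user, pin, book):
        self.accounts[user] = {"pin": pin, "book": book, "used": set()}

    def verify(self, user, page_no, coated):
        acct = self.accounts.get(user)
        if acct is None or not 0 <= page_no < len(acct["book"]):
            return False
        if page_no in acct["used"]:
            return False  # replay of an overheard coat: page already spent
        acct["used"].add(page_no)  # spend the page on any attempt: one guess per page
        expected = coat(acct["pin"], acct["book"][page_no])
        return hmac.compare_digest(expected.encode(), coated.encode())

if __name__ == "__main__":
    bank = Bank()
    book = new_codebook()              # constructed sample codebook
    bank.enroll("hari", "4821", book)  # constructed sample user and PIN
    sms = (0, coat("4821", book[0]))   # page number and coated PIN sent in the SMS
    print("first use:", bank.verify("hari", *sms))
    print("replayed :", bank.verify("hari", *sms))
```

Because every table entry is drawn independently, a single overheard coat reveals nothing about the PIN; spending a page on failed attempts limits guessing at the cost of letting wrong submissions use up pages.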