ITU Workshop on “ICT Innovations in Emerging Countries”
(New Delhi, India, 14 March 2013)

Innovating Cyber Defense Approaches to Combat Online Financial Fraud in Developing Economies

Charles Iheagwara, Director, Unatek, Inc.
ciheagwara@unatek.com
New Delhi, India, 14 March 2013
Mobile World

• At the end of 2011, there were 6 billion mobile subscriptions, estimates the International Telecommunication Union (2011).
• That is equivalent to 87% of the world population.
• It is a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009.
• Mobile subscriptions in the developed world have reached saturation point, with at least one cell phone subscription per person. This means market growth is being driven by demand in the developing world, led by rapid mobile adoption in China and India, the world's most populous nations.
Mobile World Cont.

• At the end of 2011 there were 4.5 billion mobile subscriptions in the developing world (76 percent of global subscriptions). Mobile penetration in the developing world is now 79 percent, with Africa being the lowest region worldwide at 53 percent.
• Portio Research – free Mobile Factbook 2012:
  – Predicts that mobile subscribers worldwide will reach 6.9 billion by the end of 2013 and 8 billion by the end of 2016.
  – Estimates that Asia Pacific’s share of mobile subscribers will rise from 50.7 percent in 2011 to 54.9 percent in 2016.
  – By 2016 Africa and the Middle East will overtake Europe as the second largest region for mobile subscribers.
Mobile Banking

• Not all mobile subscribers have bank accounts.
• The estimate of subscribers with mobile phones but no bank accounts could be anywhere from 15 – 40% of all mobile subscribers.
• Banks say, “Let’s use phones to serve these people!”
• Several mobile banking services exist today:
  – M-PESA (Kenya)
  – Wizzit (S.A.)
  – GCash (Philippines)
  – > 100 million dollars transacted per day
How does it work?
(Figure courtesy: Microsoft Research India)

• A network of human agents mediates transactions
  – Agents run small businesses: mobile recharge, pharmacy, etc.
  – Agents are commissioned by the m-banking provider

[Photo: M-banking outlet in Delhi. Courtesy: CKS]

• An m-banking agent sends an SMS to the bank for a deposit transaction.

How does it work? (deposit)
(Figure courtesy: Microsoft Research India)
Hari deposits 100/- with the Agent.
Agent -> Bank: “Credit Hari’s a/c with 100/-”
Bank -> Hari: “Hari’s a/c credited”

How does it work? (withdrawal)
(Figure courtesy: Microsoft Research India)
Hari withdraws 100/- from the Agent.
Hari -> Bank: “Credit agent’s a/c with 100/-”
Bank -> Agent: “Agent’s a/c credited”
Security Challenges

• Physical: Phones can be lost or stolen. If stolen, can login credentials be extracted from the memory card?
• Logical: Banks must authenticate users. How is authentication via a wireless medium sure proof?

Security Challenges Cont.
(Figure courtesy: Microsoft Research India)
Phones can be lost or stolen. Banks must authenticate users.
Hari -> Bank: “Credit agent’s a/c with 100/-”
Bank: Is this really Hari?
Challenges

• How do we authenticate via a phone like this?
  – No GPRS
  – Can’t install software
  [Photo: Typical m-banking user’s phone. Courtesy: EKO]
• … while also ensuring
  – A simple interface (want low-literate users to use it)
  – Low cost (want it to scale)
Banking Authentication for Mobile Users

• Current practice by banks is not sure proof:
  – Most banks use PINs to authenticate users
  – For good security, PINs must be protected
  – There is evidence that some banks have holes in the way they implement PIN management
• Wireless (GSM, etc.) security is grossly inadequate
  – The problem is wireless leak of information
  – The security architecture proffers only network-layer protection
Cyber Attacks on Mobile Banking

• Hacking incidents from well-known attacks characterize current mobile banking practice
  – Attacks on the network layer are difficult to track and quantify over wireless media
  – Skimming attacks result in losses, by some estimates well over $1 billion in 2009
  – Attack types include shoulder-surfing and phishing attacks
Unatek’s Solution

• Unatek’s subsidiary intrusiononline, Inc. (www.intrusiononline.net) is developing wireless intrusion analytics that aid in analyzing authentication-based applications
• A commercial product/service is projected to be released next year
• Our approach is to address wireless authentication threat vectors peculiar to delivery of the PIN over a wireless medium
• Current practice mostly centers on cryptographic means, which have proven to be inadequate
Unatek’s Solution

• Every user has a PIN & holds a unique codebook
  – A “coat” that is tamper-proof is appended to each transaction message
  – A fresh coat each time
  – The technology addresses network- and application-layer issues
• Our approach revolves around the belief that if a wireless transaction is carried over a medium that can authenticate, the issues mentioned above will be addressed.
• We envisage developing an application that will track PINs on cooperating devices and coat them with protective shields both on the fly and at rest on the handsets
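The slides above describe the idea only at the level of "PIN plus a per-user codebook, with a fresh tamper-proof coat on every message". The following is an added illustration of that idea as a defender would build it with standard primitives; it is not Unatek's or intrusiononline's code, and the deck does not disclose their actual design. It assumes a hypothetical SMS layout `index|body|tag`, a codebook of random one-time secrets shared with the bank at enrolment, and an HMAC tag as the "coat". It also plays through the deposit/withdrawal exchange from the earlier slides: the bank accepts a correctly coated message, refuses the same SMS replayed, and refuses a message whose amount was altered in transit.

```python
import hmac
import hashlib
import secrets

# Hypothetical codebook layout (constructed for this example): a fixed number of
# random 16-byte one-time secrets, indexed by position. The user and the bank
# both hold a copy; each entry is consumed by exactly one transaction.
CODEBOOK_SIZE = 16


def make_codebook(size=CODEBOOK_SIZE):
    """Generate a per-user codebook of one-time secrets (enrolment step)."""
    return [secrets.token_bytes(16) for _ in range(size)]


def derive_key(pin, codebook_entry):
    """Mix the user's PIN with one codebook entry into a per-message key.
    PBKDF2 makes offline PIN guessing slow if a tag and codebook entry leak."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), codebook_entry, 10_000, dklen=32)


def coat_message(body, index, pin, codebook):
    """Append a fresh 'coat' (truncated HMAC-SHA256 tag) to a transaction SMS.
    The index selects an unused codebook entry, so every message gets a new key
    and the tag changes even when the body is identical."""
    key = derive_key(pin, codebook[index])
    payload = f"{index}|{body}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}|{tag}"


class BankVerifier:
    """Bank-side state for one user: the shared PIN and codebook, plus the set
    of codebook indices already spent (the replay check)."""

    def __init__(self, pin, codebook):
        self.pin = pin
        self.codebook = codebook
        self.used = set()

    def verify(self, sms):
        """Return (True, body) for an authentic, fresh SMS, else (False, reason).
        The coat is checked before the replay check so a forged tag is never
        able to burn a codebook entry."""
        try:
            index_str, body, tag = sms.split("|")
            index = int(index_str)
        except ValueError:
            return False, "malformed"
        if not 0 <= index < len(self.codebook):
            return False, "bad index"
        key = derive_key(self.pin, self.codebook[index])
        expected = hmac.new(key, f"{index}|{body}".encode(), hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tag):
            return False, "bad coat"       # tampered body, wrong PIN, or wrong codebook
        if index in self.used:
            return False, "replay"         # genuine coat, but this entry was already spent
        self.used.add(index)
        return True, body


def demo():
    """Walk through the withdrawal exchange: Hari asks the bank to credit the
    agent's account, then an adversary replays and tampers with that SMS."""
    pin = "4321"                                   # constructed sample PIN
    codebook = make_codebook()
    bank = BankVerifier(pin, codebook)

    sms = coat_message("CREDIT agent_acct 100", 0, pin, codebook)   # Hari -> Bank
    first = bank.verify(sms)                       # (True, 'CREDIT agent_acct 100')
    replay = bank.verify(sms)                      # (False, 'replay')

    index_str, body, tag = sms.split("|")
    tampered = f"{index_str}|{body.replace('100', '900')}|{tag}"
    forged = bank.verify(tampered)                 # (False, 'bad coat')
    return first, replay, forged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two points the example makes that the slide does not: the bank must guard the codebook as carefully as the PIN, since anyone holding both can coat messages; and a spent-index list (or a monotonic counter) is what actually turns "a fresh coat each time" into replay protection, because the tag alone would verify again if the same SMS were resent.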
Conclusion

• Mobile banking in developing economies is vulnerable to several attacks resulting in losses worth several billions of dollars
• Current cyber security measures are inadequate to combat the attacks
• Unatek is incubating solutions that extend the current strategies into a new and more effective way of combating the attacks.