Innovating Cyber Defense Approaches to Combat Online Financial Fraud in Developing Economies
Charles Iheagwara, Director, Unatek, Inc.
ITU Workshop on “ICT Innovations in Emerging Countries” (New Delhi, India, 14 March 2013)
Mobile World
• At the end of 2011, there were 6 billion mobile subscriptions, estimates the International Telecommunication Union (2011).
• That is equivalent to 87% of the world population.
• This is a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009.
• Mobile subscribers in the developed world have reached saturation point, with at least one cell phone subscription per person. This means market growth is being driven by demand in the developing world, led by rapid mobile adoption in China and India, the world's most populous nations.
Mobile World Cont.
• At the end of 2011 there were 4.5 billion mobile subscriptions in the developing world (76 percent of global subscriptions). Mobile penetration in the developing world is now 79 percent, with Africa being the lowest region worldwide at 53 percent.
• Portio Research – free Mobile Factbook 2012
– Predicts that mobile subscribers worldwide will reach 6.9 billion by the end of 2013 and 8 billion by the end of 2016.
– Estimates that Asia Pacific’s share of mobile subscribers will rise from 50.7 percent in 2011 to 54.9 percent in 2016. By 2016 Africa and Middle East will overtake Europe as the second largest region for mobile subscribers.
Mobile Banking
• Not all mobile subscribers have bank accounts
• The estimate of subscribers with mobile phones but no bank accounts could be anywhere from 15 – 40% of all mobile subscribers
• Banks say, “Let’s use phones to serve these people!”
• Several mobile banking services exist today
– M-PESA (Kenya)
– Wizzit (S.A.)
– GCash (Philippines)
– > 100 million dollars transacted per day
How does it work? Courtesy: Microsoft Research India
• A network of human agents mediates transactions
– Run small businesses: mobile recharge, pharmacy, etc.
– Commissioned by m-banking provider
[Photos: M-banking outlet in Delhi; an m-banking agent sends an SMS to the bank for a deposit transaction. Courtesy: CKS]
How does it work? Courtesy: Microsoft Research India
[Diagram (Hari, Agent, Bank): Hari deposits 100/-; message “Credit Hari’s a/c with 100/-”; reply “Hari’s a/c credited”]
How does it work? Courtesy: Microsoft Research India
[Diagram (Hari, Agent, Bank): Hari withdraws 100/-; message “Credit agent’s a/c with 100/-”; reply “Agent’s a/c credited”]
Security Challenges
• Physical: Phones can be lost or stolen. If stolen, can login credentials be extracted from the memory card?
• Logical: Banks must authenticate users. How can authentication over a wireless medium be made foolproof?
Security Challenges Cont. Courtesy: Microsoft Research India
• Phones can be lost or stolen.
• Banks must authenticate users.
[Diagram (Hari, Bank): message “Credit agent’s a/c with 100/-”; Is this really Hari?]
[Image: Challenges. Courtesy: EKO]
Banking Authentication for Mobile Users
• Current practice by banks is not foolproof:
– Most banks use PINs to authenticate users
– For good security, PINs must be protected
– There is evidence that some banks have holes in the way they implement PIN management
• Wireless (GSM, etc.) security is grossly inadequate
– The problem is wireless leak of information
– The security architecture proffers network-layer protection
Cyber Attacks on Mobile Banking
• Hacking incidents from well-known attacks characterize current mobile banking practice
• Attacks on the network layer are difficult to track and quantify over wireless media
• Skimming attacks result in losses that by some estimates were well over $1 billion in 2009
– Attack types include shoulder-surfing and phishing attacks.
Unatek’s Solution
• Unatek’s subsidiary intrusiononline, Inc. (www.intrusiononline.net) is developing wireless intrusion analytics that aid in analyzing authentication-based applications
• A commercial product/service is projected to be released next year
• Our approach is to address wireless authentication threat vectors peculiar to the delivery of PINs over a wireless medium
• Current practice mostly centers on cryptographic means, which have proven to be inadequate
Unatek’s Solution
• Every user has a PIN & holds a unique codebook
– Appends a tamper-proof “coat” to each transaction message
– A fresh coat each time
– The technology addresses network- and application-layer issues
• Our approach revolves around the belief that if a wireless transaction is carried over a medium that can authenticate, the issues mentioned above will be addressed.
• We envisage developing an application that will track PINs on cooperating devices and coat them with protective shields both on the fly and at rest on the handsets
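An added illustration of the “fresh coat per message” idea on this slide, not Unatek's or intrusiononline's code. The slides do not say how a coat is computed, so this example assumes an HMAC-SHA256 tag keyed by the PIN and the next unused codebook entry; `coat`, `Bank`, `demo` and the sample PIN, codebook and messages are hypothetical names and constructed values.

```python
import hashlib
import hmac

def coat(message: str, pin: str, codebook: list[bytes], index: int) -> str:
    """Return 'message|index|tag'. The PIN itself never goes on the wire."""
    # Assumed construction: one-time key = SHA-256(PIN || codebook entry).
    key = hashlib.sha256(pin.encode() + codebook[index]).digest()
    tag = hmac.new(key, f"{index}|{message}".encode(), hashlib.sha256)
    # Tag truncated to 64 bits to fit an SMS-sized message (an assumption).
    return f"{message}|{index}|{tag.hexdigest()[:16]}"

class Bank:
    """Bank-side check: holds the user's PIN and a copy of the codebook."""
    def __init__(self, pin: str, codebook: list[bytes]):
        self.pin, self.codebook, self.used = pin, codebook, set()

    def verify(self, wire: str) -> str:
        try:
            message, idx, tag = wire.rsplit("|", 2)
            index = int(idx)
        except ValueError:
            return "malformed"
        if not 0 <= index < len(self.codebook):
            return "unknown code"
        if index in self.used:
            return "replay"            # each codebook entry is good once
        expected = coat(message, self.pin, self.codebook, index).rsplit("|", 1)[1]
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad coat"          # altered message, wrong PIN or codebook
        self.used.add(index)
        return "accepted"

def demo() -> list[str]:
    # Constructed sample data: a 4-entry codebook and a PIN for user "Hari".
    codebook = [bytes([i]) * 16 for i in range(1, 5)]
    bank = Bank("4821", codebook)
    msg = "Credit agent's a/c with 100/-"
    wire = coat(msg, "4821", codebook, 0)
    altered = coat(msg, "4821", codebook, 1).replace("100/-", "900/-")
    return [
        bank.verify(wire),                             # genuine request
        bank.verify(wire),                             # captured and resent
        bank.verify(altered),                          # amount changed in transit
        bank.verify(coat(msg, "0000", codebook, 2)),   # codebook held, PIN wrong
    ]

if __name__ == "__main__":
    print(demo())
```
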
Conclusion
• Mobile banking in developing economies is vulnerable to several attacks, resulting in losses worth several billions of dollars
• Current cyber security measures are inadequate to combat the attacks
• Unatek is incubating solutions that extend the current strategies into a new and more effective way of combating the attacks.