Mobile Wallet Security
NULL Bangalore, Suraj Pratap
Agenda
- Mobile wallet intro
- Statistics
- Basic features
- Built-in security
- Possible security issues
About me
Suraj Pratap. I work as an information security analyst and bounty hunter; got lucky with Google, Microsoft, PayPal, Yahoo etc.
Some Statistics
India had 375 million Internet users in October 2015.
- India's share of world population: 17.50%
- India's share of world Internet users: 6.63%
- Online e-commerce users: 3.8%
- Mobile wallet users: 0.57
Statistics
Wallet users by age group (percentage):
- 18-29: 37
- 30-44: 36
- 45-59: 17
- 60 and above: 10
Brands
Paytm, Freecharge, Mobikwik, Airtel Money, Google Pay, Apple Pay, Vodafone M-Pesa, Chillr, Oxigen Wallet, Citrus Pay, PayUMoney
Mobile wallet
A mobile application that works as a financial tool. Designed to free users from the traditional wallet: it replaces ATMs and credit cards and is faster.
Merchant benefits:
- Brands can offer a wider variety of payment options
- Easy-to-use payment interface development
Bank and financial institution benefits:
- A consistent payment interface offered to consumers and merchants
Why mobile wallet
Reference: NTTDATA
Key features
- Bill payment services
- M-brokerage services
- Mobile money transfers
- Mobile micro-payments
- Money spend analyser, etc.
But Wait
Reference: sqs.com
In-built protection: client side
- Data encryption at the client side: most of them
- Browser sandboxing: only 3
- Encryption and hashing used, AES-256 / SHA-2: most of them (please don't ask for the key ;-))
- Proprietary protocols
In-built protection: server side
- Cloud-based platform (except banks' wallets)
- VPC (virtual private cloud)
- PCI certified: trust
- Fraud detection team
- Data encrypted: yes, they all claim
In-built protection: in the middle
- Most of them are on TLS 1.1 and 1.2 only
- SSL pinning: not implemented by all
- Encrypting data inside SSL: yes, people have implemented it
- MITM: yes, it's possible
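To make the pinning point concrete, here is an added example (not code from the talk or from any wallet vendor) of the check a client performs when it pins the server's public key rather than trusting every CA on the device: it hashes the DER-encoded SubjectPublicKeyInfo of each certificate in the presented chain and accepts the connection only if one of those hashes is in the app's pin set. The host name, the SPKI bytes and the "backup key" are constructed placeholders; a real client would take the SPKI from the certificate the TLS handshake delivered. A chain that a device-trusted CA issued but whose keys are not pinned is rejected, which is exactly the case that defeats an interception proxy.

```python
import base64
import hashlib
import hmac

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs.
# In a real client the leaf SPKI comes from the certificate presented in the TLS
# handshake (e.g. ssl.SSLSocket.getpeercert(binary_form=True) plus a DER parser).
SERVER_SPKI_DER = b"constructed-current-wallet-api-spki"
BACKUP_SPKI_DER = b"constructed-backup-key-not-yet-deployed"


def spki_pin(spki_der: bytes) -> str:
    """Return the pin in the 'sha256/<base64>' form used by HPKP and OkHttp."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Pin set for a hypothetical wallet API host. Two pins are shipped on purpose:
# the key in use today and a backup key held offline, so the server key can be
# rotated without bricking every installed copy of the app.
PINS = {
    "wallet-api.example.invalid": {
        spki_pin(SERVER_SPKI_DER),
        spki_pin(BACKUP_SPKI_DER),
    }
}


def pin_matches(host: str, chain_spkis: list, pins: dict = PINS) -> bool:
    """Accept the TLS session only if some certificate in the presented chain
    carries a pinned public key. The chain is walked leaf to root so a pin on
    an intermediate CA also works.

    Assumption for this example: the app only ever talks to pinned hosts, so a
    host with no pin entry is rejected rather than silently unpinned.
    """
    expected = pins.get(host)
    if not expected:
        return False
    for spki_der in chain_spkis:
        candidate = spki_pin(spki_der)
        # Pins are public, but compare_digest keeps the comparison uniform.
        if any(hmac.compare_digest(candidate, p) for p in expected):
            return True
    return False


if __name__ == "__main__":
    host = "wallet-api.example.invalid"
    # Genuine server chain (constructed): leaf key is pinned.
    print("genuine chain accepted:", pin_matches(host, [SERVER_SPKI_DER, b"constructed-root-spki"]))
    # Chain from a CA the device trusts but whose keys the app never pinned.
    print("unpinned chain accepted:", pin_matches(host, [b"constructed-proxy-leaf-spki", b"constructed-proxy-ca-spki"]))
```

Pinning the SPKI hash instead of the whole certificate is what makes routine certificate renewal painless: as long as the server keeps its key pair, the pin stays valid, and the backup pin covers the day the key itself changes. The operational cost is that a pin set baked into a released app cannot be changed without an app update, so the backup key must exist before the first pinned build ships.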
Main Security Concerns
- If someone steals my phone, they have access to all my information
- I will not be able to pay for purchases if my phone is lost or stolen
- Someone might be able to steal my info when it is sent wirelessly
- My "mobile wallet" provider will share my info with other companies
- Too much personal spending info in one place on a smartphone
How to address them
- Wipe it remotely; sophisticated, high-tech security
- Replace immediately
- Two-way authentication
- Install the app from a trusted location
- Review contract terms and conditions
How to address them
- Trust :-) / :-(
- Cloud
Who got bugs
Paytm, Freecharge, Oxigen Wallet, Citrus Pay, Mobikwik, Airtel Money, Google Pay
Who got affected
- Users: only 2 cases which I found
- Service providers: all of them, through business logic flaws
Conclusion
Should we adopt it or not?
Wallet security: just "lock" it
Questions