mo bile money mo bile problems security analysis of
play

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless - PowerPoint PPT Presentation

Apr 17, 2023 •239 likes •444 views

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World Bradly Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, Kevin Butler University of Florida Published at USENIX Security 2015 Based on

  1. Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World Bradly Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, Kevin Butler University of Florida Published at USENIX Security 2015 Based on slides by Bradly Reaves Presenter: Qi Wang 1

  2. Branchless Banking a.k.a Mobile Money • Generally deployed by companies outside of the traditional financial services sector • Their use does not require having a previously established relationship with a bank • They don’t rely on Internet connectivity exclusively, but also use SMS, Unstructured Supplementary Service Data or cellular voice to conduct transactions 2

  3. Why this is important • Millions are relying on mobile money everyday, and even more will continue to do so – As of august 2014, there were 246 mobile services in 88 countries serving 203 million users • The security of mobile money has not been publicly investigated or verified 3

  4. Analysis of mobile money apps • We did an automated analysis of 46 currently available mobile money apps • We did a manual analysis of 7 popular apps 4

  5. Automated Analysis • We used the Mallodroid tool to analyze the TLS implementation of 46 mobile money apps for Android • Over 50% of apps had a SSL/TLS vulnerability 5

  6. Manual Analysis: Apps GCash Phillipines Zuum Brazil MCoin Indonesia Money on Mobile India Mpay Thailand Airtel Money India Oxigen Wallet India About 1.2 million users 6

  7. Manual analysis • Phase 1: Inspection • Phase 2: Reverse engineering • Security analysis of – Registration and login – User authentication after login – Money transfer 7

  8. Findings: High level • 6 out of 7 apps had easily-exploited critical vulnerabilities • 28 Vulnerabilities in 6 of 7 analyzed apps • 13 CWE categories – SSL/TLS & Certificate verification – Non-standard cryptography – Access control – Information leakage 8

  9. Vulnerabilities by App GCash 7 Money on Mobile 6 Oxigen Wallet 6 Mpay 4 MCoin 3 Airtel Money 2 Zuum 0 9

  10. Vulnerabilities by type Number of Apps Number of Error Type Vulnerable Vulnerabilities TLS Certificate 4 4 Verification Non-standard 4 6 Cryptography Access Control 4 7 Information Leakage 5 12 10

  11. TLS: Client side • Some apps overrode Android’s default certificate verification routines • Developers likely did this to silence certificate warnings during development or deployment • mCoin disabled validation routines for the application to function correctly – The server side provides a certificate issued to “localhost” which is expired and self-signed 11

  12. TLS: Server side Qualys App Noteworthy Vulnerability Score GCash C Vulnerable to POODLE attack Money on Mobile N/A No TLS Oxigen Wallet F SSL 2 support, MD5 cipher suite SSL 2, Client-initiated Mpay F renegotiation, POODLE Attack Expired, self-signed certificate for MCoin N/A localhost Airtel Money A- Uses SHA-1 with RSA Zuum A- Uses SHA-1 with RSA 12

  13. DIY cryptography: MoneyOnMobile All messages are sent over plaintext HTTP . 13

  14. DIY cryptography: Airtel • This key is used to encrypt the user PIN, used to authenticate with the service • All of these fields are available in previous messages “protected” by broken TLS • Because TLS certificate validation is effectively disabled, we can get this account 14

  15. Access control • Oxigen Wallet allows password reset with an unauthenticated SMS sent from a user’s phone • MoneyOnMobile only checked the PIN to move between screens in the app • mPay accepts and performs unauthenticated commands from its server • … 15

  16. Information leakage • Logging – mPay logs include user credentials, personal identifiers, and card numbers – MoneyOnMobile logs include server responses and account balances • Preference storage – GCash stores the users’ PIN in the preference – mCoin stores the user’s name, birthday, and certain financial infromation. 16

  17. Terms of Service • User is responsible for all authenticated transactions – When these systems are attacked, the user pays the price 17

  18. Conclusion • Mobile money applications improve the standard of living for many in the developing world • However, significant vulnerabilities are identified in mobile money applications • Dramatic improvements to the security of mobile money applications are needed to protect these systems 18

  19. Discussion • What’s the contribution of this paper? • Anyone has experience with mobile money? Is there any security flaw in the mobile money model? • What’s the reasons for the vulnerabilities in the apps? • Does regulations help improve finance security? • How to improve the security of mobile money systems? 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bile salt synthesis Hepatic Transporter Proteins involved in Bile Formation Basolateral membrane

Bile salt synthesis Hepatic Transporter Proteins involved in Bile Formation Basolateral membrane

Bile salt synthesis Hepatic Transporter Proteins involved in Bile Formation Basolateral membrane transporter proteins fx: NTCP uptake of bile salts OATP bulky organic anions Canalicular membrane transporter proteins fx: BSEP ATP dependent

389 views • 34 slides
Bile acid abnormalities in peroxisomal disorders Sacha Ferdinandusse Lab. Genetic Metabolic

Bile acid abnormalities in peroxisomal disorders Sacha Ferdinandusse Lab. Genetic Metabolic

Bile acid abnormalities in peroxisomal disorders Sacha Ferdinandusse Lab. Genetic Metabolic Diseases Academic Medical Center Amsterdam Peroxisomes play an important role in bile acid biosynthesis Bile acid biosynthesis involves:

529 views • 31 slides
Ia Iatr trogenic ogenic bile duct bile duct injur injury Eduard Jonas Surgical

Ia Iatr trogenic ogenic bile duct bile duct injur injury Eduard Jonas Surgical

Ia Iatr trogenic ogenic bile duct bile duct injur injury Eduard Jonas Surgical Gastroenterology Unit University of Cape Town and Groote Schuur Hospital Cape Town, South Africa Conflict of Interest I declare I have no conflict of interest

961 views • 36 slides
Gallbladder & Bile Ducts Anatomy Biliary Disease and Pancreatitis Mr Panagiotis Georgiou MD,

Gallbladder & Bile Ducts Anatomy Biliary Disease and Pancreatitis Mr Panagiotis Georgiou MD,

29/01/2013 Gallbladder & Bile Ducts Anatomy Biliary Disease and Pancreatitis Mr Panagiotis Georgiou MD, MRCS Academic Clinical Fellow in General Surgery Date: 29/01/2013 Physiology Congenital Abnormalities Bile Salts Liver

78 views • 7 slides
Post-translational Post-translational Modifications to Human Bile Modifications to Human Bile

Post-translational Post-translational Modifications to Human Bile Modifications to Human Bile

Post-translational Post-translational Modifications to Human Bile Modifications to Human Bile Acid CoA:Amino Acid N- Acid CoA:Amino Acid N- acyltransferase acyltransferase Erin Shonsey UAB Graduate Student September 12, 2006 Conjugation

395 views • 20 slides
Cha Challeng Challeng Cha nges in nges in n Mobi n Mobi bile Web bile Web b b Usa

Cha Challeng Challeng Cha nges in nges in n Mobi n Mobi bile Web bile Web b b Usa

Cha Challeng Challeng Cha nges in nges in n Mobi n Mobi bile Web bile Web b b Usa Usability Usa Usability y for y for for an Ec for an Ec Ecomme Ecomme ommerce ommerce Compa Co Co Compa pany pany ny ny @ blue tomato

754 views • 32 slides
sodium-dependent bile acid transporter inhibitor maralixibat in children with progressive familial

sodium-dependent bile acid transporter inhibitor maralixibat in children with progressive familial

Phase 2 open-label efficacy and safety study of the apical sodium-dependent bile acid transporter inhibitor maralixibat in children with progressive familial intrahepatic cholestasis: 48-week interim efficacy analysis Richard J Thompson King's

317 views • 18 slides
Synthesis and characterization of new tail-to-tail dimers of bile acids with different spacers

Synthesis and characterization of new tail-to-tail dimers of bile acids with different spacers

[f007] Synthesis and characterization of new tail-to-tail dimers of bile acids with different spacers lvaro Antelo, Mercedes lvarez Alcalde, Aida Jover, Francisco Meijide, and Jos Vzquez Tato Departamento de Qumica Fsica, Facultad de

374 views • 10 slides
Theoretical calculations on conformations of bile-acid based dimers. Interactions with ibuprofen

Theoretical calculations on conformations of bile-acid based dimers. Interactions with ibuprofen

[f008] Theoretical calculations on conformations of bile-acid based dimers. Interactions with ibuprofen lvaro Antelo, Mercedes lvarez Alcalde, Aida Jover, Francisco Meijide, and Jos Vzquez Tato Departamento de Qumica Fsica, Facultad

259 views • 6 slides
in in Mo Mobi bile le De Devices ices FAST 2015 Daeho Jeong *+ , Youngjae Lee + , Jin-Soo

in in Mo Mobi bile le De Devices ices FAST 2015 Daeho Jeong *+ , Youngjae Lee + , Jin-Soo

Boost Bo sting ing Qu Quasi si-Asynchr Asynchronous onous I/O /O for Bet Better er Res espo ponsiv nsiveness eness in in Mo Mobi bile le De Devices ices FAST 2015 Daeho Jeong *+ , Youngjae Lee + , Jin-Soo Kim * Samsung Co.,

824 views • 45 slides
Spontaneous Rupture of the Bile Duct Associated with Pancreatitis. A Rare Presentation Mahesh K

Spontaneous Rupture of the Bile Duct Associated with Pancreatitis. A Rare Presentation Mahesh K

JOP. J Pancreas (Online) 2011 Mar 9; 12(2):149-151. CASE REPORT Spontaneous Rupture of the Bile Duct Associated with Pancreatitis. A Rare Presentation Mahesh K Goenka, Bhaswati C Acharyya, Pradeepta K Sethy, Usha Goenka Institute of

310 views • 3 slides
Serum bile acid profiles distinguish severe alcoholic hepatitis from decompensated

Serum bile acid profiles distinguish severe alcoholic hepatitis from decompensated

Serum bile acid profiles distinguish severe alcoholic hepatitis from decompensated alcohol-related cirrhosis Luke D Tyson , Stephen Atkinson, Alex Pechlivanis, Elaine Holmes, Nikhil Vergis, Rooshi Nathwani, James Maurice, Simon Taylor-Robinson,

447 views • 23 slides
Primary Biliary Cholangitis (PBC) Formerly known as primary biliary cirrhosis Chronic,

Primary Biliary Cholangitis (PBC) Formerly known as primary biliary cirrhosis Chronic,

Primary Biliary Cholangitis (PBC) Formerly known as primary biliary cirrhosis Chronic, autoimmune disease of the liver that slowly destroys the medium-sized bile ducts (intrahepatic bile ducts) Eventually causes cholestasis

639 views • 15 slides
he Wo Wow RFMS M Mobi bile App e Apps Bring the Factor to y o you our Showroom! 1

he Wo Wow RFMS M Mobi bile App e Apps Bring the Factor to y o you our Showroom! 1

he Wo Wow RFMS M Mobi bile App e Apps Bring the Factor to y o you our Showroom! 1 Customer E Expe pect ctations ns While in Y Your S Showroom Salesperson has product knowledge Salesperson is accommodating, NOT

209 views • 16 slides
Role of Acid and Bile in Esophageal Mucosal Damage Michael F. Vaezi, MD, PhD Center for

Role of Acid and Bile in Esophageal Mucosal Damage Michael F. Vaezi, MD, PhD Center for

Role of Acid and Bile in Esophageal Mucosal Damage Michael F. Vaezi, MD, PhD Center for Swallowing and Esophageal Disorders Department of Gastroenterology Cleveland Clinic Foundation Objective: At the end of this presentation the participants

277 views • 4 slides
An Unusual Presentation of a Carcinoid Tumor of the Common Bile Duct Ashif Jethava 1 , Visvanathan

An Unusual Presentation of a Carcinoid Tumor of the Common Bile Duct Ashif Jethava 1 , Visvanathan

JOP. J Pancreas (Online) 2013 Jan 10; 14(1):85-87. CASE REPORT An Unusual Presentation of a Carcinoid Tumor of the Common Bile Duct Ashif Jethava 1 , Visvanathan Muralidharan 2 , Thalia Mesologites 3 , Elena Stoica-Mustafa 5 , Constantin A Dasanu

369 views • 3 slides
BIOE 301 group are real Type I Error: (False Positive) Mistakenly conclude there is a

BIOE 301 group are real Type I Error: (False Positive) Mistakenly conclude there is a

Review of Last Time Sample size calculations Ensure differences between treatment & control BIOE 301 group are real Type I Error: (False Positive) Mistakenly conclude there is a difference between the two groups, when in

276 views • 5 slides
EFFECT OF EARLY-LIFE UNDERNUTRITION ON THE GUT MICROBIOTA Geoffrey A. Preidis, M.D., Ph.D.

EFFECT OF EARLY-LIFE UNDERNUTRITION ON THE GUT MICROBIOTA Geoffrey A. Preidis, M.D., Ph.D.

EFFECT OF EARLY-LIFE UNDERNUTRITION ON THE GUT MICROBIOTA Geoffrey A. Preidis, M.D., Ph.D. Assistant Professor of Pediatrics Section of Gastroenterology, Hepatology, and Nutrition Department of Pediatrics Baylor College of Medicine Texas

665 views • 48 slides
Liver & Gallbladder Health Dr Elisabeth Philipps PhD

Liver & Gallbladder Health Dr Elisabeth Philipps PhD

04/05/16 Liver & Gallbladder Health Dr Elisabeth Philipps PhD BSc Nut Med FNTP www.hartwellnutriAon.co.uk Aims of Webinar Overview of liver

269 views • 16 slides
2013 1 C. In testing for DILI in vivo it is common to monitor blood for an aminotransferase

2013 1 C. In testing for DILI in vivo it is common to monitor blood for an aminotransferase

20.201 Review of Q2 2013 1 C. In testing for DILI in vivo it is common to monitor blood for an aminotransferase (e.g. ALT, AST, etc.), but this fails when the drug causes cholestasis, and testing for alkaline phosphatase is the preferred

532 views • 14 slides
Gallstone Diseases Stephen Chang Associate Professor, National University of Singapore Lead,

Gallstone Diseases Stephen Chang Associate Professor, National University of Singapore Lead,

Gallstone Diseases Stephen Chang Associate Professor, National University of Singapore Lead, Snr Consultant Liver Tumor Group, National University Cancer Institute Singapore Division of Hepatopancreatobiliary Surgery and Liver Transplant

1.01k views • 51 slides
Update July 21, 2020 Safe Harbor Statement This presentation contains forward-looking

Update July 21, 2020 Safe Harbor Statement This presentation contains forward-looking

IW-3718 Program Update July 21, 2020 Safe Harbor Statement This presentation contains forward-looking statements. Investors are cautioned not to place undue reliance on these forward-looking statements, including statements our plans to stop

418 views • 10 slides
UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix

UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE Qualitative Analysis from Build It, Break It, Fix It Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks University of Maryland MANY REAL VULNERABILITIES

611 views • 34 slides
Overview of Outcomes Research Methods for Imagers Stella Kang, MD, MSc Director, Comparative

Overview of Outcomes Research Methods for Imagers Stella Kang, MD, MSc Director, Comparative

Overview of Outcomes Research Methods for Imagers Stella Kang, MD, MSc Director, Comparative Effectiveness & Outcomes Research Assistant Professor Department of Radiology Department of Population Health NYU Langone Health What are we

1.08k views • 45 slides

More recommend