Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World - PowerPoint PPT Presentation

SLIDE 1

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World

Bradly Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, Kevin Butler University of Florida

Presenter: Qi Wang
Published at USENIX Security 2015
Based on slides by Bradly Reaves

SLIDE 2

Branchless Banking a.k.a. Mobile Money

  • Generally deployed by companies outside of the traditional financial services sector
  • Their use does not require a previously established relationship with a bank
  • They do not rely exclusively on Internet connectivity, but also use SMS, Unstructured Supplementary Service Data (USSD) or cellular voice to conduct transactions

SLIDE 3

Why this is important

  • Millions rely on mobile money every day, and even more will do so in the future
    – As of August 2014, there were 246 mobile money services in 88 countries serving 203 million users
  • The security of mobile money has not been publicly investigated or verified

SLIDE 4

Analysis of mobile money apps

  • We did an automated analysis of 46 currently available mobile money apps
  • We did a manual analysis of 7 popular apps

SLIDE 5

Automated Analysis

  • We used the Mallodroid tool to analyze the TLS implementation of 46 mobile money apps for Android
  • Over 50% of the apps had an SSL/TLS vulnerability

SLIDE 6

Manual Analysis: Apps

  App              Country
  GCash            Philippines
  Zuum             Brazil
  MCoin            Indonesia
  Money on Mobile  India
  Mpay             Thailand
  Airtel Money     India
  Oxigen Wallet    India

About 1.2 million users

SLIDE 7

Manual analysis

  • Phase 1: Inspection
  • Phase 2: Reverse engineering
  • Security analysis of
    – Registration and login
    – User authentication after login
    – Money transfer

SLIDE 8

Findings: High level

  • 6 out of 7 apps had easily exploited critical vulnerabilities
  • 28 vulnerabilities in 6 of the 7 analyzed apps
  • 13 CWE categories, grouped as
    – SSL/TLS & certificate verification
    – Non-standard cryptography
    – Access control
    – Information leakage

SLIDE 9

Vulnerabilities by App

  App              Vulnerabilities
  GCash            7
  Money on Mobile  6
  Oxigen Wallet    6
  Mpay             4
  MCoin            3
  Airtel Money     2
  Zuum             0

(28 in total across six apps; Zuum is the one app with no vulnerability found)

SLIDE 10

Vulnerabilities by type

  Error Type                    Apps Vulnerable  Vulnerabilities
  TLS Certificate Verification  4                4
  Non-standard Cryptography     4                6
  Access Control                4                7
  Information Leakage           5                12

SLIDE 11

TLS: Client side

  • Some apps overrode Android's default certificate verification routines
  • Developers likely did this to silence certificate warnings during development or deployment
  • mCoin had to disable validation for the application to function at all
    – The server presents a certificate issued to "localhost" that is both expired and self-signed
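The override pattern described above is what the automated pass on slide 5 looks for. The scanner below is an added Python example, not Mallodroid (which works on Dalvik bytecode) and not code from the paper or from any of the seven apps: it applies the same idea to decompiled Java text. The three Java fragments are constructed inputs that model a trust-all `X509TrustManager`, an accept-anything `HostnameVerifier`, and a pinning TrustManager that delegates to the platform validator; their class and method names are assumptions.

```python
"""Source-level scan for disabled TLS validation in decompiled Android code.

Added illustration, not Mallodroid and not code from any of the seven apps:
Mallodroid works on dex bytecode; this scanner applies the same checks to
decompiled Java text, which is enough to show what the automated pass flags.
"""
import re
from typing import Optional

# Constructed sample inputs modelled on the patterns the slides describe.
TRUST_ALL_MANAGER = """
public final class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept anything -- added to silence the error against a self-signed cert
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
"""

ACCEPT_ANY_HOST = """
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
/* legacy Apache client path */
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

PINNED_MANAGER = """
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    platformTrustManager.checkServerTrusted(chain, authType);  // chain validity first
    if (!PINNED_SPKI_HASHES.contains(spkiSha256(chain[0]))) {
        throw new CertificateException("certificate does not match pinned key");
    }
}
"""


def strip_comments(src: str) -> str:
    """Drop // and /* */ comments so words in comments cannot mask or fake a check."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def method_body(src: str, signature: str) -> Optional[str]:
    """Return the text between the braces of the first method whose declaration
    matches the regex `signature`. Brace matching (rather than one big regex)
    survives nested blocks such as an `if { ... }` inside the method."""
    m = re.search(signature, src)
    if m is None:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None


def scan(src: str) -> list[str]:
    """Findings for one decompiled source file (all in the CWE-295 family)."""
    code = strip_comments(src)
    findings = []

    body = method_body(code, r"void\s+checkServerTrusted\s*\(")
    # A TrustManager that neither throws nor delegates to a real validator accepts every chain.
    if body is not None and "throw" not in body and "checkServerTrusted(" not in body:
        findings.append("trust-all TrustManager: checkServerTrusted never rejects a chain")

    body = method_body(code, r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)")
    if body is not None and re.fullmatch(r"\s*return\s+true\s*;\s*", body):
        findings.append("HostnameVerifier.verify always returns true")

    if "ALLOW_ALL_HOSTNAME_VERIFIER" in code:
        findings.append("ALLOW_ALL_HOSTNAME_VERIFIER used")

    return findings


def scan_app(sources: dict[str, str]) -> dict[str, list[str]]:
    """Scan every decompiled file of one app; files with no findings are omitted."""
    report = {name: scan(src) for name, src in sources.items()}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    app = {"TrustAllManager.java": TRUST_ALL_MANAGER,
           "NetUtil.java": ACCEPT_ANY_HOST,
           "PinnedTrustManager.java": PINNED_MANAGER}
    for name, findings in scan_app(app).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The two vulnerable fragments also show the fix: `checkServerTrusted` must delegate to the platform validator (and may add pinning on top, as the third fragment does), and hostname verification must stay enabled. The mCoin case cannot be fixed in the client at all; the server needs a certificate that is valid for its real hostname, after which the override can simply be removed.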

SLIDE 12

TLS: Server side

  App              Qualys Score  Noteworthy Vulnerability
  GCash            C             Vulnerable to POODLE attack
  Money on Mobile  N/A           No TLS
  Oxigen Wallet    F             SSL 2 support, MD5 cipher suite
  Mpay             F             SSL 2, client-initiated renegotiation, POODLE attack
  MCoin            N/A           Expired, self-signed certificate for localhost
  Airtel Money     A-            Uses SHA-1 with RSA
  Zuum             A-            Uses SHA-1 with RSA

SLIDE 13

DIY cryptography: MoneyOnMobile

All messages are sent over plaintext HTTP.

SLIDE 14

DIY cryptography: Airtel

  • The key (shown on the original slide) is used to encrypt the user PIN, which authenticates the user to the service
  • All of the fields the key is built from are available in previous messages "protected" by broken TLS
  • Because TLS certificate validation is effectively disabled, an attacker who intercepts the connection can collect those fields, rebuild the key, and take over the account

SLIDE 15

Access control

  • Oxigen Wallet allows a password reset triggered by an unauthenticated SMS sent from the user's phone number
  • MoneyOnMobile only checked the PIN to move between screens in the app (a client-side check only)
  • mPay accepts and performs unauthenticated commands from its server
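Each of the three findings above is a missing server-side check. The code below is an added Python example, not code from the paper or from any of the apps: it shows the MoneyOnMobile-style client-gated PIN and the Oxigen-style SMS-triggered reset next to hardened versions that verify the PIN on every money-moving request and tie a reset to a one-time code delivered to the registered number. `Wallet`, its method names, the PBKDF2 parameters and the constructed accounts are assumptions for the example.

```python
"""Server-side authorization for a mobile-money backend.

Added illustration, not code from the paper or from any of the seven apps.
`Wallet`, its method names, the PBKDF2 parameters and the accounts used in
the demo are assumptions for the example.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumption for the example; tune to the server hardware
MAX_PIN_FAILURES = 5
RESET_CODE_TTL_SECONDS = 300


class Wallet:
    def __init__(self) -> None:
        self.balances: dict[str, int] = {}
        self.pin_records: dict[str, tuple[bytes, bytes]] = {}   # account -> (salt, pbkdf2 hash)
        self.phone_to_account: dict[str, str] = {}
        self.failures: dict[str, int] = {}
        self.reset_codes: dict[str, tuple[bytes, float]] = {}   # account -> (sha256(code), expiry)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def open_account(self, account: str, phone: str, pin: str, balance: int) -> None:
        self._set_pin(account, pin)
        self.phone_to_account[phone] = account
        self.balances[account] = balance

    def _set_pin(self, account: str, pin: str) -> None:
        salt = os.urandom(16)
        self.pin_records[account] = (salt, self._hash_pin(pin, salt))
        self.failures[account] = 0

    def verify_pin(self, account: str, pin: str) -> bool:
        """Constant-time compare against the salted hash, with a lockout after repeated failures."""
        if account not in self.pin_records or self.failures.get(account, 0) >= MAX_PIN_FAILURES:
            return False
        salt, stored = self.pin_records[account]
        ok = hmac.compare_digest(self._hash_pin(pin, salt), stored)
        self.failures[account] = 0 if ok else self.failures.get(account, 0) + 1
        return ok

    def _move(self, src: str, dst: str, amount: int) -> str:
        if amount <= 0 or dst not in self.balances or self.balances.get(src, 0) < amount:
            return "rejected"
        self.balances[src] -= amount
        self.balances[dst] += amount
        return "ok"

    # Vulnerable pattern: the app verified the PIN before showing the transfer screen,
    # so the server only sees a client-supplied flag and never checks the PIN itself.
    def transfer_insecure(self, request: dict) -> str:
        if not request.get("pin_verified"):
            return "denied"
        return self._move(request["from"], request["to"], request["amount"])

    # Hardened: every money-moving request carries the PIN and the server verifies it.
    def transfer(self, request: dict) -> str:
        if not self.verify_pin(request["from"], request.get("pin", "")):
            return "denied"
        return self._move(request["from"], request["to"], request["amount"])

    # Vulnerable pattern: trust the SMS sender field, which the carrier path does not authenticate.
    def reset_pin_insecure(self, sms_sender: str, new_pin: str) -> bool:
        account = self.phone_to_account.get(sms_sender)
        if account is None:
            return False
        self._set_pin(account, new_pin)
        return True

    # Hardened: the server issues a short-lived code to the registered number, and the
    # reset must present it; the code is consumed on first use, right or wrong.
    def request_pin_reset(self, account: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.reset_codes[account] = (hashlib.sha256(code.encode()).digest(),
                                     time.time() + RESET_CODE_TTL_SECONDS)
        return code   # in a real deployment this goes out of band to the registered phone

    def reset_pin(self, account: str, code: str, new_pin: str) -> bool:
        digest, expires = self.reset_codes.pop(account, (b"", 0.0))
        presented = hashlib.sha256(code.encode()).digest()
        if time.time() > expires or not hmac.compare_digest(presented, digest):
            return False
        self._set_pin(account, new_pin)
        return True
```

The mPay finding (the app executes commands from its server without authentication) is the same mistake in the opposite direction: anything that crosses a trust boundary, in either direction, has to be authenticated by the receiver rather than assumed from the transport.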

SLIDE 16

Information leakage

  • Logging
    – mPay logs include user credentials, personal identifiers, and card numbers
    – MoneyOnMobile logs include server responses and account balances
  • Preference storage
    – GCash stores the user's PIN in the preferences
    – mCoin stores the user's name, birthday, and certain financial information
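For the logging findings above, the practical control is to redact before anything reaches logcat. The code below is an added Python example, not code from the paper or from any of the seven apps; the log lines are constructed to resemble what the slide describes (credentials, a card number and a balance in debug output), and the logger tags and values are invented for the example.

```python
"""Redacting secrets before they reach the Android log (or any log).

Added illustration, not code from the paper or from any of the seven apps.
SAMPLE_LOGS are constructed lines; the tags and values are invented.
"""
import logging
import re

# Keys whose values must never be logged. "balance" is included because the
# slide treats account balances in logs as leakage.
SECRET_KEYS = ("pin", "mpin", "password", "passwd", "otp", "cvv", "balance")

# key=value, key: value, and JSON "key": "value" forms
KV_RE = re.compile(
    r"\b(" + "|".join(SECRET_KEYS) + r")\b(['\"]?\s*[=:]\s*['\"]?)([^\s,&'\"}]+)",
    re.IGNORECASE,
)
# 13-19 digit runs (optionally separated by spaces or dashes): candidate card numbers
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_LOGS = [
    "D/MpayLogin: POST /login user=9876543210 password=hunter2 pin=4321",
    'D/MpayCard: {"card_number": "4111111111111111", "cvv": "123", "expiry": "12/26"}',
    'D/MoMResponse: {"status":"OK","balance":1540.75,"txid":1433372134567}',
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from timestamps and transaction ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)          # not a card number; leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Mask secret key/value pairs first, then any Luhn-valid card number that remains."""
    line = KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    return PAN_RE.sub(_mask_pan, line)


class RedactingFilter(logging.Filter):
    """Attach to a logger so redaction happens before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def redact_all(lines: list[str]) -> list[str]:
    return [redact(line) for line in lines]


if __name__ == "__main__":
    log = logging.getLogger("wallet")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    for raw in SAMPLE_LOGS:
        log.debug(raw)
```

Redaction is a backstop; the primary fix is not to log request and response bodies in release builds at all. The stored-data findings need a different answer: a PIN belongs in no persistent store, and the name, birthday and financial fields mCoin keeps in preferences should live in encrypted storage keyed from the Android Keystore rather than plain SharedPreferences.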

SLIDE 17

Terms of Service

  • The user is responsible for all authenticated transactions
    – When these systems are attacked, the user pays the price

SLIDE 18

Conclusion

  • Mobile money applications improve the standard of living for many in the developing world
  • However, significant vulnerabilities were identified in mobile money applications
  • Dramatic improvements to the security of mobile money applications are needed to protect these systems

SLIDE 19

Discussion

  • What is the contribution of this paper?
  • Does anyone have experience with mobile money? Are there security flaws in the mobile money model itself?
  • What are the reasons for the vulnerabilities in the apps?
  • Do regulations help improve financial security?
  • How can the security of mobile money systems be improved?
