Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright, 1995-2007 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.

Published byBlaise Corse Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright, 1995-2007 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong."— Presentation transcript:

1 Copyright, 1995-2007 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong Kong, Cyberspace Law & Policy at U.N.S.W., Computer Science at A.N.U. http://www.anu.edu.au/people/Roger.Clarke/...... / EC/MPS-080501 {.html,.ppt} Victoria Uni. of Wellington – 1 May 2008

2 Copyright, 1995-2007 2 4.Security Analysis [ Extended Version ] Threats + Vulnerabilities - Safeguards => Harm Second-Party Threats Third-Party Threats Consumer Device: Threats Vulnerabilities Key Categories of Harm Key Safeguards Required

3 Copyright, 1995-2007 3 Mainstream Security Model Vague Threats Become Actual Threatening Events, Impinge on Vulnerabilities, Overcome Safeguards & Cause Harm Security is an (unusual) condition in which Harm does not arise because Threats are countered by Safeguards

4 Copyright, 1995-2007 4 Unauthorised Transactions Aren’t Just Theory Design Flaw: Octopus customer started to add value to their card at self-service add-value points located in MTR and KCR stations Customer cancelled the transaction But the bank accounts were debited The flaw existed from at least 2000, but was not discovered until 2007! HK$ 3.7 million deducted from 15,270 accounts http://en.wikipedia.org/wiki/Octopus_card#EPS_add-value_glitch http://www.rthk.org.hk/rthk/news/englishnews/20070204/... news_20070204_56_376306.htm

5 Copyright, 1995-2007 5 Second-Party Threats Situations of Threat: Banks Telcos / Mobile Phone Providers Toll-Road eTag Providers Intermediaries Devices Safeguards: Terms of Contract Risk Allocation Enforceability Consumer Rights

6 Copyright, 1995-2007 6 Third-Party Threats – Within the System (Who else can get at you, where, and how?) Points-of-Payment Physical: Observation Coercion Points-of-Payment Electronic: Rogue Devices Rogue Transactions Keystroke Loggers Private Key Reapers Network Electronic Interception Decryption Man-in-the-Middle Attacks Points-of-Processing Rogue Employee Rogue Company Error

7 Copyright, 1995-2007 7 Third-Party Threats – Within the Device Physical Intrusion Social Engineering Confidence Tricks Phishing Masquerade Abuse of Privilege Hardware Software Data Electronic Intrusion Interception Cracking / ‘Hacking’ Bugs Trojans Backdoors Masquerade Distributed Denial of Service (DDOS) Infiltration by Software with a Payload

8 Copyright, 1995-2007 8 Third-Party Threats – Infiltration by Malware (Software with a Malicious Payload) Software (the ‘Vector’) Pre-Installed User-Installed Virus Worm... Payload Trojan: Documented or Undocumented Bot / Zombie Spyware: Software Monitor Adware Keystroke Logger...

9 Copyright, 1995-2007 9 Consumer Device Vulnerabilities The Environment Physical Surroundings Organisational Context Social Engineering The Device Hardware, Systems Software Applications Server-Driven Apps (ActiveX, Java, AJAX) The Device's Functions: Known, Unknown, Hidden Software Installation Software Activation Communications Transaction Partners Data Transmission Intrusions Malware Vectors Malware Payloads Hacking, incl. Backdoors, Botnets

10 Copyright, 1995-2007 10 MPayments – Key Categories of Harm Unauthorised Conduct of Transactions Acquisition of Identity Authenticators Credit-Card Details (card-number as identifier, plus the associated identity authenticators) Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (identity authenticator) [Later – Biometrics capture and replay] Interference with Legitimate Transactions Use of a Consumer Device as a Tool in a fraud perpetrated on another party

11 Copyright, 1995-2007 11 Key Safeguards Required Two-Sided Device Authentication, i.e. by Payee’s Chip of Payer’s Chip by Payer’s Chip of Payee’s Chip Notification to Payer of: Fact of Payment (e.g. Audio-Ack) Amount of Payment At least one Authenticator Protection of the Authenticator(s) A Voucher (Physical and/or Electronic) Regular Account Reconciliation by Payers

12 Copyright, 1995-2007 12 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong Kong, Cyberspace Law & Policy at U.N.S.W., Computer Science at A.N.U. http://www.anu.edu.au/people/Roger.Clarke/...... / EC/MPS-080501 {.html,.ppt} Victoria Uni. of Wellington – 1 May 2008

Download ppt "Copyright, 1995-2007 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong."

Similar presentations

A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong Kong, Cyberspace.

A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong Kong, Cyberspace.
Copyright 2008-12 1 COMP 3410 – I.T. in Electronic Commerce eSecurity Mobile Security Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U.

Copyright COMP 3410 – I.T. in Electronic Commerce eSecurity Mobile Security Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U.
Copyright 1996-2008 1 B2C Distrust Factors in the Prosumer Era Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in eCommerce, Uni. of.

Copyright B2C Distrust Factors in the Prosumer Era Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in eCommerce, Uni. of.
Copyright, 1995-2006 1 The Malware Menagerie Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.

Copyright, The Malware Menagerie Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.
Copyright, 1995-2007 1 Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.

Copyright, Can Mobile Payments be 'Secure Enough'? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in eCommerce at Uni of Hong.
Copyright 2008-11 1 A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at.

Copyright A Risk Assessment Framework for Mobile Payments Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science at.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.

ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.

7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Copyright 2013-15 1 COMP 2410 – Networked Information Systems SC3 – Mobile Security Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U.

Copyright COMP 2410 – Networked Information Systems SC3 – Mobile Security Roger Clarke Xamax Consultancy, Canberra Visiting Professor, A.N.U.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
McGraw-Hill © 2008 The McGraw-Hill Companies, Inc. All rights reserved. Chapter 8 Threats and Safeguards Chapter 8 PROTECTING PEOPLE AND INFORMATION Threats.

McGraw-Hill © 2008 The McGraw-Hill Companies, Inc. All rights reserved. Chapter 8 Threats and Safeguards Chapter 8 PROTECTING PEOPLE AND INFORMATION Threats.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Similar presentations

Ads by Google