
Security Issues in the Development of a Mobile Money Application

Lorena G. Gómez-Martínez, Tecnológico de Monterrey, México; Kim Mallalieu, University of West Indies, Trinidad & Tobago.





Presentation Transcript


  1. Security Issues in the Development of a Mobile Money Application. Lorena G. Gómez-Martínez, Tecnológico de Monterrey, México; Kim Mallalieu, University of West Indies, Trinidad & Tobago

  2. Tec de Monterrey (www.itesm.mx)
     • Sistema Tec: Tec Monterrey, Tec Salud, Tec Virtual, Tec Milenio
     • Private university: 31 campuses, 20 international offices, 99,000 students
     • Undergraduate degrees in CS and IT; Master program in Software and IT

  3. Motivation
     • Security in the curriculum
     • Information Security
     • Advanced Information Security
     • Concentration on Security (Networks, Hardware)
     • Challenge: to apply the concepts learned
     • POL courses
     • Software Project (4, 5, 6)
     • Capstone Project (7, 8)
     • Emerging technologies, security issues

  4. Project
     • Mobile Money in Support of Micro-economies in LAC
     • Funded by LACCIR (LATAM & Caribbean ICT Research)
     • Tec de Monterrey / University of West Indies

  5. Motivation: Collaborative ICT4D Research
     • Many needs and opportunities in LAC, yet limited existing innovations
     • Multi-disciplinary action research to solve real problems
     • Strengthen diverse research outputs through critical mass
     • Successful mobile projects in Africa & Asia

  6. Small Scale Fisherfolk as Focal Point
     • Importance to food security, employment and culture
     • High mobile penetration
     • Opportunities for improved market structure and operations

  7. Preliminary Appraisal
     • Surveys of 542 small scale fisherfolk in 14 T&T communities
     • 96% use mobile for fisheries work
     • 84%: no problems with phone
     • 52%: compose and send SMS

  8. Preliminary Appraisal
     • Market and operational inefficiencies
     • Cash transactions
     • Desire for training
     • Concern for environment
     • At-sea dangers

  9. Mobile Money in LAC
     • Haiti
     • TchoTcho Mobile: Digicel / Scotia Bank / World Vision NGO (2010)
     • $2.5m Gates / US Gov HMMI Award
     • Cash withdrawals, deposits, transfers, wage payments
     • LATAM: Telefonica / Mastercard
     • Services include person-to-person money transfers, bill payments, mobile airtime reload and retail purchases
     • Value of mobile financial transactions estimated to reach approx. US$63 billion in LA by 2014

  10. Mobile Money Model

  11. General Architecture (diagram)
     • Access Layer: GSM or WiFi Network
     • Business Layer / Application Layer: Device, Front End Virtual Server, Enterprise Service Bus, Application Server, Back End Virtual Server, Database Server
     • PHP Web Server with WSF Framework; Mobile Money Application

  12. Basic Mobile Money Functionality
     • User
     • Buy / Sell
     • Deposit / Withdraw
     • Transfer
     • Balance / History
     • Administrative
     • Account Management
     • Cash Closing (Daily Balance)

  13. Cash Withdrawal Example (participants: Agent, Client, Mobile Money Service)
     1. Agent withdrawal request
     2. QR code generated
     3. Capture Quick Response (QR) code
     4. User withdrawal request
     5. Transaction stored
     6. Withdrawal confirmed
     7. Withdrawal verified
     8. Withdrawal confirmed
     9. Give cash to client

  14. Agent User

  15. Important Issues
     • Security
     • Data protection
     • Performance
     • Transaction time
     • Data on the cloud

  16. Extra Points

  17. Methodology (framework diagram): Framework for the Implementation of Data Security on Software Systems
     • Set of Security Principles
     • Generic SDLC
     • Expert opinion
     • Organizational Standards and Security Best Practices
     • Security Patterns
     • Secure DLC
     • Security Activities grouped by SDLC phases
     • Security Guidelines for Software Design and Verification
     • Contextualization
     • End Users Training Strategy

  18. Secure Software Development Strategy
     • Phases: Inception, Development, Delivery
     • Activities: Planning, Analysis, Design, Coding, Reviews, Testing, Deployment, Training

  19. Generic SDLC (table): phases Inception (Plan, Analysis), Development (Design, Coding), Delivery (Deployment), plus Testing, Training and Revisions; each phase lists the applicable numbered security patterns (Ptn), tasks (T) and items (P) from the framework.

  20. Threat Mitigation
     • User / transaction authentication
     • Id, password, PIN, transaction code
     • Public Key Infrastructure
     • Password policies
     • Different user id and password
     • Password expires / strong password
     • Limited number of attempts
     • Data protection
     • Encryption

  21. Training Phases: End User Training Strategy (Beckles, Mallalieu, Casas-Bayona, Gómez-Martínez, 2013). Each phase is implemented as a cycle in which user progress is monitored so as to provide reinforcement as appropriate.
     • Education: teaches users practical ways to secure applications while increasing their awareness of security risks.
     • Teaching: primarily comprises a course designed to enable users to understand security concepts and execute related tasks.
     • Mentoring: helps users to incorporate good security practice into their behaviour.
     • Assessment: used to demonstrate a satisfactory level of security knowledge and skills.
     • Support: users establish a practical balance between accomplishing application tasks and maintaining acceptable levels of security and usability.
     • Assessment: cyber-attack exercises are formulated and executed after a fixed period, and results are discussed with users, who may choose to modify their policy intentions or behaviour accordingly.

  22. Threat Mitigation
     • Digital signatures: to avoid identity theft, all messages transferred between application and servers are signed -> identity verification -> message integrity
     • Secure Sockets Layer: SSL protects communication
     • Security logs: log critical transactions for further analysis (fraud & attack detection)
     • Logged fields: Transaction ID, Datetime, User, location, phone number, International Mobile Subscriber Identity (read from SIM card), International Mobile Equipment Identity (read from phone)

  23. Web Service based
     • Web Services
     • The SOAP header encapsulates all important information, so the data in the SOAP message body can be carried across a secure channel that can be read only by the server.
     • The server can also verify that the message was not modified in between and that it was sent by an authorized user.

  24. Security Threats
     • Spoofing: impersonating something or someone else
     • Tampering: modifying data or code
     • Repudiation: claiming not to have performed an action
     • Information disclosure: exposing information to someone not authorized to see it
     • Denial of service: denying or degrading service to users
     • Elevation of privilege: gaining capabilities without proper authorization

  25. Master Program in Software Engineering and Information Technologies

  26. Key Aspects
     • Professional Program
     • CONACYT accreditation as PNPC Quality Program
     • Strong relationships with the SEI (Software Engineering Institute), CMU (Carnegie Mellon University) and corporations such as Microsoft, IBM and Oracle (software licenses, keynote speakers, training and certifications)
     • Latin American and Caribbean Collaborative ICT research program (International Projects, Short Stays)
     • Professional Certifications
     • PSP (Personal Software Process) Developer Certification from Software Engineering Institute
     • Database and Applications Fundamentals Certificate from IBM

  27. MST Program. Full-time students can complete the program in 18 months. Courses:
     • Software Analysis, Design and Construction
     • Software Architecture
     • Methodologies and Disciplines for Software Development
     • Managing Software Development
     • Software Testing and Quality Assurance
     • Leadership for Business Innovation
     • Project I, II, III (real-world project)
     • Elective 1
     • Elective 2

  28. Elective Courses. Select two courses:
     • Software Engineering for the Cloud
     • Software Development for Mobile Applications
     • Computer Security
     • Distributed Databases
     • Parallel and Concurrent Programming
     • Software Product Lines
     • Advanced Topics in Computer Science
     • Need more courses on Cybersecurity

  29. Plans
     • Interdisciplinary collaboration
     • Collaboration with other universities and companies
     • MST students with CONACYT grants doing short stays in universities
     • Cybersecurity education is a priority
     • Students
     • Community (social programs for kids & adults)
     • Cybersecurity certifications
     • Undergraduate
     • Graduate
     • Professionals
     • Real projects
