Upload
barnaby-lester
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
Security Issues in the Development of a Mobile Money Application
Lorena G. Gómez-Martínez
Tecnológico de Monterrey, México
Kim Mallalieu
University of West Indies, Trinidad &Tobago
Tec de Monterrey
Sistema Tec Tec Monterrey Tec Salud Tec Virtual Tec Milenio
www.itesm.mx
Private University
31 campus20 international offices99,000 students
Undergraduate Degree in CS, ITMaster Program in Software and IT
Motivation
• Security in the curriculum– Information Security– Advanced information security
• Concentration on Security (Networks, Hardware)
• Challenge: To Apply the concepts learned• POL courses
– Software Project (4,5,6)– Capstone Project (7,8)
• Emerging technologies, security issues
Project
• Mobile Money in Support of Micro-economies in LAC
• Funded by LACCIR (LATAM & Caribbean ICT Research)
• Tec de Monterrey /University of West Indies
Motivation: Collaborative ICT4D Research
• Many needs and opportunities in LAC yet limited existing innovations
• Multi-disciplinary action research to solve real problems
• Strengthen diverse research outputs thru critical mass
• Sucessful Mobile Projects in Africa & Asia
Small Scale Fisherfolk as Focal Point
1. Importance to food security, employment and culture
2. High mobile penetration
3. Opportunities for improved market structure and operations.
Preliminary Appraisal
• Surveys of 542 small scale fisherfolk in 14 T&T communities
• 96% use mobile for fisheries work
• 84%: no problems with phone
• 52%: compose and send SMS
Preliminary Appraisal
• Market and operational inefficiencies
• Cash transactions• Desire for training• Concern for environment• At-sea dangers
Mobile Money in LAC
• Haiti– TchoTcho Mobile: Digicel/ Scotia Bank
/World Vision NGO(2010)– $2.5m Gates / US Gov HMMI Award– Cash withdrawals, deposits, transfers,
wage payments
• LATAM: Telefonica/ Mastercard– Services include person-to-person money transfers,
bill payments, mobile airtime reload and retail purchases".
– Value of mobile financial transactions est to reach approx US$63 billion in LA by 2014
Mobile Money Model
General Architecture
Business Layer
.
Application Layer
Access Layer
Device
ApplicationServer
Front End
Virtual Server
Back End Virtual Server
Enterprise Service Bus
PHP WebServer with WSF Framework
Database Server
GSM or WiFi
Network
Mobile Money Application
Basic Mobile Money Functionality
• User– Buy / Sell– Deposit /Withdraw – Transfer– Balance / History
• Administrative– Account Management– Cash Closing
(Daily Balance)
Cash Withdrawal Example
•
4. User Withdrawal request
Mobile Money Service
5. Transaccion Stored
2. QRCode Generated
1. Agent Withdrawal request
3. Capture Quick Response code (QR)
Agent
7. Withdrawal verified
6. Withdrawal confirmed
9. Give Cash to client
8. Withdrawal Confirmed
Client
Agent
User
Important Issues
• Security• Data protection• Performance• Transaction Time• Data on the cloud
ExtraPoints
OrganizationalStandards and Security Best
Practices
Set of
Security
Principles
Sec
uri
ty
Gu
idel
ines
fo
r S
oft
war
e D
esig
n a
nd
V
erif
icat
ion Security Activities
grouped by SDLC phases.
SecureDLC
GenericSDLC
End Users Training Strategy
Framework for the
Implementation Of Data
Security on Software Systems
Co
nte
xtu
aliz
ati
on
Security Patterns
Expert opinion
SecureDLC
SecureDLC
Methodology
Secure Software Development Strategy
DevelopmentInception Delivery
Planning AnalysisDesign CodingTraining
Deployment
Reviews
Testing
Reviews
Coding
Generic SDLC.
P1, P3, P4
P1, P2, P5, P6, P7, P8, P10,
P12, P17, P19, P20
P7, P10, P12, P17, P23, P16, P13, P22, P18, P13, P14, P25, P27
Revisions
P9, P11, P13, P14, P18, P21, P22,
P23
Coding
Training
P25, P27
Deployment
T1 - T5. T20-T25 T6-T19
T26 - T29
T31 - T35
Testing
P23, P24, P26
T36, T37, T38, T39, T40, T41, T42
T43 - T46
P17
T30
DevelopmentInception DeliveryPlan DesignAnalysis
Ptn 6, Ptn 15, Ptn 16, Ptn
36.
Ptn 2, Ptn 3, Ptn 5, Ptn 11, Ptn 12, Ptn 33, Ptn
36.
Ptn10, Ptn 13, Ptn 16, Ptn 18, Ptn 2, Ptn 22, Ptn 27, Ptn 28, Ptn 29, Ptn 30, Ptn 34, Ptn 35, Ptn 37, Ptn 38, Ptn 4, Ptn 7, Ptn 8, Ptn 9.
Ptn 2, Ptn 10, Ptn 14, Ptn 16, Ptn 21, Ptn 26, Ptn 32, Ptn 34, Ptn 38,
Ptn 39.
Ptn 11, Ptn 14, Ptn 24, Ptn 25.
Patrón 20.
Threat Mitigation
• User / transaction authentication– Id, password, pin, transaction code– Public key Infrastructure
• Passwords policies– Different user id and password – Password expires / strong password– Limited number of attempts
• Data protection– Encryption
Each phase is implemented as a cycle in which user progress is monitored so as to provide reinforcement as appropriate. E
nd U
ser
Tra
inin
g S
trat
egy
(Bec
kles
, M
alla
lieu,
Cas
as-B
ayon
a, G
ómez
-Mar
tinez
, 20
13)
Training Phases
Mentoring
Helps users to incorporate good security practice into
their behaviour.
Teaching
Primarily comprises a
course designed to enable users to
understand security concepts
and execute related tasks.
Assesment
Used to demonstrate a
satisfactory level of security knowledge and
skills
Support
Users establish a practical balance
between accomplishing application tasks while maintaining acceptable levels of security and
usability.
Assesment
Cyber-attack exercises are formulated and
executed after a fixed period and results are discussed with users, who may choose to modify their policy
intentions or behaviour accordingly
Education
Teaches users practical ways to secure applications while
increasing their awareness of security risks.
Threat Mitigation• Digital signatures:
– To avoid identity thefts, all messages transferred between application and servers are signed -> identity verification -> Message integrity
• Secure Socket Layer: – SSL Protects communication.
• Security Logs– Logs critical transactions for further analysis (fraud & attack
detection)– TransactionID, Datetime, User, location, Phone number,
International Mobile Subscriber Identity (read from SIM card) International Mobile Equipment Identity (read from phone)
Web Service based
• WebServices– SOAP header encapsulates all important
information, so the data in body SOAP message can be carried across a secure channel that can be read only by the server.
– The server can, also, verify that the message was not modified in between and that was sent by an authorized user
Security Threats
• Spoofing: – Impersonating something or someone else
• Tampering: – Modifying data or code
• Repudiation:– Claiming not to have performed an action
• Information disclosure: – Exposing information to someone
not authorized to see it
• Denial of service: – Denying or degrading service to users
• Elevation of privilege:– gain capabilities without proper authorization
Master Programin Software Engineering
and Information Technologies
Key Aspects• Professional Program• CONACYT accreditation as PNPC Quality Program• Strong relationships with the SEI (Software Engineering
Institute), CMU (Carnegie Mellon University) and corporations such as Microsoft, IBM and Oracle (software licenses, keynote speakers, training and certifications)
• Latin American and Caribbean Collaborative ICT research program (International Projects, Short Stays)
Professional Certifications• PSP (Personal Software Process) Developer Certification from Software
Engineering Institute• Database and Applications Fundamentals Certificate from IBM
MST Program
Full-time students can complete the program in 18 months.
Courses• Software Analysis, Design and Construction • Software Architecture • Methodologies and Disciplines for Software Development • Managing Software Development • Software Testing and Quality Assurance • Leadership for Business Innovation• Project I, II, III (real-world Project)• Elective 1• Elective 2
Elective Courses
Select Two courses• Software Engineering for the Cloud• Software Development for Mobile Applications• Computer Security • Distributed Databases• Parallel and Concurrent Programming• Software Product Lines• Advanced Topics in Computer Science
• Need more courses on Cybersecurity
Plans• Interdisciplinary collaboration• Collaboration with other universities, companies• MST students with CONACYT grants doing short stays in
universities • Cybersecurity Education is a priority
– Students– Community (social programs for kids & Adults)
• Cybersecurity Certifications – Undergraduate– Graduate– Professionals
• Real Projects