Date post: 15-Jan-2016
Security Issues in the Development of a Mobile Money Application

Lorena G. Gómez-Martínez

Tecnológico de Monterrey, México

Kim Mallalieu

University of West Indies, Trinidad & Tobago

Page 2

Tec de Monterrey

Sistema Tec: Tec Monterrey, Tec Salud, Tec Virtual, Tec Milenio

www.itesm.mx

Private University

• 31 campuses
• 20 international offices
• 99,000 students

• Undergraduate Degree in CS, IT
• Master Program in Software and IT

Page 3

Motivation

• Security in the curriculum
– Information Security
– Advanced Information Security

• Concentration on Security (Networks, Hardware)

• Challenge: to apply the concepts learned

• POL courses
– Software Project (4, 5, 6)
– Capstone Project (7, 8)

• Emerging technologies, security issues

Page 4

Project

• Mobile Money in Support of Micro-economies in LAC

• Funded by LACCIR (LATAM & Caribbean ICT Research)

• Tec de Monterrey / University of West Indies

Page 5

Motivation: Collaborative ICT4D Research

• Many needs and opportunities in LAC yet limited existing innovations

• Multi-disciplinary action research to solve real problems

• Strengthen diverse research outputs through critical mass

• Successful mobile projects in Africa & Asia

Page 6

Small Scale Fisherfolk as Focal Point

1. Importance to food security, employment and culture

2. High mobile penetration

3. Opportunities for improved market structure and operations

Page 7

Preliminary Appraisal

• Surveys of 542 small scale fisherfolk in 14 T&T communities

• 96% use mobile for fisheries work

• 84%: no problems with phone

• 52%: compose and send SMS

Page 8

Preliminary Appraisal

• Market and operational inefficiencies

• Cash transactions
• Desire for training
• Concern for the environment
• At-sea dangers

Page 9

Mobile Money in LAC

• Haiti
– TchoTcho Mobile: Digicel / Scotia Bank / World Vision NGO (2010)
– $2.5m Gates / US Gov HMMI Award
– Cash withdrawals, deposits, transfers, wage payments

• LATAM: Telefonica / Mastercard
– "Services include person-to-person money transfers, bill payments, mobile airtime reload and retail purchases".
– Value of mobile financial transactions estimated to reach approximately US$63 billion in Latin America by 2014

Page 10

Mobile Money Model

Page 11

General Architecture

Figure: layered architecture diagram. Elements shown:

• Layers: Business Layer, Application Layer, Access Layer
• Device with the Mobile Money Application
• GSM or WiFi Network
• Application Server: Front End Virtual Server, Back End Virtual Server
• Enterprise Service Bus
• PHP Web Server with WSF Framework
• Database Server

Page 12

Basic Mobile Money Functionality

• User
– Buy / Sell
– Deposit / Withdraw
– Transfer
– Balance / History

• Administrative
– Account Management
– Cash Closing (Daily Balance)

Page 14

Figure: Agent / User

Page 15

Important Issues

• Security
• Data protection
• Performance
• Transaction time
• Data on the cloud

Page 16

Extra Points

Page 18

Methodology

Figure: methodology diagram. Inputs and elements shown:

• Organizational Standards and Security Best Practices
• Set of Security Principles
• Security Guidelines for Software Design and Verification
• Security Activities grouped by SDLC phases
• Generic SDLC
• End Users Training Strategy
• Framework for the Implementation of Data Security on Software Systems
• Contextualization
• Security Patterns
• Expert opinion
• SecureDLC (resulting secure development life cycle)

Page 19

Secure Software Development Strategy

Figure: life-cycle diagram with three stages (Inception, Development, Delivery) and the activities Planning, Analysis, Design, Coding, Reviews, Testing, Training and Deployment.

Page 20

Generic SDLC

Figure: the generic SDLC (Inception: Plan, Analysis; Development: Design, Coding, Revisions, Testing; Delivery: Training, Deployment) annotated with the security principles (P1 to P27), test activities (T1 to T46) and security patterns (Ptn 1 to Ptn 39) that apply in each phase. The per-phase assignments are not recoverable from the extracted text.

Page 21

Threat Mitigation

• User / transaction authentication
– Id, password, PIN, transaction code
– Public Key Infrastructure

• Password policies
– Different user id and password
– Password expiry / strong password
– Limited number of attempts

• Data protection
– Encryption

Page 22

End User Training Strategy (Beckles, Mallalieu, Casas-Bayona, Gómez-Martinez, 2013)

Each phase is implemented as a cycle in which user progress is monitored so as to provide reinforcement as appropriate.

Training Phases

• Mentoring: helps users to incorporate good security practice into their behaviour.

• Teaching: primarily comprises a course designed to enable users to understand security concepts and execute related tasks.

• Assessment: used to demonstrate a satisfactory level of security knowledge and skills.

• Support: users establish a practical balance between accomplishing application tasks while maintaining acceptable levels of security and usability.

• Assessment: cyber-attack exercises are formulated and executed after a fixed period and results are discussed with users, who may choose to modify their policy intentions or behaviour accordingly.

• Education: teaches users practical ways to secure applications while increasing their awareness of security risks.

Page 23

Threat Mitigation

• Digital signatures:
– To avoid identity theft, all messages transferred between the application and the servers are signed -> identity verification -> message integrity

• Secure Socket Layer:
– SSL protects communication.

• Security Logs
– Logs critical transactions for further analysis (fraud & attack detection)
– Transaction ID, Datetime, User, location, Phone number, International Mobile Subscriber Identity (read from SIM card), International Mobile Equipment Identity (read from phone)

Page 24

Web Service based

• Web Services
– The SOAP header encapsulates all important information, so the data in the SOAP message body can be carried across a secure channel that can be read only by the server.
– The server can also verify that the message was not modified in transit and that it was sent by an authorized user.
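Added example, not code from the deck or the project: a minimal version of the signed-message scheme described on this slide and the previous one, in Python. The header carries the user, transaction and device identifiers, the signature covers header and body so the server detects tampering and unknown senders, and every decision is written to a log with the fields listed under Security Logs. Shared HMAC keys (standing in for the deck's PKI), the field names and the sample request are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed per-user keys; HMAC stands in for the deck's PKI signatures (stdlib only).
USER_KEYS = {"fisher-001": b"constructed-key-fisher-001"}
# Header fields bound into the signature: identity, transaction and device data.
SIGNED_HEADER_FIELDS = ("user", "tx_id", "ts", "phone", "imsi", "imei", "location")


def _canonical(obj: dict) -> bytes:
    """Stable encoding so client and server hash byte-identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(key: bytes, header: dict, body: dict) -> str:
    signed = {k: header[k] for k in SIGNED_HEADER_FIELDS}
    return hmac.new(key, _canonical(signed) + _canonical(body), hashlib.sha256).hexdigest()


def sign_message(user: str, key: bytes, header_fields: dict, body: dict) -> dict:
    """Client side: header carries identity/device data plus a signature over header and body."""
    header = {"user": user, **header_fields}
    header["sig"] = _digest(key, header, body)
    return {"header": header, "body": body}


def verify_message(msg: dict, log: list) -> bool:
    """Server side: reject unknown users and any header/body change; log every decision."""
    header, body = msg["header"], msg["body"]
    key = USER_KEYS.get(header.get("user"))
    ok = False
    if key is not None and all(f in header for f in SIGNED_HEADER_FIELDS):
        ok = hmac.compare_digest(header.get("sig", ""), _digest(key, header, body))
    log.append({  # the log fields the deck lists, plus the verification outcome
        "TransactionID": header.get("tx_id"), "User": header.get("user"),
        "Datetime": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "location": header.get("location"), "Phone": header.get("phone"),
        "IMSI": header.get("imsi"), "IMEI": header.get("imei"),
        "result": "accepted" if ok else "rejected"})
    return ok


def demo():
    """Constructed transfer request, then a copy with the amount altered in transit."""
    fields = {"tx_id": "TX-0001", "ts": "2013-06-01T10:00:00Z", "phone": "+1-868-555-0100",
              "imsi": "374120000000001", "imei": "350000000000001", "location": "Port of Spain"}
    body = {"op": "transfer", "to": "fisher-002", "amount": "50.00"}
    msg, log = sign_message("fisher-001", USER_KEYS["fisher-001"], fields, body), []
    genuine = verify_message(msg, log)
    tampered = json.loads(json.dumps(msg))  # deep copy, then modify the body
    tampered["body"]["amount"] = "5000.00"
    return genuine, verify_message(tampered, log), log
```

The signature binds the device identifiers in the header to the body, so a replayed body under a different IMEI or user fails verification just as a changed amount does.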

Page 25

Security Threats

• Spoofing: impersonating something or someone else

• Tampering: modifying data or code

• Repudiation: claiming not to have performed an action

• Information disclosure: exposing information to someone not authorized to see it

• Denial of service: denying or degrading service to users

• Elevation of privilege: gaining capabilities without proper authorization

Page 26

Master Program in Software Engineering and Information Technologies

Page 27

Key Aspects

• Professional Program
• CONACYT accreditation as PNPC Quality Program
• Strong relationships with the SEI (Software Engineering Institute), CMU (Carnegie Mellon University) and corporations such as Microsoft, IBM and Oracle (software licenses, keynote speakers, training and certifications)
• Latin American and Caribbean Collaborative ICT research program (International Projects, Short Stays)

Professional Certifications

• PSP (Personal Software Process) Developer Certification from the Software Engineering Institute
• Database and Applications Fundamentals Certificate from IBM

Page 28

MST Program

Full-time students can complete the program in 18 months.

Courses

• Software Analysis, Design and Construction
• Software Architecture
• Methodologies and Disciplines for Software Development
• Managing Software Development
• Software Testing and Quality Assurance
• Leadership for Business Innovation
• Project I, II, III (real-world project)
• Elective 1
• Elective 2

Page 29

Elective Courses

Select two courses:

• Software Engineering for the Cloud
• Software Development for Mobile Applications
• Computer Security
• Distributed Databases
• Parallel and Concurrent Programming
• Software Product Lines
• Advanced Topics in Computer Science

• Need more courses on Cybersecurity

Page 30

Plans

• Interdisciplinary collaboration
• Collaboration with other universities and companies
• MST students with CONACYT grants doing short stays in universities
• Cybersecurity education is a priority
– Students
– Community (social programs for kids & adults)
• Cybersecurity certifications
– Undergraduate
– Graduate
– Professionals
• Real projects
