Security Review – Mobile Banking in the Developing World

By cxlt at 1:00 am on March 12, 2009Comments Off on Security Review – Mobile Banking in the Developing World

mobile banking

One of the interesting topics brought up by Microsoft Research India during their Change talk last week was that of mobile banking in the developing world. Managing and distributing money can be a tricky proposition in the developing world – often, people end up entrusting their money to drivers to transfer around the city or country.

Mobile banking through cell phones has proven to be an extremely cost-effective way to avoid these kinds of headaches. Through both downloadable software and text message interfaces, it is possible to efficiently transfer and manage money without the existence of local branches to handle the transaction, with minimal fees and far less obvious physical risk. However, this method has resulted in its own set of idiosyncrasies that would not likely exist with similar systems elsewhere.

Afraid of doing something wrong, many people in these developing areas are reluctant to actually carry out their own banking. Thus, a whole class of middlemen have arisen specifically for mobile banking. People will bring their mobile phones into these middlemen’s stores and tell the store owners what they want done, and the middlemen will then go do it for them. This interesting use case leads to quite a few security implications.

Assets and Security Goals

  • Customers’ money is of course important. The reasons should be fairly obvious – we of course want to protect it from being stolen.
  • Customers’ financial records are also important – financial histories are private, with some exceptions, and they should stay that way. Knowing how much money someone has may put them at risk for a real-life robbery, for instance, or knowing their stock portfolio could cause other problems.

Adversaries and Threats

  • Malicious third parties who would like to steal the customers’ money, perhaps by listening to the airwaves, or physically stealing the phone. A lot can be done with just a few seconds with a phone given a text messaging interface.
  • The middlemen have an extraordinary amount of power given what they have been entrusted with by the end-users. And, since their clients won’t have it any other way, banks have been forced to actually work with these middlemen, including them in the system. A store owner could easily pull off an “Office Space” type scheme, stealing miniscule amounts of money from each customer.

Potential Weaknesses

  • Snooping on peoples’ wireless connections is difficult since the network provides some level of intrinsic security. We’re not experts on this subject, so it’s difficult for us to assess how feasible this approach is in reality.
  • Replay attacks are possible, especially if any actions are carried out via text message, and a malicious user manages to take over the phone physically, or duplicate/forge the SIM card.
  • Physical access is an imminent problem given the prevalence of these middlemen in transactions. Somehow, even with physical access by users other than the clients there needs to be security and accountability.

Potential Defenses

  • For snooping, simply use any of the well-established encryption protocols we discussed this quarter.
  • Replay attacks can be guarded against by confirming each action with a code that can only be used once.
  • The physical access problem is the most difficult problem to address – and the most interesting. Since third parties are allowed access to the system by the clients, it is difficult to enforce anything in the system if the third party is malicious. One way to defend against third party mischief would be to not carry any actions out immediately, but instead to queue them and then confirm them via text message with the client an indeterminate amount of time in the future, on the order of several hours. This way, hopefully clients will be forced to examine and acknowledge all actions away from the influence of the store owners. Malicious middlemen could counter this by requesting to keep the phone until the transaction is complete, but hopefully clients would grow suspicious of this request before long.

Mobile banking is something that hasn’t quite caught on here like it has in other places of the world. Not only is it useful for banking when branches aren’t nearby, the service has in some places, like Japan, evolved to include payments via cell phone rather than credit card, and other technology-enabled services which have security implications. Ultimately, a lot of these problems are already being worked on in the context of their low-tech equivalents (eg transmitting credit card information, etc), but as we can see with the rural banking case study, there can be a lot of unexpected usages which result in unexpected potential problems.

These unexpected issues are likely where we will see the most interesting security issues in the future.

Clint Tseng and Erik Turnquist

Filed under: Physical Security,Policy,Privacy,Security ReviewsComments Off on Security Review – Mobile Banking in the Developing World

Security Review: In-Eye Video Camera

By jimmy at 1:15 pm on March 9, 2009Comments Off on Security Review: In-Eye Video Camera

Rob Spence, a Canadian Filmmaker, is currently developing a prototype to equip his prosthetic eye with a built-in, wireless video camera.  The digital system, while not able to transmit information to his brain, will be able to route the signal through a series of increasingly large transmitters to a remote machine, which could potentially stream that data live on the internet.  As Spence explains, “If you lose your eye and have a hole in your head, then why not stick a camera in there?”
Spence hopes to be able to integrate this recorder seamlessly into his existing prosthetic eye, such that a casual observer would not be able to notice its presence (for a stunning picture of how realistic his current eye looks, and how small his current camera is, see the article linked at the bottom of this post).  He plans to have an on/off switch, so the recording feature can be stopped for private events, theater screenings, or bathroom trips.  Spence and his team are currently working to shrink all of the necessary components such that they are small enough and lightweight enough to fit within the space of an eye-socket, without weighing enough to cause disfigurement.

(Read on …)

Filed under: Ethics,Physical Security,Privacy,Security ReviewsComments Off on Security Review: In-Eye Video Camera

Current Events: UK Company Illegally Sold Worker Data

By jap24 at 8:43 pm on March 6, 2009Comments Off on Current Events: UK Company Illegally Sold Worker Data

According to an article at the Guardian, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act made it illegal to collect and distribute private information about individuals without telling them.  The Consulting Association aggregated information from the companies that subscribed to its services, and in return it gave them data on workers trying to get jobs.  The files kept by the Consulting Association included data on union activity and other private details.  Some workers in the British construction industry have claimed for years that companies have been blacklisting union activists, and one worker may have been blacklisted after filing an unfair dismissal case against an employer. This event represents a violation of privacy of employees, and an attempt to stifle organized labor.

(Read on …)

Filed under: Current Events,Ethics,PrivacyComments Off on Current Events: UK Company Illegally Sold Worker Data

Current Events: $9 million ATM scam

By elenau at 7:58 pm on February 13, 2009 | 6 Comments

 

The FBI is investigating an ATM scam that has occurred within a 30 minute period on November 8th. About 130 different ATM machines have been accessed to withdraw a total of about $9 million dollars. The scam hit 49 cities worldwide, including Moscow, Chicago, New York, Hong Kong and Montreal.

The FBI says that the operation was very well coordinated, and at this time no suspects have been identified.

The description of the attack follows. First, the computer system of the payment processing company called RBS WorldPay was hacked.

“One service of the company is the ability for employers to pay their employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM.”  The hacker was able to access the system and steal all the information needed to create the duplicates of the ATM cards. (Read on …)

Filed under: Current Events,Privacy6 Comments »

Current Event : Privacy is a joke

By kosh at 6:19 pm on | 3 Comments

How many of you have received letters from your banks about a ‘revised’ privacy policy? Have you even bothered to read through this revised policy information? And the .000001% percent of you that have, have you ever found anything objectionable and done anything about it?

Welcome to the new joke called ‘Privacy’. No, I’m not talking about the most intimate information that you already have on facebook (which by the way, facebook now owns and has the rights to share). I’m talking about the numerous merchants/banks/credit companies that you do business with but never really cared about what they do/could do with your information. When you read phrases like ‘shared with affiliates’ and ‘shared with third parties’, have you wondered what the difference between these two are? And besides, have you wondered why on earth, banks would need to share your information with other people in the first place?

Most of us Almost all of us never think twice about how our information is freely passed around(for money of course) in the open market for ‘agencies’ to analyze. Such information is then sold by VISA to other marketing companies for ‘market analysis’ and ad campaign management. I have a friend who works for VISA and he was able to pull up every purchase I’ve ever made on the credit card and all he needed was my credit card number which is easily available (how many of you shred your old credit cards?).

And guess what!!?? you have no control over who they share it with because well, first of all, you never really read their privacy document. Even if you read it when you got the credit card, you never really read it the numerous times that they sent you the revised privacy policy. Now again, to the .00001% that read the document every time, you have no control over how VISA decides who their affiliates/partners and third parties are.

Concerned yet? Privacy in the current state is nothing but a big joke.

The only viable solution seems to be a universal privacy declaration/document issued by the government that the companies can be held responsible to. As much as we all hate a big brother state, trusting a bunch of greedy banks/credit companies/vendors is much worse.

Filed under: Current Events,Privacy3 Comments »

Private information ***LIKE NEW***

By Frung at 2:29 am on | 3 Comments

Ever considered ‘recycling’ your computer without thoroughly wiping your hard drive first? Don’t. A recent study suggests that up to 40% of hard drives that end up on eBay and aren’t explicitly marked as erased may contain easily recoverable data from previous owners.

(Read on …)

Filed under: Current Events,Physical Security,Privacy3 Comments »

Current Event – Mexico Plans to Fingerprint Cell phone Users

By tchan at 6:43 pm on February 12, 2009 | 3 Comments

According to a recent article, Mexico plans to start fingerprinting all cell phone users. A new law will give Mexico cell phone providers a year to create a database with their customer’s information including fingerprints. Providers would also have to store information such as text and voice messages and logs of a customer for one year. Currently, anyone can purchase a prepaid cell phone with a certain amount of minutes without any identification. This would change as new and existing cell phone users would have to be fingerprinted and entered into a database that would allow officials to match cell phones and messages to a customer.
(Read on …)

Filed under: Current Events,Privacy3 Comments »

Current Event: California IDs to have biometrics? The DMV hopes so!

By Orion at 10:12 pm on February 6, 2009Comments Off on Current Event: California IDs to have biometrics? The DMV hopes so!

It seems that in addition to the recently released biometric IDs in the UK, the California Department of Motor Vehicles seems to have recently tried to set up biometric IDs as well. In an otherwise innocuous vendor contract, the DMV included a proposal to create a new governmental database containing facial and fingerprint data. This situation is apparently worsened in light of the fact that the California legislature has not looked highly upon biometrics in the past, so it seems the DMV may have been trying to bypass the legislature entirely.
(Read on …)

Filed under: Current Events,PrivacyComments Off on Current Event: California IDs to have biometrics? The DMV hopes so!

More on Electronic Medical Records

By jap24 at 9:05 pm on Comments Off on More on Electronic Medical Records

As mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database called Google Health.  Today, IBM and Google announced that they have made software to allow PDAs to upload information to health care databases such as Google Health.  Google Health centralizes medical records for its users, by storing records entered manually or aggregating data from other related medical databases; the individual users decide who is authorized to access their records.  The new software can allow doctors to update patient information more quickly, and facilitates information sharing between health care providers.  As well as the obvious applications for sharing information between health care providers, the Computerworld article on this technology suggests that the new software would allow authorized people to keep track of the health of an ill family member more easily, as the doctors add updates to the database more quickly.  From the article, it was not obvious whether or not the software would also allow mobile devices to download records from the databases.

(Read on …)

Filed under: Privacy,Security ReviewsComments Off on More on Electronic Medical Records

Security Review: .tel domain

By eyezac at 9:01 pm on | 1 Comment

According to New Scientist, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a “phonebook for the internet.” Users will only be able to register contact information, and this information will be accessible directly from DNS servers. In addition, Telnic has made available an API that can be used to extract and process this information. While this might make social networking as well as getting in contact with people easier than ever, it poses the possibility of some serious security risks.

(Read on …)

Filed under: Current Events,Privacy,Security Reviews1 Comment »
« Previous PageNext Page »