Mobile Money Services - Telecoms Risk Management

Transcription

1 Mobile Money Services - Telecoms Risk Management A Præsidium Business Consultancy White Paper February 2012

2 A Præsidium Business Consultancy White Paper 2 Table of Contents Introduction 3 Background 4 What will be offered and who owns the risk? 5 Will the area of risk change? 6 Types of Fraud & Security Attacks & CSP Requirements 7 Considerations for a Successful Risk Management Strategy 8 Summary 9

3 Introduction With the advancements in technology relating to a broad range of financial services that will eventually encompass a global demographic, this will provide an untapped resource for Communication Service Providers (CSPs). A recent survey highlighted there are more than 3 billion mobile phones against 1 billion bank accounts globally. This position therefore presents a tremendous opportunity for CSPs to incorporate Mobile Money (MM) services into their product portfolio ranging from; M-Commerce, M-Payments, M-Remittances and M-Banking. So what will be the implications for effective risk management to meet the challenges for delivering secure and revenue protected MM Services? Some of the answers to these questions will depend on; how the services are offered, the demographics of the target market and the risk appetite of the individual CSPs and their Partners. The types of risks and what will ultimately be required to respond to these new business challenges must be vigorously examined before product launch to understand the potential levels of exposure.

4 A Præsidium Business Consultancy White Paper 4 Background Mobile payments generally involve three key elements; mobile devices, a merchant and the financial sector provider or trusted third party (TTP). The TTP is normally an established entity accepted by all parties to a contractual agreement, deal, or transaction. The TTP, in most instances, has responsibility for authenticating and authorising users in order to secure a payment transaction. They will act as the intermediary for the settlement of payments and any issues arising once a transaction has been processed. For CSPs, MM is being seen as one of the solutions for offsetting the decline witnessed in the more traditional voice revenues. Organisations such as the TM Forum have stated that CSPs are looking to get more from high margin information and services, so M- payments are now very much on the agenda. Mobile payments already encompass a number of categories, including mobile bill payment, mobile point of sale, m-commerce and mobile contactless such as Near Field Communications (NFC). In a number of countries, especially Africa where the adoption of MM is already a lucrative alternative for increasing revenues, the customer has truly embraced the experience of using banking services. There have been a host of new entrants into this financial space looking to challenge the market position of the established players like PayPal and Google, as they realise the real potential for increased services and revenues and how they need to work with the telecommunication industry. There will be further increased competition as CSPs, web players and the financial sector battle for pole position in the mobile payments revenue chain. The consumer will be continuing to seek out these facilitators for providing feature rich services and will expect fraud and security resilience to be in place to protect them. There will also be the criminal element who will be seeking out the service vulnerabilities to exploit them for their own financial gain, whether this relates to physical device to device transactions or SMS transfer of funds. Personal and financial information will be targeted. In a number of countries, especially Africa where the adoption of MM is already a lucrative alternative for increasing revenues, the customer has truly embraced the experience of using banking services The criminal fraternity are innovative and forward thinking when deploying their attacks on MM services. Experience has already clearly demonstrated some high profile fraud and security breaches. The most talked about being that of SIM Swap fraud which has engulfed certain countries and resulted in extremely negative public relations. Consumers will not consider or care about the fraudster s methods, all consumers will remember is that it was the CSP s SIM card that facilitated the fraud to extract their funds. Fraudsters simply assessed the level of exposure to fraud and exploited the features by remaining focused in obtaining exactly what they wanted control over the bank account with the method for achieving this being the SIM card. CSPs must learn from these experiences and not become complacent or forget that these are highly organised fraudsters. They operate their own businesses with their business model spanning all types of technology and crossing international boundaries. They inherently rely on the CSP s inability to respond and recover to fraud and security breaches in a timely manner.

5 A Præsidium Business Consultancy White Paper 5 What will be offered and who owns the risk? The breadth of services available will vary, but the most commonly recognised areas will include: mobile payments, mobile commerce and mobile remittances and mobile banking. The range of activities can be further broken down to include basic bank account management conducted via information alerts to performing payment transactions and purchases via devices. The aspects of mobile payments can relate to specific goods or services from different points of sale, to performing remote payments via person to person transfer, with the mobile banking element in essence acting as the wallet. The latter will involve activities being conducted in-country and may extend across international boundaries where the applicable rules and laws relating to anti money laundering (AML) will need to be applied by the CSP. The controls of Know Your Customer (KYC) will also be relevant in this environment and make the necessity for true customer identity even more essential. Vendors, retailers, merchants, content providers, CSPs and banks are all actively establishing new services and schemes and for each aspect there will be a requirement to consider the risk and who has responsibility for protecting their specific part. The introduction of these new players will mean ownership and accountability for risk will need to be determined at each point in the service delivery mechanism. For example, if SMS is used as the delivery channel, SMS traffic will increase so the CSP s fraud team will need to fully understand SMS and be in a position to monitor user s profiles for signs of abuse. If USSD is used as the delivery mechanism, then sufficient protection will need to be developed around the platform and associated processes. Each area of technology and the associated processes must be assessed to carry the MM service, with risk protection considered from an end-to-end perspective. The aspects of mobile payments can relate to specific goods or services from different points of sale, to performing remote payments via person to person transfer, with the mobile banking element in essence acting as the wallet. NFC is emerging as a major enabler for items such as electronic money, ticketing, document transfer, configuration of terminals in different locations and even tracking movement. The technology is compatible with existing contactless payment terminals already installed at retail outlets worldwide and therefore is a very attractive proposition for CSPs. It will also attract the criminal element as it is open to social & technical security and fraud risks. There are situations now where chip-based passports are being targeted and attacked by criminal groups to steal identities. The software to do this is available on the web using the same radio frequency identification (RFID) technology as NFC.

6 Will the area of risk change? There will always be risks associated with providing MM services but there will be varying and different levels of risk. Questions will be asked over ownership and accountability of the risk. Should it be a concern for the mobile customer or will the merchant take responsibility? In addition, the consumer will need to be increasingly aware of the risks associated to using a mobile phone for payments, realising that now the real value of the phone increases as it uses these enriched services and becomes a more valuable commodity to fraudsters and hackers. Where consumers utilise the proposed full range of MM services, then in essence the mobile will replace the traditional wallet or purse and will need to be protected accordingly. Consumers will need to keep track of exactly where their phone is at all times and allow caution when visiting websites using the phone s browser, clicking on links, or responding to text messages. There must be trust and integrity of all transactions. MM solutions will encompass a range of devices and end to end services involving multiple entities who in some instances will be partnering for the first time. This will present some of the traditional risks facing Telcos as well as introducing new ones and will result in even more formation of strategic partnerships, and therefore, from a risk perspective, increased reliance on these third party providers. CSPs must consider the implications and requirements to enable them to minimize their exposure to fraud and security risks and for actually assuring their revenues associated to devices, applications, processes and different business models....the consumer will need to be increasingly aware of the risks associated to using a mobile phone for payments, realising that now the real value of the phone increases as it uses these enriched services and becomes a more valuable commodity to fraudsters and hackers. Essentially, when considering risks, this will mean different things to different parties depending on where they are within the service delivery chain. CSPs need to consider the existing fraud threats that can manifest themselves in the MM arena, for example, subscription fraud, revenue share fraud, account credits and adjustments. This means evaluating their existing fraud type exposure to determine which areas will be impacted and either increase, reduce or result in new fraud risks. For the Revenue Assurance (RA) professional, they will need to consider the new data sources, credit balance mismatching, failed/missing transactions, refund settlements, revenue share model and dispute management. Financial institutions have a relatively strong track record relating to effective security management, however, their knowledge and understanding of Telecoms systems and associated risk management is still in its infancy. Co-operation and education will be a fundamental requirement when considering both the security and fraud management coverage of a CSP s MM products and services portfolio. Developing coherent and effective revenue protection strategies will be essential.

7 A Præsidium Business Consultancy White Paper 7 Types of Fraud & Security Attacks & CSP Requirements So what can we expect to see? What type of attacks have already happened or are likely to manifest themselves as consumer uptake grows? Some of the risks will be evolutions of existing risk types, so applying old techniques to new products and services in the MM market. These will include risks related to: Fraudulent Customer Application applicant falsifies identity to obtain a credit card Account takeover - criminal gathers pertinent documents to take over an account Trojans & Viruses applications downloaded by SMS or via App stores used to steal information or run programs to defraud customers Lost and Stolen illegal use of a credit card Skimming data stored in a mobile is copied to another mobile Spoofing - cloning of sites or webpages from which orders can be placed False merchant sites - designed to get people to hand over their credit card details Snooping - Intercepting unencrypted or encrypted data (access to Key/PIN) Phishing illegal interception of personal details e.g. credit card numbers Cloning copying of electronic customer information on to another device or terminal Billboard Phishing - unique threat to NFC to capture data MiM (Man In The Middle) capturing data over the air during transfer Pretexting - Social engineering to perform an unauthorised transaction Internal Fraud Persistent risk among operators/financial institutions Partner Fraud additional third parties leading to potential risk When the value of the services offered in the lucrative MM market increases, it is certain that the level and amount of concerted attacks by criminal groups will increase. The fraudsters will gravitate to these offerings due to the anonymity and geographical freedom they can offer.

8 A Præsidium Business Consultancy White Paper 8 Considerations for a Successful Risk Management Strategy What defences can be defined? A through and logical review of what and how the MM service is put to market will be critical to its success. Just one or two well publicised breaches in security will cause significant damage to the adoption of the service. From a control perspective, there are several key areas that must be considered by CSPs before launching services. Service Offering & Management Customer Identification and Registration Processes Financial Deposits & Transaction Management Data Storage & Usability for Fraud Management Customer Terms & Conditions and Liabilities Potential Fraud Controls - prevention, monitoring, investigation, reporting, KPIs Product Design & Technology Integrator Initiatives controls, visibility of activities Technical Controls control validations Third party Interfaces Product Management pilot phase through to full delivery Security Considerations authentication certification (standards & testing) Customer Monitoring Internal Fraud Persistent risk among operators/financial institutions Partner Fraud additional third parties leading to potential risk

9 A Præsidium Business Consultancy White Paper 9 Summary While the opportunities for MM services are great, providing a new lucrative potential revenue stream for CSPs, the risks can be even greater. It s no longer just the cost of carrying a call, but real money. The battle against fraudsters will never be won due to the fast moving telecoms environment and the drive to launch more complex products and services quickly to attract market share and maintain that competitive edge. With effective risk management, strong mitigation can be put in place. Evaluating the effectiveness of planned controls & initiatives ranging from technical, people and process related perspectives is an essential starting block to launch the service. Praesidium is able to offer expert support by combining it s deep telecoms security expertise with a solid understanding of risk management and experience in MM for new technology, products and services offered by CSPs. It can provide the depth of knowledge to review the Mobile Money Service in place or being proposed from a risk and security perspective. This includes assessing the proposed solution s architectural design for technical controls and the secure delivery mechanisms of the service and interface to the bearers (e.g. IVR, SMS, WAP, Data, Internet, NFC, etc) used to convey the transaction. Evaluating the effectiveness of planned controls & initiatives ranging from technical, people and process related perspectives is an essential starting block to launch the service. Determining the required controls for securing the service points of measurement, reconciliation and reporting are the essential elements to maintain and grow a profitable MM service. Effective risk management relating to the envisaged changes and introduction of new risks can be a time consuming and overwhelming activity especially for those CSPs who are not yet mature, or do not have MM expertise in the development of fraud and security control and prevention strategies related to these services. Præsidium is able to support CSPs in this space, having served over 100 clientes worldwide to review, advise upon and implement fraud and security strategies, train risk management personnel, or deliver and optimise risk management solutions.

10 A Præsidium Business Consultancy White Paper 10 About Præsidium About WeDo Technologies Præsidium is a Global Business Assurance consultancy. Founded in 1997, the company has successfully provided risk management consultancy to more than 100 Communication Service Providers in over 80 countries on 6 continents. Præsidium has gained solid recognition in the market amongst its substantial customer base and among global standards agencies. These include the GSMA Security Group & Fraud Forum, the Telemanagement Forum and ETSI. Offices: United Kingdom Davidson House, Forbury Square, Reading, RG1 3EU, Tel: Fax: Portugal Edifício Picoas Plaza Rua do Viriato, 13E núcleo 6-4º andar Lisbon Tel: Fax: Brazil Torre Rio Sul, Rua Lauro Muller 116; 27º Andar Sala 2701 CEP: Botafogo Rio de Janeiro Tel: Fax: Spain Edifício Cuzco IV Paseo de la Castellana, 141 8ª planta Madrid Tel: Fax: Ireland Maple House,Temple Road, Blackrock, Co. Dublin Tel: (0) Fax: (0) On the Web General Information info@praesidium.com WeDo Technologies is the number one preferred supplier for revenue andbusiness assurance software and services. Present in 15 countries on 5 continents, with more than 100 innovative bluechip customers in more than 70 countries, the company has a solid and envious project management track record of being on-time and within budget while achieving superior customer satisfaction. Business Assurance RAID, WeDo Technologies flagship software suite covering Revenue Assurance, Fraud Management Business Processes Control has been implemented in a number of different industries where it has delivered significant business results and powerful return on investment. WeDo Technologies pioneered the telecom revenue assurance space in 2002 and is now breaking new ground in the enlarged business assurance arena in Telecom, while also servicing the Retail, Energy and Finance industries. Offices: Portugal _ Lisbon Portugal _ Braga Australia _ Sydney Brazil _ Rio Janeiro Brazil _ Florianopolis Chile _ Santiago Egypt _ Cairo France _ Paris Ireland _ Dublin Malaysia _ Kuala Lumpur Mexico _ Mexico City Panama _ Panama City Poland _ Poznan Poland _ Warsaw Singapore _ Singapore Spain _ Madrid Spain _ Barcelona UK _ Reading USA _ Chicago On the Web