Security Requirement of Mobile Application Based Mobile Payment System




Hyun-Jung Lee and Dongho Won

Information Security Group, School of Information and Communication Engineering, Sungkyunkwan University, 300 Cheoncheon-dong, Jangan-gu, Suwon, Gyeonggi-do 440-746, Korea
{hjlee, dhwon}@security.re.kr

ISI 2013, ASTL Vol. 25, pp. 312-316, 2013. SERSC 2013

Abstract. Once a method of payment has achieved widespread use, it will become the target of hackers and thieves. Consider the security dilemmas associated with one of the most popular methods of payment: credit cards. With all the security gaps inherent in credit cards, a mobile platform is even more vulnerable. Because a mobile platform has the added vulnerability of being a mini-computer, it can be targeted using techniques that are much less obvious than those associated with credit cards. This paper intends to derive the necessary security functions of a Mobile App-Based Mobile Payment System based on the Common Criteria V3.1.

Keywords: Mobile Payment System, Mobile Device, Protection Profile, Common Criteria, Security Requirement

1 Introduction

The mobile payment system uses the mobile device to eliminate the inconvenience of carrying a large number of cards. It is therefore expected that more banks and credit card companies will build mobile payment systems in the future. Due to the widespread availability of mobile phones and their extensive usage worldwide, it is a reasonable expectation that payment schemes involving a mobile phone will soon be a dominant force in electronic payments. At the same time, vulnerabilities in secure financial transactions can severely compromise the implementation and future success of mobile payment systems.

This paper is organized as follows: Section 2 analyzes the operation of the Mobile Application based Mobile Payment System. Section 3 identifies threats. Section 4 describes the security objectives of the Mobile Application based Mobile Payment System. Section 5 proposes security requirements for a Mobile Application based Mobile Payment System, applying a methodology based on CC V3.1. Lastly, Section 6 presents the conclusion.

Proceedings, The 2nd International Conference on Information Science for Industry

2 Mobile Payment System

Mobile payment is defined as: "Payment for products or services between two parties for which a mobile device, such as a mobile phone, plays a key role in the realization of the payment" [5]. Mobile payments can be categorized, based on the technology used, as one of two types: proximity or remote [5]. Among the remote mobile payment methods, this paper proposes the threats, security objectives and security requirements for the mobile application based mobile payment system (MPS). MPS is a way to perform a payment using the authentication information and card account information stored in the mobile application. Mobile device security is very important because the mobile device stores the user's card information, banking information, authentication information, etc. In addition, we must consider the problems that arise from the loss and theft of the mobile device.

3 Threats

This subsection of the security problem definition shows the threats that are to be countered by the MPS. A threat consists of a threat agent, an asset and an adverse action of that threat agent on that asset [1,2,3]. The specification of threats should include all threats detected up to now [4,5,6,7,8,9,10,11,12]; if it does not, the MPS may provide inadequate protection. In other words, if the specification of threats is insufficient, the assets may be exposed to an unacceptable level of risk. The threats for this paper are described in Table 1.

Table 1. Threat

Mobile App

| Threat | Description |
|---|---|
| T.Unauthorized User | The threat agent disguises itself as a legitimate user and can perform electronic financial transactions. |
| T.Guessing(1) | Authentication information can be inferred by using the feedback information of the authentication process. |
| T.Intercept | Mobile authentication data is intercepted when entered into a mobile device. |
| T.Leakage | The threat agent can seize important information (such as authentication information, card information) stored in the mobile device. |
| T.Guessing(2) | The threat agent can infer authentication information through an exhaustive attack on the authentication information. |
| T.disguise | The threat agent disguises itself as a financial institution and can seize the user's authentication information and card information. |
| T.Rooting | Rooting or jailbreaking makes the mobile device insecure. |
| T.Malware | The threat agent can infect the mobile application with malware or an unauthorized application. |
| T.Hijacking | The threat agent intercepts traffic (e.g. account data) transmitted over the air (OTA) between the phone and the Service Provider. |
| T.Modify | The threat agent modifies the financial transaction data and transmits the modified data to the Service Provider. |
| T.Stored Data | The threat agent can forge electronic financial transaction data stored in the financial institution. |
| T.Denial | You cannot deny the fact that the electronic financial transactions. |

4 Proposed Security Objective

Security objectives are concise, abstract statements of the intended solution to the problem defined by the security problem definition. The set of security objectives for an MPS forms a high-level solution to the security problem. This section identifies the security objectives for the MPS.

Table 2. Security Objective

| Security Objectives | Description |
|---|---|
| O.IA | Before executing the payment, the PSP should clearly authenticate and identify the mobile payment user. |
| O.FeedBack Protection | It must not be possible to guess the authentication information through the authentication failure handling mechanism. |
| O.Data Protect | Prevent confidential data (e.g. account data, card data) from compromise while processed or stored within the mobile device. |
| O.OTP | To be safe from exhaustive attack, a means should be provided to generate a different authentication password with dynamic characteristics each time. |
| O.Restrict | The number of authentication failures must be limited. |
| O.Auth | The mobile application has to confirm that the PSP is legitimate. |
| O.Detect Rooting | Provide the capability for the device to produce an alarm or warning if there is an attempt to root or jailbreak the device. |
| O.SecureStatus | Keep a secure status for protecting the mobile payment application (delete malware and unauthorized applications). |
| T.Secure Communication | Prevent account data from interception upon transmission out of the mobile device. |
| O.Integrity(1) | The PSP should be able to determine whether electronic financial transactions have been modified or forged. |
| O.Integrity(2) | The PSP should protect the saved data (electronic financial transaction data) from unauthorized exposure, alteration and removal. |
| O.Non-repudiation | The PSP should provide a means by which the fact of a legitimate electronic financial transaction cannot be denied. |
| O.Audit | A process should exist for the detection and reporting of the theft or loss of the mobile device. |

5 Security Functional Requirements

The security functional requirements substantiate the security objectives. Each security functional requirement must be related to one or more security objectives. These requirements are defined in CC Part 2, and the protection profile author just chooses and uses appropriate requirements. The security functional requirements for this paper are described in Table 3 [1,2,3].
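The sketch below is an added example, not code from the paper: it shows one way a PSP-side verifier could realise O.OTP, O.Restrict and O.FeedBack Protection against T.Guessing(1) and T.Guessing(2), which corresponds to the CC Part 2 components FIA_UAU.4, FIA_AFL.1 and FIA_UAU.7. It uses HOTP (RFC 4226) as the one-time password scheme; the class name, the failure limit of 5 and the look-ahead window are assumptions, since the paper prescribes none.

```python
import hashlib
import hmac
import struct

MAX_FAILURES = 5                           # assumed limit; the paper fixes no number
GENERIC_FAILURE = "authentication failed"  # identical text for every failure cause


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PaymentAuthenticator:
    """Hypothetical PSP-side verifier for one-time codes sent by the mobile app."""

    def __init__(self) -> None:
        self._users = {}  # user_id -> {"secret", "counter", "failures"}

    def enroll(self, user_id: str, secret: bytes) -> None:
        self._users[user_id] = {"secret": secret, "counter": 0, "failures": 0}

    def unlock(self, user_id: str) -> None:
        """Out-of-band reset after the user has been re-identified."""
        self._users[user_id]["failures"] = 0

    def verify(self, user_id: str, code: str, window: int = 2):
        user = self._users.get(user_id)
        # O.FeedBack Protection: unknown user, locked account and wrong code
        # all return the same message, so the reply does not help refine a guess.
        if user is None or user["failures"] >= MAX_FAILURES:
            return False, GENERIC_FAILURE
        for counter in range(user["counter"], user["counter"] + window + 1):
            expected = hotp(user["secret"], counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                # O.OTP: advance past the accepted counter so the code is single-use.
                user["counter"] = counter + 1
                user["failures"] = 0
                return True, "ok"
        # O.Restrict: count the failure; at MAX_FAILURES the account stays locked.
        user["failures"] += 1
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = PaymentAuthenticator()
    auth.enroll("alice", b"12345678901234567890")  # RFC 4226 test secret
    print(auth.verify("alice", "755224"))  # first code, counter 0
    print(auth.verify("alice", "755224"))  # replay of the same code
```

Only the returned message is made uniform here; response timing for unknown users is not equalised, and the lockout is cleared only through `unlock`.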

Table 3. Security Functional Requirements

| Functional class | Functional component |
|---|---|
| Security audit (FAU) | FAU_ARP.1, FAU_GEN.1, FAU_GEN.2, FAU_SAA.1, FAU_SAR.1, FAU_STG.1, FAU_STG.3, FAU_STG.4 |
| Communication (FCO) | FCO_NRO.2, FCO_NRR.2 |
| Cryptographic support (FCS) | FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.4, FCS_COP.1 |
| User data protection (FDP) | FDP_ACC.2, FDP_ACF.1, FDP_MDD_EXT.1, FDP_ITT.1, FDP_RIP.2, FDP_SDI.2 |
| Identification and authentication (FIA) | FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.3, FIA_UAU.4, FIA_UAU.7, FIA_UID.2 |
| Security management (FMT) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.2, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 |
| Protection of the TSF (FPT) | FPT_ITT.1, FPT_TST.1 |
| Anti-Malware (FAM) | FAM_DTM_EXT.1 |

6 Conclusions

This paper proposed security requirements which can be used as a request for proposal to procure a mobile payment system, as a guideline for developers building a secure mobile payment system, and as criteria with which evaluators can evaluate the completeness of a developed system. Thus, the Mobile Payment System was analyzed, a threat was modeled, and CC based security requirements were deduced. Moreover, the threat model and security requirements presented in this document can be applied to mobile cloud service environments.

Reference

1. Common Criteria, Common Criteria for Information Technology Security Evaluation; Part 1: Introduction and general model, Version 3.1 R1, CCMB-2006-09-001 (September 2006)
2. Common Criteria, Common Criteria for Information Technology Security Evaluation; Part 2: Security functional components, Version 3.1 R2, CCMB-2007-09-002 (September 2007)
3. Common Criteria, Common Criteria for Information Technology Security Evaluation; Part 3: Security assurance components, Version 3.1 R2, CCMB-2007-09-003 (September 2007)
4. Prabu Raju, Anil Gajwani, Prof. T.A. Gonsalves, Ch. Raja: Analysis of Mobile Infrastructure for Secure Mobile Payments, Mobile Payment Forum, India, March 2008
5. Ashok Goudar, Mobile Transactions and Payment Processing, White Paper, MPHASIS an HP Company
6. Security Requirements for Mobile Operating Systems V1.0, Information Assurance Directorate, 2013.1.25
7. PCI Mobile Payment Acceptance Security Guidelines V1.0, Emerging Technologies, PCI Security Standards Council, 2012.9
8. CSE-302 Mobile Payment, Dr. R. B. Patel
9. Collin Mulliner, Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones, 2009 International Conference on Availability, Reliability and Security
10. VISA, Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, 2012.6.13
11. Yan Liu, Security Proposal on Mobile Payment, 13ICCC (2013.9)
12. ISACA, Mobile Payment: Risk, Security and Assurance Issues, 2011.11