Security Requirement of Mobile Application Based Mobile Payment System Hyun-Jung Lee and Dongho Won Information Security Group, School of Information and Communication Engineering, Sungkyunkwan University, 300 Cheoncheon-dong, Jangan-gu, Suwon, Gyeonggi-do 440-746, Korea {hjlee, dhwon}@security.re.kr Abstract. Once a method of payment has achieved widespread use, it will become the target of hackers and thieves. Consider the security dilemmas associated with one of the most popular methods of payment: credit cards. With all the security gaps inherent in credit cards, a mobile platform is even more vulnerable still. Because a mobile platform has the added vulnerability of being a mini-computer, it can be targeted using techniques that are much less obvious than those associated with credit cards. This paper intends to derive necessary security functions of a Mobile App-Based Mobile Payment System based on the Common Criteria V3.1. Keywords: Mobile Payment System, Mobile Device, Protection Profile, Common Criteria, Security Requirement 1 Introduction The mobile payment system eliminates the inconvenience of possessing a large number of cards using the mobile device. Therefore it is expected that more banks and credit card companies will construct mobile payment system in the future. Due to the widespread availability of mobile phones and their extensive usage worldwide, it is a reasonable expectation that payment schemes involving a mobile phone will soon be a dominate force in electronic payments. At the same time, vulnerabilities in secure financial transactions can severely compromise the implementation and future success of mobile payment systems. This paper is organized as follows: Section 2 analyzes the operation of the Mobile Application based Mobile Payment System. Section 3 identifies threats. Section 4 describes security objectives of Mobile Application based Mobile Payment System. Section 5 proposes security requirements of a Mobile Application based Mobile Payment System which applies a methodology based on CC V3.1. And lastly, Section 6 presents the conclusion. ISI 2013, ASTL Vol. 25, pp. 312-316, 2013 SERSC 2013 312
Proceedings, The 2nd International Conference on Information Science for Industry 2 Mobile Payment System Mobile payment is defined as: Payment for products or services between two parties for which a mobile device, such as a mobile phone, plays a key role in the realization of the payment[5]. Mobile payments can be categorized based on the technology used as either one of two types proximity or remote[5]. This paper proposes the threat, security object and security requirement about Mobile application based mobile payment system (MPS) of all remote mobile Payment way. MPS is a way to perform a payment using the Authentication information and Card account information stored in the mobile application. Mobile device security is very important because mobile device store the user's card information, banking information, authentication information, etc. In Addition, We must consider problem that the loss and deodorization of mobile device arise in. 3 Threats This subsection of the security problem definition shows the threats that are to be countered by the MPS. A threat consist of a threat agent, an asset and an adverse action of that threat agent on that asset[1,2,3]. The specification of threats should include all threats detected up to now[4,5,6,7,8,9,10,11,12], if it is not done the MPS may provide inadequate protection. In other words, if the specification of threats is insufficiency, the assets may be exposed to an unacceptable level of risk. The Threats for this paper are described in Table I. Mobile App T.Unauthorized User T.Guessing(1) T.Intercept T.Leakage T.Guessing(2) T.disguise T.Rooting T.Malware T.Hijacking T.Modify T.Stored Data T.Denail Table 1. Threat Threat The threat agent disguised as a legitimate user, and electronic financial transactions can be performed. Authentication information can be inferred by using the feedback information of the authentication process. Mobile Authentication data is intercepted when entered into a mobile device. The threat agents can seize the important information (such as authentication information, card information) is stored in the Mobile device. The threat agent can be inferred authentication information through the exhaustive attack about authentication information. The threat agents disguised as financial institutions and can seize the user's authentication information and card information. Root or jail-break makes the mobile device insecurely. Threat can infect the mobile application with malware or unauthorized application. Threats intercept traffic (e.g. account data) over the air (OTA) transmitted between phone and Service Provider. The threat agent modifies the financial transactions data And transmits the modified data to the Service Provider. The threat agents can forge electronic financial transactions data that stored in the financial institutions. You cannot deny the fact that the electronic financial transactions. 313
Security Requirement of Mobile Application Based Mobile Payment System 4 Proposed Security Objective Security objectives are concise, abstract statements of the intended solution to the problem defined by the security problem definition. The set of security objectives for a MPS form a high-level solution to the security problem. This section identifies the security objectives for the MPS. Table 2. Security Objective Security Objectives O.IA O.FeedBack Protection O.Data Protect O.OTP O.Restrict O.Auth O.Detect Rooting O.SecureStatus T.Secure Communication O.Integrity(1) O.Integrity(2) O.Non-repudiation O.Audit Description Before executing the payment, PSP should clearly authenticate and identify the mobile payment user. Must not be able to guess the authentication information through Authentication failure handling mechanism. Prevent Confidential data (e.g. account data, card data) from compromise while processed or stored within the mobile device. To be Safe from exhaustive attack Should provide a means to generate a different password authentication with dynamic characteristics each time. Must limit the number of authentication failure. Mobile Application has to confirm that PSP are legitimate. Provide the capability for the device to produce an alarm or warning if there is an attempt to root or jail-break the device; Keep a secure status for protecting mobile payment application.(delete the malware and unauthorized application) Prevent account data from interception upon transmission out of the mobile device. The PSP should be able to determine whether the modification and forgery of electronic financial transactions. PSP should protect the saved data (electronic financial transaction data) from unauthorized exposure, alteration and removal. The PSP should provide a means that cannot deny the fact that a legitimate electronic financial transaction. A process should exist for the detection and reporting of the theft or loss of the mobile device. 5 Security Functional Requirements The Security functional requirements substantiate the security objectives. Each security functional requirement must be related to one or more security objectives. These requirements are defined in CC part 2, and protection profile author just chooses and uses appropriate requirements. The security functional requirements for this paper are described in Table III[1,2,3]. 314
Proceedings, The 2nd International Conference on Information Science for Industry Table 3. Security Functional Requirements Functional class Security audit (FAU) Communication(FCO) Cryptographic support(fcs) User data protection (FDP) Identification and authentication (FIA) Security management (FMT) Protection of the TSF(FPT) Anti-Malware(FAM) Functional component FAU_ARP.1, FAU_GEN.1, FAU_GEN.2, FAU_SAA.1, FAU_SAR.1, FAU_STG.1, FAU_STG.3, FAU_STG.4 FCO_NRO.2, FCO_NRR.2 FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.4, FCS_COP.1 FDP_ACC.2, FDP_ACF.1, FDP_MDD_EXT.1, FDP_ITT.1, FDP_RIP.2, FDP_SDI.2 FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.3, FIA_UAU.4, FIA_UAU.7, FIA_UID.2 FMT_MOF.1, FMT_MSA.1, FMT_MSA.2, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 FPT_ITT.1, FPT_TST.1 FAM_DTM_EXT.1 6 Conclusions This paper proposed security requirements which can be used as a request for a proposal to procure an mobile Payment system, a guideline for developers a secure Mobile Payment system and criteria with evaluators can evaluate the completeness of a developed system. Thus, the Mobile Payment System was analyzed, a threat was modeled, and CC based security requirements were deduced. Moreover, the threat model and security requirements presented in this document can be applied to mobile cloud service environments. Reference 1. Common Criteria, Common Criteria for Information Technology Security Evaluation; part 1: Introduction and general model, Version 3.1 R1, CCMB-2006-09-001(September 2006) 2. Common Criteria, Common Criteria for Information Technology Security Evaluation; part 2: Security functional components, Version 3.1 R2, CCMB-2007-09-002(September 2007) 3. Common Criteria, Common Criteria for Information Technology Security Evaluation; part 3: Security assurance components, Version 3.1 R2, CCMB-2007-09-003(September 2007) 4. Prabu Raju, Anil Gajwani, Prof. T.A. Gonsalves, Ch.Raja: Analysis of Mobile Infrastructure for Secure Mobile Payments, Mobile Payment Forum, India March 2008 5. Ashok Goudar, Mobile Transections and Payment Processing White Paper, MPHASIS an HP Company 6. Security Requirements for Mobile Operating Systems V1.0, Information Assurance Directorate, 2013.1.25 7. PCI Mobile Payment Acceptance Security Guidelines V1.0, Emerging Technologies PCI security Standards Council, 2012.9 8. CSE-302 Mobile Payment, Dr. R. B. Patel 315
Security Requirement of Mobile Application Based Mobile Payment System 9. CollinMulliner, Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones, 2009 International Conference on Availability, Reliability and Security 10. VISA, Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, 2012.6.13 11. Yan Liu, Security Proposal on mobile Payment, 13ICCC(2013.9) 12. ISACA, Mobile Paymnet:Risk, Security and Assurance Issues, 2011.11 316