A cat and mouse game: The future security of mobile money

There has been a lot of discussion recently about the human face of mobile banking and its security problems. Erin Taylor recently wrote about Bill Maurer's USAID webinar discussing how anthropological insight is changing the way we see common social engineering based security risks, so Erin asked me for my input from a technical security standpoint.

The question Erin posed to me was, "With respect to hijacking/hacking mobile phone networks, I'm wondering if it can be done practically?" My response was the question shouldn't be considered a matter of "if", but rather "when", and in actual fact, it has already been done.

The fact of the matter is over-the-air (OTA) communications security, as currently deployed, is flawed by design.  The encryption methods employed can be easily broken, leaving the potential for fraudulent exploitation of mobile money systems wide open.

Now, I want to highlight something here with which to frame the remainder of this discussion. Whether exploitation of a system is or is not currently possible/practical that has no bearing on what will become possible/practical in the future.  As new research and technology comes to the fore, so does the real likelihood that the impossible/impractical will become possible in a practical sense.  

An interesting example of this was evidenced when, in 2006, renowned security expert Bruce Schneier hypothesised that Skype calls are nearly impossible for even the NSA to intercept.

Yet by 2010, this was no longer a valid argument because the Skype network had succumbed to practical exploit.[1] Given how long it takes for changes to filter through global mobile networks, the fact that people have such high levels of confidence in security should be of great concern.

Security of mobile money systems

Most of the discussion I have seen about mobile money security has focused on physical handset security and fraudulent end-user manipulation (social engineering attack vectors).

Personally, what troubles me is the security of the "digital system" as a whole, both communications and back-end infrastructure; or in simpler terms, the encryption between the phone handset and the mobile operator, as well as the databases and software systems that hold the customer's mobile money information and make transactions possible.

The root problem, as I see it, is two-fold. Firstly, there is no such thing as a totally secure system: just look at recent attacks on Google, the;CIA,[2] FBINATO and RSA Security, the latter having been achieved trivially and with potentially frightening consequences. These organisations, and a host of others, recently have had sensitive data boundaries breached by either adversaries, or groups of hackers apparently just looking to cause havoc for their own entertainment.

One would think it reasonable to assume that the organisations I mention above have a far greater interest in protecting their information assets than most, yet they were unable to guarantee their own information security. Ponder that fact and its implications for just a minute.

Secondly, and most importantly, where there is a system for distribution of significant exchangeable value, there will likely be organised crime groups looking to capitalise on weaknesses in that system.  Organised crime syndicates can afford to find and employ the best. They have time as an asset; they have no shareholders to answer to, yet they have the potential to yield large rewards for their efforts with very little capital outlay in relative terms.

With mobile money set to be a multi-billion dollar per year industry, simply finding ways to trim a few cents off a few million transactions per day would be immensely profitable and therefore an attractive target.

The balancing act

What is ultimately left, with respect to protecting the digital security of these networks, is the hope of owners and operators of these networks that the flaws are not known, and that attackers are unlikely to find them.  This is what is known as "security through obscurity."

Over the years in my capacity as an information technology architect, I have constantly warned clients about the inherent dangers of assuming that either "we're not big enough to receive that sort of attention, therefore it won't happen to us," or "if it looks hard to get into, it's safe" attitudes.

These are examples of the concept of security through obscurity.  It is not an uncommon approach for people to use, as I've found with a number of anthropologists in the field. Many have given examples of how they will carry some small valueless items in an obvious place about their person, but hide their actual valuables on their bodies in an obscure location. The theory is that if they are accosted by a thief, they will simply hand over the "obvious," thereby satisfying the thief's goal, but all the while preserving their own physical and material safety.

Of course this approach quickly falls apart if the thief is more sophisticated and anticipates the obscurity.

Management in many organisations often fall victim to this thinking as well.  They tend to assume that spending an extra few percent on doing the security properly isn't worth the risk, yet when that security is ultimately broken the costs to the business can be significant both in real dollars as well as goodwill. It is often seen as a necessary budgetary balancing act.

This approach might be fine if you're eBay and your clients are generally savvy enough to understand the risks, know you're insured and that they will ultimately not be left empty handed. But clients in developing countries are often poor, have very little understanding of technology, and even less ability to seek assistance or compensation if they are victims of fraud.

These clients arguably need mobile money the most, but they could be the fastest to abandon it when problems arise. We need to address these security issues now to ensure that technology that underpins mobile money remains available to - and viable for - the world’s most vulnerable people.

Cat versus mouse

Mobile systems security needs to be approached as a "cat and mouse game," one where mobile technology developers are analogous to the mouse, organised criminals the cat. As new and improved mobile security technology is developed the mouse will have a chance to run away from the cat; however, over time the cat will start to learn the mouse’s new tricks, meaning advantage and safety will be lost.

If prior to this point the mouse becomes innovative and develops a new strategy (stronger/better encryption, etc), he can attempt to ensure his continued safety. Of course any individual mouse is only so smart; his brain is much smaller that that of the cat, but if he employs the collective intelligence of the mouse community, that innovation can happen faster and with presumably fewer errors designed into those new strategies.

Electronic communications underpin modern societies. They should be considered a public good and not a for-profitable-advantage, much in the same way as the US Postal Service of old. Upgrade and expansion of the postal system was not of concern to the consumers of the system; it was guaranteed under the constitution as it was understood that the ability to communicate information held an intangible value that aided economic and social growth.

In my opinion the cat and mouse metaphor needs to be taken more seriously by the companies that develop mobile technologies, economists and policy makers when it comes to designing, funding and regulating.

Much like the Internet, open and inclusive development of mobile security will serve to encourage best of breed security innovation solutions. The standards that define the underlying technologies of mobile networks need to be further decoupled from the economics of the network’s profitability.  The benefit of this approach would be a safer, more secure and attractive platform for mobile banking providers and users.

Unfortunately, with the current model, business continually fail to provide these innovations due to the profit model they apply. I personally feel this is a misguided and out-of-date approach. A better approach is demonstrated in the recent series of articles, "Five Business Case Insights on Mobile Money".

In the final article entitled "Can mobile money be ‘free’?", CGAP looks at how the value chain can be redefined so that strategic full-subsidisation of certain aspects of the product can make overall ventures more profitable in the mobile space.

Schrödinger's cat

The practicality of this debate bears resemblance to Erwin Schrödinger famous thought experiment about a cat in a box.  It could be said that the reality of this problem depends on the observer and that neither side is wrong.  That is, a business manager, economist or policy maker may observe the value proposition one way, i.e. the cat is alive (the threat isn’t real), however, security professionals and consumers might observe the same data from a different angle and perceive that the cat is dead (the threat is very much a reality).

What is needed here is a way to continually develop and deploy new safeguards on existing mobile networks in a cost effective manner, so that these improvements can continue to percolate down the chain to the mobile infrastructure of developing economies.  

Mobile network operators should focus on joint development of systems and software in the open, standards should be set and adopted based on engineering merit rather than commercial one-upmanship; security professionals and academics must be given unfettered access to independently review proposed systems for weaknesses and their criticisms acted upon bearing in mind my point of present versus future practicality, and most importantly, policy makers and economists should encourage this openness.

[1] Skype is a VoIP system and not a mobile one.  However what I am trying to highlight here is the general approach to security of information systems.

[2] The CIA breach was only a website, but the fact still remains that it is theirs to protect, and they should be better equipped than most to do that.