Mo(bile) Money, Mo(bile) Problems

Mobile money, also known as branchless banking, leverages ubiquitous cellular networks to bring much-needed financial services to the unbanked in the developing world. These services are often deployed as smartphone apps, and although marketed as secure, these applications are often not regulated as strictly as traditional banks, leaving doubt about the truth of such claims. In this article, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers from 2015. We then perform a comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive vulnerabilities spanning botched certificate validation, do-it-yourself cryptography, and other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions, and steal financial records. These findings show that the majority of these apps fail to provide the protections needed by financial services. In an expanded re-evaluation one year later, we find that these systems have only marginally improved their security. Additionally, we document our experiences working in this sector for future researchers and provide recommendations to improve the security of this critical ecosystem. Finally, through inspection of providers' terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.
