Security of Mobile Banking
Rondebosch 7701
In the past decade, the number of online banking users has increased rapidly. This has led developers to investigate more convenient methods for bank customers to perform financial transactions, which in turn has resulted in the introduction of mobile banking. Mobile banking is a new and convenient scheme for customers to perform banking transactions across nations without location boundaries. The usage of mobile banking is predicted to increase as the number of cellular phone users grows, and mobile usage is foreseen to revolutionize payment
The security architecture of cellular networks is not entirely secure. As described in [2], the GSM (Global System for Mobile communication) network infrastructure was shown to be insecure: many possible attacks have been discovered and protective measures were not considered, so sending sensitive banking information across an open mobile phone network is insecure.
In this project, we propose to investigate the security issues of mobile banking over the cellular phone network (GSM). The goal is to build portable device applications that ensure users can securely send their banking information via the mobile network.
Our objective for this project is to investigate security issues at each level of the mobile network architecture. At each level we intend to investigate how messages and signals are sent from the user's cellular phone to the mobile network (the overall security architecture of the mobile network, message encryption) and on to the bank server. We will inspect the security flaws within cellular networks and the current international standards and practices for mobile banking, and we will examine some existing security protocols for mobile transactions. Details are discussed in section 3.2.
We will investigate the current security of SMS banking and GPRS banking. For each solution, we will focus on its economic advantages and disadvantages and its end-to-end security
Secure protocol applications using SMS/GPRS will be developed to simulate protected mobile banking procedures.
The initial idea of mobile transactions is to provide a convenient and cost-effective way for customers to pay and perform banking transactions. The mobile banking (m-banking) service is a modified version of internet banking using cellular technology and the GSM network as a
The mobile transaction architecture consists of three main components, i.e. the user, the device and the mobile transaction provider [1]. The user is the client who is requesting the service, the device is the mobile device which connects the client and the service provider through the wireless network, and the mobile transaction provider could be a cellular operator, a bank or a combination of both [1]. Figure 1 below outlines the modular architecture of
, the user sends his/her unique identification information to the server via the cellular network for verification. The identification component can consist of the user's
, the service provider should authenticate the transaction from users via an
, the transaction is performed on the service provider side. The service provider has the responsibility to ensure the requested transaction is performed under a secure
In 2005, South African First National Bank (FNB) launched a new service for its customers to perform banking transactions from any location in South Africa. Customers use mobile phones to send banking requests via SMS (short message service) to the banking server. FNB mobile banking allows customers to purchase cellular phone airtime, check account balances, get bank statements, transfer money to other accounts, etc. The service is initiated by the customer providing a banking instruction by sending a keyword to a specific number, followed by the customer dialing a specific string with a PIN (Personal Identification Number, selected during the registration process) appended to identify the cellular phone user. Once the PIN is authenticated for the phone number, the bank replies with the requested output; for full instructions, refer to [3]. This is a convenient method for customers to do banking, as the user does not need to travel to a physical location to interact with a bank teller, and this service
GPRS-based mobile banking is fairly new in South Africa, with most leading banks offering the service. According to Paul Vecchiatto and Tracy Burrows of ITalk, Investec Private Bank and Absa are offering mobile banking over GPRS [8]. Standard Bank has a similar offering; it provides cell phone internet banking over GPRS and EDGE technology, and its cell phone banking options use HTTPS (SSL) with 128-bit encryption.
FNB launched a WAP (mobile Internet) banking offering a few years ago, but very few FNB customers used the service; for this reason the CEO of FNB Mobile and Transact Services says that the bank is focusing more on making cell phone banking available to all its customers, on any phone, on any network, using its current menu- and SMS-based cell phone banking offering [8].
Regarded as one of the most innovative banks in the world, Investec Private Bank, a division of the international specialist banking group Investec plc (INP, INL), is now introducing a capability that will enable clients to manage their finances anywhere, anytime, from a secure platform [7]. Investec Private Bank introduced mobile banking in March 2006; its mobile banking service is based on its web banking service. Investecmobile uses GPRS, EDGE and 3G technology. Investecmobile advertises a multilayered security approach and its application to cellular phone technology, as well as the detective and preventative security measures implemented to achieve a secure channel between the mobile station and the bank.
[5] indicates that the GSM network does not provide important security facilities such as authentication, end-to-end security, non-repudiation and anonymity. In the GSM network, mobile SMS text content is sent in clear text or in a breakable encrypted format [2], which consequently makes sensitive text messages sent across the cellular network insecure. This vulnerability enables an attacker with the right equipment to eavesdrop on the information being sent; therefore a better SMS communication protocol is needed to transmit text data between
Ratshinanga [5] suggests establishing an encrypted protocol connection using public keys and session keys between client and server. The client initiates the connection by sending its username and a salt number (see footnote 1), encrypted using the server's public key, to the server. When the server receives the client's message it is decrypted using the server's private key. The server retrieves the salt number and username from the received message and retrieves the corresponding user PIN from the database; the server can then calculate a session key for the client by using hash functions. Once the session key is calculated, the server replies and establishes the connection with the client. The client can calculate the session key in parallel, once the client receives a reply from
The session key is generated independently by each side by hashing the username, salt number and the shared PIN number. Attackers cannot generate the session key without knowing the PIN for the specified username. The salt value makes session key generation more secure: as the salt number is 128 bits long [5], it increases the difficulty for an attacker to break the session key. To prevent replays, a SQ (sequence number) is used. This number is incremented by one each time a message reaches the destination. The client or the server can check whether SQ has been incremented by one; if not, the
This protocol creates a secure communication channel between client and server via SMS. It ensures confidentiality and integrity of SMS communication [5]; however, the encryption and key generation cause the protocol to operate very slowly, which makes it inefficient.
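The session-key derivation and the sequence-number replay check described above, as an added example written for this proposal and not code from [5]. It assumes SHA-256 as the hash function, an HMAC under the session key as the integrity mechanism, a constructed user database with the sample PIN "4711", and that the initial username-and-salt message has already been delivered under the server's public key (that transport step is not modelled). It walks through a legitimate request and reply, a replayed request, and a forged message from an eavesdropper who knows the username and salt but not the PIN.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample registration data: the server's copy of each user's PIN.
USER_DB = {"alice": "4711"}


def derive_session_key(username: str, salt: bytes, pin: str) -> bytes:
    """Session key = H(username || salt || PIN), computed independently by
    client and server.  [5] only says "hash functions"; SHA-256 is this
    example's assumption."""
    h = hashlib.sha256()
    h.update(username.encode("utf-8"))
    h.update(salt)
    h.update(pin.encode("utf-8"))
    return h.digest()


def tag_message(key: bytes, sq: int, payload: bytes) -> bytes:
    """HMAC over the sequence number and payload under the session key, so a
    message cannot be altered or re-numbered without the key (integrity
    mechanism assumed by this example)."""
    return hmac.new(key, sq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def client_hello(username: str, pin: str) -> tuple[str, bytes, bytes]:
    """Client side of the handshake: pick a 128-bit salt as in [5] and derive
    the session key.  In [5] the username and salt travel to the server
    encrypted under the server's public key; that step is assumed to have
    happened already and is not modelled here."""
    salt = os.urandom(16)
    return username, salt, derive_session_key(username, salt, pin)


def server_accept(username: str, salt: bytes) -> bytes:
    """Server side: look up the PIN registered for the username and derive
    the same session key from the received salt."""
    return derive_session_key(username, salt, USER_DB[username])


@dataclass
class Party:
    """One end of the channel: holds the session key and the last SQ seen.
    Both ends share one counter, so every accepted message advances it."""
    name: str
    key: bytes
    last_sq: int = 0

    def build(self, payload: bytes) -> tuple[int, bytes, bytes]:
        self.last_sq += 1
        return self.last_sq, payload, tag_message(self.key, self.last_sq, payload)

    def accept(self, sq: int, payload: bytes, tag: bytes) -> bool:
        # Replay check from [5]: SQ must be exactly one more than the last
        # message seen; a replayed or reordered message fails here.
        if sq != self.last_sq + 1:
            return False
        # Integrity check: recompute the tag and compare in constant time.
        if not hmac.compare_digest(tag, tag_message(self.key, sq, payload)):
            return False
        self.last_sq = sq
        return True


def run_demo() -> dict:
    """Walk through one session and return what each check decided."""
    username, salt, client_key = client_hello("alice", "4711")
    server_key = server_accept(username, salt)
    client = Party("client", client_key)
    server = Party("server", server_key)

    # Legitimate request (SQ=1) and reply (SQ=2); constructed payloads.
    sq, payload, tag = client.build(b"BALANCE")
    request_ok = server.accept(sq, payload, tag)
    sq2, reply, tag2 = server.build(b"BALANCE=R1200.00")
    reply_ok = client.accept(sq2, reply, tag2)

    # Replay of the captured request: SQ=1 again, so the server rejects it.
    replay_ok = server.accept(sq, payload, tag)

    # Eavesdropper who saw username and salt but guesses the PIN wrongly
    # derives a different key, so a freshly numbered forgery fails the MAC.
    attacker_key = derive_session_key(username, salt, "0000")
    attacker = Party("attacker", attacker_key, last_sq=server.last_sq)
    fsq, fpayload, ftag = attacker.build(b"TRANSFER 1000")
    forged_ok = server.accept(fsq, fpayload, ftag)

    return {
        "keys_match": client_key == server_key,
        "attacker_key_differs": attacker_key != server_key,
        "request_ok": request_ok,
        "reply_ok": reply_ok,
        "replay_ok": replay_ok,
        "forged_ok": forged_ok,
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The shared counter is what makes the replay check work: because the server's last accepted SQ was advanced by the genuine request, the identical message arrives with a stale number and is dropped before its tag is even examined, while a message with a fresh number but the wrong key is dropped by the tag comparison.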
Fundamo is a company which provides mobile applications and business solutions for corporations that intend to offer mobile transaction services. Fundamo builds applications for
1 Salt is an initialization vector of a block cipher. Often specifically salt is an initialization vector used to
In August 2005, Standard Bank and Fundamo agreed on a joint venture with MTN to introduce a new banking service that allows customers to access their accounts via their cellular handsets [6]. This service offers SMS alerts, Person-to-Person alert payment, fund transfers, bill payments, etc. Fundamo uses three layers of security to achieve protection against fraud. It requires the user's SIM (Subscriber Identity Module) in the user's mobile phone, a PIN (selected by the user) and the user's voice print [6]. The transaction is tied to these three security means: the customer's request is only granted when the user is authenticated. The three layers of security provide a unique protection mechanism: the SIM card serves as a physical security key, the PIN as password security, and the voice print verification acts as biometric security.
The outcome of the project in the software section will comprise three main parts, i.e.
The subset of banking services will encompass some of the banking services that exist in current architectures like SMS banking or ATM banking. Some of these banking services include balance enquiries and money transfers between two different accounts. The final implementation of the banking services will follow the architecture illustrated in figure 2 below. Instead of updating real bank servers we will implement a simulated banking server which we can test against. We intend to implement the banking services to communicate over both GPRS and SMS connections.
Figure 3 below illustrates a basic banking GPRS protocol. Our secure banking protocol will build
on this protocol.
[Figure 3 labels: WAP application, GPRS, Bank Server]
Figure 4 above shows the layers of mobile banking using SMS as the communication protocol:
o is the application layer through which the user interface interacts with the bank server.
o layer provides a secure communication channel using SMS messages to
o is the cell phone specification that is specified by the mobile phone manufacturer.
o layer is specified by the GSM network; this layer transmits SMS messages across the mobile network using SM-RP (Short Message Relay
o is the bank server which authenticates users and accepts the user's banking
Some of the noteworthy features of our mobile banking solution will include:
o Session handling
o Key management
o Encryption algorithms
o End-to-end architecture
o The GPRS solution should be accessible through a number of transaction channels, i.e. it should be
o Any security implementation on the bank server should have a plug-in option into existing bank servers.
[Figure labels: WAP application, GPRS, Bank Server]
We plan to investigate the different security protocols offered by the various solutions and their underlying technologies; from this research we are determined to produce a thorough paper on these security protocols and their underlying security, detailing their strengths and weaknesses. We intend to analyze and explore the transactions at every link from the cell phone to the bank server and back. Our research will comprise an analysis of the encryption algorithms used, the density (number of users) of base towers, and a risk analysis of security vs. reward at each stage. We also intend to investigate international practices and how they relate to the South African context.
A large section of our research will involve investigating the possible alternatives to SMS banking, and how security objectives such as confidentiality and integrity can be achieved using these alternatives.
From the project we expect to produce a complete secure protocol for mobile banking which will cater for all network security requirements, i.e. authentication, non-repudiation, authorization, availability, integrity, confidentiality and access control. Depending on the weaknesses of existing protocols, we expect to produce attacks that reveal flaws in existing mobile banking protocols.
Appendix A has a detailed Gantt chart with the start date, end date and duration for each task.
o GSM modem
o Collaboration with banks with existing solutions like FNB and Standard Bank.
12 Implementation running: October 19
20 Project demonstrations to supervisors
o Implement a user interface to interact with the mobile bank server through GPRS
o Implement a mobile phone application that has a user interface and uses the SMS protocol.
o Research the current architecture of the mobile network, i.e. the GSM network (mainly focusing on
o Design and build an architecture model for mobile banking (secure banking transactions using mobile phones)
o Compare results and discuss the efficiency, cost factor, advantages and disadvantages of each solution
o Design poster
o Design webpage
[1] Herzberg, A. 2003. Payments and banking with mobile personal devices. Communications of the ACM, Volume 46, Issue 5 (May 2003), Wireless networking.
[2] Lord, S. 2003. Trouble at Telco: When GSM Goes Bad. Network Security, Issue 1, pp. 10-12.
[3] First National Bank. Cell phone banking instructions. (Online) https://www.fnb.co.za/personal/transact/accessyouraccounts/cellHowDoI.html
ITWeb. 2005. (Online) http://www.itweb.co.za/sections/business/2005/0503101110.asp?S=Telecoms&A=TEL&O=FRGN
[5] Ratshinanga. (Online) http://polelo.cs.up.ac.za/papers/SecureSMS.pdf
[6] Fundamo. (Online) http://www.fundamo.com/index.asp?pgid=54
[7] INet-Bridge. (Website) http://www.mybroadband.co.za