220 likes | 378 Views
MOBILE BANKING SECURITY (MBS) ISSUES & DEVELOPMENTS. Dr. V.N.Sastry Professor, IDRBT & Executive Secretary, MPFI vnsastry@idrbt.ac.in +91-40-23534981 to 84. Main Points. MBS Issues Common Specific Developments MPFI TSG on Mobile Banking Security (MBS) IBA-IDRBT WG on MBS
E N D
MOBILE BANKING SECURITY (MBS) ISSUES & DEVELOPMENTS Dr. V.N.Sastry Professor, IDRBT & Executive Secretary, MPFI vnsastry@idrbt.ac.in +91-40-23534981 to 84
Main Points • MBS Issues • Common • Specific • Developments • MPFI TSG on Mobile Banking Security (MBS) • IBA-IDRBT WG on MBS • IDRBT MBS Lab • WPKI
MBS Issues • Awareness and Education on MBS • As per the users background • In his/her native language • Specific to the Mobile Phone Features • Enabling Secure Banking Services • Through multiple Mobile Communication Channels ( SMS, USSD, IVRS, GPRS, NFC ) • On different Types of Mobile Phones ( Low End, Medium Type and High End ) • Using the features supported by the Mobile Phone
MBS Issues Contd.. • Developing Customized Mobile Banking Applications as per the OS • Testing of each of the Mobile Banking applications • Handling of complaints on side channel and malware attacks on Mobile Phones • Taking measures for fraud detection and prevention mechanisms • Scalability issues to support high volume and real time Transactions of Mobile Payments • Verification of MBS models and protocols in a simulated and testing environment.
MBS Problems • Verification of Security Properties • Authentication and Key Agreement Protocols • Access Control Models • Cryptographic Techniques • Secure Mobile Payments : IMPS, AEPS, Mobile Wallet, • NFC based Mobile Payments • Mobile Banking Services (SaaS) in a Secure Banking Cloud Framework • Autonomic Computing (Self Healing and Self Protecting ) in Securing Mobile Operating Systems and Mobile Banking Applications • IVRS based Customer Education Service in all Indian Languages • MANETS for Financial Inclusion. • Formal Methods for Design and Analysis of Secure Mobile Payment Protocols • Testing of Mobile Banking Application : Functionality, Security and Compliance
Mobile Banking Security • Device Level Security • Communication Level Security • Application Level Security
Major 3 Sections of a Mobile Phone • Power Section • Power distribution • Charging section • Radio Section • Band Switching • RF Power Amplification • Transmitter • Receiver • Computer Section • CPU (central processing unit) • Memory (RAM,FLASH,COMBO CHIP: SIM, USIM) • Interfaces
Classification of Mobile Attacks Behavior based Environment based Virus Channel based Application Based Worm SMS Trojan NFC System External Wi-Fi (OS) (Mob. Ban. App) Spyware Bluetooth GPRS IVRS USSD
Attacks by Type of Malware (Q1 2012) Virus: Malicious code that gets attached to a host file and replicates when the host software runs. Worm: Self-replicating code that automatically spreads across a network Trojan: A program that exhibits to be useful application but actually harbors hidden malicious code Spyware: Software that reveals private information about the user or computer system to eavesdroppers
Some reported attacks on Mobile Phones • Cabir (First in 2004 ) • Comwar • Skulls • Windows CE virus • Phishing • Botnet • Fake Player • Trojan horse • Bluejacking ( Symbian ) • BlueBug • BlueSnarfing • BluePrinting
WIRELESS PUBLIC KEY INFRASTRUCTURE (WPKI) • Certificate Authority • Validation Authority 3) Registration Authority 4) Certificate Repository 5) Digital Certificate 6) Digital Signature
WPKI Implementation for MBS Requires • ECC (Elliptic Curve cryptography) • Crypto SIM enabled Mobile Phone • SLC (Short Lived Certificate) • OCSP (Online Certificate Status Protocol) for certificate validation
ELLIPTIC CURVE CRYPTOGRAPHY (ECC) • ECC is a public key cryptography. • One main advantage of ECC is its small key size. • A 160-bit key in ECC is considered to be as secured as 1024-bit key in RSA. • It uses Elliptic Curve Digital Signature Algorithm (ECDSA). • ECDSA does Signature Generation and Signature Verification .
IVRS BASED EDUCATION SERVICE ON MOBILE BANKING AND ITS SECURITY BY MBSL,IDRBT-HYDERABADCALL : 040-30139900
MBS TESTING Functional Testing Security Testing Test Case Writing & Execution Interface Mapping Secure Storage Compliance Testing Verification of Security Properties Transactions, Behaviour & Performance Secure Communication Levels of Security Compliance Testing
Mobile ad-hoc Networks (MANET) for Mobile Banking and Financial Inclusion • It is a Mobile wireless network. • MANET nodes are rapidly deployable, self configuring and capable of doing autonomous operation in the network. • Nodes co-operate to provide Connectivity and Services. • Operates without base station and centralized administration. • Nodes exhibit mobility and the topology is dynamic. • Nodes must be able to relay traffic sense. • A MANET can be a standalone network or it can be connected to external networks(Internet).