Security of Mobile Banking
Presented by: Ming Ki Chong mchong@cs.uct.ac.za, Kelvin Chikomo kchikomo@cs.uct.ac.za
Supervisors: Alapan Arnab, Andrew Hutchison
Overview
• Introduction
• SMS Banking
• GPRS Banking
• Conclusion
Ming Ki Chong & Kelvin Chikomo
Hypothesis
• There are currently many flaws in the present mobile banking implementations.
• We believe we can build a more secure banking implementation using both the SMS and GPRS protocols.
Project Outcomes
• The developed application should abide by the following security principles:
  • Confidentiality
  • Authenticity
  • Integrity
  • Non-repudiation
  • Availability
• Comparison of SMS and GPRS implementations
Timeline
Work Division
• Ming Ki Chong
  • SMS Banking
• Kelvin Chikomo
  • GPRS Banking
Work Division (diagram)
• SMS track: GSM + SMS Architecture, Secure SMS Banking, Secure SMS Banking Server
• GPRS track: GSM + GPRS Architecture, Secure GPRS Banking, Secure GPRS Banking Server
• Combined outcome: Secure Mobile Banking
SMS Banking Overview
• Background Research
  • GSM Architecture
  • SMS Scenarios
  • Current SMS banking
• What I Propose to Research
• What I Propose to Implement
• Concerns
GSM Architecture (diagram of the network elements listed below)
• MS: Mobile Station
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• MSC: Mobile Switching Centre
• GMSC: Gateway MSC
• SMSC: Short Message Service Centre
• OMC: Operation and Maintenance Centre
• ISC: International Switching Centre
• EIR: Equipment Identity Centre
• AUC: Authentication Centre
• HLR: Home Location Register
• VLR: Visitor Location Register
SMS Security Flaws
• SMS is stored in plain text
(diagram: short message delivery between the Short Message Entity (SME), SMSC, HLR, MSC/VLR and the MS, which must first access and authenticate to the network)
1. Msg Transfer
2. Verify Restrictions
3. Forward Short Msg
4. Submit
5. Delivery Report
6. Delivery Report
Current Mobile Banking
• WIZZIT
• MTN Mobile Banking
• Standard Bank
• FNB
• ABSA
Use WIG (Wireless Internet Gateway)
What I Propose to Research
• Different Protocols for SMS Banking
• Security of using SMSes to Perform Transactions
• SMS Encryption
• Authentication
• Possible Attacks
What I Propose to Implement
(diagram: Mobile Phone, Bank Server, Database)
• Mobile Banking Application Using J2ME
• Secure SMS protocol
• SMS Banking Server
• Secure Connection between the Bank Server and the Database
GSM Architecture Protocol Layers
(diagram: matching protocol stacks on the Mobile Phone and the Bank Server)
Mobile Phone:
• Banking Application
• Secure SMS Protocol
• Mobile Phone Interface
• Short Message Transport Protocol
• GSM Network
Bank Server:
• Banking Application
• Secure SMS Protocol
• Bank Server Interface
• Short Message Transport Protocol
• GSM Network
Concerns
• Cost
• J2ME vs. WIG
• Security vs. Performance
• Security vs. Functionality
• Hardware Platform (Compatibility)
• Usability (User Interface)
Overview (GPRS Banking)
• GPRS architecture
  • Data route
  • Security implementations and shortfalls
• Bank implementations (WAP)
  • Handshakes
  • Authentication mechanisms (PINs, voice prints)
  • Security shortfalls
• What I propose to do
Data route
GPRS security shortfalls
• Authentication Centre (RAND, Kc, Ki, SRES)
• Denial of service attack using the RAND value
• Problems with the A3/A8 authentication algorithm
• Problems with the A5 algorithm
Bank implementations (WAP)
• Handshakes
• Authentication mechanisms (PINs, voice prints)
• Security shortfalls
Handshakes
Authentication mechanisms
• Secret passwords
• Voice prints
• SIM verification codes
Security Shortfalls
• There is no end-to-end encryption between the client and the bank server.
• The public-key cryptosystem key sizes offered by the WTLS standard are not strong enough.
• The anonymous key exchange suites offered by the WTLS handshake are not considered secure.
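Both the SMS flaw above (the message sits in plain text at the SMSC) and the WAP shortfall just listed (no end-to-end encryption, because the gateway terminates WTLS) have the same remedy: protect the banking instruction at the application layer, in the "Secure SMS Protocol" position of the protocol stack, so that nothing between the phone and the bank server sees or can alter it. The following is an added example, not code from the presentation or the authors' project, showing one way that layer could be built. It assumes a per-customer secret shared between the handset application and the bank server (a provisioning step the slides do not describe), uses HMAC-SHA256 as a PRF-based keystream because the Python standard library ships no block cipher, and keeps each protected message within the 140 octets of a single short message. The names `seal`, `Receiver` and `demo` are the example's own.

```python
"""End-to-end protected SMS payload: encrypt-then-MAC with a replay counter.
Added example; the shared master key and the message layout are assumptions."""
import hashlib
import hmac
import struct

SMS_MAX_OCTETS = 140          # 8-bit user data capacity of one GSM short message
VERSION = 1
COUNTER_LEN = 4               # big-endian message counter, doubles as the nonce
TAG_LEN = 8                   # truncated HMAC-SHA256 tag
HEADER_LEN = 1 + COUNTER_LEN
MAX_PLAINTEXT = SMS_MAX_OCTETS - HEADER_LEN - TAG_LEN   # 127 octets of instruction


class SecureSMSError(Exception):
    """Raised when a received message fails any check."""


def derive_keys(master_key: bytes) -> tuple:
    """Split the per-customer shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"secure-sms-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"secure-sms-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.
    Stand-in for a block cipher; the (counter, block) input never repeats."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">II", counter, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(master_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Phone side: build one protected payload as version || counter || ciphertext || tag."""
    if len(plaintext) > MAX_PLAINTEXT:
        raise SecureSMSError(f"plaintext exceeds {MAX_PLAINTEXT} octets")
    enc_key, mac_key = derive_keys(master_key)
    header = struct.pack(">BI", VERSION, counter)
    ks = _keystream(enc_key, counter, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The tag covers header and ciphertext, so counter and version are authenticated too.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class Receiver:
    """Bank side, per customer: derived keys plus the highest counter accepted so far."""

    def __init__(self, master_key: bytes) -> None:
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.last_counter = 0

    def open(self, payload: bytes) -> bytes:
        if len(payload) < HEADER_LEN + TAG_LEN or len(payload) > SMS_MAX_OCTETS:
            raise SecureSMSError("bad length")
        header, body, tag = payload[:HEADER_LEN], payload[HEADER_LEN:-TAG_LEN], payload[-TAG_LEN:]
        version, counter = struct.unpack(">BI", header)
        if version != VERSION:
            raise SecureSMSError("unsupported version")
        # Authenticate before decrypting, with a constant-time comparison.
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise SecureSMSError("authentication failed")
        # Strictly increasing counter: a captured message cannot be submitted twice.
        if counter <= self.last_counter:
            raise SecureSMSError("replayed or out-of-order message")
        self.last_counter = counter
        ks = _keystream(self.enc_key, counter, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def demo() -> dict:
    """Run one phone-to-bank exchange and report what the bank-side checks did."""
    master_key = bytes(range(32))                        # constructed sample key
    bank = Receiver(master_key)
    instruction = b"PAY 0123456789 R150.00 REF 7781"    # constructed sample instruction
    sms = seal(master_key, counter=1, plaintext=instruction)
    result = {
        "fits_in_one_sms": len(sms) <= SMS_MAX_OCTETS,
        "plaintext_visible": instruction in sms,         # what the SMSC would store
        "decrypted": bank.open(sms),
    }
    # Flip one ciphertext bit (the octet just before the tag) to simulate tampering.
    tampered = sms[:-TAG_LEN - 1] + bytes([sms[-TAG_LEN - 1] ^ 1]) + sms[-TAG_LEN:]
    for name, bad in (("replay", sms), ("tampered", tampered)):
        try:
            bank.open(bad)
            result[name] = "accepted"
        except SecureSMSError as e:
            result[name] = str(e)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The receiver checks the tag before it looks at the counter or decrypts anything, so a forged or modified message is rejected without consuming a counter value, and a genuine message captured in transit or read out of the SMSC is rejected the second time it arrives. Non-repudiation, the remaining principle on the outcomes slide, is not provided by a shared-key MAC: either party can compute the tag, so it would need a per-customer signing key instead.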
Present implementations vs. my proposed implementation (diagram)
What I propose to do
• Build a WAP Gateway that links the mobile station to the bank server from the GPRS network.
• Either implement a WAP browser plugin or a J2ME app that will ensure full mutual authentication during the handshake protocol.
• The plugin or J2ME app should also update and maintain network settings.
If time permits
• Look into using different key sizes and encryption algorithms such as Blowfish.
Possible hindrances
• Time could be limited
• GPRS Access Point
Future research
• Lawful tapping
• Session ID management on the bank server side (in case of abbreviated handshake)
Outcome
• Two secure mobile banking solutions:
  • SMS solution
  • GPRS solution
• Secure banking server
• Research paper citing shortfalls in current systems and our new implementation