
Security of Mobile Banking




  1. Security of Mobile Banking
     Presented by: Ming Ki Chong (mchong@cs.uct.ac.za), Kelvin Chikomo (kchikomo@cs.uct.ac.za)
     Supervisors: Alapan Arnab, Andrew Hutchison

  2. Overview
     • Introduction
     • SMS Banking
     • GPRS Banking
     • Conclusion
     Ming Ki Chong & Kelvin Chikomo

  3. Introduction

  4. Hypothesis
     • There are currently many flaws in the present mobile banking implementations.
     • We believe we can build a more secure banking implementation using both SMS and GPRS protocols.

  5. Project Outcomes
     • The developed application should abide by the following security principles:
       • Confidentiality
       • Authenticity
       • Integrity
       • Non-repudiation
       • Availability
     • Comparison of SMS and GPRS implementations

  6. Timeline (timeline chart; not reproduced in the transcript)

  7. Work Division
     • Ming Ki Chong: SMS Banking
     • Kelvin Chikomo: GPRS Banking

  8. Work Division (diagram; components shown)
     • SMS track: GSM + SMS Architecture, Secure SMS Banking, Secure SMS Banking Server
     • GPRS track: GSM + GPRS Architecture, Secure GPRS Banking, Secure GPRS Banking Server
     • Combined: Secure Mobile Banking

  9. SMS Banking

  10. SMS Banking Overview
      • Background Research
        • GSM Architecture
        • SMS Scenarios
        • Current SMS Banking
      • What I Propose to Research
      • What I Propose to Implement
      • Concerns

  11. GSM Architecture (diagram; legend as shown)
      • MS: Mobile Station
      • BTS: Base Transceiver Station
      • BSC: Base Station Controller
      • MSC: Mobile Switching Centre
      • GMSC: Gateway MSC
      • SMSC: Short Message Service Centre
      • OMC: Operation and Maintenance Centre
      • ISC: International Switching Centre
      • EIR: Equipment Identity Centre
      • AUC: Authentication Centre
      • HLR: Home Location Register
      • VLR: Visitor Location Register

  12. SMS Security Flaws
      • SMS is stored in plain text
      Diagram: short message flow between the Short Message Entity (SME), SMSC, HLR, MSC, VLR and MS, with the steps labelled:
      Access & Authenticate; 1. Msg Transfer; 2. Verify Restrictions; 3. Forward Short Msg; 4. Submit; 5. Delivery Report; 6. Delivery Report

  13. Current Mobile Banking
      • WIZZIT
      • MTN Mobile Banking
      • Standard Bank
      • FNB
      • ABSA
      (Use WIG: Wireless Internet Gateway)

  14. What I Propose to Research
      • Different protocols for SMS banking
      • Security of using SMSes to perform transactions
      • SMS encryption
      • Authentication
      • Possible attacks

  15. What I Propose to Implement (diagram components: Mobile Phone, Bank Server, Database)
      • Mobile banking application using J2ME
      • Secure SMS protocol
      • SMS banking server
      • Secure connection between the bank server and the database

  16. GSM Architecture Protocol Layers (diagram)
      Mobile Phone stack (top to bottom):
      • Banking Application
      • Secure SMS Protocol
      • Mobile Phone Interface
      • Short Message Transport Protocol
      • GSM Network
      Bank Server stack (top to bottom):
      • Banking Application
      • Secure SMS Protocol
      • Bank Server Interface
      • Short Message Transport Protocol
      • GSM Network

  17. Concerns
      • Cost
      • J2ME vs. WIG
      • Security vs. performance
      • Security vs. functionality
      • Hardware platform (compatibility)
      • Usability (user interface)

  18. GPRS Banking

  19. Overview
      • GPRS architecture
        • Data route
        • Security implementations and shortfalls
      • Bank implementations (WAP)
        • Handshakes
        • Authentication mechanisms (PINs, voice prints)
        • Security shortfalls
      • What I propose to do

  20. Data route (diagram; not reproduced in the transcript)

  21. GPRS security shortfalls
      • Authentication Centre (RAND, Kc, Ki, SRES)
      • Denial of service attack using the RAND value
      • Problems with the A3/A8 authentication algorithm
      • Problems with the A5 algorithm

  22. Bank implementations (WAP)
      • Handshakes
      • Authentication mechanisms (PINs, voice prints)
      • Security shortfalls

  23. Handshakes (diagram; not reproduced in the transcript)

  24. Authentication mechanisms
      • Secret passwords
      • Voice prints
      • SIM verification codes

  25. Security Shortfalls
      • There is no end-to-end encryption between the client and the bank server.
      • The public key cryptosystem key sizes offered by the WTLS standard are not strong enough.
      • The anonymous key exchange suites offered by the WTLS handshake are not considered secure.
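The "secure SMS protocol" layer of slide 16 exists to fix what slides 12 and 25 describe: the SMSC stores messages in plain text and WTLS stops at the gateway, so only an application-layer envelope gives the end-to-end confidentiality, integrity and replay protection listed under the project outcomes. The following is an added illustration, not the authors' protocol: it assumes a pre-shared 16-byte AES key per handset, a constructed envelope layout (sequence number, nonce, AES-GCM ciphertext and tag) and the 140-octet limit of one SMS; it is written in Go rather than the J2ME the project targets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// One SMS carries at most 140 octets. Constructed layout: seq(4) | nonce(12) | ciphertext+GCM tag(16).
const (
	smsMax   = 140
	overhead = 4 + 12 + 16
)

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal runs on the handset: the text is encrypted under the pre-shared key k and
// the sequence number is bound as associated data, so the SMSC (which stores SMS
// in plain text) can neither read the request nor alter it undetected.
func Seal(k []byte, seq uint32, plaintext []byte) ([]byte, error) {
	if len(plaintext)+overhead > smsMax { return nil, errors.New("too long for one SMS") }
	gcm, err := newGCM(k)
	if err != nil { return nil, err }
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, seq)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// Open runs on the bank server: the GCM tag is verified before the body is trusted,
// and a sequence number not above lastSeq is rejected, so re-sending an earlier
// valid message (a replay) is not accepted as a new transaction.
func Open(k []byte, lastSeq uint32, msg []byte) (uint32, []byte, error) {
	if len(msg) < overhead { return 0, nil, errors.New("short envelope") }
	seq := binary.BigEndian.Uint32(msg[:4])
	if seq <= lastSeq { return 0, nil, errors.New("replayed or stale sequence number") }
	gcm, err := newGCM(k)
	if err != nil { return 0, nil, err }
	pt, err := gcm.Open(nil, msg[4:16], msg[16:], msg[:4])
	if err != nil { return 0, nil, errors.New("authentication failed") }
	return seq, pt, nil
}
```

The server must persist the last accepted sequence number per customer; with this layout a single SMS can carry at most 108 octets of transaction text.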

  26. Present implementations vs. my proposed implementation (diagram; not reproduced in the transcript)

  27. What I propose to do
      • Build a WAP gateway that links the mobile station to the bank server from the GPRS network.
      • Either implement a WAP browser plugin or a J2ME app that will ensure full mutual authentication during the handshake protocol.
      • The plugin or J2ME app should also update and maintain network settings.

  28. If time permits
      • Look into using different key sizes and encryption algorithms such as Blowfish.

  29. Possible hindrances
      • Time could be limited
      • GPRS access point

  30. Future research
      • Lawful tapping
      • Session ID management on the bank server side (in case of abbreviated handshake)

  31. Conclusion

  32. Outcome
      • Two secure mobile banking solutions:
        • SMS solution
        • GPRS solution
      • Secure banking server
      • Research paper citing shortfalls in current systems and our new implementation
