Security of Mobile Banking

About This Presentation

Title:

Security of Mobile Banking

Description:

HLR Home Location Register. VLR Visitor Location Register. MSC ... Mobile Phone Interface. Short Message Transport Protocol. GSM Network. Banking Application ... – PowerPoint PPT presentation

Number of Views:1099

Avg rating:3.0/5.0

Slides: 33

Provided by: chn2

Category:

more less

Transcript and Presenter's Notes

Title: Security of Mobile Banking

1
Security of Mobile Banking

Presented by
Ming Ki Chong mchong_at_cs.uct.ac.za
Kelvin Chikomo kchikomo_at_cs.uct.ac.za
Supervisor
Alapan Arnab, Andrew Hutchison

2
Overview

Introduction
SMS Banking
GPRS Banking
Conclusion

3
Introduction
4
Hypothesis

There are currently many flaws in the present
mobile banking implementations.
We believe we can build a more secure banking
implementation using both SMS and GPRS protocols

5
Project Outcomes

Developed application should abide to the
following security principles
Confidentiality
Authenticity
Integrity
Non-repudiation
Availability
Comparison of SMS and GPRS implementations

6
Timeline
7
Work Division

Ming Ki Chong
SMS Banking
Kelvin Chikomo
GPRS Banking

8
Work Division
GSM GPRS Architecture
GSM SMS Architecture
Secure GPRS Banking
Secure SMS Banking
Secure SMS Banking Server
Secure GPRS Banking Server
Secure Mobile Banking
9
SMS Banking
10
SMS Banking Overview

Back Ground Research
GSM Architecture
SMS Scenarios
Current SMS banking
What I Propose to Research
What I Propose to Implement
Concerns

11
GSM Architecture
MS Mobile Station BTS Base Transceiver
Station BSC Base Station Controller MSC Mobile
Switching Centre GMSC Gateway MSC SMSC Short
Message Service Centre OMC Operation and
Maintenance Centre ISC International Switching
Centre EIR Equipment Identity Centre AUC Authentic
ation Centre HLR Home Location Register VLR Visito
r Location Register
12
SMS Security Flaws
SMS is stored in plain text
Short Message Entity SME
SMSC
HLR
MSC
VLR
MS
Access Authenticate
1. Msg Transfer
2. Verify Restrictions
3. Forward Short Msg
4. Submit
5. Delivery Report
6. Delivery Report
13
Current Mobile Banking

WIZZIT
MTN Mobile Banking
Standard Bank
FNB
ABSA

Use WIG (Wireless Internet Gateway)
14
What I Propose to Research

Different Protocols for SMS Banking
Security of using SMSes to Perform Transactions
SMS Encryption
Authentication
Possible Attacks

15
What I propose to Implement

Mobile Banking Application Using J2ME
Secure SMS protocol
SMS Banking Server
Secure Connection between the Bank Server and the
Database

16
Protocol Layers
17
Concerns

Cost
J2ME vs. WIG
Security vs. Performance
Security vs. Functionality
Hardware Platform (Compatibility)
Usability (User Interface)

18
GPRS Banking
19
Overview

GPRS architecture
Data route
Security implementations and shortfalls
Bank implementations (WAP)
Handshakes
Authentication mechanisms (Pins Voice prints)
Security shortfalls
What I propose to do

20
Data route
21
GPRS security shortfalls

Authentication Center (RAND, Kc, Ki, SRES)
Denial of service attack, using the RAND value.
Problems with the A3/A8 authentication algorithm
Problems with A5 algorithm
Look at note

22
Bank implementations (WAP)

Handshakes
Authentication mechanisms (Pins Voice prints)
Security shortfalls

23
Handshakes
24
Authentication mechanisms

Secret passwords
Voice prints
SIM verification codes

25
Security Shortfalls

There is no end-to-end encryption between client
and bank server.
Public key cryptosystems key sizes offered by the
WTLS standard are not strong enough.
Anonymous key exchange suites offered by the
WTLS handshake are not considered secure.

26
Present implementations
My proposal implementation
27
What I propose to do

Build a WAP Gateway, that links the mobile
station to the bank Server from the GPRS network.
Either implement a Wap Browser plugin or J2ME App
that will ensure Full Mutual Authentication
during handshake protocol
The Plugin or J2ME app should also update and
maintain network settings

28
If time permits