Security of Mobile Banking

Presented by: Ming Ki Chong (mchong@cs.uct.ac.za), Kelvin Chikomo (kchikomo@cs.uct.ac.za)

Supervisor: Alapan Arnab, Andrew Hutchison

Page 1

Security of Mobile Banking

Presented by: Ming Ki Chong, mchong@cs.uct.ac.za

Kelvin Chikomo, kchikomo@cs.uct.ac.za

Supervisor: Alapan Arnab, Andrew Hutchison

Page 2

Ming Ki Chong & Kelvin Chikomo 2

Overview

Introduction

SMS Banking

GPRS Banking

Conclusion

Page 3

Introduction

Page 4

Hypothesis

There are currently many flaws in the present mobile banking implementations.

We believe we can build a more secure banking implementation using both the SMS and GPRS protocols.

Page 5

Project Outcomes

The developed application should abide by the following security principles:

Confidentiality

Authenticity

Integrity

Non-repudiation

Availability

Comparison of SMS and GPRS implementations

Page 6

Timeline

Milestone: Duration

Design: 2 weeks

Development: 4 weeks

Testing: 2 weeks

Web page development and poster: 3 weeks

Final report and research paper: throughout the project

Project demonstration: 17 November

Page 7

Work Division

Ming Ki Chong SMS Banking

Kelvin Chikomo GPRS Banking

Page 8

Work Division

[Diagram: two tracks, GSM + SMS Architecture, Secure SMS Banking and Secure SMS Banking Server on one side, GSM + GPRS Architecture, Secure GPRS Banking and Secure GPRS Banking Server on the other, both leading to Secure Mobile Banking]

Page 9

SMS Banking

Page 10

SMS Banking Overview

Background Research: GSM Architecture, SMS Scenarios

Current SMS Banking

What I Propose to Research

What I Propose to Implement

Concerns

Page 11

MS: Mobile Station

BTS: Base Transceiver Station

BSC: Base Station Controller

MSC: Mobile Switching Centre

GMSC: Gateway MSC

SMSC: Short Message Service Centre

OMC: Operation and Maintenance Centre

ISC: International Switching Centre

EIR: Equipment Identity Centre

AUC: Authentication Centre

HLR: Home Location Register

VLR: Visitor Location Register

GSM Architecture

[Diagram: GSM Architecture, showing MS, BTS, BSC, MSC, GMSC, SMSC, OMC, ISC, HLR, VLR, EIR and AUC]

Page 12

[Diagram: SMS delivery path through the Short Message Entity (SME), SMSC, HLR, MSC, VLR and MS, with the steps 1. Msg Transfer; 2. Verify Restrictions; 3. Forward Short Msg; Access & Authenticate; 4. Submit; 5. Delivery Report; 6. Delivery Report]

SMS Security Flaws: SMS is stored in plain text.

Page 13

Current Mobile Banking

WIZZIT

MTN Mobile Banking, Standard Bank, FNB, ABSA

These use WIG (Wireless Internet Gateway).

Page 14

What I Propose to Research

Different protocols for SMS banking

Security of using SMSes to perform transactions

SMS encryption

Authentication

Possible attacks

Page 15

What I Propose to Implement

Mobile Banking Application using J2ME

Secure SMS protocol

SMS Banking Server

Secure connection between the Bank Server and the Database

[Diagram: Mobile Phone, Bank Server, Database]

Page 16

Protocol Layers

Mobile Phone stack (top to bottom): Banking Application, Secure SMS Protocol, Mobile Phone Interface, Short Message Transport Protocol, GSM Network

Bank Server stack (top to bottom): Banking Application, Secure SMS Protocol, Bank Server Interface, Short Message Transport Protocol, GSM Network

[Diagram: the two stacks communicate across the GSM Architecture]

Page 17

Concerns

Cost

J2ME vs. WIG

Security vs. Performance

Security vs. Functionality

Hardware Platform (Compatibility)

Usability (User Interface)

Page 18

GPRS Banking

Page 19

Overview

GPRS architecture

Data route

Security implementations and shortfalls

Bank implementations (WAP): Handshakes; Authentication mechanisms (PINs, voice prints); Security shortfalls

What I propose to do

Page 20

Data route

Page 21

GPRS security shortfalls

Authentication Center (RAND, Kc, Ki, SRES)

Denial of service attack using the RAND value

Problems with the A3/A8 authentication algorithms

Problems with the A5 algorithm

Look at note
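As an added illustration of the challenge-response exchange this slide names (not code from the presentation): a simplified Python model of how the Authentication Centre and the mobile station derive SRES and Kc from RAND and the shared secret Ki. A3 and A8 are stood in by HMAC-SHA256 (an assumption; real operators use their own algorithms such as COMP128), and the model makes visible that only the network verifies the mobile station, which is what the later proposal for full mutual authentication addresses.

```python
import hmac
import hashlib
import os

# Added example: simplified model of the GSM/GPRS authentication round
# (RAND, Ki, SRES, Kc). ASSUMPTION: A3 and A8 are stood in by HMAC-SHA256
# with domain separation; operator algorithms such as COMP128 are not reproduced.

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: the 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: the 64-bit ciphering key Kc later used by A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuthenticationCentre:
    """Keeps each subscriber's secret Ki and issues (RAND, SRES, Kc) triplets."""
    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)  # IMSI -> Ki (constructed sample keys)

    def triplet(self, imsi: str):
        ki = self._ki[imsi]
        rand = os.urandom(16)         # fresh 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)

class MobileStation:
    """The SIM side: it answers whatever RAND it receives with its own Ki."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        # Note what is missing: nothing here lets the SIM check that RAND
        # came from its home network, so the authentication is one-way.
        return a3(self._ki, rand), a8(self._ki, rand)

def authenticate(auc: AuthenticationCentre, ms: MobileStation) -> dict:
    """Run one authentication round and report what each side could verify."""
    rand, sres_expected, kc_network = auc.triplet(ms.imsi)
    sres, kc_ms = ms.respond(rand)
    return {
        "ms_authenticated": hmac.compare_digest(sres, sres_expected),
        "kc_agreed": hmac.compare_digest(kc_ms, kc_network),
        "network_authenticated": False,  # no step of the exchange does this
    }
```

A SIM with the wrong Ki fails the SRES check and also derives a different Kc, so the ciphering key never agrees with the network's.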

Page 22

Bank implementations (WAP)

Handshakes

Authentication mechanisms (Pins Voice prints)

Security shortfalls

Page 23

Handshakes

Page 24

Authentication mechanisms

Secret passwords

Voice prints

SIM verification codes

Page 25

Security Shortfalls

There is no end-to-end encryption between client and bank server.

The public-key cryptosystem key sizes offered by the WTLS standard are not strong enough.

Anonymous key exchange suites offered by the WTLS handshake are not considered secure.

Page 26

Present implementations

My proposed implementation

Page 27

What I propose to do

Build a WAP gateway that links the mobile station to the bank server from the GPRS network.

Implement either a WAP browser plugin or a J2ME app that ensures full mutual authentication during the handshake protocol.

The plugin or J2ME app should also update and maintain the network settings.

Page 28

If time permits

Look into using different key sizes and encryption algorithms such as Blowfish.

Page 29

Possible hindrances

Time could be limited

GPRS Access Point

Page 30

Future research

Lawful tapping

Session ID management on the bank server side (in the case of an abbreviated handshake).

Page 31

Conclusion

Page 32

Outcome

Two secure mobile banking solutions: an SMS solution and a GPRS solution

Secure banking server

Research paper citing shortfalls in current systems and our new implementation