Contents
About Mobile Banking
1. Introduction
2. Objective
3. What Is Mobile Banking
4. A Mobile Banking Conceptual Model
5. Mobile Banking Business Models
6. Mobile Banking Services
7. Future Functionalities of Mobile Banking
8. Challenges for a Mobile Banking Solution
9. Mobile Banking Channel Platform
10. STK/SAT - SIM Application Toolkit Menu
11. USSD - Unstructured Supplementary Service Data
12. Wireless Application Protocol (WAP)
13. Java Menu - J2ME
14. IVR - Interactive Voice Response Banking Data Security
15. Short Message Services (SMS)
16. Demonstrative Structure and Key Features of Mobile Software
17. The Security System and Bridge through Three Systems Mobile
18. Need for Mobile Banking Security
19. Appendix
20. Reference
Introduction:
Across the developing countries, millions of people rely on formal and informal economic activity and local-level networks to earn their living. Most of these populations are from the BOP (according to the World Bank, people who earn less than $2 a day: annual income less than PPP US$ 3000) and they don't have access to basic financial services such as banks, because access to those is costly, inconvenient and very limited. Access to financial services or banks is vital for those people, as "this lack of access to finance in some parts of the developing world stifles entrepreneurship, stunts development and leaves people trapped in a poor, cash-only society".
Developing countries are still struggling to ensure access for most of their unbanked BOP citizens and the informal sector to formal financial services. Mobile banking can be seen as one solution to these problems. Advancements in mobile technology have changed our lives over the past ten years. It has the potential to even more powerfully transform the lives of the world's poorest people. The technology is no doubt the cheapest and most convenient way to connect people and provide an array of innovative services. At the start of this century, just 12% of the world's population had a mobile phone. Now that figure is well over 61% (ITU, 2008).
Objective:
· Online banking has given more freedom to customers to deal with their accounts without requiring them to actually step into a branch.
· The goal of mobile banking is to expand that freedom to users even more.
· One of the newest pieces of mobile technology that is becoming widely popular is the iPhone.
· Currently, mobile banking applications for the iPhone allow the user to view account balances, make transfers, and pay bills.
What Is Mobile Banking?
Mobile banking (also known as M-Banking or m-banking) is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). The earliest mobile banking services were offered over SMS, a service known as SMS banking. With the introduction of the first primitive smart phones with WAP support enabling the use of the mobile web in 1999, the first European banks started to offer mobile banking on this platform to their customers. Mobile banking has until recently (2010) most often been performed via SMS or the Mobile Web. Apple's initial success with iPhones and the rapid growth of phones based on Google's Android operating system have led to increasing use of special client programs, called apps, downloaded to the mobile device.
A Mobile Banking Conceptual Model:
In one academic model, mobile banking is defined as:
Mobile Banking refers to the provision and availment of banking and financial services with the help of mobile telecommunication devices. The scope of offered services may include facilities to conduct banking and stock market transactions, to administer accounts and to access customized information.
According to this model, Mobile Banking can be said to consist of three interrelated concepts:
· Mobile Accounting
· Mobile Brokerage
· Mobile Financial Information Services
Most services in the categories designated Accounting and Brokerage are transaction-based. The non-transaction-based services of an informational nature are however essential for conducting transactions; for instance, balance inquiries might be needed before committing a money remittance. The accounting and brokerage services are therefore offered invariably in combination with information services. Information services, on the other hand, may be offered as an independent module.
Mobile phone banking may also be used to help in business situations as well as financially.
Mobile Banking Business Models:
A wide spectrum of mobile/branchless banking models is evolving. However, no matter what the business model, if mobile banking is being used to attract low-income populations in often rural locations, the business model will depend on banking agents, i.e., retail or postal outlets that process financial transactions on behalf of Telcos or banks. The banking agent is an important part of the mobile banking business model, for customer care, service quality, and cash management will depend on them. Many Telcos will work through their local airtime resellers. However, banks in Colombia, Brazil, Peru, and other markets use pharmacies, bakeries, etc.
These models differ primarily on the question of who will establish the relationship (account opening, deposit taking, lending etc.) with the end customer, the Bank or the Non-Bank/Telecommunication Company (Telco). Another difference lies in the nature of the agency agreement between the bank and the Non-Bank. Models of branchless banking can be classified into three broad categories: Bank-Focused, Bank-Led and Non-Bank-Led.
Bank-focused model:
The bank-focused model emerges when a traditional bank uses non-traditional low-cost delivery channels to provide banking services to its existing customers. Examples range from the use of automatic teller machines (ATMs) to internet banking or mobile phone banking to provide certain limited banking services to banks' customers. This model is additive in nature and may be seen as a modest extension of conventional branch-based banking.
Bank-led model:
The bank-led model offers a distinct alternative to conventional branch-based banking in that the customer conducts financial transactions at a whole range of retail agents (or through a mobile phone) instead of at bank branches or through bank employees. This model promises the potential to substantially increase the financial services outreach by using a different delivery channel (retailers / mobile phones) and a different trade partner (Telco / chain store) having experience and a target market distinct from traditional banks, and may be significantly cheaper than the bank-based alternatives. The bank-led model may be implemented either by using correspondent arrangements or by creating a JV between the Bank and a Telco/non-bank. In this model the customer account relationship rests with the bank.
Non-bank-led model:
The non-bank-led model is where a bank has a limited role in the day-to-day account management. Typically its role in this model is limited to the safekeeping of funds. Account management functions are conducted by a non-bank (e.g. Telco) who has direct contact with individual customers.
Mobile Banking Services:
Mobile banking can offer services such as the following:
Account information:
1. Mini-statements and checking of account history
2. Alerts on account activity or passing of set thresholds
3. Monitoring of term deposits
4. Access to loan statements
5. Access to card statements
6. Mutual funds / equity statements
7. Insurance policy management
8. Pension plan management
9. Status of a check, stop payment on a check
10. Ordering check books
11. Balance checking on the account
12. Recent transactions
13. Due date of payment (functionality for stopping, changing and deleting payments)
14. PIN provision, change of PIN and reminder over the Internet
15. Blocking of (lost, stolen) cards
Payments, deposits, withdrawals, and transfers:
1. Cash-in, cash-out transactions at an ATM
2. Domestic and international fund transfers
3. Micro-payment handling
4. Mobile recharges
5. Commerce payment processing
6. Bill payment processing
7. Peer-to-peer payments
8. Withdrawal at banking agents
9. Deposit at banking agents
A specific sequence of SMS messages will enable the system to verify whether the client has sufficient funds in his or her wallet and authorize a deposit or withdrawal transaction at the agent. When depositing money, the merchant receives cash and the system credits the client's bank account or mobile wallet. In the same way the client can also withdraw money at the merchant: through exchanging SMS to provide authorization, the merchant hands the client cash and debits the merchant account.
Investments:
1. Portfolio management services
2. Real-time stock quotes
3. Personalized alerts and notifications on security prices
Support:
1. Status of requests for credit, including mortgage approval, and insurance coverage
2. Check book and card requests
3. Exchange of data messages and email, including complaint submission and tracking
4. ATM location
Content services:
1. General information such as weather updates, news
2. Loyalty-related offers
3. Location-based services
Based on a survey conducted by Forrester, mobile banking will be attractive mainly to the younger, more "tech-savvy" customer segment. A third of mobile phone users say that they may consider performing some kind of financial transaction through their mobile phone. But most of the users are interested in performing basic transactions such as querying for account balance and making bill payments.
Future Functionalities in Mobile Banking:
Based on the 'International Review of Business Research Papers' from the World Business Institute, Australia, the following are the key functional trends possible in the world of Mobile Banking.
With the advent of technology and the increasing use of smartphone- and tablet-based devices, mobile banking functionality would enable customers to connect across the entire customer life cycle much more comprehensively than before. In this scenario, current mobile banking objectives such as building relationships, reducing cost and achieving new revenue streams will transform to enable new objectives targeting higher-level goals such as building the brand of the banking organization. Emerging technology and functionalities would enable new ways of lead generation and prospecting as well as developing deep customer relationships, and the mobile banking world would achieve a superior customer experience with bi-directional communications.
Illustration of objective-based functionality enrichment in Mobile Banking:
· Communication enrichment: video interaction with agents, advisors.
· Pervasive transaction capabilities: comprehensive "mobile wallet".
· Customer education: "test drive" for demos of banking services.
· Connect with new customer segment: connect with Gen Y / Gen Z using games and social networks ambushed to surrogate the bank's offerings.
· Content monetization: micro-level revenue themes such as music, e-book download.
· Vertical positioning: positioning offerings over mobile banking for specific industries.
· Horizontal positioning: positioning offerings over mobile banking across all industries.
· Personalization of corporate banking services: personalization experience for multiple roles and hierarchies in corporate banking, as against the vanilla segment-based enhancements in the current context.
· Build brand: build the bank's brand while enhancing the "mobile real estate".
Challenges for a Mobile Banking Solution:
Key challenges in developing a sophisticated mobile banking application are:
Handset operability:
There are a large number of different mobile phone devices and it is a big challenge for banks to offer a mobile banking solution on any type of device. Some of these devices support Java ME and others support SIM Application Toolkit, a WAP browser, or only SMS. Initial interoperability issues however have been localized, with countries like India using portals like R-World to work around the limitations of low-end Java-based phones, while markets such as South Africa have defaulted to USSD as a basis of communication achievable with any phone.
The desire for interoperability is largely dependent on the banks themselves, where installed applications (Java-based or native) provide better security, are easier to use and allow development of more complex capabilities similar to those of internet banking, while SMS can provide the basics but becomes difficult to operate with more complex transactions.
There is a myth that there is a challenge of interoperability between mobile banking applications due to a perceived lack of common technology standards for mobile banking. In practice it is too early in the service lifecycle for interoperability to be addressed within an individual country, as very few countries have more than one mobile banking service provider. In practice, banking interfaces are well defined and money movements between banks follow the ISO 8583 standard. As mobile banking matures, money movements between service providers will naturally adopt the same standards as in the banking world.
Security:
Security of financial transactions being executed from some remote location, and transmission of financial information over the air, are the most complicated challenges that need to be addressed jointly by mobile application developers, wireless network service providers and the banks' IT departments. The following aspects need to be addressed to offer a secure infrastructure for financial transactions over a wireless network:
1. Physical security of the handheld device. If the bank is offering smart-card based security, the physical security of the device is more important.
2. The security of any thick-client application running on the device. In case the device is stolen, the hacker should require at least an ID/password to access the application.
3. Authentication of the device with the service provider before initiating a transaction. This would ensure that unauthorized devices are not connected to perform financial transactions.
4. User ID / password authentication of a bank's customer.
5. Encryption of the data being transmitted over the air.
6. Encryption of the data that will be stored in the device for later / off-line analysis by the customer.
One-time passwords (OTPs) are the latest tool used by financial and banking service providers in the fight against cyber fraud. Instead of relying on traditional memorized passwords, OTPs are requested by consumers each time they want to perform transactions using the online or mobile banking interface. When the request is received, the password is sent to the consumer's phone via SMS. The password expires once it has been used or once its scheduled life-cycle has elapsed.
Because of the concerns made explicit above, it is extremely important that SMS gateway providers can provide a decent quality of service for banks and financial institutions in regards to SMS services. Therefore, the provision of service level agreements (SLAs) is a requirement for this industry; it is necessary to give the bank customer delivery guarantees of all messages, as well as measurements of the speed of delivery, throughput, etc. SLAs give the service parameters within which a messaging solution is guaranteed to perform.
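A server-side sketch of the OTP life-cycle just described (a code is accepted once, and only until its scheduled lifetime elapses), added here as an example and not code from the original report. The code length, lifetime, guess limit and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6                  # assumed code length
OTP_LIFETIME_SECONDS = 120      # assumed scheduled life-cycle of a code
MAX_ATTEMPTS = 3                # assumed guess limit before a pending code is discarded

# Server-side pepper: in production this comes from key management; it is
# constructed at import time here only so the example is self-contained.
SERVER_PEPPER = secrets.token_bytes(32)


def _tag(code: str) -> bytes:
    """Keyed hash of a code: the store never holds live codes in clear."""
    return hmac.new(SERVER_PEPPER, code.encode(), "sha256").digest()


class OtpStore:
    """Issues and verifies SMS one-time passwords, at most one pending code per user."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}       # user_id -> [tag, expires_at, failed_attempts]

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery over SMS.
        Issuing again replaces any earlier pending code for the same user."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = [_tag(code), self._now() + OTP_LIFETIME_SECONDS, 0]
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept a code once, and only while its life-cycle has not elapsed."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                  # nothing pending: never issued, used, or burned
        tag, expires_at, failed = entry
        if self._now() > expires_at:
            del self._pending[user_id]    # scheduled life-cycle elapsed
            return False
        if hmac.compare_digest(tag, _tag(submitted)):
            del self._pending[user_id]    # single use: discard on success
            return True
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user_id]    # stop online guessing of a short numeric code
        return False
```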
Scalability and reliability:
Another challenge for the CIOs and CTOs of the banks is to scale up the mobile banking infrastructure to handle the exponential growth of the customer base. With mobile banking, the customer may be sitting in any part of the world (true anytime, anywhere banking) and hence banks need to ensure that the systems are up and running in a true 24 x 7 fashion. As customers find mobile banking more and more useful, their expectations of the solution will increase. Banks unable to meet the performance and reliability expectations may lose customer confidence. There are systems such as Mobile Transaction Platform which allow quick and secure mobile enabling of various banking services. Recently in India there has been phenomenal growth in the use of mobile banking applications, with leading banks adopting Mobile Transaction Platform and the Central Bank publishing guidelines for mobile banking operations.
Application distribution:
Due to the nature of the connectivity between the bank and its customers, it would be impractical to expect customers to regularly visit banks or connect to a web site for regular upgrades of their mobile banking application. It will be expected that the mobile application itself checks for upgrades and updates and downloads the necessary patches (so-called "Over The Air" updates). However, there could be many issues in implementing this approach, such as upgrade / synchronization of other dependent components.
Personalization:
It would be expected from the mobile application to support personalization such as:
1. Preferred language
2. Date / time format
3. Amount format
4. Default transactions
5. Standard beneficiary list
6. Alerts
Security for Mobile Banking System
Mobile Banking Channel Platforms:
There are six mobile banking channel platforms. They are:
1. STK Menu
2. USSD Menu
3. Java Menu
4. Text SMS
5. IVR
6. WAP
Mobile Banking Security Options:
The diagram below shows the options we have for securing data across the GSM channel:
The data carried across the mobile network is protected by the standard GSM security protocols at the communication layer. The subscriber identity is also protected across this chain. The risk of transporting data across the GSM channel may be found in the number of stops the data makes before reaching the bank. Unlike fixed-line communication, data being carried across the mobile network jumps from one base station to the next, which means that the chain of encrypted communication is broken. The data is also unencrypted when it hits the network operator. Thus, there is a broken encryption between the consumer and the bank.
STK/SAT - SIM Application Toolkit Menu:
The SIM Application Toolkit allows the service provider or bank to house the consumer's mobile banking menu within the SIM card. STK is the most secure method of mobile banking. It allows the bank to load its own encryption keys onto the SIM card with the bank's own developed application.
Overview of STK:
1. The SIM Application Toolkit is a set of commands which defines how the card should interact with the outside world and extends the communication protocol between the card and the handset.
2. With the SIM Application Toolkit, the card has a proactive role in the handset (this means that the SIM initiates commands independently of the handset and the network).
3. SAT (SIM Application Toolkit) is designed as a client-server application.
4. The applications are stored in the SIM card, and not on the handset. Applications are downloaded over the air and stored in the SIM card, and the process is controlled by the service provider.
5. The service provider keeps total control of the applications: when they are to be downloaded and when they should be removed.
6. It uses SMS as the bearer medium to transfer the information between the handset and the service provider.
STK Banking Data Security:
SAT is the most secure method of mobile banking. It allows the bank to load its own encryption keys onto the SIM card with the bank's own developed application. Thus the consumer data can be stored on the SIM card and the consumer can be authenticated on the handset prior to having to carry any data across the mobile network. The data is also encrypted prior to leaving the handset and only decrypted using the bank's encryption keys within the bank.
Features of STK Menu:
· Supported by 100% of handsets
· SIM-based menu
· Dynamic menu to choose from
· Easy to use
Advantages of STK Menu:
· Some manufacturers claim that STK enables higher levels of security through identity verification and encryption, which are necessary for secure electronic commerce.
· STK has been deployed on the largest number of mobile devices.
Limitations of STK Menu:
· Updating STK applications and menus stored on the SIM can be difficult after the customer takes delivery of the SIM. To deliver updates, either the SIM must be returned and exchanged for a new one (which can be costly and inconvenient) or the application updates must be delivered over-the-air (OTA) using specialized, optional SIM features. Mobile Network Operators can now (as of October 2010), for example, deliver updated STK application menus by sending a secure SMS to handsets that include a SIMalliance Toolbox (S@T) compliant wireless internet browser (WIB). When using a Bearer Independent Protocol-compliant (BIP) SIM card in a BIP-compliant handset, the updates can be delivered very quickly as well (depending upon the network connectivity available to and supported by the handset, i.e. GPRS/3G speed). It might also be possible to change the menu of wireless internet gateway (WIG)-based STK applications. The update limitations hinder the number and frequency of STK application deployments.
· STK has essentially no support for multimedia, only basic pictures.
· The STK technology has limited independent development support available.
Example of STK Menu:
USSD (Unstructured Supplementary Service Data):
USSD is a unique service for mobile networks comprising a two-directional, session-based exchange of unstructured data in GSM mobile networks. The USSD service supports high-speed real-time information exchange between the subscriber and the service application.
USSD Banking Data Security:
USSD opens a single session between the device and the USSD application at the network operator, processor, or bank. In other words, the transaction is completed while the session is open and is not stored for subsequent completion.
The end-to-end transaction flow is across the encrypted GSM communication layer and the subscriber identity is also hidden. The data can also be encrypted as soon as it terminates at the USSD gateway sitting at the network operator, processor or bank, thus preventing any internal risk of misuse of data. Therefore the only risk is that the data carried within the communication layer is not itself encrypted. If someone were able to break the GSM encryption, they would have access to the data.
In the USSD channel the consumer's sensitive data are typically kept on a server and not on the handset. This data is encrypted. The data entered into the handset is limited to authentication of the consumer (the PIN) and the banking instruction from the consumer, without having to enter an account or personal details. The threat remains that if the handset, the SIM card and the authentication data are stolen and used on the mobile banking channel to transact, then the consumer is at risk. The data is useless without these four elements.
Mitigating Security Risks in USSD-based Mobile Payment Applications:
Mobile payment applications use various communications channels which are not secure, including USSD and IP-based communications. As usage of these communications channels by payment applications increases, security flaws are becoming prime concerns for service providers.
Critical threats such as fraudulent transactions, request/response manipulations, weak encryption, and insecure message communications have directly triggered revenue loss for mobile payment service providers. Fraudulent transactions, mobile application request/response tampering/dropping, sensitive information disclosure due to weak cryptographic implementation, improper account management, and modification of sensitive information can also cause security breaches and loss of sensitive data in USSD-based mobile payment applications.
In light of these threats, application development and integration companies, telecoms, and banks providing payment services need to assess USSD-based apps and ensure that secure coding practices have been followed during USSD-based application software development.
USSD Command Request/Response Tampering:
A malicious user can tamper with USSD command requests and responses. This may cause confusion for the legitimate user and can also lead to fraudulent transactions. This request and response tampering is possible through hardware and software interceptors. Weakly encrypted request and response messages are prime concerns in such threat vectors.
USSD Request/Response Message Replay Attacks:
When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application. An application must authenticate the USSD request originator (authentication through a combination of MSISDN (Mobile Station International Subscriber Directory Number), IMEI (International Mobile Equipment Identity), PIN and a unique Message Tracking ID). If the USSD application server or application is unable to authenticate the USSD request originator, then an adversary can perform fraudulent transactions.
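As an added illustration of the originator checks just listed, not code from the original report, the sketch below is a USSD application server that binds the MSISDN to the enrolled IMEI, checks the PIN, refuses a Message Tracking ID it has already processed (replay), and, for the tampering point above, verifies a keyed MAC over the request fields. The per-subscriber shared key, the enrolment step and the sample MSISDN/IMEI values are assumptions.

```python
import hashlib
import hmac
import secrets


def _pin_hash(msisdn: str, pin: str) -> bytes:
    # Salted with the MSISDN so equal PINs do not produce equal hashes.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), msisdn.encode(), 50_000)


def _canonical(msisdn: str, imei: str, tracking_id: str, body: str) -> bytes:
    # Fixed field order; '|' cannot occur in a USSD string, so fields cannot run together.
    return "|".join((msisdn, imei, tracking_id, body)).encode()


def build_request(key: bytes, msisdn: str, imei: str, pin: str, body: str) -> dict:
    """Handset side: attach a fresh tracking id and a MAC over the request fields."""
    tracking_id = secrets.token_hex(8)
    mac = hmac.new(key, _canonical(msisdn, imei, tracking_id, body), "sha256").hexdigest()
    return {"msisdn": msisdn, "imei": imei, "tracking_id": tracking_id,
            "pin": pin, "body": body, "mac": mac}


class UssdAppServer:
    def __init__(self):
        self._enrolled = {}     # msisdn -> (imei, pin_hash, shared_key)
        self._seen_ids = set()  # tracking ids already processed

    def enrol(self, msisdn: str, imei: str, pin: str) -> bytes:
        """Assumed enrolment: bind the subscriber to one handset and hand it a key."""
        key = secrets.token_bytes(32)
        self._enrolled[msisdn] = (imei, _pin_hash(msisdn, pin), key)
        return key

    def handle(self, req: dict) -> str:
        entry = self._enrolled.get(req["msisdn"])
        if entry is None:
            return "rejected: unknown subscriber"
        imei, pin_hash, key = entry
        if req["imei"] != imei:
            return "rejected: request did not come from the enrolled handset"
        expected = hmac.new(key, _canonical(req["msisdn"], req["imei"],
                                            req["tracking_id"], req["body"]),
                            "sha256").hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "rejected: request fields were modified in transit"
        if req["tracking_id"] in self._seen_ids:
            return "rejected: replayed tracking id"
        self._seen_ids.add(req["tracking_id"])   # burn the id even if the PIN fails
        if not hmac.compare_digest(pin_hash, _pin_hash(req["msisdn"], req["pin"])):
            return "rejected: wrong PIN"
        return "accepted: " + req["body"]
```

A stolen handset that still holds the SIM, the key and the PIN passes every check here, which is the "four elements" caveat the USSD section makes.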
Improper Data Validation (USSD IP Mode Applications):
Improper data validation in a USSD IP mode application can lead to SQL injection and cross-site scripting attacks. An adversary may purposely insert specifically crafted scripts in user input. Once successfully inserted in the database, the attacker may try to use the same to perform malicious actions on the database or in another user's active session.
Features of USSD Menu:
· Supported by 100% of handsets
· Dynamic
· Easy to use, all users can access
· No need to write SMS
· Operator-based dependency
· No store-and-forward option
Advantages of USSD Services:
· Extremely low cost
· Real-time
· Fast and responsive
· Interactive navigation
· Consumer driven
· Can be used as a payment method
· Automated response
· Allows for mass usage
· Location-based, SIM- and PUK-based and user-selected customization and segmentation
Disadvantages of USSD Services:
· Little in the way of aesthetics
· Messages cannot be saved or forwarded
· USSD codes aren't as memorable as other Common Short Codes (CSC)
· Not always reliable due to session-based timeouts
USSD Used Applications:
Services ideal with USSD as the bearer include mobile chat, m-commerce, prepaid balance inquiry, mobile banking, call-related services and any other service that requires interaction between the user and the application.
· Menu browsing
· Alternative to IVR
· Balance enquiry
· Card validity
· Prepaid recharge (from any visited network also)
· "Pull"-based services like informational services:
· News / Weather
· Movies / Sports update
· Currency update / Stock market
· Telephone directory / Yellow Pages
· Push services:
· Voting / Polling
· Flash emergency information
· Customer care / service management
· Service activation / deactivation
· Voice mail
· MMS
· Roaming
· Information query: News, Weather, Sports, Finance, Train schedules, real-time currency converter
· Reservations (Train / Movie)
· Sponsored menu item / advertisement
· Companies / shops / theaters can get listed on the menu and promote their services
· Contests
· Tele-voting
· Virtual money transaction
· Debit card
· Interactive interface to corporate ERP
· Voice chat
Roaming: USSD has huge advantages while roaming. This is because USSD services are well available in roaming networks and all USSD messages are directed towards the subscriber's Home Network itself; thus, the same set of services that are available in the home network can be given in a visited network too, giving subscribers a Virtual Home Environment (VHE).
Example of USSD Menu:
A typical USSD message starts with an asterisk (*) followed by digits that comprise commands or data. Groups of digits may be separated by additional asterisks. The message is terminated by a number sign (#). Example USSD codes:
1. *101#
2. *109*72348937857623#
After entering a USSD code on a GSM handset, the reply from the GSM operator is displayed within a few seconds.
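An added example, not from the original report, that parses USSD strings of the shape just described and, for the improper-data-validation point in the USSD section above, shows a service-code lookup built by string concatenation beside the parameterized version. The sample service table, its "internal" flag and the in-memory SQLite database are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# A USSD string: '*', digit groups separated by '*', terminated by '#'.
USSD_PATTERN = re.compile(r"\*(\d+(?:\*\d+)*)#")


def parse_ussd(text: str) -> Tuple[str, List[str]]:
    """Split a USSD string into its service code and the digit groups that follow.
    Anything outside the digits / '*' / '#' alphabet is rejected before it reaches the app."""
    m = USSD_PATTERN.fullmatch(text)
    if m is None:
        raise ValueError(f"not a well-formed USSD string: {text!r}")
    service, *args = m.group(1).split("*")
    return service, args


def make_services_db() -> sqlite3.Connection:
    # Constructed sample table; 'internal' services must never be reachable from a handset.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (code TEXT PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO services VALUES (?, ?, ?)",
                     [("101", "balance enquiry", 0),
                      ("109", "fund transfer", 0),
                      ("900", "agent float adjustment", 1)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, text: str) -> List[str]:
    # The defect the section warns about: raw handset input concatenated into SQL, so the
    # input can change the query. Left vulnerable on purpose, for contrast with lookup_safe.
    code = text.strip("*#").split("*")[0]
    sql = f"SELECT name FROM services WHERE code = '{code}' AND internal = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, text: str) -> List[str]:
    # Hardened: parse first (rejects non-USSD characters), then bind the value as a
    # parameter so it can only ever be compared as data.
    code, _args = parse_ussd(text)
    sql = "SELECT name FROM services WHERE code = ? AND internal = 0"
    return [row[0] for row in conn.execute(sql, (code,))]
```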
Wireless Application Protocol (WAP):
WAP is the Wireless Application Protocol, used over GPRS. It is similar to Internet banking. The consumer's handset needs to be WAP enabled. WAP banking is open to similar threats as Internet banking.
WAP Banking Data Security:
WAP allows for a GPRS session to be opened between the handset's web browser and the web application at the bank. This session is protected once again by the encrypted GSM communication layer and can then be further protected by encryption of the actual banking website that is being accessed. This makes WAP banking open to similar threats as internet banking, yet further secured in that the bank can establish that the session has been initiated by the consumer's SIM.
Features of WAP:
· GPRS-supported handset
· Needs an active WAP connection
· Internet usage knowledge
How to get WAP:
An IP address will direct users to the WAP site of Mobile Banking.
Java Menu
(J2ME):
Java Platform, Micro Edition, or Java ME, is a Java platform designed
for embedded systems (mobile devices are one kind of such systems). Target
devices range from industrial controls to mobile phones (especially feature
phones) and set-top boxes. Java ME was formerly known as Java 2 Platform, Micro
Edition (J2ME).
J2ME Banking data Security:
J2ME uses the same bearer channel as WAP. However, J2ME applications can
have additional security around the application that is resident on the
handset. Thus the data entered into the J2ME application can be encrypted at
that point and sent across the GPRS channel as described above. It would only
be decrypted at the bank or processor. J2ME is however open to certain attacks,
in that the consumer needs to establish that the application is being
downloaded from the correct source and that the source is not a
malicious attempt to copy the bank's application in order to obtain sensitive
data from the consumer.
Features on Java Menu:
· Only Java supported handset
· Need internet connection, easy to use
· Internet using knowledge
· More than 80% of phone sets on the market support Java
How to Get Java Menu:
By sending a simple SMS we can get a link to download the Java menu.
IVR (Interactive Voice Response) banking data security:
Highly secured, as the entered PIN (keyed in by pressing buttons) cannot be
traced by the Telco.
IVR, being a voice call, is protected by both the encrypted GSM communication
layer as well as the GSM protection of the subscriber identity of the
consumer, and it is carried across the mobile network to the bank's IVR. Only
at this point are the entries that the consumer has keyed into their phone
stored. If this is in the bank's environment it should be secure, but if on an
'on behalf' platform it may not be secure.
In the IVR banking channel, the consumer's sensitive data is typically
kept on a server and not on the handset. This data is encrypted. The data entered
into the handset is limited to authentication of the consumer (the PIN) and the
banking instruction from the consumer, without having to enter account or
personal details. The threat remains that if the handset, the SIM card and
the authentication data are stolen and used on the mobile banking channel to
transact, then the consumer is at risk. The data is useless without these four
elements.
Features on IVR:
· 100% handset support
· Easy to use
· Keyword typing hassle free
How to Get:
Dialing a Short Code, the user will hear a pre-recorded voice which will
direct and give answers to queries.
Short message Services (SMS):
SMS is the simplest form of mobile banking. It is largely used for
information-based services. SMS has the maximum reach amongst consumers since
all the mobile phones support SMS. Short messages are stored and forwarded by
SMS centers. These messages have some security issues.
SMS Banking Data Security:
SMS banking is deemed to be the least secure of the mobile bearer
channels. This is due to the number of points at which the SMS data is available to
others in a clear or unencrypted format. A consumer would initiate a
transaction by sending an SMS to the bank
using the bank's SMS short code as a terminating address. The SMS would be
automatically stored on the handset and be available to anyone that looks at
the consumer's phone. The SMS would then pass through the encrypted GSM
communication channel, through the base stations, and terminate at the mobile
network operator, where it is typically stored unencrypted. The MNO may at this
point pass the message on to the bank's wireless application processor, SMS
gateway, or mobile banking processor (which may be a third party), where it is
stored either encrypted or unencrypted. The third party would then pass the
message across an encrypted fixed line to the bank, where it is
typically stored in a secured environment.
In the SMS banking channel, the consumer's sensitive data is typically kept
on a server and not on the handset. This data is encrypted. The data entered
into the handset is limited to authentication of the consumer (the PIN) and the
banking instruction from the consumer, without having to enter account or
personal details. The threat remains that if the handset, the SIM card and
the authentication data are stolen and used on the mobile banking channel to
transact, then the consumer is at risk. The data is useless without these four
elements.
Message Structure:
The secured SMS message is divided into multiple fields to accommodate
for the various security checks required for the protocol. To ease the
understanding of the message structure, Figure 4 shows the structure overview
for a secure SMS message. The numbers above the fields are the minimum number
of bytes required for each field in the message. The number of bytes for each
field can be increased depending on the implementation requirements.
The use of each labeled structure is explained below:
· The Version is the mobile application version
number. It contains a specified byte pattern. The receiver checks whether the first
three bytes of the received SMS message are valid for the bank application. If
the message version number does not match the application version, then the
message is discarded. Since the bank server can receive accidental SMS messages
that are not intended for it, the version bytes help to eliminate these
erroneous messages.
· The AccId contains the bank account identifier of the user.
· The Seq is the user's current sequence number of the one-time password.
· The Encrypted Text Length contains the number of following bytes
that make up the ciphered message.
· The Digest Length contains the number of following bytes
that contain the message digest.
· The Digest contains the calculated digest value of the
message. The digest is used by the server to check message
integrity. For the secure SMS banking protocol, a single digest of the
following fields is calculated: Version, AccID, Seq, PIN, Type of Transaction and Transaction Payload.
The content of the following fields is encrypted using the generated session key.
· The PIN contains the user's predefined
password. This is used by the receiver application to authenticate the user.
· The secure SMS message can be used for
different types of transactions. The Type of Transaction is used by the bank server
application to identify the type of transaction it should perform.
· The Transaction Payload is the extra data used for
a transaction, but it is not used for any security purpose. The content of the
Transaction Payload depends on the type of transaction requested. The structure
of the payload depends on the type of transaction offered by the bank.
Protocol Sequences:
In the GSM network, SMS messages are sent asynchronously to the
receiver; because of this, the Secure SMS protocol is asynchronous. The figure
below illustrates the overview of the secure SMS protocol.
We can consider the Secure SMS protocol to be divided into two parts. The first part
is the message generation: the mobile phone generates the message and sends it
to the server. The second part is the message security checks: the server reads
the received message, decodes the contents and performs security checks. The following
subsections describe each part of the protocol.
Generating and Sending Secure SMS Messages:
The mobile phone captures all the required security information from
the user. This information is used to generate the secure SMS message to be
sent to the server. The mobile application has a preset version byte pattern;
this pattern is inserted into the message.
The message hash value is a number that ensures message integrity for
the receiver side. The requirement for maintaining message integrity is that
at least some of the contents used for calculating the message digest
must be encrypted. This ensures message integrity because if the message
is intercepted, the attacker cannot use the encrypted contents to generate
another digest. The integrity validation will not pass if any part of the
original message is altered. The fields of content that need to be encrypted
are dependent on the needs of the developer. The protocol requires that some
identification details of the message not be encrypted, so that the receiver
can identify the account holder's identity. The algorithm used for encryption
must be a symmetric encryption algorithm. The key used for encryption is
generated from the one-time password entered by the user. The one-time
passwords are known only to the server and the user. After the application
completes processing the security contents, the contents are placed in the
SMS message according to the message structure described in the Message
Structure section. The SMS message is sent to the server via the GSM network.
Receiving and Decoding Secure SMS Messages:
When the server receives the message from the cellular network, it
breaks the message down according to the structure described in the Message
Structure section. The server first checks for the version byte pattern. If
the version is correct, it is assumed that the message is suitable for the
secure SMS protocol. Next, the server reads the account identifier from the
message and checks whether the account identifier exists in the server database.
After this, the server retrieves the current sequence number for the given
account identifier. The server checks whether the sequence number read from the
message matches the sequence number read from the server database.
If all of the above security checks pass, the server proceeds to
retrieve the one-time password from the database. The password is indexed by
the account identifier and the sequence number. The server uses the
retrieved password to derive the session key and decrypt the message contents.
The used one-time password is then discarded, and the server's sequence
counter for that account is incremented by 1.
After the decryption, the server reads the secure contents that are
required for the calculation of the message digest. The message digest is
calculated using the same algorithm as the one used by the mobile
application. The server compares the two digests for message integrity. If the
message is proven not to have been altered, then the server retrieves the PIN
(the account holder's personal password) from the message and compares it
against the account holder's PIN from the server database. If all of the above
security checks pass, the server performs the requested transaction.
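The following is an added worked example, not code from the original document: it assembles a secure SMS message with the field layout described in the Message Structure section and runs the server-side checks in the order described above (version, account, sequence, one-time password, digest, PIN). The 3-byte version pattern, the field widths, the SHA-256 digest, and the SHA-256 counter keystream standing in for the symmetric cipher are all assumptions made so the example runs offline; a deployment would use a standard cipher such as AES.

```python
import hashlib
import hmac
import struct

VERSION = b"\x01\x00\x02"  # constructed 3-byte version pattern (assumption)


def keystream_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 counter keystream XOR).
    Chosen so the example runs offline; a real deployment would use AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_message(acc_id, seq, otp, pin, tx_type, payload):
    """Handset side: assemble Version|AccId|Seq|EncLen|DigLen|Digest|Enc."""
    key = hashlib.sha256(otp.encode()).digest()  # session key from the OTP
    header = VERSION + struct.pack(">IH", acc_id, seq)
    secret = bytes([len(pin)]) + pin.encode() + bytes([tx_type]) + payload
    digest = hashlib.sha256(header + secret).digest()  # over plaintext fields
    enc = keystream_xor(key, secret)
    return header + struct.pack(">HH", len(enc), len(digest)) + digest + enc


def verify_message(msg, db):
    """Server side: checks in the page's order; returns (ok, reason, tx_type,
    payload). db maps acc_id -> {"seq": int, "otps": {seq: otp}, "pin": str}."""
    if msg[:3] != VERSION:
        return False, "bad version", 0, b""
    acc_id, seq, enc_len, dig_len = struct.unpack(">IHHH", msg[3:13])
    acct = db.get(acc_id)
    if acct is None:
        return False, "unknown account", 0, b""
    if seq != acct["seq"]:
        return False, "sequence mismatch", 0, b""
    digest = msg[13:13 + dig_len]
    enc = msg[13 + dig_len:13 + dig_len + enc_len]
    otp = acct["otps"].pop(seq)  # one-time password is consumed here
    acct["seq"] += 1             # counter advances even if later checks fail
    secret = keystream_xor(hashlib.sha256(otp.encode()).digest(), enc)
    if not hmac.compare_digest(hashlib.sha256(msg[:9] + secret).digest(), digest):
        return False, "integrity check failed", 0, b""
    n = secret[0]
    if not hmac.compare_digest(secret[1:1 + n], acct["pin"].encode()):
        return False, "wrong PIN", 0, b""
    return True, "ok", secret[1 + n], secret[2 + n:]
```

Because the one-time password is consumed and the counter advanced before the digest and PIN checks, a replayed or tampered message still burns that sequence number, which is why the version and account checks come first.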
Advantages of Text SMS:
· Allows you to request and receive banking
information from your bank on your mobile phone
· You can manage bank accounts, check account
balances, perform cheque requests and pay some bills.
· If you are in a business you can access your
account whenever you need to
· It is more convenient because you don't have
to go to a bank to complete a banking transaction.
· It's quite discreet, so you can view it while
you are doing everyday jobs and you don't have to set aside time to go to the
bank.
Disadvantages of Text SMS:
· If you don't have the internet on your
mobile you can't access what you need in your bank account.
· Your phone could get stolen with all of your
details on it, so people can gain access to your account as
well as your phone.
· It causes more people to use their mobile
phones and can cause radiation.
Demonstrative Structure and Key Feature of Software
First Step:
From the bank, user information goes to the MASP's system, where they maintain the security.
Second Step:
From MASP the information goes to the Distributor and DSR.
Third Step:
DSR sends the information to agents, and via agents the customers get the required information;
customers also send their requests through those agents.
The Security System and Bridge Through the Three Systems Mobile:
First Step:
Customers send the short code via their mobile phone, and that code goes to an operator like
GP, ROBI etc. They pass the information through the SMSC and a firewall for special security.
Second Step:
Operators send the code to MASP via a router. After checking by firewalls, the short code goes
to MASP's SMS Gateway, which assures the security of the sensitive information
hidden in the code.
Third Step:
MASP sends the code to the bank's system via a router. The firewall and routers pass the code
to the server, and then to the socket application acting as a client.
This is the way an SMS/short code reaches the bank's system, where the
funding is safe. The operator and MASP systems assure the security of the
bridge between banks and customers here.
Need For Mobile Banking Security
2014 will witness over 3 billion mobile users worldwide, according to
Gartner's research. Mobile phones will become the preferred and most commonly
used web device globally by 2013. They will be considered the most convenient
device for almost everything that PCs are doing today. As a result, a large
number of mobile applications will be built for multiple platforms (Android,
J2ME, Symbian, etc.) and domains (mobile payments, mobile commerce, mobile
Value Added Services, etc.).
As more and more transactions are made over mobile phones, hackers are
perpetrating more fraud and attacks. Experts believe most security breaches are
inevitable as mobile usage grows. What makes mobile phones vulnerable is the
speed and advancement of technology, along with continued business demand for
newer mobile products and services. Proper security controls must become an
intrinsic part of mobile phones and mobile applications.
Major business impacts in case of a mobile application security breach
are:
· Fraudulent transactions (revenue loss)
through mobile applications
· Loss of confidentiality (users' sensitive data:
credit/debit card data, PIN, user credentials)
· Revenue loss through communications
services misuse
· Brand value degradation through SIM card
cloning and related attacks
· Misuse of enterprise data through
personal handheld devices
· Fraudulent transactions through USSD
(Unstructured Supplementary Service Data) and DSTK (Dynamic SIM Toolkit)
applications
While telecoms and the rest of the service chain are becoming more
motivated to deploy secure, reliable and robust products, the task is
challenging. There are multiple mobile operating system platforms, various
telecom providers, banking service dependencies, and a complex network
infrastructure to consider.
Appendix:
ATM- Automatic Teller Machines
BB- Bangladesh Bank
ITU- International Telecommunication Union
IVR- Interactive Voice Response
KYC- Know Your Customer
MPIN- Master Personal Identification Number
POS- point-of-sale terminal
PSO- payment system operators
PSP- payment service providers
PDA- Personal Digital Assistant
SMS- Short Message Service
STK- SIM Application Toolkit
SIM- Subscriber Identity Module
Telco- Telecommunication Company
USSD- Unstructured Supplementary Service Data
WAP- Wireless Application Protocol
MASP- Mobile Application Service Provider