Skip to main content

A Brief Description of Mobile Banking

Contents




About Mobile Banking

1.         Introduction......................................................................................................... 02

2.         Objective............................................................................................................. 02

3.         What Is Mobile banking........................................................................................ 02

4.         A Mobile banking Conceptual Model....................................................................... 03

5.         Mobile Banking Business Models............................................................................ 03

6.         Mobile Banking Services....................................................................................... 04

7.         Future Functionalities Of Mobile banking................................................................. 05

8.         Challenges For a Mobile Banking Solution............................................................... 07

9.         Mobile banking Channel Platform........................................................................... 09

10.      STK/SAT-SIM Application Toolkit Menu................................................................... 09

11.      USSD-Unstructured Supplementary Service Data..................................................... 12

12.      Wireless Application protocol (WAP)....................................................................... 15

13.      Java Menu-J2ME.................................................................................................. 16

14.      IVR-Interactive Voice Response Banking Data Security............................................ 17

15.      Short Message Services (SMS)............................................................................... 19

16.      Demonstrative Structure And key Feature of Mobile Software................................... 24

17.      The Security System And Bridge through Three Systems Mobile............................... 25

18.      Need For Mobile Banking Security.......................................................................... 26

19.      Appendix............................................................................................................. 27

20.      Reference............................................................................................................ 27



Mobile Banking System

 

Introduction:

Across the developing countries, millions of people rely on formal and informal economic activity and local level networks to earn their living. Most of these populations are from BOP (according to World Bank people who earns less than $2 a day: annual income less than PPP US$ 3000) and they don’t have access to basic financial service e.g. banks as access to those is costly, not inconvenient and very limited. Accesses to financial services or banks are vital for those people as- “This lack of access to finance in some parts of the developing world stifles entrepreneurship, stunts development and leaves people trapped in a poor, cash-only
“Society”. Developing countries are still struggling to ensure access of most of its
unbanked BOP citizens and the informal sector to the formal financial services.
                              
Mobile banking can be seen as one solution to these problems. Advancements in mobile technology have changed our lives over the past ten years. It has the potential to even more powerfully transform the lives of the world’s poorest people. The technology is no doubt the cheapest and most convenient way to connect people and provide an array of innovative services. At the start of this century, just 12% of the world's population had a mobile phone. Now that figure is well over 61% percent (ITU, 2008).

Objective:
·        Online banking has given more freedom to customers to deal with their accounts without requiring them to actually step into a branch.
·        The goal of mobile banking is to expand that freedom to users even more, by making the goal of mobile banking is to expand that freedom to users even more, by making.
·        One of the newest pieces of mobile technology that is becoming widely popular is the iPhone.
·        Currently, mobile banking applications for the iPhone allow the user to view account balances, make transfers, and pay bills.

What Is Mobile BANKING?
Mobile banking (also known as M-Banking, mobile banking) is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). The earliest mobile banking services were offered
over SMS, a service known as SMS banking. With the introduction of the first primitive smart phones with WAP support enabling the use of the mobile web in 1999, the first European banks started to offer mobile banking on this platform to


Their customers. Mobile banking has until recently (2010) most often been performed via SMS or the Mobile Web. Apple's initial success with iPhones and the rapid growth of phones based on Google's Android (operating system) have led to increasing use of special client programs, called apps, downloaded to the mobile device.

A Mobile Banking Conceptual Model:
In one academic model, mobile banking is defined as:
Mobile Banking refers to the provision and a ailment of banking- and financial services with the help of mobile telecommunication devices. The scope of offered services may include facilities to conduct banking and stock market transactions, to administer accounts and to access customized information.

According to this model Mobile Banking can be said to consist of three interrelated concepts:
·        Mobile Accounting
·        Mobile Brokerage
·        Mobile Financial Information Services

Most services in the categories designated Accounting and Brokerage are transaction based. The non-transaction-based services of an informational nature are however essential for conducting transactions - for instance, balance inquiries might be needed before committing a money remittance. The accounting and brokerage services are therefore offered invariably in combination with information services. Information services, on the other hand, may be offered as an independent module.

Mobile phone banking may also be used to help in business situations as well as financially.

Mobile Banking Business Model:
A wide spectrum of Mobile/branchless banking models is evolving. However, no matter what business model, if mobile banking is being used to attract low-income populations in often rural locations, the business model will depend on banking agents, i.e., retail or postal outlets that process financial transactions on behalf Telco’s or banks. The banking agent is an important part of the mobile banking business model for customer care, service quality, and cash management will depend on them. Many Telco’s will work through their local airtime resellers. However, banks in Colombia, Brazil, Peru, and other markets use pharmacies, bakeries, etc.

These models differ primarily on the question that who will establish the relationship (account opening, deposit taking, lending etc.) to the end customer, the Bank or the Non-Bank/Telecommunication Company (Telco). Another difference

lies in the nature of the agency agreement between the bank and the Non-Bank. Models of branchless banking can be classified into three broad categories - Bank Focused, Bank-Led and Nonbank-Led.

Bank-focused model:
          The bank-focused model emerges when a traditional bank uses non-traditional low- cost delivery channels to provide banking services to its existing customers. Examples range from the use of automatic teller machines (ATMs) to internet banking or mobile phone banking to provide certain limited banking services to banks’ customers. This model is additive in nature and may be seen as a modest extension of conventional branch-based banking.

Bank-led model:
          The bank-led model offers a distinct alternative to conventional branch-based
Banking in that customer conducts financial transactions at a whole range of retail agents (or through a mobile phone) instead of at bank branches or through bank employees. This model promises the potential to substantially increase the financial
services outreach by using a different delivery channel (retailers/ mobile phones), a
different trade partner (Telco / chain store) having experience and target market distinct from traditional banks, and may be significantly cheaper than the bank-based alternatives. The bank-led model may be implemented by either using correspondent arrangements or by creating a JV between Bank and Telco/non-bank. In this model customer account relationship rests with the bank

Non-bank-led model:
          The non-bank-led model is where a bank has a limited role in the day-to-day account management. Typically its role in this model is limited to the safekeeping of funds. Account management functions are conducted by a non-bank (e.g. Telco) who has direct contact with individual customers.

Mobile Banking Services:
Mobile banking can offer services such as the following:
Account information:
1.     Mini-statements and checking of account history
2.     Alerts on account activity or passing of set thresholds
3.     Monitoring of term deposits
4.     Access to loan statements
5.     Access to card statements
6.     Mutual funds / equity statements
7.     Insurance policy management
8.     Pension plan management
9.     Status on check, stop payment on the check
10.            Ordering checks books
11.            Balance checking on the account
12.            Recent transactions

13.            Due date of payment (functionality for stop, change and deleting of payments)
14.            PIN provision, Change of PIN and reminder over the Internet
15.            Blocking of (lost, stolen) cards

Payments, deposits, withdrawals, and transfers:
1.     Cash-in, cash-out transactions at an ATM
2.     Domestic and international fund transfers
3.     Micro-payment handling
4.     Mobile recharges
5.     Commerce payment processing
6.     Bill payment processing
7.     Peer to Peer payments
8.     Withdrawal at banking agents
9.     Deposit at banking agent

A specific sequence of SMS messages will enable the system to verify if the client has sufficient funds in his or her wallet and authorize a deposit or withdrawal transaction at the agent. When depositing money, the merchant receives cash and the system credits the client's bank account or mobile wallet. In the same way the client can also withdraw money at the merchant: through exchanging SMS to provide authorization, the merchant hands the client cash and debits the merchant account.

Investments:
1.     Portfolio management services
2.     Real-time stock quotes
3.     Personalized alerts and notifications on security prices

Support:
1.     Status of requests for credit, including mortgage approval, and insurance coverage
2.     Check (check) book and card requests
3.     Exchange of data messages and email, including complaint submission and tracking
4.     ATM Location

Content services:
1.     General information such as weather updates, news
2.     Loyalty-related offers
3.     Location-based services

Based on a survey conducted by Forrester, mobile banking will be attractive mainly
to the younger, more "tech-savvy" customer segment. A third of mobile phone users
say that they may consider performing some kind of financial transaction through their mobile phone. But most of the users are interested in performing basic transactions such as querying for account balance and making bill payment.


Future Functionalities In Mobile Banking:

Based on the 'International Review of Business Research Papers' from World business Institute, Australia, following are the key functional trends possible in the world of Mobile Banking.

With the advent of technology and increasing use of Smartphone and tablet based devices, the use of Mobile Banking functionality would enable customers to connect
across the entire customer life cycle much comprehensively than before. With this scenario, current mobile banking objectives of say building relationships, reducing
cost, achieving new revenue stream will transform to enable new objectives targeting higher level goals such as building brand of the banking organization. Emerging technology and functionalities would enable to create new ways of lead generation, prospecting as well as developing deep customer relationship and mobile banking world would achieve superior customer experience with bi-directional communications.

Illustration of objective based functionality enrichment In Mobile Banking
·        Communication enrichment: - Video Interaction with agents, advisors.
·        Pervasive Transaction capabilities: - Comprehensive “Mobile wallet”
·        Customer Education: - “Test drive” for demos of banking services
·        Connect with new customer segment: - Connect with Gen Y – Gen Z uses games and social network ambushed to surrogate bank’s offerings
·        Content monetization: - Micro level revenue themes such as music, e-book download
·        Vertical positioning: - Positioning offerings over mobile banking specific industries
·        Horizontal positioning: - Positioning offerings over mobile banking across all the industries
·        Personalization of corporate banking services: - Personalization experience for multiple roles and hierarchies in corporate banking as against the vanilla based segment based enhancements in the current context
·        Build Brand: - Built the bank’s brand while enhancing the “Mobile real estate”.


Challenges For A Mobile Banking Solution:

Key challenges in developing a sophisticated mobile banking application are:

Handset operability:
There are a large number of different mobile phone devices and it is a big challenge for banks to offer mobile banking solution on any type of device. Some of these devices support Java ME and others support SIM Application Toolkit, a WAP browser, or only SMS. Initial interoperability issues however have been localized, with countries like India using portals like R-World to enable the limitations of low end Java based phones, while focus on areas such as South Africa have defaulted to the USSD as a basis of communication achievable with any phone.

The desire for interoperability is largely dependent on the banks themselves, where installed applications (Java based or native) provides better security, are easier to use and allow development of more complex capabilities similar to those of internet
Banking while SMS can provide the basics but becomes difficult to operate with more complex transactions.

There is a myth that there is a challenge of interoperability between mobile banking
Applications due to perceived lack of common technology standards for mobile banking. In practice it is too early in the service Lifecycle for interoperability to be addressed within an individual country, as very few countries have more than one mobile banking service provider. In practice, banking interfaces are well defined and money movements between banks follow the IS0-8583 standard. As mobile banking matures, money movements between service providers will naturally adopt the same standards as in the banking world.

Security:
Security of financial transactions, being executed from some remote location and transmission of financial information over the air, are the most complicated challenges that need to be addressed jointly by mobile application developers, wireless network service providers and the banks' IT departments. The following aspects need to be addressed to offer a secure infrastructure for financial transaction over a wireless network:

1.     Physical part of the handheld device. If the bank is offering smart-card based security, the physical security of the device is more important.
2.     The security of any thick-client application running on the device. In case the device is stolen, the hacker should require at least an ID/Password to access the application.
3.     Authentication of the device with the service provider before initiating a transaction. This would ensure that unauthorized devices are not connected to perform financial transactions.
4.     User ID / Password authentication of a bank’s customer.
5.     Encryption of the data being transmitted over the air.
6.     Encryption of the data that will be stored in device for later / off-line analysis of the customer.

One-time password (OTPs) is the latest tool used by financial and banking service providers in the fight against cyber fraud. Instead of relying on traditional memorized passwords, OTPs are requested by consumers each time they want to perform transactions using the online or mobile banking interface. When the request
is received the password is sent to the consumer’s phone via SMS. The password has expired once it has been used or once its scheduled life-cycle has expired.

Because of the concerns made explicit above, it is extremely important that SMS gateway providers can provide a decent quality of service for banks and financial institutions in regards to SMS services. Therefore, the provision of service level agreements (SLAs) is a requirement for this industry; it is necessary to give the bank customer delivery guarantees of all messages, as well as measurements of the speed of delivery, throughput, etc. SLAs give the service parameters in which a messaging solution is guaranteed to perform.

Scalability and reliability:
Another challenge for the CIOs and CTOs of the banks is to scale-up the mobile banking infrastructure to handle the exponential growth of the customer base. With mobile banking, the customer may be sitting in any part of the world (true anytime, anywhere banking) and hence banks need to ensure that the systems are up and running in a true 24 x 7 fashion. As customers will find mobile banking more and more useful, their expectations of the solution will increase. Banks unable to meet the performance and reliability expectations may lose customer confidence. There are systems such as Mobile Transaction Platform which allow quick and secure mobile enabling of various banking services. Recently in India there has been a phenomenal growth in the use of Mobile Banking applications, with leading banks adopting Mobile Transaction Platform and the Central Bank publishing guidelines for mobile banking operations.

Application distribution:
Due to the nature of the connectivity between the bank and its customers, it would be impractical to expect customers to regularly visit banks or connect to a web site for regular upgrade of their mobile banking application. It will be expected that the mobile application itself check the upgrades and updates and download necessary patches (so called "Over The Air" updates). However, there could be many issues to implement this approach such as upgrade / synchronization of other dependent components.

Personalization:
It would be expected from the mobile application to support personalization such as:
1.     Preferred Language
2.     Date / Time format

3.     Amount format
4.     Default transactions
5.     Standard Beneficiary list
6.     Alerts

Security For Mobile Banking System

Mobile Banking channel Platforms:

There are six mobile banking channel platforms. They are:
1.     STK Menu
2.     USSD Menu
3.     Java Menu
4.     Text SMS
5.     IVR
6.     WAP
         
Mobile Banking Security Options:
The diagram bellow shows the options we have for securing data across the GSM Channel:


The data carried across the mobile network is protected by the standard GSM security protocols at the communication layer. The subscriber identity is also protected across this chain. The risk of transporting data across the GSM channel may be found in the number of stops the data make before reaching the bank. Unlike fixed line communication, data being carried across the mobile network jumps from one base station to the next, which means that the chain of encrypted on communication is broken. The data are also unencrypted when it hits the network operator. Thus, there is a broken encryption between the consumer and the bank.

STK/SAT-Sim Application Toolkit Menu:

The SIM Application Toolkit allows for the service provider or bank to house the consumer’s mobile banking menu within the SIM card. STK is the most secure method of mobile banking. It allows the bank to load its own encryption keys onto the SIM card with the bank’s own developed application.
Overview of STK:
1.     The SIM Application Toolkit is a set of commands which defines how the card should interact with the outside world and extends the communication protocol between the card and the handset.
2.     With SIM Application Toolkit, the card has a proactive role in the handset (this means that the SIM initiates commands independently of the handset and the network).
3.     SAT (SIM Application Toolkit) is designed as a client server application.
4.     The applications are stored in the SIM card, and not on the handset.
Applications are downloaded over the air and stored in SIM card and the process is controlled by the service provider.
5.     Service provider keeps total control of the applications, when they are to be downloaded and when they should be removed.
6.     It uses the SMS for the bearer medium to transfer the information between the handset and the service provider.

STK Banking Data Security:


The SAT is the most secure method of mobile banking. It allows the bank to load its own encryption keys onto the SIM card with the bank’s own developed application. Thus the consumer data can be stored on the SIM Card and the consumer can be authenticated on the handset prior to having to carry any data across the mobile network. The data is also encrypted prior to leaving the handset and only decrypted using the banks encryption keys within the bank.

Features on STK Menu:
·        Supported by the 100% hand set,
·        SIM based menu
·        Dynamic menu to choose from.
·        Easy to use

Advantages of STK Menu:
·        Some manufacturers claim that STK enables higher levels of security through identity verification and encryption, which are necessary for secure electronic commerce.
·        STK has been deployed on the largest number of mobile devices.

Limitations on STK Menu:
·        Updating STK applications and menus stored on the SIM can be difficult after the customer takes delivery of the SIM. To deliver updates, either the SIM must be returned and exchanged for a new one (which can be costly and inconvenient) or the application updates must delivered over-the-air (OTA) using specialized, optional SIM features. Mobile Network Operators can now (as of October 2010), for example, deliver updated STK application menus by sending a secure SMS to handsets that include a SIM alliance Toolbox (S@T) compliant wireless internet browser (WIB). When using a Bearer Independent Protocol-compliant (BIP) SIM card in a BIP- compliant handset, the updates can be delivered very quickly as well (depending upon the network connectivity available to and supported by the handset, i.e. GPRS/3G speed). It might also be possible to change the menu of wireless internet gateway (WIG) -based STK applications. The update limitations hinder the number and frequency of STK application deployments.
·        STK has essentially no support for multimedia, only basic pictures.
·        The STK technology has limited independent development support available.

Example of STK Menu:
Deliver updated STK application menus by sending a secure SMS to handsets that include a SIM alliance Toolbox (S@T) compliant wireless internet browser (WIB). When using a Bearer Independent Protocol-compliant (BIP) SIM card in a BIP compliant handset, the updates can be delivered very quickly as well (depending upon the network connectivity available to and supported by the handset, i.e. GPRS/3G speed). It might also be possible to change the menu of wireless internet gateway (WIG) -based STK applications. The update limitations hinder the number and frequency of STK application deployments.


USSD (Unstructured Supplementary Services data):

USSD is a unique service for mobile networks comprised of two-directional session based exchange of unstructured data in GSM mobile networks. The USSD service supports high-speed real-time information exchange between subscriber and service application.

USSD Banking Data Security:


USSD opens a single session between the device and the USSD application at the network operator, processor, or a bank. In other words the transaction is completed while the session is open and is not stored for subsequent completion.

The end-to-end transaction flow is across the encrypted GSM communication layer and the subscriber identity is also hidden. The data can also be encrypted as soon as it terminates at the USSD gateway sitting at the network operator, processor or bank, thus preventing any internal risk of misuse of data. Therefore the only risk is that the data carried within the communication layer is not itself encrypted. If someone were to be able to break the GSM encryption, they would have access to the data.

In USSD channel the consumer’s sensitive data are typically kept on a server and no t on the handset. This data is encrypted. The data entered into the handset is limited to authentication of the consumer (the PIN) and the banking instruction from the consumer, without having to enter an account or personal details. The threat remains that if the handset and the SIM card and the authentication data is stolen, and used on the mobile banking channel to transact, then the consumer is at risk. The data is useless without these four elements.

Mitigating Security Risks in USSD-based Mobile Payment Applications:

Mobile payment applications use various communications channels which are not secure, including USSD and IP-based communications. As usage of these communications channels by payment applications increases, security flaws are becoming prime concerns for service providers.

Critical threats such as fraudulent transactions, request/response manipulations, weak encryption, and insecure message communications have



Directly triggered revenue loss for mobile payment service providers. Fraudulent transactions, mobile application request/response tampering/dropping, sensitive information disclosure due to weak cryptographic implementation, improper account management, and modification of sensitive information can also cause security breaches and loss of sensitive data in USSD-based mobile payment applications.

In light of these threats, application development and integration companies, telecoms, and banks providing payment services need to assess USSD-based apps and ensure that secure coding practices have been followed during USSD-based application software development.

USSD Commands Request/Response Tampering:
A malicious user can tamper with USSD command requests and responses. This may cause confusion for the legitimate user and can also lead to fraudulent transactions. This request and response tampering is possible through hardware and software interceptors. Weak encrypted request and response messages are prime concerns in such threat vectors.

USSD Request/Response Message Replay Attacks:
When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application. An application must authenticate USSD request originator (authentication through a combination of MSISDN (Mobile Station International Subscriber Directory Number), IMEI (International Mobile Equipment Identity), PIN and unique Message Tracking ID). If this USSD application server or application is unable to authenticate the USSD request originator, then it can perform fraudulent transactions.

Improper Data Validation (USSD IP Mode Applications):
Improper data validation in the USSD IP mode application can lead to SQL injection, cross site scripting attacks. An adversary may purposely insert specifically crafted scripts in user input. Once successfully inserted in the database, the attacker may try to use the same to perform malicious actions on the database or at another user’s active session.



Features on USSD Menu:
·        Supported by the 100% hand set
·        Dynamic,
·        Easy to use, all users can access
·        No need to write SMS,
·        Operator base dependency,
·        No store and forwarding option.




Advantages of USSD Services:
·        Extremely low cost
·        Real-time
·        Fast and responsive
·        Interactive navigation
·        Consumer driven
·        Can be used as payment method
·        Automated response
·        Allows for mass-usage
·        Location-based, SIM and PUK-based and user selected customization and segmentation.

Disadvantages of USSD Services:
·        Little in the way of aesthetics
·        Messages cannot be saved or forwarded
·        USSD codes aren’t as memorable as other Common Short Codes (CSC)
·        Not always reliable due to session-based timeouts

USSD Used Applications:
Services ideal with USSD as the bearer include mobile chat, m -commerce, prepaid balance inquiry, mobile banking, call-related services and any other service that requires interaction between the user and the application.
·        Menu Browsing
·        Alternative to IVR
·        Balance Enquiry
·        Card Validity
·        Prepaid Recharge (from any visiting network also)
·        “Pull” based Services like informational services.
·        News – Weather
·        Movies –  Sports Update
·        Currency Update – Stock Market
·        Telephone Directory – Yellow Pages
·        Push Services.
·        Voting / Polling
·        Flash Emergency Information
·        Customer care /service management
·        Service Activation / Deactivation
·        Voice Mail
·        MMS
·        Roaming
·        Information query: News, Weather, Sports, Finance, Train schedules, real time Currency Converter.

·        Reservations (Train / Movie).
·        Sponsored Menu Item / Advertisement
·        Companies / Shops / Theaters can get listed
·        On the Menu and promote their services
·        Contests.
·        Tele-voting.
·        Virtual Money Transaction
·        Debit Card.
·        Interactive Interface to Corporate ERP.
·        Voice Chat.

Roaming: This has huge advantages while roaming. This is because USSD services are well available in roaming networks and all the USSD messages are directed towards the subscriber’s Home Network itself, thus, same set of services that are available in home network can be given in a visited network too, giving subscribers a Virtual Home Environment (VHE). Information query: News, Weather, Sports, Finance, Train.

Example of USSD Menu:
A typical USSD message starts with an asterisk (*) followed by digits that comprise commands or data. Groups of digits may be separated by additional asterisks. The message is terminated by a number sign (#).Example USSD codes:
1.      *101#
2.      *109*72348937857623#
3.      After entering a USSD code on a GSM handset, the reply from the GSM operator is displayed within a few second.

Wireless Application Protocol (WAP):

WAP is wireless application protocol used over GPRS. It is similar to Internet banking. The consumer’s handset needs to be WAP enabled. WAP banking is open to similar threats as Internet banking.

WAP banking data Security:


WAP allows for a GPRS session to be opened between the handset's web browsers and the web application at the bank. This session is protected once again by the encrypted GSM communication layer and then can be further protected by encryption of the actual banking website that is being accessed. This makes WAP banking open to similar threats as internet banking, yet further secured in that the bank can establish that the session has been initiated by the consumer’s SIM.

Features on WAP:
·        GPRS supported handset
·        Need active WAP connection
·        Internet using knowledge

How to get WAP:
An IP address will direct users to the WAP site of Mobile Banking.



Java Menu (J2ME):

Java Platform, Micro Edition, or Java ME, is a Java platform designed for embedded systems (mobile devices are one kind of such systems). Target devices range from industrial controls to mobile phones (especially feature phones) and set-top boxes. Java ME was formerly known as Java 2 Platform, Micro Edition (J2ME).






J2ME Banking data Security:

J2ME uses the same bearer channel as WAP. However J2ME applications can have additional security around the application that is resident on the handset. Thus the data entered into the J2ME application can be encrypted at that point and sent across the GPRS channel as described above. It would only be decrypted at the bank or processor. J2ME is however open to certain attacks in that the consumer needs to establish that the application is being downloaded from the correct source and that the source is not that of a malicious attempt to copy the bank's application in order to obtain sensitive data from the consumer.

Features on Java Menu:
·        Only Java supported handset
·        Need internet connection, Easy to use
·        Internet using knowledge.
·        More than 80% JAVA Support phone set on the market

How to Get Java Menu:
By sending a simple SMS we can get a link to download the JAVA menu.


IVR (Interactive Voice response) banking data security:

Highly secured as inserted PIN (by pressing buttons) cannot be traced by the Telco.



IVR, being a voice call, is protected by both the encrypted GSM communication layer25 as well as the GSM protection of the subscriber identity of the consumer26 and it is carried across the mobile network to the bank’s IVR. Only at this point are the entries that the consumer has keyed into their phone, stored. If this is in the bank’s environment it should be secure, but if on an ‘on behalf’ platform it may not be secure.

In the IVR banking channel, the consumer’s sensitive data is typically kept on a server and not on the handset. This data is encrypted. The data entered into the handset is limited to authentication of the consumer (the PIN) and the banking instruction from the consumer, without having to enter an account or personal details. The threat remains that if the handset and the SIM card and the authentication data is stolen, and used on the mobile banking channel to transact, then the consumer is at risk. The data is useless without these four elements.

Features on IVR:
·        100% handset support
·        Easy to use
·        Keyword typing hassle free.

How to Get:
Dialing to a Short Code user will hear a pre-recorded voice which will direct and give answers to queries.
















Short message Services (SMS):

SMS is the simplest form of mobile banking. It is largely used for information-based services. SMS has the maximum reach amongst consumers since all the mobile phones support SMS. Short messages are stored and forwarded by SMS centers. These messages have some security issues.

SMS Banking Data Security:



SMS banking is deemed to be the least secure of the mobile bearer channels. This is due to the number of points that the SMS data is available to others in a clear or unencrypted format. A consumer would initiate a transaction by sending an SMS to

the bank using the bank’s SMS short code as a terminating address. The SMS would be automatically stored on the handset and be available to anyone that looks at the consumer’s phone. The SMS would then pass through the encrypted GSM communication channel, through the base stations and terminate at the mobile network operator, where it is typically stored unencrypted. The MNO may at this point pass the message onto the bank’s wireless application processor, SMS gateway, or mobile banking processor (which may be a third party), where it is stored either encrypted or unencrypted. The third party would then pass the message to the bank across an encrypted fixed line to the bank where it is typically stored in a secured environment.

In SMS banking channel, the consumer’s sensitive data is typically kept on a server and not on the handset. This data is encrypted. The data entered into the handset is limited to authentication of the consumer (the PIN) and the banking instruction from the consumer, without having to enter an account or personal details. The threat remains that if the handset and the SIM card and the authentication data is stolen, and used on the mobile banking channel to transact, then the consumer is at risk. The data is useless without these four elements.

Message Structure:
The secured SMS message is divided into multiple fields to accommodate for the various security checks required for the protocol. To ease the understanding of the message structure, Figure 4 shows the structure overview for a secure SMS message. The numbers above the fields are the minimum number of bytes required for each field in the message. The number of bytes for each field can be increased depending on the implementation requirements.





The use of each labeled structure is explained below:

The Version is the mobile application version number. It contains a specified byte pattern. The receiver checks if the first three bytes of the received SMS message are valid for the bank application. If the message version number does not match the application version, then the message is discarded. As there are possibilities that the can receive accidental SMS messages that are not intended for the bank server. The usage of the version bytes is to help to eliminate these erroneous messages.
·        The AccId contains the bank account identifier of the user.
·        The Seq is the user’s current sequence number of the one-time password.
·        The Encrypted Text Length contains the number of next bytes that are the ciphered message.
·        The Digest Length contains the number of next bytes that contains the message digest.
·        The Digest contains the calculated digest value of the message. The use of the digest is for the server to check for message integrity. For the secure SMS banking protocol, a single digest of the following fields is calculated Version ,AccID, Seq, PIN, Type of Transaction and  Transaction Payload

The content of the following fields is encrypted using the generated session key.

·        The PIN contains the user predefined password. This is used by the receiver application to authenticate the user
·        The secure SMS message can be used for different types of transactions. The Type of Transaction is used by the bank server application to identify the type of transaction it should perform.
·        The Transaction Payload is the extra data that are used for a transaction, but it is not used for any security purpose. The content of the Transaction Payload depends on the type of transaction requested. The structure of the payload depends on the type of transaction offered by the bank.

Protocol Sequences:
In the GSM network, SMS messages are sent asynchronously to the receiver, because of this the Secure SMS protocol is asynchronous. The figure below illustrates the overview of the secure SMS protocol.






We can consider the Secure SMS protocol to be divided into two parts. The first part is the message generation. The mobile phone generates the message and sends it to the server. The second part is the message security checks. The server reads the
received message, decodes the contents and performs security checks. The following subsections describe each part of the protocol.

Generating and Sending Secure SMS Messages:
The mobile phone captures all the required security information from the user. This information is used to generate the secure SMS message to be sent to the server. The mobile application has a preset version byte pattern, this pattern is inserted into the message.

The message hash value a number which can ensure message integrity for the receiver side. The requirement of maintaining the message integrity is that at least some of the contents that are used for calculating the message digest need to be encrypted. This can ensure message integrity because if the message is intercepted, the attacker cannot use the encrypted contents to generate another digest. The

Integrity validation will not pass if any part of the original message is altered. The fields of content that need to be encrypted are dependent on the needs of the developer. The protocol requires that the message to have some identification details not to be encrypted. This is for the receiver to identify the account holder's identity. The algorithm used for encryption must be a symmetric encryption algorithm. The key used for encryption is generated from the one-time password entered by the user. The one-time passwords are only known by the server and the user. After the application completes processing the security contents, the contents are placed in the SMS message according to the message structure described in the Message Structure section. The SMS message is sent to the server via the GSM network.

Receiving and Decoding Secure SMS Message:
When the server receives the message from the cellular network, it breaks the message down according to the structure described in the Message Structure section. The server first checks for the version bytes pattern. If the version is correct, it is assumed that the message is suitable for the secure SMS protocol. Next, the server reads the account identifier from the message and checks if the account identifier exists in the server database. After this, the server retrieves the current sequence number for the given account identifier. The server checks if the sequence number read from the message matches the sequence number read from the server database.

If the above security checks all passed, the server proceeds to retrieve the one-time password from the database. The password is indexed by the account identifier and the sequence number. Thereafter the server uses the retrieved password as the sequence number. Thereafter the server uses the retrieved password as then the used one-time password is discarded and the server is a sequence counter for that account gets incremented by the value of 1.

After the decryption, the server reads the secure contents that are required for the calculation of the message digest. The message digest is calculated using the same algorithm as the algorithm used by the mobile application. The server compares the two digests for message integrity. If the message is proven not to have been altered, then the server retrieves the PIN (the account holder’s personal password) from the message and compares it against the account holders PIN from the server database. If all of the above security checks pass, the server performs the requested transaction.

Advantages of Text SMS:
·        Allows you to request and receive banking information from your bank on your mobile phone
·        You can manage bank accounts, check account balances, perform check requests and pay some bills.
·        If you are in a business you can access your account whenever you need to
·        It is more convenient because you don't have to go to a bank to complete a banking transaction.
·        It's quite discrete, so you can view it when you are doing everyday jobs and you don't have to set aside time to go to the bank.

Disadvantages of Text SMS:
·        If you don't have the internet on your mobile you can't access what you need in your bank account.
·        You could get your phone stolen and it will have all of your details on it, so people can gain access to your account as well as your phone.
·        It causes more people to use their mobile phones and can cause radiation.


















Demonstrative Structure and Key Feature of Software


First Step:
From the bank user information goes to the MASP’s system, where they maintain the security

Second Step:
From MASP the information goes to Distributor and DSR.

Third Step:
DSR sends the information to agents and via agents the customers get the required information and customers to also send the request by those agents to.

The Security System and Bridge Through the Three Systems Mobile:



First Step:
Customers send the shortcut via his/her mobile phone and that code goes to operator like GP, ROBI etc. They pass the info thru SMSC and firewall for special security.

Second Step:
Operators send the code to MASP via router. After checking by firewalls the shortcut goes to MASP‘s SMS Gateway and assures the security of the sensitive information hidden in the code.

Third Step:
MASP sends the code to banks system via a router. The firewall and routers pass the code to the server then the socket app as a client.

This is the way an SMS/short code goes to banks system where the funding is safe. The operator and MASP system assures the security of the bridge between banks and customers here.






Need For Mobile Banking Security

2014 will witness over 3 billion mobile users worldwide, according to Gartner s research. Mobile phones will become the preferred and most commonly used web device globally by 2013. They will be considered the most convenient device for almost everything that PCs are doing today. As a result, a large number of mobile applications will be built for multiple platforms (Android, J2ME, Symbian, etc.) and domains (mobile payments, mobile commerce, mobile Value Added Services, etc.).

As more and more transactions are made over mobile phones, hackers are perpetrating more fraud and attacks. Experts believe most security breaches are inevitable as mobile usage grows. What makes mobile phones vulnerable is the speed and advancement of technology, along with continued business demand for newer mobile products and services. Proper security controls must become an intrinsic part of mobile phones and mobile applications.

Major business impacts in case of mobile application security breach are:
·        Fraudulent transactions (Revenue Loss) through mobile applications
·        Confidentiality (Users sensitive data- Credit/Debit Card Data, PIN , user credentials)
·        Revenue loss through communications services misuse
·        Brand value degradation through SIM card cloning and related attacks
·        Misuse of Enterprises Data through personal handheld devices

·        Fraudulent transactions through USSD (Unstructured Supplementary Service Data) and DSTK (Dynamic SIM Toolkit) Applications

While telecoms and the rest of the service chain are becoming more motivated to deploy secure, reliable and robust products, the task is challenging. There are multiple mobile operating systems platforms, various telecom providers; banking service dependencies, and a complex network infrastructure to consider.











Appendix:
           
            ATM- Automatic Teller Machines
          BB- Bangladesh Bank
            ITU- International Telecommunication Union
          IVR- Interactive Voice Response
          KYC- Known Your Customer
            MPIN- Master Personal Identification Number
          POS- point-of-sale terminal
          PSO- payment system operators
            PSP- payment service providers
            PDA- Personal Digital Assistant
            SMS- Short Message Service
            STK- SIM Application Toolkit
            SIM- Subscriber Identity Module
            Telco- Telecommunication Company
            USSD- Unstructured Supplementary Service Data
          WAP- Wireless Application Protocol
          MASP- Mobile Application Service Provider

Reference:

Comments

Popular posts from this blog

ORA-01033 Oracle initialization or shutdown in progress

ORA-01033 Oracle initialization or shutdown in progress When you connect oracle 12c plug gable database, Thus time you have get oracle initialization or shutdown in progress error. This error occurred because pluggable database are not initialized. To fix this error connect as sysdba and run  ALTER PLUGGABLE DATABASE ALL OPEN    command. ALTER PLUGGABLE DATABASE ALL OPEN Thanks.

AFTER LOGON Trigger not perfectly working

AFTER LOGON not perfectly working.  I have tried it on single instance oracle 12c database it's perfectly work but it's not perfectly working on multi instance Oracle 12c database. I have submitted this matter in oracle forum but not found any perfect answer. Do you know why  it's not working ???

Checking operating system version: must be 5.0, 5.1 or 5.2 Actual 6.1 Failed

This error occurred when we are installing old oracle software in latest OS (Operating System).   Basically Its’s occurring on windows platform.