Security of Mobile Banking Presented by: Ming Ki Chong Kelvin Chikomo


1 Security of Mobile Banking
Presented by: Ming Ki Chong, Kelvin Chikomo
Supervisor: Alapan Arnab, Andrew Hutchison

2 Overview
- Introduction
- SMS Banking
- GPRS Banking
- Conclusion

3 Introduction

4 Hypothesis
There are currently many flaws in the present mobile banking implementations. We believe we can build a more secure banking implementation using both SMS and GPRS protocols.

5 Project Outcomes
Developed application should abide by the following security principles:
- Confidentiality
- Authenticity
- Integrity
- Non-repudiation
- Availability
Comparison of SMS and GPRS implementations

6 Timeline
Milestone: Duration
- Design: 2 Weeks
- Development: 4 Weeks
- Testing: 2 Weeks
- Web Page Development and poster: 3 Weeks
- Final Report and Research paper: Throughout the project time
- Project Demonstration: 17 November

7 Work Division
- Ming Ki Chong: SMS Banking
- Kelvin Chikomo: GPRS Banking

8 Work Division
[Diagram labels: GSM + SMS Architecture; GSM + GPRS Architecture; Secure SMS Banking; Secure GPRS Banking; Secure SMS Banking Server; Secure GPRS Banking Server; Secure Mobile Banking]

9 SMS Banking

10 SMS Banking Overview
- Background Research
- GSM Architecture
- SMS Scenarios
- Current SMS banking
- What I Propose to Research
- What I Propose to Implement
- Concerns

11 GSM Architecture
- MS: Mobile Station
- BTS: Base Transceiver Station
- BSC: Base Station Controller
- MSC: Mobile Switching Centre
- GMSC: Gateway MSC
- SMSC: Short Message Service Centre
- OMC: Operation and Maintenance Centre
- ISC: International Switching Centre
- EIR: Equipment Identity Centre
- AUC: Authentication Centre
- HLR: Home Location Register
- VLR: Visitor Location Register
[Diagram: GSM architecture showing MSC, OMC, GMSC, SMSC, HLR, VLR, EIR, AUC, BSC, BTS, MS and ISC]

12 [Diagram: SMS message flow. Entities: Short Message Entity (SME), SMSC, HLR, MSC, VLR, MS. Labels: 4. Submit; 1. Msg Transfer; 3. Forward Short Msg; Access & Authenticate; 2. Verify Restrictions; 5. Delivery Report; 6. Delivery Report]
SMS Security Flaws
- SMS is stored in plain text

13 Current Mobile Banking
- WIZZIT
- MTN Mobile Banking
- Standard Bank
- FNB
- ABSA
- Use WIG (Wireless Internet Gateway)

14 What I Propose to Research
- Different Protocols for SMS Banking
- Security of using SMSes to Perform Transactions
- SMS Encryption
- Authentication
- Possible Attacks

15 What I Propose to Implement
- Mobile Banking Application Using J2ME
- Secure SMS protocol
- SMS Banking Server
- Secure Connection between the Bank Server and the Database
[Diagram labels: Bank Server; Mobile Phone; Database]

16 Protocol Layers
Mobile Phone:
- Banking Application
- Secure SMS Protocol
- Mobile Phone Interface
- Short Message Transport Protocol
- GSM Network
Bank Server:
- Banking Application
- Secure SMS Protocol
- Bank Server Interface
- Short Message Transport Protocol
- GSM Network
[Diagram label: GSM Architecture]

17 Concerns
- Cost
- J2ME vs. WIG
- Security vs. Performance
- Security vs. Functionality
- Hardware Platform (Compatibility)
- Usability (User Interface)

18 GPRS Banking

19 Overview
- GPRS architecture
- Data route
- Security implementations and shortfalls
- Bank implementations (WAP)
- Handshakes
- Authentication mechanisms (PINs, voice prints)
- Security shortfalls
- What I propose to do

20 Data route

21 GPRS security shortfalls
- Authentication Center (RAND, Kc, Ki, SRES)
- Denial of service attack, using the RAND value.
- Problems with the A3/A8 authentication algorithm
- Problems with A5 algorithm
- Look at note

22 Bank implementations (WAP)
- Handshakes
- Authentication mechanisms (PINs, voice prints)
- Security shortfalls

23 Handshakes

24 Authentication mechanisms
- Secret passwords
- Voice prints
- SIM verification codes

25 Security Shortfalls
- There is no end-to-end encryption between client and bank server.
- The public-key cryptosystem key sizes offered by the WTLS standard are not strong enough.
- Anonymous key exchange suites offered by the WTLS handshake are not considered secure.

26 [Diagram labels: Present implementations; My proposed implementation]

27 What I propose to do
- Build a WAP gateway that links the mobile station to the bank server from the GPRS network.
- Implement either a WAP browser plugin or a J2ME app that will ensure full mutual authentication during the handshake protocol.
- The plugin or J2ME app should also update and maintain network settings.

28 If time permits
- Look into using different key sizes and encryption algorithms like Blowfish.

29 Possible hindrances
- Time could be limited
- GPRS Access Point

30 Future research
- Lawful tapping
- Session ID management on Bank Server side (in case of abbreviated handshake)

31 Conclusion

32 Outcome
- Two secure mobile banking solutions.
- SMS solution
- GPRS solution
- Secure banking server
- Research Paper citing shortfalls in current systems and our new implementation.

