This is not the document you are looking for? Use the search form below to find more!
Mobile Banking in Developing Countries: Secure Framework for ...
4.00 (1 votes)
Document Description
The cost of delivering financial services in both developing and developed countries has always been an aspect of concern to financial institutions. Financial institutions incur exorbitant operating costs in the course of providing services to their clients. These costs definitely in the end trickle down to the bank client and translate into a drawback to the number of clients an institution attracts. On top of this the inconvenience to the client in terms of time delays and access is also a fundamental issue. While developed countries have a developed Internet infrastructure that has expedited development and pervasiveness of electronic banking services, developing countries have low access to the Internet. Take for example in Uganda internet connectivity is at level 1.5 given a scale of 0 to 4 according to Mingesetal (2001) [18]. Thus with the difusion of mobile telephony taking the case of Uganda cellular subscribers have increased from 3000 in 1996 to over 2.3 million by 2006. Today researchers are working at developing more low cost and secure mobile banking services to suit developing countries.
File Details- Added: April, 13th 2011
- Reads: 301
- Downloads: 1
- File size: 547.70kb
- Pages: 56
- content preview
- Name: eliasz
Embed Code:
Related Documents
The Adoption of E-banking in Developing Countries: A Theoretical ...
by: eliasz, 19 pagesElectronic banking offers numerous benefits to SMEs. SMEs can check account balances, transfer money, pay bills, collect receivables and ultimately reduce transaction costs and establish greater ...
Basic Tips for Fund-raising for Small NGOs in Developing Countries
by: samanta, 15 pagesSome of the most frequently asked questions (FAQs) to forums for community-based organizations (CBOs) in developing countries, whatever the subject, are regarding funding. In addition, the first ...
The Challenge of Reforming Budgetary Institutions in Developing Countries
by: samanta, 30 pagesThe paper notes that the development of sound budgetary institutions in countries such as France, the U.K. and the U.S. has taken a very long time―200 years or more―and is still evolving. ...
Strategie issues in preventing cataract blindness in developing countries
by: shinta, 10 pagesCataract blindness is a public health problem of major proportions in developing countries. Intracapsular cataract extraction with aphakic spectacles has been the standard surgical technique ...
ETHICAL ISSUES IN THE DESIGN AND CONDUCT OF CLINICAL TRIALS IN DEVELOPING COUNTRIES
by: shinta, 4 pagesTHERE has been considerable controversy about the ethics of clinical trials that are sponsored or conducted by groups in industrialized countries but carried out in developing ...
The Effect of Foreign Aid on Economic Growth in Developing Countries
by: shinta, 8 pageshis paper analyzes the effects of foreign aid on the economic growth of developing countries. The study uses annual data on a group of 85 developing countries covering Asia, Africa, and Latin ...
Possible Adverse Effects of Increasing Block Water Tariffs in Developing Countries
by: shinta, 7 pagesThe use of increasing block water tariffs is widespread throughout developing countries. An increasing block tariff (IBT) is a price struc- ture in which a commodity is priced at a low ...
Opportunities for Women's and Girl's Health : Building Global Support to Prevent Cervical Cancer in Developing Countries
by: shinta, 12 pagesStrains of human papillomavirus (HPV) – a large family of viruses – are the proven cause of cervical and anal cancer. This paper focuses on the opportunities for improving ...
Blindness and cataract in children in developing countries
by: shinta, 2 pagesBlindness in children is considered a priority area for VISION 2020, as visually impaired children have a lifetime of blindness ahead of them. Various studies across the globe ...
SOCIOECONOMIC INEQUALITY IN MALNUTRITION IN DEVELOPING COUNTRIES
by: shinta, 24 pagesThe objectives of this study are to report socioeconomic inequalities in childhood malnutrition in the developing world, to provide evidence on the association between socioeconomic ...
Content Preview
Mobile Banking in Developing Countries:
Secure Framework for Delivery of
SMS-banking Services
MASTER THESIS
Author: Abunyang Emmanuel
Student Number: s0535249
Radboud University Nijmegen.
The Netherlands
Security of Systems
Supervisor:
Prof. Dr. Bart Jacobs
August 2007
Abstract
The cost of delivering financial services in both developing and developed
countries has always been an aspect of concern to financial institutions. Fi-
nancial institutions incur exorbitant operating costs in the course of provid-
ing services to their clients. These costs definitely in the end trickle down
to the bank client and translate into a draw back to the number of clients
an institution attracts. On top of this the inconvenience to the client in
terms of time delays and access is also a fundamental issue. While developed
countries have a developed Internet infrastructure that has expedited devel-
opment and pervasiveness of electronic banking services, developing countries
have low access to the Internet. Take for example in Uganda internet con-
nectivity is at level 1.5 given a scale of 0 to 4 according to Minges et al (2001)
[18]. Thus with the diffusion of mobile telephony taking the case of Uganda
cellular subscribers have increased from 3000 in 1996 to over 2.3 million by
2006. Today researchers are working at developing more low cost and secure
mobile banking services to suit developing countries. This has led to the
development of short messaging service (SMS) as a mobile banking conduit
by banking institutions take for example the centenary Bank in Uganda.
SMS is considered a globally accepted wireless service initially adopted and
developed for use in the GSM system. It enables transmission of alphanu-
meric messages between mobile subscribers and external systems. However
questions about data confidentiality, user authentication and data integrity
arise. In this thesis we investigate , analyse and propose a prototype imple-
mentation that takes into account these security issues. Hence we present a
secure model for SMS mobile banking services tailored to suit mobile cellular
phone users. We give conclusions about application of SMS banking services
in developing countries and future trends.
Acknowledgements
I would like to express my gratitude to all the people who helped me make
this thesis possible. My special thanks go to my supervisor Professor Bart Ja-
cobs of Radboud University Nijmegen for his excellent guidance and support
throughout the project. I also extend my gratitude to Dr Martijn Oostdijk
for his valuable ideas and suggestions during the project. In deed without
them this thesis would not have been possible.
I also wish to register my appreciation to Professor Theo van der Weide,
Nicole el Moustakim and all the staff of external relations for all the encour-
agement and timely assistance offered
I would also like to extend my gratitude to NUFFIC and the coordinators
of ICT capacity building project in Uganda and the Netherlands for giving
me the opportunity of studying this masters program in Radboud University
Nijmegen.
Finally to my family, I dedicate this work to my wife Everline and kids
(Martha, Ludwig and Mary) who have had to bear with my absence through-
out these two years of study. To them I say thanks for being on my side.
Contents
1 Introduction
6
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
1.2 Research Questions . . . . . . . . . . . . . . . . . . . . . . . .
8
2
Background of Related Systems and Security Issues.
9
2.1
GSM Architecture. . . . . . . . . . . . . . . . . . . . . . . . .
9
2.2 GSM Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.1
Subscriber Identity Confidentiality . . . . . . . . . . . 11
2.2.2
Subscriber Identity Authentication . . . . . . . . . . . 11
2.2.3
User Data Confidentiality. . . . . . . . . . . . . . . . . 12
2.3 Security Deficiencies of GSM Architecture. . . . . . . . . . . . 13
2.3.1
A5 Encryption Algorithm. . . . . . . . . . . . . . . . . 14
2.3.2
A3/A8 Authentication Algorithm. . . . . . . . . . . . . 14
2.4 Enabling technologies for Mobile Banking. . . . . . . . . . . . 14
2.4.1
Short Messaging Service (SMS) . . . . . . . . . . . . . 15
2.4.2
Wireless Application Protocol (WAP) . . . . . . . . . . 15
2.4.3
Interactive Voice Communication (IVR) . . . . . . . . 15
2.4.4
Standalone Mobile Application Clients (MAC) . . . . . 15
2.5 Current SMS Banking Services in Uganda . . . . . . . . . . . 16
2.5.1
Security Limitation with the Current SMS Approach . 16
2.5.1.1
Message Spoofing . . . . . . . . . . . . . . . . 16
2.5.1.2
SMS Encryption . . . . . . . . . . . . . . . . 16
2.5.1.3
SMS Service Centre Attack. . . . . . . . . . . 16
3 Theory Concerning Cryptographic Security Mechanisms.
18
3.1 Basic Cryptography. . . . . . . . . . . . . . . . . . . . . . . . 18
3.1.1
Formal Description of Symmetric and Asymmetric Cryp-
tosystem. . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2.1
Types of Authentication . . . . . . . . . . . . . . . . . 20
3.2.2
Approaches to Authentication. . . . . . . . . . . . . . . 20
3.2.3
Freshness Assurance of Authentication. . . . . . . . . . 20
3.2.3.1
Clock Based Authentication . . . . . . . . . . 21
3.2.3.2
Authentication by Challenge /Response . . . 21
1
3.2.4
Secure Hash Function . . . . . . . . . . . . . . . . . . . 21
4 SMS Banking Proposed Secure Model.
23
4.1 The Solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.1.1
Mobile Application Component . . . . . . . . . . . . . 23
4.1.2
Bank Server . . . . . . . . . . . . . . . . . . . . . . . . 24
4.1.2.1
Back End Database . . . . . . . . . . . . . . 25
4.2 Message Format and Authentication Protocols . . . . . . . . . 25
4.2.1
Message Structure. . . . . . . . . . . . . . . . . . . . . 25
4.2.2
Review of Possible Handshake Protocols. . . . . . . . . 27
4.3 Proposed Authentication and Message Exchange Protocols . . 29
4.3.1
Key Generation . . . . . . . . . . . . . . . . . . . . . . 30
4.3.2
Key Storage . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3.3
Key management Assumptions . . . . . . . . . . . . . 31
4.3.4
Application of Keys . . . . . . . . . . . . . . . . . . . . 31
4.3.4.1
Check Balance . . . . . . . . . . . . . . . . . 31
4.3.4.2
Money Transfer. . . . . . . . . . . . . . . . . 32
4.3.5
Protocol Sequence. . . . . . . . . . . . . . . . . . . . . 32
4.3.6
Secure Message Generation and Transmission. . . . . . 32
4.3.6.1
Secure SMS Message Reception and Decoding. 33
5 Security Analysis of Proposed Protocol
34
5.1 Stakeholders . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.2 Security in the Proposed Secure SMS Protocol. . . . . . . . . 34
5.2.1
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.2.2
Authentication. . . . . . . . . . . . . . . . . . . . . . . 35
5.2.3
Non Repudiation . . . . . . . . . . . . . . . . . . . . . 35
5.2.4
Confidentiality . . . . . . . . . . . . . . . . . . . . . . 35
5.3 Threat Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.3.1
SMS Centre Threats . . . . . . . . . . . . . . . . . . . 36
5.3.2
Transmission Monitoring Threats . . . . . . . . . . . . 36
5.3.3
Threat Model Discussion . . . . . . . . . . . . . . . . . 37
6 The Prototype
40
6.1 System Development . . . . . . . . . . . . . . . . . . . . . . . 40
6.1.1
Mobile Information Device Application, MIDlet . . . . 41
6.1.1.1
JAD Files . . . . . . . . . . . . . . . . . . . . 41
6.1.1.2
JAR Files . . . . . . . . . . . . . . . . . . . . 41
6.2 Development Environment. . . . . . . . . . . . . . . . . . . . . 41
6.3 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
6.3.1
Use Case Illustration. . . . . . . . . . . . . . . . . . . . 42
6.3.2
Class Collaboration of Mobile User Application Package 42
6.3.3
SMS Server Package . . . . . . . . . . . . . . . . . . . 43
6.4 Prototype Implementation . . . . . . . . . . . . . . . . . . . . 44
2
6.4.1
Security Technologies Used . . . . . . . . . . . . . . . . 44
6.4.1.1
Sequence–Password Generator . . . . . . . . . 46
6.4.2
Communication between Client and Server . . . . . . . 47
6.4.3
Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
7 Conclusion and Reflections.
49
7.1 Reflections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3
List of Figures
2.1 GSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Authentication Procedure . . . . . . . . . . . . . . . . . . . . 12
2.3 Cipher Key Generation and Enciphering . . . . . . . . . . . . 13
4.1 Overview of the Solution . . . . . . . . . . . . . . . . . . . . . 24
4.2 SMS Message Structure. . . . . . . . . . . . . . . . . . . . . . 26
5.1 Attack Topology . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2 Attack Tree Threat Model . . . . . . . . . . . . . . . . . . . . 39
6.1 Use Case Diagram of Prototype . . . . . . . . . . . . . . . . . 43
6.2 Class Diagram of Mobile User Application Package . . . . . . 44
6.3 Class Diagram of Server Package . . . . . . . . . . . . . . . . 45
6.4 Screen Shot Depicting Check Balance Test Transaction . . . . 48
4
Summary
This thesis explores the current technological and security aspects in mobile
banking systems. We review a number of systems offering mobile banking
services and highlight their technologies, services and security implementa-
tions. We use insights from these reviews to construct a secure frame work
for delivery of SMS banking in developing countries taking Uganda as our
domain of study.
In our research we focus on how to achieve security of banking informa-
tion used in SMS banking transactions because of varying degree of threats
and resource constraints on some components like memory in mobile cellular
phones. We achieve this by seeking to answer a number of questions;
1. What are the enabling technologies for mobile banking using a cell
phone?
2. What are the security concerns on the enabling technologies used?
3. What security measures are currently deployed with these technologies?
4. What is the appropriate model applicable for developing countries?
5. What are the observed requirements, limitations and challenges of this
mobile banking application in the context of the developing countries?
6. What are the possible solutions?
We present an overview of GSM network and its security limitations. We
further explore various authentication protocols relevant to our study and re-
view them to come up with our proposed protocol. Based on security analysis
tools we present a threat model using attack trees to give a security guar-
antee of our scheme. The current systems have focused on cost implications
at the expense of security. Hence a number of issues like confidentiality and
integrity of the message including authentication still need attention. We
therefore present a prototype implementation that demonstrates how these
security aspects can reliably be achieved in a SMS mobile banking system.
Our prototype provides a mechanism for authentication, encryption and
decryption for purposes of confidentiality and processes message digest for
integrity checks. We end up by giving a conclusion about secure SMS mobile
banking in developing countries and future work.
5
Chapter 1
Introduction
The way we live today is so much influenced by computing technologies.
Computers control the economy, transportation, banking and many other
functions. This development has made information attractive to criminals
because of the economic value of such information. The advent of the Internet
and wireless communication is believed to particularly have opened an entire
new area of crime. The European cyber crime treaty has drawn a criminal
policy aimed at protecting society against cyber crime by deterring and pros-
ecuting actions directed against the confidentiality, integrity and availability
of computer systems, communication networks and computer data [1]. This
indicates the extent to which authorities are getting prepared to fight cyber
crime in society.
Internet and mobile technologies are increasingly being adopted and utilised
in the banking industry; this has reshaped the consumption of financial ser-
vices [2]. In this research we analyse the security of electronic banking ser-
vices with an emphasis on mobile commerce transactions with a focus on mo-
bile banking using mobile devices specifically cell phones. Electronic banking
is considered a way of delivering banking services through the internet to the
consumer at a reduced cost to the banking industry and improved conve-
nience to the customer [4]. However there exists a low internet connectivity
in the developing countries given the costs of connection especially in rural
areas and yet banking services need to be brought closer to the population
to enhance development [16]. A viable solution here is mobile banking. Here
we are interested in what the implications are in the terms of security and
also in the economic viability of these technologies in developing countries.
Mobile commerce shall be defined as commercial transaction activities car-
ried out via communication networks that interface wireless or mobile devices.
A mobile device is a device used to connect to a mobile service for example
cell phones and Personal Digital Assistants (PDA). The high diffusion rate of
mobile phones coupled with the stability of mobile communication technolo-
6
gies have greatly contributed to the enhancement of mobile banking solutions
in the provision of financial services in the world [5]. Mobile banking is con-
sidered as a service that enables users to receive information regarding the
status of their accounts, to transfer among bank accounts, to facilitate stock
trading and direct payment confirmation using mobile devices.
A number of enabling technologies are being used in the delivery of mobile
banking service applications. They include Interactive Voice Response (IVR),
Short Messaging Service (SMS), Wireless Access Protocol (WAP) and stand
alone Mobile Application Clients (MAC).The goal of this research project
is to analyse these enabling technologies and applications that enhance mo-
bile banking trustworthiness in order to investigate the security limitations
and challenges and to propose possible solutions to mitigate them. We will
specifically look at the SMS enabling technology because its the most cost
effective service suitable for a developing country. However it has a num-
ber of security limitations for example when authorising a bill payment the
format is Account Number, PIN and amount [6]. Because these messages
are not encrypted, prone to human error and normally telecommunication
companies keep a copy of these messages in their servers they are quite an
easy target for criminals.
The intention of this research is to propose and implement some measure
that can be used to offset these limitations given the computing restrictions
of the ordinary cell phone which are predominantly used in the developing
countries. In chapter one, we discuss the GSM system which is an important
data transmission media used in delivery of SMS messages. Chapter three
discusses the cryptographic theory used in realization of security features in
this project. In chapter four we present our proposed protocol and analyse
its security capabilities in chapter five. We finally present the prototype
implementation in chapter six and conclude in chapter seven.
1.1
Motivation
In mobile banking data is electronically transmitted over wireless communi-
cation channels and the Internet. These processes raise issues of how users
are authenticated, how integrity of data is maintained and importantly the
confidentiality of this data. Considering the low extent of development of
ICT in developing countries when compared to the developed countries elec-
tronic banking has not really been able to diffuse into society given the low
rate of Internet access[15,16]. However the advent of mobile telephony has
seen the widespread adoption of cell phone usage this makes mobile banking
in the developing countries a very attractive service for the banking industry
7
Secure Framework for Delivery of
SMS-banking Services
MASTER THESIS
Author: Abunyang Emmanuel
Student Number: s0535249
Radboud University Nijmegen.
The Netherlands
Security of Systems
Supervisor:
Prof. Dr. Bart Jacobs
August 2007
Abstract
The cost of delivering financial services in both developing and developed
countries has always been an aspect of concern to financial institutions. Fi-
nancial institutions incur exorbitant operating costs in the course of provid-
ing services to their clients. These costs definitely in the end trickle down
to the bank client and translate into a draw back to the number of clients
an institution attracts. On top of this the inconvenience to the client in
terms of time delays and access is also a fundamental issue. While developed
countries have a developed Internet infrastructure that has expedited devel-
opment and pervasiveness of electronic banking services, developing countries
have low access to the Internet. Take for example in Uganda internet con-
nectivity is at level 1.5 given a scale of 0 to 4 according to Minges et al (2001)
[18]. Thus with the diffusion of mobile telephony taking the case of Uganda
cellular subscribers have increased from 3000 in 1996 to over 2.3 million by
2006. Today researchers are working at developing more low cost and secure
mobile banking services to suit developing countries. This has led to the
development of short messaging service (SMS) as a mobile banking conduit
by banking institutions take for example the centenary Bank in Uganda.
SMS is considered a globally accepted wireless service initially adopted and
developed for use in the GSM system. It enables transmission of alphanu-
meric messages between mobile subscribers and external systems. However
questions about data confidentiality, user authentication and data integrity
arise. In this thesis we investigate , analyse and propose a prototype imple-
mentation that takes into account these security issues. Hence we present a
secure model for SMS mobile banking services tailored to suit mobile cellular
phone users. We give conclusions about application of SMS banking services
in developing countries and future trends.
Acknowledgements
I would like to express my gratitude to all the people who helped me make
this thesis possible. My special thanks go to my supervisor Professor Bart Ja-
cobs of Radboud University Nijmegen for his excellent guidance and support
throughout the project. I also extend my gratitude to Dr Martijn Oostdijk
for his valuable ideas and suggestions during the project. In deed without
them this thesis would not have been possible.
I also wish to register my appreciation to Professor Theo van der Weide,
Nicole el Moustakim and all the staff of external relations for all the encour-
agement and timely assistance offered
I would also like to extend my gratitude to NUFFIC and the coordinators
of ICT capacity building project in Uganda and the Netherlands for giving
me the opportunity of studying this masters program in Radboud University
Nijmegen.
Finally to my family, I dedicate this work to my wife Everline and kids
(Martha, Ludwig and Mary) who have had to bear with my absence through-
out these two years of study. To them I say thanks for being on my side.
Contents
1 Introduction
6
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
1.2 Research Questions . . . . . . . . . . . . . . . . . . . . . . . .
8
2
Background of Related Systems and Security Issues.
9
2.1
GSM Architecture. . . . . . . . . . . . . . . . . . . . . . . . .
9
2.2 GSM Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.1
Subscriber Identity Confidentiality . . . . . . . . . . . 11
2.2.2
Subscriber Identity Authentication . . . . . . . . . . . 11
2.2.3
User Data Confidentiality. . . . . . . . . . . . . . . . . 12
2.3 Security Deficiencies of GSM Architecture. . . . . . . . . . . . 13
2.3.1
A5 Encryption Algorithm. . . . . . . . . . . . . . . . . 14
2.3.2
A3/A8 Authentication Algorithm. . . . . . . . . . . . . 14
2.4 Enabling technologies for Mobile Banking. . . . . . . . . . . . 14
2.4.1
Short Messaging Service (SMS) . . . . . . . . . . . . . 15
2.4.2
Wireless Application Protocol (WAP) . . . . . . . . . . 15
2.4.3
Interactive Voice Communication (IVR) . . . . . . . . 15
2.4.4
Standalone Mobile Application Clients (MAC) . . . . . 15
2.5 Current SMS Banking Services in Uganda . . . . . . . . . . . 16
2.5.1
Security Limitation with the Current SMS Approach . 16
2.5.1.1
Message Spoofing . . . . . . . . . . . . . . . . 16
2.5.1.2
SMS Encryption . . . . . . . . . . . . . . . . 16
2.5.1.3
SMS Service Centre Attack. . . . . . . . . . . 16
3 Theory Concerning Cryptographic Security Mechanisms.
18
3.1 Basic Cryptography. . . . . . . . . . . . . . . . . . . . . . . . 18
3.1.1
Formal Description of Symmetric and Asymmetric Cryp-
tosystem. . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2.1
Types of Authentication . . . . . . . . . . . . . . . . . 20
3.2.2
Approaches to Authentication. . . . . . . . . . . . . . . 20
3.2.3
Freshness Assurance of Authentication. . . . . . . . . . 20
3.2.3.1
Clock Based Authentication . . . . . . . . . . 21
3.2.3.2
Authentication by Challenge /Response . . . 21
1
3.2.4
Secure Hash Function . . . . . . . . . . . . . . . . . . . 21
4 SMS Banking Proposed Secure Model.
23
4.1 The Solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.1.1
Mobile Application Component . . . . . . . . . . . . . 23
4.1.2
Bank Server . . . . . . . . . . . . . . . . . . . . . . . . 24
4.1.2.1
Back End Database . . . . . . . . . . . . . . 25
4.2 Message Format and Authentication Protocols . . . . . . . . . 25
4.2.1
Message Structure. . . . . . . . . . . . . . . . . . . . . 25
4.2.2
Review of Possible Handshake Protocols. . . . . . . . . 27
4.3 Proposed Authentication and Message Exchange Protocols . . 29
4.3.1
Key Generation . . . . . . . . . . . . . . . . . . . . . . 30
4.3.2
Key Storage . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3.3
Key management Assumptions . . . . . . . . . . . . . 31
4.3.4
Application of Keys . . . . . . . . . . . . . . . . . . . . 31
4.3.4.1
Check Balance . . . . . . . . . . . . . . . . . 31
4.3.4.2
Money Transfer. . . . . . . . . . . . . . . . . 32
4.3.5
Protocol Sequence. . . . . . . . . . . . . . . . . . . . . 32
4.3.6
Secure Message Generation and Transmission. . . . . . 32
4.3.6.1
Secure SMS Message Reception and Decoding. 33
5 Security Analysis of Proposed Protocol
34
5.1 Stakeholders . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.2 Security in the Proposed Secure SMS Protocol. . . . . . . . . 34
5.2.1
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.2.2
Authentication. . . . . . . . . . . . . . . . . . . . . . . 35
5.2.3
Non Repudiation . . . . . . . . . . . . . . . . . . . . . 35
5.2.4
Confidentiality . . . . . . . . . . . . . . . . . . . . . . 35
5.3 Threat Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.3.1
SMS Centre Threats . . . . . . . . . . . . . . . . . . . 36
5.3.2
Transmission Monitoring Threats . . . . . . . . . . . . 36
5.3.3
Threat Model Discussion . . . . . . . . . . . . . . . . . 37
6 The Prototype
40
6.1 System Development . . . . . . . . . . . . . . . . . . . . . . . 40
6.1.1
Mobile Information Device Application, MIDlet . . . . 41
6.1.1.1
JAD Files . . . . . . . . . . . . . . . . . . . . 41
6.1.1.2
JAR Files . . . . . . . . . . . . . . . . . . . . 41
6.2 Development Environment. . . . . . . . . . . . . . . . . . . . . 41
6.3 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
6.3.1
Use Case Illustration. . . . . . . . . . . . . . . . . . . . 42
6.3.2
Class Collaboration of Mobile User Application Package 42
6.3.3
SMS Server Package . . . . . . . . . . . . . . . . . . . 43
6.4 Prototype Implementation . . . . . . . . . . . . . . . . . . . . 44
2
6.4.1
Security Technologies Used . . . . . . . . . . . . . . . . 44
6.4.1.1
Sequence–Password Generator . . . . . . . . . 46
6.4.2
Communication between Client and Server . . . . . . . 47
6.4.3
Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
7 Conclusion and Reflections.
49
7.1 Reflections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3
List of Figures
2.1 GSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Authentication Procedure . . . . . . . . . . . . . . . . . . . . 12
2.3 Cipher Key Generation and Enciphering . . . . . . . . . . . . 13
4.1 Overview of the Solution . . . . . . . . . . . . . . . . . . . . . 24
4.2 SMS Message Structure. . . . . . . . . . . . . . . . . . . . . . 26
5.1 Attack Topology . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2 Attack Tree Threat Model . . . . . . . . . . . . . . . . . . . . 39
6.1 Use Case Diagram of Prototype . . . . . . . . . . . . . . . . . 43
6.2 Class Diagram of Mobile User Application Package . . . . . . 44
6.3 Class Diagram of Server Package . . . . . . . . . . . . . . . . 45
6.4 Screen Shot Depicting Check Balance Test Transaction . . . . 48
4
Summary
This thesis explores the current technological and security aspects in mobile
banking systems. We review a number of systems offering mobile banking
services and highlight their technologies, services and security implementa-
tions. We use insights from these reviews to construct a secure frame work
for delivery of SMS banking in developing countries taking Uganda as our
domain of study.
In our research we focus on how to achieve security of banking informa-
tion used in SMS banking transactions because of varying degree of threats
and resource constraints on some components like memory in mobile cellular
phones. We achieve this by seeking to answer a number of questions;
1. What are the enabling technologies for mobile banking using a cell
phone?
2. What are the security concerns on the enabling technologies used?
3. What security measures are currently deployed with these technologies?
4. What is the appropriate model applicable for developing countries?
5. What are the observed requirements, limitations and challenges of this
mobile banking application in the context of the developing countries?
6. What are the possible solutions?
We present an overview of GSM network and its security limitations. We
further explore various authentication protocols relevant to our study and re-
view them to come up with our proposed protocol. Based on security analysis
tools we present a threat model using attack trees to give a security guar-
antee of our scheme. The current systems have focused on cost implications
at the expense of security. Hence a number of issues like confidentiality and
integrity of the message including authentication still need attention. We
therefore present a prototype implementation that demonstrates how these
security aspects can reliably be achieved in a SMS mobile banking system.
Our prototype provides a mechanism for authentication, encryption and
decryption for purposes of confidentiality and processes message digest for
integrity checks. We end up by giving a conclusion about secure SMS mobile
banking in developing countries and future work.
5
Chapter 1
Introduction
The way we live today is so much influenced by computing technologies.
Computers control the economy, transportation, banking and many other
functions. This development has made information attractive to criminals
because of the economic value of such information. The advent of the Internet
and wireless communication is believed to particularly have opened an entire
new area of crime. The European cyber crime treaty has drawn a criminal
policy aimed at protecting society against cyber crime by deterring and pros-
ecuting actions directed against the confidentiality, integrity and availability
of computer systems, communication networks and computer data [1]. This
indicates the extent to which authorities are getting prepared to fight cyber
crime in society.
Internet and mobile technologies are increasingly being adopted and utilised
in the banking industry; this has reshaped the consumption of financial ser-
vices [2]. In this research we analyse the security of electronic banking ser-
vices with an emphasis on mobile commerce transactions with a focus on mo-
bile banking using mobile devices specifically cell phones. Electronic banking
is considered a way of delivering banking services through the internet to the
consumer at a reduced cost to the banking industry and improved conve-
nience to the customer [4]. However there exists a low internet connectivity
in the developing countries given the costs of connection especially in rural
areas and yet banking services need to be brought closer to the population
to enhance development [16]. A viable solution here is mobile banking. Here
we are interested in what the implications are in the terms of security and
also in the economic viability of these technologies in developing countries.
Mobile commerce shall be defined as commercial transaction activities car-
ried out via communication networks that interface wireless or mobile devices.
A mobile device is a device used to connect to a mobile service for example
cell phones and Personal Digital Assistants (PDA). The high diffusion rate of
mobile phones coupled with the stability of mobile communication technolo-
6
gies have greatly contributed to the enhancement of mobile banking solutions
in the provision of financial services in the world [5]. Mobile banking is con-
sidered as a service that enables users to receive information regarding the
status of their accounts, to transfer among bank accounts, to facilitate stock
trading and direct payment confirmation using mobile devices.
A number of enabling technologies are being used in the delivery of mobile
banking service applications. They include Interactive Voice Response (IVR),
Short Messaging Service (SMS), Wireless Access Protocol (WAP) and stand
alone Mobile Application Clients (MAC).The goal of this research project
is to analyse these enabling technologies and applications that enhance mo-
bile banking trustworthiness in order to investigate the security limitations
and challenges and to propose possible solutions to mitigate them. We will
specifically look at the SMS enabling technology because its the most cost
effective service suitable for a developing country. However it has a num-
ber of security limitations for example when authorising a bill payment the
format is Account Number, PIN and amount [6]. Because these messages
are not encrypted, prone to human error and normally telecommunication
companies keep a copy of these messages in their servers they are quite an
easy target for criminals.
The intention of this research is to propose and implement some measure
that can be used to offset these limitations given the computing restrictions
of the ordinary cell phone which are predominantly used in the developing
countries. In chapter one, we discuss the GSM system which is an important
data transmission media used in delivery of SMS messages. Chapter three
discusses the cryptographic theory used in realization of security features in
this project. In chapter four we present our proposed protocol and analyse
its security capabilities in chapter five. We finally present the prototype
implementation in chapter six and conclude in chapter seven.
1.1
Motivation
In mobile banking data is electronically transmitted over wireless communi-
cation channels and the Internet. These processes raise issues of how users
are authenticated, how integrity of data is maintained and importantly the
confidentiality of this data. Considering the low extent of development of
ICT in developing countries when compared to the developed countries elec-
tronic banking has not really been able to diffuse into society given the low
rate of Internet access[15,16]. However the advent of mobile telephony has
seen the widespread adoption of cell phone usage this makes mobile banking
in the developing countries a very attractive service for the banking industry
7
Add New Comment