Dr. V.N. Sastry
Professor, IDRBT & Executive Secretary,
+91-40-23534981 to 84
October 30, 2012
Main Points
• MBS Issues
  • Common
  • Specific
• Developments
  • MPFI TSG on Mobile Banking Security (MBS)
  • IBA-IDRBT WG on MBS
  • IDRBT MBS Lab
• WPKI
MBS Issues
• Awareness and education on MBS
  • As per the user's background
  • In his/her native language
  • Specific to the mobile phone's features
• Enabling secure banking services
  • Through multiple mobile communication channels (SMS, USSD, IVRS, GPRS, NFC)
  • On different types of mobile phones (low end, medium and high end)
  • Using the features supported by the mobile phone
MBS Issues (Contd.)
• Developing customized Mobile Banking applications as per the OS
• Testing each of the Mobile Banking applications
• Handling complaints about side-channel and malware attacks on mobile phones
• Taking measures for fraud detection and prevention
• Scalability issues in supporting high-volume, real-time mobile payment transactions
• Verification of MBS models and protocols in a simulated testing environment
MBS Lab Experiments
MBS Problems
1. Verification of Security Properties
2. Authentication and Key Agreement Protocols
3. Access Control Models
4. Cryptographic Techniques
5. Secure Mobile Payments: IMPS, AEPS, Mobile Wallet
6. NFC-based Mobile Payments
7. Mobile Banking Services (SaaS) in a Secure Banking Cloud Framework
8. Autonomic Computing (Self-Healing and Self-Protecting) in Securing Mobile Operating Systems and Mobile Banking Applications
9. IVRS-based Customer Education Service in all Indian Languages
10. MANETs for Financial Inclusion
11. Formal Methods for Design and Analysis of Secure Mobile Payment Protocols
12. Testing of Mobile Banking Applications: Functionality, Security and Compliance
Mobile Banking Security
• Device Level Security
• Communication Level Security
• Application Level Security
Three Major Sections of a Mobile Phone
• Power Section
  • Power distribution
  • Charging section
• Radio Section
  • Band switching
  • RF power amplification
  • Transmitter
  • Receiver
• Computer Section
  • CPU (central processing unit)
  • Memory (RAM, Flash, combo chip: SIM, USIM)
  • Interfaces
Classification of Mobile Attacks
• Behaviour based
  • Virus
  • Worm
  • Trojan
  • Spyware
• Environment based
  • Channel based: SMS, NFC, Wi-Fi, Bluetooth, GPRS, IVRS, USSD
  • Application based
    • System (OS)
    • External (Mobile Banking App)
Attacks by Type of Malware (Q1 2012)
• Virus: malicious code that attaches itself to a host file and replicates when the host software runs.
• Worm: self-replicating code that spreads automatically across a network.
• Trojan: a program that appears to be a useful application but actually harbours hidden malicious code.
• Spyware: software that reveals private information about the user or the system to eavesdroppers.
Some Reported Attacks on Mobile Phones
• Phishing
• Botnet
• Fake Player
• Trojan horse
• Bluejacking (Symbian)
• BlueBug
• BlueSnarfing
• BluePrinting
• Cabir (the first, in 2004)
• Comwar
• Skulls
• Windows CE virus
WIRELESS PUBLIC KEY INFRASTRUCTURE (WPKI)
1) Certificate Authority
2) Validation Authority
3) Registration Authority
4) Certificate Repository
5) Digital Certificate
6) Digital Signature
WPKI Implementation for MBS Requires
• ECC (Elliptic Curve Cryptography)
• Crypto SIM enabled mobile phone
• SLC (Short-Lived Certificate)
• OCSP (Online Certificate Status Protocol) for certificate validation
ELLIPTIC CURVE CRYPTOGRAPHY (ECC)
• ECC is a public-key cryptosystem.
• One main advantage of ECC is its small key size: a 160-bit ECC key is considered to be about as secure as a 1024-bit RSA key.
• It uses the Elliptic Curve Digital Signature Algorithm (ECDSA).
• ECDSA provides signature generation and signature verification.
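The two ECDSA operations named on this slide, signature generation and signature verification, worked through in code. This is an added example written for this page, not IDRBT's or the MBS Lab's code: it implements the curve arithmetic from scratch so both operations are visible, uses NIST P-256 rather than the 160-bit curve the slide mentions (an assumption; P-256 is the common modern choice), and signs a constructed sample transaction string. It is illustrative only: the scalar multiplication is not constant-time and a real deployment would sign inside the crypto SIM or a vetted library.

```python
"""ECDSA sign/verify over NIST P-256, from scratch, for illustration."""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4, D.1.2.3)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt):
    """True for the point at infinity (None) or any (x, y) on y^2 = x^3 + Ax + B."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p1 == -p2
        return None
    if p1 == p2:                          # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                 # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Right-to-left double-and-add (timing depends on k; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def _hash_to_int(msg):
    # SHA-256 output is 256 bits, the same as n, so no truncation is needed.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def generate_keypair():
    priv = secrets.randbelow(N - 1) + 1        # d in [1, n-1]
    return priv, scalar_mult(priv, G)          # Q = dG


def sign(priv, msg, k=None):
    """Signature generation: r = x(kG) mod n, s = k^-1 (z + r d) mod n."""
    z = _hash_to_int(msg)
    while True:
        if k is None:
            k = secrets.randbelow(N - 1) + 1   # fresh per-signature nonce; reuse leaks d
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s
        k = None                               # astronomically rare: retry


def verify(pub, msg, sig):
    """Signature verification: x(u1 G + u2 Q) mod n must equal r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    # Reject keys that are not valid points of order n (invalid-curve defence).
    if pub is None or not on_curve(pub) or scalar_mult(N, pub) is not None:
        return False
    w = pow(s, -1, N)
    u1, u2 = _hash_to_int(msg) * w % N, r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    return pt is not None and pt[0] % N == r


def demo():
    """Sign a constructed IMPS-style transaction and show what verification rejects."""
    priv, pub = generate_keypair()
    tx = b"IMPS 100.00 INR to 9876543210@bank ref 0001"   # constructed sample
    sig = sign(priv, tx)
    _, other_pub = generate_keypair()
    return {
        "valid": verify(pub, tx, sig),
        "tampered": verify(pub, tx.replace(b"100.00", b"900.00"), sig),
        "wrong_key": verify(other_pub, tx, sig),
    }


if __name__ == "__main__":
    print(demo())   # {'valid': True, 'tampered': False, 'wrong_key': False}
```

Two points matter for a bank-side verifier more than the arithmetic: the nonce k must be fresh and unpredictable for every signature (a repeated k lets anyone recover the private key from two signatures), and the public key taken from a WPKI certificate should be checked to be a point of order n before use, which is what the extra `scalar_mult(N, pub)` check in `verify` does.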
MBS TESTING
• Functional Testing
  • Interface Mapping
  • Test Case Writing & Execution
  • Transactions, Behaviour & Performance
• Security Testing
  • Secure Storage
  • Secure Communication
  • Verification of Security Properties
  • Levels of Security
• Compliance Testing
Mobile Ad-hoc Networks (MANET) for Mobile Banking and Financial Inclusion
• A MANET is a mobile wireless network.
• MANET nodes are rapidly deployable, self-configuring and capable of autonomous operation in the network.
• Nodes co-operate to provide connectivity and services.
• It operates without a base station or centralized administration.
• Nodes are mobile, so the topology is dynamic.
• Nodes must be able to relay traffic for one another.
• A MANET can be a standalone network or can be connected to external networks (Internet).