Short Message Services Encryption Security Mobile Banking Computer Science Essay


Abstract - Mobile banking has brought a new revolution and value-added financial services to customer banking and has shaped the way customer banking is done in recent years. The default data format for the short message service (SMS) in the Global System for Mobile Communication (GSM) is plaintext, so SMS messages can easily be read or modified by an eavesdropping intruder, or even by employees within the operator's network, which makes SMS too insecure for mobile banking. This term paper focuses on the SMS encryption methods that can be used to provide secure mobile banking for customers.

Index Terms- Mobile banking, GSM, SMS, Encryption.


The influence of technology on banking institutions over the past decade has resulted in various developments in the way banking transactions are performed in various parts of the world. One of the major revolutions in the banking industry is the emergence of mobile banking. Mobile banking lets customers conduct banking and financial services from their cell phones, which gives bank customers flexibility and ease of banking transactions right from their mobile handsets. Various international and local banks have also introduced different mobile banking applications. According to researchers, mobile banking can be divided into three main parts, namely mobile accounting, mobile brokerage and mobile financial information services [1].

Mobile banking customers expect to have real-time information and access to their accounts and to perform activities such as account balance checking, business transactions and payments at any time of the day, wherever they might be. The convenience, efficiency and effectiveness of mobile banking have been the attracting force for the continuous increase in mobile banking customers. Major services such as mobile brokerage, electronic account management, financial information and alerts have given network operators and banks a competitive advantage and have also strengthened customer loyalty and trust. As the use of mobile banking spreads, the vulnerable handsets and associated platforms will be the target of hackers and other criminal minds [1]. In essence, just like online banking, mobile banking has security issues attached to its use.

In this paper, section 2 examines the various proposals and experiments that try to provide secure SMS for mobile banking. Section 3 discusses the proposed solutions in detail, while section 4 gives the conclusion after examining the different proposals.


Various data encryption proposals and issues relating to mobile banking are discussed in different papers below.

Narendiran et al. [2] proposed an end-to-end security framework using public key infrastructure (PKI) for mobile banking. This security framework employs public key cryptography for customer certificates and digital signatures. The PKI works as follows: each mobile banking user is listed in a public key directory alongside his/her public key. When the user wants to send a message to the bank's server, he/she obtains the bank's public key from the directory and uses it to encrypt the message. The encrypted message is then sent to the bank's application server, which decrypts it with its private key. Furthermore, the user digitally signs the message by encrypting it with his/her private key to ascertain non-repudiation. The appropriate use of PKI solves the major problem of any system based on asymmetric cryptography pertaining to the signing of the root certificate and maintenance of the required infrastructure. Narendiran et al. also performed an experiment to test their proposed end-to-end security solution, from which they came to the conclusion that the more secured a network is, the greater the performance.

Nie et al. [1] discussed encryption technology for mobile banking, considering the low computing and storage capacity of the mobile terminal, which prevents it from supporting complex encryption, compared with the high computing power of the PC used for complex encryption and authentication in online banking. To overcome this barrier, present mobile devices use a symmetric AES encryption algorithm and an asymmetric ECC encryption algorithm. It was observed that this method not only ensured data security but also increased the speed of encryption and decryption.

Hossain et al. [3] proposed enhancing the security of SMS in GSM. In this proposal, both encryption and a digital signature are incorporated into the SMS transmission. Encryption is done with the existing A8 GSM encryption algorithm. A hash of the encrypted message is created, digitally signed and then transmitted. The encryption ensures message privacy, while the digital signature ensures authentication, data integrity and non-repudiation.

Chikomo et al. [4] investigated the security threats in mobile banking implementations using the GSM network. Their focus was to propose a solution that will provide secure platforms for mobile bank users to bank using SMS and General Packet Radio Services (GPRS).


Concerning the security shortfalls of the current mobile banking short message service, it should be noted that the initial idea for SMS usage in GSM was to send non-sensitive messages across the open network. Security measures such as SMS encryption, end-to-end security, mutual authentication and non-repudiation were not included in the original design of the GSM architecture. GSM authentication is one-way: the mobile phone is authenticated to the base station but not vice versa, so it is possible for a false base station to capture traffic from the mobile phone. The encryption algorithm used is A5, which has been proven to be vulnerable, so a secure algorithm needs to be put in place.

Taking a critical look at the various proposals and experiments on the encryption of data for mobile banking, all the suggestions will be analyzed critically. From the objectives laid out in the different proposals, it is quite evident that cryptographic systems, both asymmetric and symmetric encryption, together with message authentication, will be used. One of the notable proposals by the authors in [1] was that, in order to reduce the calculation of the encryption strength and to guarantee higher safety, mobile devices should use the AES symmetric encryption algorithm and the ECC (Elliptic Curve Cryptography) asymmetric encryption algorithm. AES is used to encrypt the data in wireless transmission, while the encryption key is itself encrypted with ECC. This method ensures data security and also increases the speed of encryption and decryption. AES and ECC were said to be the most powerful encryption to protect against hackers, being extremely difficult to bypass. Although the computing speed and safety of the RSA algorithm are almost as good as those of ECC, ECC is preferable when it comes to digital signatures for mobile banking [1] because RSA is found to use more processing power [3].

The experiments performed by Narendiran et al. measured the impact of time and memory on the performance of three encryption algorithms (RSA, AES and 3DES) running on a mobile phone. It was discovered that 3DES and AES took more latency time and memory consumption compared to RSA.

Since SMS will continue to play a vital role in mobile banking, a solution that provides a secure messaging protocol was proposed and demonstrated by Chikomo et al. [4] for the mobile banking used by some South African banks. The secured messaging protocol was integrated with the mobile banking system in order to improve the SMS security features in mobile banking and help to overcome the existing SMS security shortfalls present in the GSM architecture. The secured SMS protocol is divided into two parts: the first is message generation, in which the mobile phone generates the message and sends it to the server, and the second is the message security checks, in which the server reads the received message and performs security checks.

During mobile banking transactions, the mobile phone captures all the necessary security information from the user, which is used to generate the secured SMS to be sent to the server. To maintain message integrity, some of the contents used for calculating the message digest must be encrypted so that, if the message is intercepted by an attacker, they cannot be used to generate another digest. The key used for encryption is generated from a one-time password entered by the user, which is known only to the server and the user. After the application completes processing the security contents, the contents are placed in the SMS message in line with the message structure and sent to the server via the GSM network. When the server receives the message from the cellular network, it performs various security checks on the message and, if they pass, retrieves the one-time password from the database and uses it as the decryption key to decode the encrypted contents. Once the decryption is successful, the one-time password is discarded and the server's sequence counter is increased by a value of 1. The secure contents are read by the server and used to calculate the message digest, with the same algorithm used by the mobile application. The server then compares the two message digests to check message integrity. If nothing in the message has been altered, the server then retrieves the PIN (i.e. the account holder's password) from the message and compares it to the account holder's PIN in the server's database. If all checks are passed, the requested transactions are performed.
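The message generation and server-side checks described above can be sketched as follows. This is an added example, not code from Chikomo et al. or from the essay: the field names, the PBKDF2 key derivation, the SHA-256 digest and the HMAC-based keystream cipher are all assumptions made so that it runs with the Python standard library alone.

```python
import hashlib, hmac, json

def otp_key(otp, acct):
    # Assumption: the key is stretched from the one-time password with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), acct.encode(), 100_000)

def keystream_xor(key, seq, data):
    # Stand-in cipher (HMAC-SHA256 keystream); the essay names no algorithm here.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, f"{seq}:{off}".encode(), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def digest_of(acct, seq, secure):
    return hashlib.sha256(f"{acct}|{seq}|".encode() + secure).hexdigest()

def build_sms(acct, seq, otp, pin, request):
    # Phone side: the PIN and request travel encrypted; the digest covers them.
    secure = json.dumps({"pin": pin, "req": request}).encode()
    return {"acct": acct, "seq": seq, "digest": digest_of(acct, seq, secure),
            "enc": keystream_xor(otp_key(otp, acct), seq, secure).hex()}

class Server:
    def __init__(self, accounts):
        self.accounts = accounts  # acct -> {"pin": str, "seq": int, "otps": [str]}

    def handle(self, sms):
        rec = self.accounts.get(sms["acct"])
        if rec is None or not rec["otps"] or sms["seq"] != rec["seq"]:
            return "rejected: account/sequence"   # unknown sender or replay
        key = otp_key(rec["otps"][0], sms["acct"])
        secure = keystream_xor(key, sms["seq"], bytes.fromhex(sms["enc"]))
        # A stream cipher cannot fail to decrypt, so the digest match is the
        # evidence of a correct key and an unmodified message.
        if not hmac.compare_digest(digest_of(sms["acct"], sms["seq"], secure),
                                   sms["digest"]):
            return "rejected: integrity"
        rec["otps"].pop(0)      # one-time password is discarded
        rec["seq"] += 1         # sequence counter increased by 1
        body = json.loads(secure)
        if not hmac.compare_digest(body["pin"], rec["pin"]):
            return "rejected: pin"
        return "ok: " + body["req"]

def demo():
    # Constructed account record and message, for illustration only.
    server = Server({"ACC1": {"pin": "4821", "seq": 7, "otps": ["k3-otp", "m9-otp"]}})
    sms = build_sms("ACC1", 7, "k3-otp", "4821", "BALANCE")
    return server.handle(sms), server.handle(sms)   # second call is a replay
```

Because the sequence counter advances and the one-time password is consumed on acceptance, resending a captured message fails the first check even though its digest is still valid.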

The proposal by Hossain et al. [3] deals with the enhancement of SMS in GSM for mobile banking. In this proposal, the SMS is encrypted using the existing A8 and A5 encryption algorithms, and the SMS is treated just like any other voice or data traffic in the GSM network. Everything is in accordance with the GSM specification. Along with the ciphered SMS, a digital signature is incorporated. In this research, the Secure Hash Algorithm (SHA-1) is incorporated as the digital signature. The encrypted SMS is signed with the private key of the signing message (i.e. SHA-1), and this signed encrypted message is sent to the GSM cellular network along with the encrypted message. It should be noted that, in the digital signing, the encrypted message is fed into the SHA-1 algorithm to get a 160-bit SHA-1 hash, and the RSA algorithm then signs the hash. The subscriber then sends the signed hash and the encrypted message to the bank via the cellular network. At the receiver end, the bank's server requests the corresponding public key for verifying the message from the verification key center, and the signed and unsigned encrypted messages are separated. The receiver then applies the public key to the signed message and decrypts it. It also makes a hash of the unsigned encrypted SMS message. The receiver then compares the hash recovered from the RSA-signed SHA-1 hash of the sender's message with the hash of the unsigned encrypted SMS message. If they match, the message has been verified as original; otherwise, the message has been altered. After the SMS has been verified, the receiver decrypts it with the cipher key using the GSM A5 algorithm, as is done in voice communication. The secured SMS communication should be done in real time and with a minimal acceptable delay.
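The signing and verification steps above, shown as an added example that is not code from Hossain et al. or from the essay. The key is a constructed toy RSA key used without padding, the length-prefixed packaging is an assumption, and the encrypted SMS is treated as opaque bytes; SHA-1 is kept only because the proposal specifies it.

```python
import hashlib

# Constructed toy key: two known Mersenne primes give a 196-bit modulus, just
# wide enough for a 160-bit SHA-1 value. Unpadded and far too small for real use.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # sender's private exponent
SIG_LEN = (N.bit_length() + 7) // 8    # signature width in bytes

def sha1_int(data: bytes) -> int:
    # 160-bit SHA-1 hash of the encrypted SMS, as an integer for RSA.
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sender_package(encrypted_sms: bytes) -> bytes:
    # Sender: hash the ciphertext, sign the hash with the private key, and
    # send the signed hash together with the (unsigned) encrypted SMS.
    signature = pow(sha1_int(encrypted_sms), D, N)
    return (len(encrypted_sms).to_bytes(2, "big") + encrypted_sms
            + signature.to_bytes(SIG_LEN, "big"))

def receiver_verify(package: bytes):
    # Receiver: separate the two parts, apply the public key to the signed
    # hash, and compare it with a fresh hash of the encrypted SMS.
    if len(package) < 2 + SIG_LEN:
        return None
    n = int.from_bytes(package[:2], "big")
    if len(package) != 2 + n + SIG_LEN:
        return None                      # truncated or padded package
    encrypted_sms = package[2:2 + n]
    signature = int.from_bytes(package[2 + n:], "big")
    if signature >= N or pow(signature, E, N) != sha1_int(encrypted_sms):
        return None                      # altered in transit: do not decrypt
    return encrypted_sms                 # verified: hand over for A5 decryption

def demo():
    ciphertext = bytes.fromhex("9f1c4be2a07d5533e1")   # constructed sample bytes
    package = sender_package(ciphertext)
    tampered = bytearray(package)
    tampered[2] ^= 0x01                                # flip one ciphertext bit
    return receiver_verify(package) == ciphertext, receiver_verify(bytes(tampered))
```

Verification happens on the ciphertext, so an altered message is rejected before any decryption is attempted.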


The various proposals have been analyzed by different authors and, where possible, demonstrated using experiments [2] to prove that the secured SMS message used for mobile banking can be delivered successfully using cryptography.