History Of Mobile Banking

Mobile banking is known as M-banking or SMS Banking. The european company called PayBox supported financially by Deutsche Bank, in 1999 started mobile banking. [i] SMS was the earliest mobile banking service offered. It is an emerging field in the banking segment. However, older phones had limited functionality. Mobile phones, palm PCs and PDAs were lacking hardware and software support. The higher cost of data plans and the slower network speed were also limiting factors in the growth of mobile banking. It has been improved with the advancement of the technology, the hardware and software. The cost of mobile devices has been reduced drastically and is still reducing. Network speed is much better than before and data plans are not as costly. All of these changes have provided necessary raw materials for the growth of mobile banking and the numbers of people using mobile banking is increasing day by day. Users, who were using computers/laptops for online banking, are moving towards mobile banking because of ease of use and fast access. In the USA, mobile banking was introduced in 2006 by Wachovia bank. [ii] In Sep 2007, Aite group predicted the mobile banking users in the United States would reach 1.6 million by the end of the year 2007 and will rapidly increase to 35 million by the year 2010. [iii] The report indicated the growth potential for mobile banking.

However, the security issues are the major concerns for mobile banking service providers and the users. As mobile banking systems mature, more users will start using mobile banking, which will draw the attention of the hacker community to target mobile banking customers mostly for financial gain. Safety and security of the personal and financial information stored and managed in the devices are the key factors for users, banking organization and the security community. The purpose of this paper is to gain basic knowledge of mobile banking, explain the different kinds of architecture used in mobile banking and identify the different security attacks and its countermeasures.

Mobile banking in US compare to other countries

Wachovia bank was the first to announce mobile banking services to their customers in Sep 2006 and re-launched in March 2007 followed by a few other banks. [iv] They developed their own banking product with AT&T. Bank of America started mobile banking services in March 2007 in collaboration with four major wireless carriers, which reported 500,000 users within the first 6 months. Initially, the services offered were funds transfer, bill payment, branch and ATM locations, account balance, etc. Since then there has been huge progress in mobile banking services. In 2009 and 2010 respectively, San Antonio, Texas-based USAA launched their new application for the iPhone and Android platform that is capable of remote deposit capture allowing users to take a photo of the check and deposit electronically. [v] In the middle of 2010 Chase bank also introduced the mobile RDC application for the iPhone. [vi] In Nov 2010, U.S. Bank and Visa announced a mobile payment system for their customers. [vii] They offer the service via use of the MicroSD card, which fits in most existing mobile devices. A month before that, U.S. bank launched a full suite mobile banking solution for prepaid cardholders with bill pay capabilities. Even though the US based banks provide different kinds of mobile banking services, they are still far behind of their counter parts in the world.

7Many banks in the world have offered mobile banking and financial services for years. European and Asian countries have been offering mobile banking services for years that vary for banking related services to the mobile “proximity” payments. Japan and South Korea are the world leaders in adopting mobile banking technology. Before 2004, the Internet was the only way of using mobile banking in Japan, which enabled customers to browse the merchant website through a web browser. However, customers still had to use their credit/debit cards for payments. In 2004, NTT DoCoMo started using FeliCa contactless IC chips developed by Sony for mobile devices, which can carry personal and financial information that facilitated remote payments and substituted mobile devices for cash and cards at merchants’ points of sale. In 2005, KDDI and Vodafone also adopted FeliCa. 7In 2002, SK Telecom and KTF launched their proximity payment programs in South Korea, which used an infrared technology. These programs were not successful because of number of reasons. In 2003, LG Telecom started South Korea’s first IC chip based mobile banking service, which significantly increased the market share of LG Telecom. The other carriers also adopted IC chips following the success of LG Telecom. Also, Visa and MasterCard have successfully operated in South Korea since 2006. Since then mobile banking services have come a long way in other countries of the world.

Difference between mobile banking and online banking/credit/debit card banking

At present, mobile banking provides almost the same kind of services as online, credit/debit card banking. When mobile banking services first started, the mobile devices were not able to support all mobile banking services and they were lacking hardware and software support. The initial mobile banking service offered was the SMS banking; while online banking was very well developed and was offering all kinds of banking services. Credit/debit card systems are also fully developed and people were able to use their cards at merchants’ point of sale and online for payments. However, technological advancements in mobile devices have enabled users to use mobile banking related services via SMS, web browser and mobile web applications. Currently available mobile devices have the same processing power as computers and they are still evolving. In some countries, mobile banking was started in the early 90’s and now offer a full suite mobile banking solution, which has features of online banking and credit/debit card banking. People are using their mobile devices to replace cash and cards. However, mobile banking services in the USA were started at the end of 2006. Most USA banks are still not offering full mobile banking solutions to their customers. U.S. banks recently announced proximity payment systems in 2010, which has been in use for a long time in other countries. Some of the features of online banking and credit/debit card banking are not available for mobile banking systems. So mobile banking systems in the US are less developed compared to online, credit/debit card banking in terms of services. However, as number of people enrolled in mobile banking increases and banks offer more services with a full range of solutions in the US, the line between mobile banking and online/credit/debit card banking will get thinner and, in the future, mobile banking will provide a combination service of online and credit/debit card banking in the US.

In terms of security, mobile banking is as secure as online banking and offers the same security features and protections. However, there is less number of users for mobile banking than online/credit/debit card banking, which reduces the risk of security threats. The hacking community is more targeted towards the online/credit/debit card banking for financial gain. A large number of antivirus, antimalware/spyware etc. available for online banking are not widely available for mobile banking. But with the increase in number of users for mobile banking, these software are also increasing. Mobile banking also carries the risk of some attacks called Vishing, SMishing and spoofing that are only possible in mobile devices. The security features and countermeasures for them differ from online banking. However, mobile banking provides the same security protections as the online banking, as most of them are derived from the experience with online banking.

Mobile banking services

5Mobile banking systems allow users to perform bank related transactions like balance checks, account transactions, bill payments, fund transfers, credit/debit card management, etc. through mobile telecommunication devices like mobile phones or PDAs (personal digital assistants). Mobile banking can be divided in three different concepts based on an academic model: (1) Mobile accounting, (2) Mobile brokerage and (3) Mobile financial information services. 6Mobile accounting services can be divided into account operations and account administration. Account operations include fund transfers, bill payments, etc. and account administration includes ordering checks, updating profiles and personal information, managing lost or stolen cards, etc. Mobile brokerage is related to buying and selling of stocks, securities, and obtaining current information about securities. Mobile financial information divides into account information and market information. Account information includes information on branch and ATM locations, credit/debit cards, statements, alerts, balance inquiries, etc., while market information includes products and services, currency exchanges, interest rates, etc.

Mobile banking advantages & disadvantages

Mobile banking offers many advantages to both, users and service providers. It is fast and easy to use and saves time. For online banking, an internet connection is an essential which is a major problem in developing countries. However, many individuals can find mobile connectivity at places where internet connection cannot be found. Mobile banking is cost effective for providers as cost of mobile banking is much less compared with onsite banking. Various kinds of banking services and transactions can be performed with mobile banking. However, mobile banking has many disadvantages too. Security issues are the major concern. Phishing scams, viruses and Trojans and physical loss of the mobile device are some of the security issues that affect mobile banking. The cost of the mobile devices, which are compatible with the mobile banking application and still quite high. Mobile requires a data plan and text messaging services, which is an added cost to the user. Some providers charge for software and mobile banking services as well.

Different types of mobile banking architecture

5There are three types of architectures available for mobile phones to enable mobile banking. Up until 2010 most of the mobile banking was performed by SMS or mobile web. With the advancement in mobile phones and following the success of Apple’s iPhone and other operating system based phones, mobile banking is increasing through the special client applications. These different architectures are further discussed below:

SMS or MMS based mobile banking

Mobile website

Mobile client application

SMS or MMS based mobile banking architecture

SMS based mobile banking was the first mobile banking service offered. It is based on plain text message interaction. 6,11SMS banking works in two different modes. Pull mode and push mode. Pull mode is a one-way text message system where the bank sends a text message to the users informing them about certain account situations. It can be used to promote other mobile banking services. Push mode is a two-way message system where users send text messages to the bank requesting specific transactions or services with predefined request codes and the bank replies with specific information pertaining to the transactions or services through plain text messages.

6,11There are two different kinds of text messaging systems: SMS and MMS. SMS is a short form of short message service, which includes sending or receiving plain text messages from the bank. It has a limitation on the number of characters can be included in a message. MMS, known as multimedia messaging service, is the second type of messaging service, which can carry larger text messages and works on the same platform as SMS. To use message based mobile banking, a customer has to enroll his/her cell phone to the bank and the bank sends a text massage with a onetime password. Each bank has its own SMS banking number and commands for mobile banking. The message based system has some advantages. It is cost effective and familiar technology, virtually available in each and every cell phone regardless of manufacturer, model or carrier. It provides two-way communication between the bank and the user, so either the bank or the customer can initiate communication. It does not transmit or store the confidential information in the mobile device. However, SMS cannot carry a larger message and account information. SMS has to be limited to certain number of characters which limits its use.

Mobile website based mobile banking architecture

6,11This architecture includes the use of the internet browser of the mobile device to access the bank’s internet banking website. Users can connect to the internet via a wireless network or their carrier’s internet service. The biggest advantage of this architecture is most of the processing is done at a remote server at the bank and much less information is stored in the mobile device. On the other hand, it doesn’t require the installation of special software and most of the phones today are capable of using an internet browser.

6,11WAP (wireless access protocol) was created in 1999 and made internet access possible through mobile devices. WAP is an industry standard for wireless applications for mobile devices. It provides the same kind of user experience to the customer as the Internet banking and it does not require the installation of a special mobile banking application. However, it has some disadvantages also. Banks have to create mobile websites that are mobile friendly and can be accessed through the small screen of mobile device. It does not work with all kinds of phones and requires smart or PDA phones. There is an added cost for data plans and only customers can initiate communication. This system is more prone to attack as mobile devices are not capable of running firewalls or antivirus protections.

Mobile client application based mobile banking architecture

6,11This architecture requires the download and installation of a mobile client application to the mobile device. With the help of the application a bank can provide a wide range of services to their customers. Although this approach has some advantages and some disadvantages. First of all, users have to learn a new application. The application has to be customized to different phones which increases the development cost to the banks. The applications are also susceptible to attacks and only customers can initiate communication. The older phones are not capable of running this application because of technical limitations. The use of internet requires a data plan that increases the cost on the part of customers. (A data plan requires to use client application based mobile banking architecture, which increases the cost on the part of customer.) Some of the banks charge an initial fee for downloading and installing the mobile client application.

Mobile banking security requirements

Confidentiality

Authentication

integrity

non-repudiation

Security attacks/threats

Mobile banking is an emerging technology and the number of mobile banking subscribers increases day by day. With the increase in number of users, the concerns for security also rise. Different kinds of security attacks are as follows:

What kinds of attacks are more on which types of architecture model?

Vishing12

Vishing is a social engineering attack over the telephone system. It is a type of phishing and it is a combination term of voice and phishing. Mostly it uses features facilitated by Voice over IP (VOIP), to gain access to private, personal and financial information from the public (information of the users). It is used to get the authentication information of the user mostly for financial gain.

13Phishing

Phishing is an another kind of social engineering attack in an electronic communication to acquire sensitive information like usernames, passwords and credit card details by redirecting unsuspecting users to a fake website with the use of an authentic looking email. It can also be carried out by instant messages.

14Smishing

Smishing is also a social engineering attack similar to phishing. The name is derived from ‘SMs phiSHING’. It uses the text message system of the phone to get private, personal, and financial information of the user. A web site URL embedded in the text message may act as a ‘hook’. However, the phone number that connects to the automated voice response system has become more common.

15,16Spoofing

Spoofing is an attack where a person or program successfully masquerades as another with falsifying data. A spoofing attack causes the telephone network to display a number on the recipient’s caller-id-display. This number is familiar and looks like it came from a legitimate source, which is not an origination source actually.

6Lost and stolen phones

This is one the biggest threats for mobile banking. Mobile phones are small and portable and could be easily lost or stolen. Authentication, authorization and confidentiality are the areas to be considered when mobile devices are lost or stolen. 19In 2001, 1.3 million devices were lost or stolen in the UK. 17In 2006, over 1 billion phones were sold worldwide. Of those 80 million were smartphones, which have operating system and can store all kinds of information. 18A survey found that 34% users didn’t even use a PIN. This threat increases with the increase in the number of phones.

6Cracking and Cloning

Cracking a mobile device means modifying its software to gain control of that particular mobile device. Attackers find the ways to break or crack the software and once cracked the attacker has the access to the data stored in the device. An IPhone cracked by an ISE is an example of phone cracking. Attacker found?? an exploit in the iPhones web browser, deployed a fussing attack and injected invalid data into a program looking for the buffer overflow. With cracking, the software attacker can also view SMS logs, call history, etc. or send that data to their machine. Bluetooth is also vulnerable to phone crack attack. 17If Bluetooth is on, any Bluetooth device can connect to the phone within a 30 foot range. An attacker can use bluesnarfing and download, upload or edit files on a device without the owner’s permission. Default setting can be change by attacker.(Even once a Bluetooth device connected with phone, attacker can change the default setting also.) 20One survey in London found that 379 out of 943 phones had their default setting on and 138 out of 379 were vulnerable to attack.

Making identical copies of anything is known as cloning. Cloning of a mobile device creates a second device, which has the same identical information as the original device. Cloning new phones is difficult while older phones were easy to clone with some basic equipment. 17Cloning of GSM phones is much more difficult in comparison to cloning of CDMA phones. Cloning of CDMA phones only requires a phones electronic serial number and mobile identification number. A few ALLTEL customers had their phones cloned during their visit to different places. Cloning can affect all carriers and all kinds of phones if they are left on. 21With less than $2000, any attacker can build a cloning device that can capture the signals from a mobile device. It can capture the signals sent out by the phone from up to a mile away and get the codes that identify the phone. Cracking and cloning are active threats to mobile banking. Cracking can be used to get sensitive data from the phone or to install malware while cloning can duplicate all information from the phone and an attacker can get about half of the information to identify the phone.

6,22Man-In-the-Middle attack(MIM)

MIM is considered a threat to the confidentiality and integrity of people. It is a form of active eavesdropping in which attacker makes independent connections to victims by positioning him/herself in between two victims to take control of communication between them with the intention of interception and alteration of information and relays it to others, making them believe that it came from the other person and not from the attacker. The attacker must be able to intercept all messages and alter them while it is transit. It is also known as active wiretapping or traffic intercepting. The chances of this kind of attack increases with the use of wireless connection compared to other more secured connections.

Viruses, malware and malicious code

24Malicious code is a software in the form of viruses, malware or worms. These kinds of software can be inserted into a system without the knowledge of the user. The primary intent of inserting the software is to gain private personal and financial information of the user and compromise the integrity and confidentiality of the system. It affects the victims’ private data, applications, operating systems or sometimes just annoys the users. 23Mobile browsers are susceptible to the same kind of security risks as home or office computers. Mobile browsers are little safer at this point compared to computers. With the increase of mobile banking, the numbers of these kinds of software will increase. However, at present, the increasing number of viruses and Trojan horses is the biggest concern to mobile banking security. 25The mobile devices running windows operating system are a favorite target for the hacker community.

26The first generation viruses were proof-of-concept viruses. The Commwarrior virus spreads over Bluetooth and MMS. SymbOS.skulls is a Trojan horse that affects symbian phones and changes all the application icons to skull icons. In 1994, the Cabir worm spread as an infected SIS package called caribe.sis. It spread via open Bluetooth connections and affected Symbian Series 60 phones. Timifonica virus infected PCs in 2000 and sent harmless text messages to cell phones. There are also software that infect mobile devices and look for personal information like stored password or other sensitive information. Some Trojans can steal address book information and send that information to hackers via SMS or MMS. 6Bluetooth can be used easily to spread these viruses. Most digital phones available today are Bluetooth enabled and any Bluetooth device can be infected within range. In Finland, a mobile malware was spread from Bluetooth to Bluetooth device during a soccer game. However, while Bluetooth is the easiest way to spread viruses it is not the only way. Malware have been written that use Internet and cellular networks to spread. SMS and MMS can also be used to spread viruses and malware.

Therefore, this threat is a recent major concern for banks and users. Vast number of attacks can be launched with use of viruses and malware.

Security countermeasures

Security of mobile banking is an important and a crucial issue. In addition to that, wireless communication increases the vulnerability of the system. Therefore, more robust security system is necessary to protect the private personal and financial information of the users. Following are some of the countermeasures discussed in the paper.

What kinds of countermeasures are more required and more available for which types of architecture model?

User authentication

27Authentication is process of identification of something or someone as authentic. There are three different ways by which someone can be authenticated. These three categories are based on the factors of authentication: what you know, what you have or what you are. Each of these factors have a range of elements. Research has suggested that for better security at least two or preferably three factors be verified. If two elements are required for authentication it is called as two-factor authentication while two or more than two factors authentication is known as multi-factor authentication. 6FFIEC requires banks to use multiple forms of authentication for electronic banking. All mobile banking systems need to use at least two-factor authentication for user identification.

6Authentication techniques based on what user knows including a combination of the pin number, the username, the password and the onetime password for mobile banking. Research has shown security concerns with this technique as users use weak passwords, write it down or share with others. 28Therefore, to increase the protection of the mobile device pin protection or distributed pin verification scheme has been suggested in which one-half of the pin is stored in the mobile device and rest of the half is stored in a remote machine in the network. So the attacker can get only half of the pin from the phone’s memory.

6Another technique uses what user has. This includes ID card, cell phone, credit card etc. Use of any of the above forms is not a reliable technique as the user must have the physical possession of them.

6Biometrics is an another form of authentication that includes face, voice, fingerprint, DNA sequence etc. 18Clarke and Furnell found in a survey that 83% of populations were in favor of using biometric system for authentication. 29A report on biometric security for mobile banking in March 2008 discusses the different issues of the mobile banking and suggests use of biometric system for more robust security with the help of a user’s fingerprint as a biometric element. 6Behavior analysis can also be used as a security measure where users are granted or denied access based on their previous behavior. A robust system uses multiple forms of identification before and during use of an application and if necessary asks for more accurate form of identification. If the user fails they are locked out.

Encryption

30Encryption means changing or transforming the information in an unreadable form to anyone with the help of algorithm. A key is required to make the information readable again. This process is called decryption. Encryption addresses the confidentiality issue. Encryption can be used to protect data ‘at rest’ and ‘in transit’. There are vast numbers of incidents reporting data interception in transit.

6There are two different ways to protect the data on the phone. (1) Encryption of information stored in the phone and (2) Encryption of the information during communication. 31The current encryption technique is AES and ECC. The wireless data is encrypted with AES and the encryption key uses ECC to encrypt this data. They increase the speed of encryption and decryption and currently they are the most powerful technology available for encryption. 6CellTrust uses AES and micro clients to protect the SMS messages and send encrypted SMS messages. ClairMail recommends the use of SSL and HTTPS during communication. TPM is another tool that can help with encryption and protection of mobile devices. It is an embedded chip in the motherboard that can work with mobile devices or security smartcards. It can store keys, passwords, digital signature and certificates. 32TPM chip has a unique RSA key embedded in it during production. So it can be used to perform platform authentication. For example, to verify mobile devices seeking access for mobile banking.

Digital signature

33Digital signature is an electronic signature that can be used to identify the authenticity of the message of the document. It is also known as digital cryptographic signature. It can be used with encrypted or unencrypted message. A valid digital signature indicates that the message or document was sent by a known person and it was not altered in transit. Digital signature also represents non-repudiation. Therefore, ones the message has been sent and digitally signed, the signer cannot deny that he/she did not sign a message. 6With the help of Digital signatures customer can sign the document and does not have to visit branch office. In mobile banking, adding a digital signature to the transaction proves that a customer authorized the transaction.

31At present digital signature technology uses RSA algorithm and ECC algorithm. Because of higher security level, low calculating processing speed, small storage space and low band-width requirement ECC will be more suitable for mobile banking.

WPKI technology

34PKI (public key infrastructure) is a security mechanism for wireless internet and uses public key cryptography and certificate management for communications. It provides all four of the security feature for e-commerce: confidentiality, integrity, non-repudiation and authentication.

35WAP (wireless access protocol) is developed by WAP forum to provide a common format for internet transfers for mobile devices. The WAP stack includes five layers: WAE, WSP, WTP, WDP and WTLS. WAP consists of WIM, WTLS, WMLScrypt and WPKI.

31Wireless application protocol PKI is an extension of traditional IETF PKI standards used in wired network. It is mainly used in wireless network. WPKI applications have to work in a restricted environment like less powerful CPUs, less memory, less storage space, small displays etc. Therefore, WPKI must be optimized like the other security and application services within WAP environment. WPKI uses a public key system based on ECC algorithm for encryption and decryption. With the help of this system the information can safely reach to its destination. In the presence of other security protocols like WIM, WTLS and WMLScrypt of WAP, WPKI can fulfill all four security requirements for mobile banking: confidentiality of data, identity and authentication, integrity and non-repudiation.

Conclusion

The number of people use mobile devices is rising rapidly. Advanced technology in mobile device field has overcome the limitations of the older phones. Newer phones have a wide range of functions and improvement in hardware and software support, which enabled users to use mobile devices as substitute for computers. These mobile devices are capable of performing complex functions, which enabled users to manage their finances through mobile devices.

There are three different kinds of architecture for mobile banking. SMS based system works in almost any mobile device. Web based systems are similar to internet system and they are more popular in the USA. The client application system offers robust solution to mobile banking. However, all of these systems have security issues those need to identified and addressed in a proper fashion. Confidentiality, authentication, integrity and non-repudiation are the most important security requirements for any mobile banking system.

Authentication of the user and encryption of the data presents serious challenges to the mobile banking system. Implementing the various types of authentication and encryption technology can improve the mobile banking security, which reduces customers’ fear against security issues and increase