SMS Based Mobile Banking Surapaneni Pujitha*, B Veera Mallu**
advertisement
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 SMS Based Mobile Banking Surapaneni Pujitha*, B Veera Mallu** *(Department of Computer Science And Engineering, K.L University, India ** (Department of Computer Science And Engineering, K.L University, India Growth in the M-Banking is driven by various Abstract: facilities like convenience of banking operations, M-banking has one of the main division of greater reach to consumers and Integration of m-commerce. Mobile banking services consists other m-commerce services with mobile banking. of information inquiry, notifications and alerts, In M-banking there is no place restriction, it is applications and payment transfer.Mobile based highly penetration coefficient as growth of application is used for connecting customer mobile phones are more than computers, it is handset with bank server for all such services. fully Current M-banking applications used by banks transaction authenticity and is 100% available all are facing security challenges for payment the time with users. personalized and private increasing transfer banks are using secure payment gateway However, there are several challenges that and other security measures which increases cost need to be addressed to completely utilize the and infrastructure for bank but major day-to-day benefits banking applications are inquiries, notifications compatibility, security, scalability, reliability. and alerts. The problem with current banking Due to increase in use of mobile handsets for applications is that they send data directly to many m-commerce applications, Chances of customer in plain text form compromising with mobile hacking for financial benefits are heavily security. increased.Currently mostly all banks in India and of the M-Banking like handset We present SMS based secure mobile outside are sending text SMS directly to the banking which enhances security with minimum customer handset for basic bank services without cost. In this approach bank hides customer any security which can be accessed by any transaction data is secure SMS using AES malicious person and can use this information for symmetric cryptographic algorithm and send it getting access to customer account. OTA customer handset. (Over-the-air) mobile data can be hacked in Customer application decrypts data in secure network path from bank to customer mobile manner. handset including MPIN, a password use for user application supported identification in M-banking. Thus there is a need Keywords: M-banking, MD5, AES, MPIN of secure and cost effective solution which can be easily provided on all types of handsets. Our 1.INTRODUCTION: objective is to provide cost effective, secure, fast M-banking system is one which provides all daily M-banking solution combining features of banking operations to customer with one cryptography. click of his mobile handset with supported application. M-banking system has potential to In this paper we have presented SMS based secure mobile banking with minimum cost using cryptography. provide access or delivery of very specific and highly necessary information to customer . ISSN: 2231-5381 http://www.ijettjournal.org Page 1211 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 2. M-BANKING CHANNELS: various languages like J2ME, .NET having M-banking can be executed using various advantages that it can use GPRS, USSD or SMS, channels like SMS, USSD, GPRS, WAP; Phone MMS to carry the consumer data/instruction in an based Application, SIM Application. All of encrypted format and it is operator independent. these channels are used separately or combined These are secure application which resides on for various banking operations supported handset. A. Short Message Service (SMS) E. SIM Application Tool Kit SMS is the simplest form of mobile banking. The SIM Application Toolkit allows for the It is largely used for information-based services. service provider or bank to house the consumer’s SMS amongest mobile banking menu within the SIM card. STK consumers since all the mobile phones support is the most secure method of mobile banking. It SMS. Short messages are stored and forwarded allows the bank to load its own encryption keys by SMS centres. These messages have some onto the SIM card with the bank’s own developed security issues. application. B. has the maximum reach Unstructured Supplementary Services Delivery (USSD) 3. CURRENT M-BANKING Even though various channels are available USSD is a technology unique to GSM. It is a for M-banking most of the banks uses SMS as capability built into the GSM standard for support basic and cheap channel for basic banking of transmitting information over the signalling operations. Currently all banks in India like ICICI, channels of the GSM network. USSD provides HSBC, SBI etc are not using any encryption session-based Turnaround techniques in SMS based M-banking system. response times for interactive applications are They are using simple text based SMS for shorter for USSD than SMS. In USSD, the customer queries in which they directly send interaction is in the form of a continuous session account information to customer only hiding as opposed to SMS. USSD is available on all some digits of account number which can be handsets. easily hacked by any hacker or seen by anyone communication. from message inbox. Even though some banks do C. Wireless Application Protocol (WAP) / provide some other channel like GPRS and WAP General Packet Radio Service (GPRS) but cost of implementation is more and these GPRS is a packet-switched data service facilities are not available on all types of mobile available to GSM users.GPRS enables services handset thus there is a need of secure and cost such as WAP access, Multimedia Messaging effective solution which can be easily provided Service (MMS), and Internet communication on all types of handsets. services such as email and World Wide Web access in mobile phones. WAP is wireless A. Issues in M-banking application protocol used over GPRS. It is similar to Internet banking. The consumer’s handset 1) Lack of Standards: The lack of standards gives needs to be WAP enabled. WAP banking is open rise to lot of local and fragmented versions of to similar threats as Internet banking. m-payments offered by different stakeholders. Standards need to address security and privacy D. Phone-based Application concerns of customers as well as interoperability Phone based applications are developed in ISSN: 2231-5381 between various implementations. http://www.ijettjournal.org Page 1212 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 this means that messages are not sent directly to 2) Device constraints: There are technical issues the recipient but via a network SMS related to the mobile devices .The mobile phones Centre. suffers from various constrains like less SMS comprises two basic point-to-point processing power and memory, bandwidth, short services as Mobile-originated short message battery life , frequent disconnections, tiny screens, (MO-SM) and Mobile-terminated short message poor resolution and privacy issues. (MT-SM). Mobile-originated short messages are transported from MO capable handset to SMSC 3) Security Issues: Securing m-Commerce is whereas Mobile-terminated short messages are even more difficult than wired transaction. transported from SMSC to the handsets. The Device constraints raise the questions as to figure no. 1 shows a typical organization of whether there will be adequate security for users network elements in a GSM network supporting without compromising the ease of use and speed. SMS. Current real time M-banking application of various banks uses plain text messages without any security algorithm for sending data hence any malicious user can access customer important data on mobile and Fig. 1. Basic model of SMS based M-banking used it for malicious purpose thus direct sending of data is not suggestible for M-banking. SMS are The benefits of SMS to subscribers are prone to spoofing and there are issues related to convenience, flexibility, and seamless integration SMS technology of messaging services and data access, delivery manufacturers are developing improved security of notifications and alerts, guaranteed message for deliver, encryption. applications However with authentication and reliable, low-cost communication encryption technologies and many claims that the mechanism, increased subscriber productivity, transaction using mobile device is fully secure. delivery of messages to multiple subscribers at a There are many techniques for secure M-banking time. operations but major research work has been The SMSC (Short Message Service Centre) done on Cryptography and steganography is the entity which does the job of store and techniques. Cryptography is a process of forward of messages to and from the mobile converting plaintext data into cipher text using station. The SME (Short Message Entity), which cryptographic algorithms. They insure basic is typically a mobile phone or a GSM modem, security can be located in the fixed network or a mobile requirements like authentication, confidentiality, integrity and non-repudiation. station, receives or sends SMS. The SMSC usually has a configurable time limit for how long B. Basics of Short Message Service it will store the message. SMS Gateway Short Message Service (SMS) is the ability SMS Gateway is an interface between software to send and receive text messages to and from applications mobile networks. An SMS Gateway mobile telephones. SMS was launched as a part allows interfacing software applications to send of GSM1 standard. Each short message is up to and/or receive SMS messages over mobile 160 characters in length. The 160 characters can network. comprise of words, numbers, or punctuation A GSM Modem modulates outgoing digital symbols. Short Message Service is a store and signals from a computer or other digital device to forward service; signals for a GSM network and demodulates the ISSN: 2231-5381 http://www.ijettjournal.org Page 1213 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 incoming GSM signal and converts it to a digital signal for the computer or other digital device. internet. Secure M-Banking server side application is developed in windows compatible environment 4. PROPOSED SOLUTION: like VB.NET which can be installed on bank Current real time M-banking application of application server. Application is consisting of various banks uses plain text messages without SMS Service,Information Manage, Account any security algorithm for sending data in SMS Details Manage, User Request modules to receive banking hence any malicious user can access and process secure encrypted message from customer important data on mobile. customer mobile. SMS Service module is Proposed symmetric secure M-banking is based cryptographic techniques on responsible for retrieving and replying secure where SMS automatically whenever they reaches server common secret key is shared among bank GSM handset / Modem. customer and bank server. Proposed Architecture Bank database consists of various tables consists of 4 components as Customer Mobile storing customer details pertaining to his personal application, Bank Server application, Bank side information,Account information and transaction mobile / GSM Modem, Bank database and information. Bank database stores customer wireless OTA [1]. Our solution uses windows confidential information like his MPIN, Mobile mobile as client application platform and .NET identification pin and encryption keys in framework as server side software. Customer encrypted and secure manner. interested in using M-Banking facilities has to We have discussed various major types of make registration only once with corresponding M-Banking channels as SMS, GPRS, WAP and bank. Bank has all necessary details of customer USSD out of which every channel has own in database. Bank sends Customer–side mobile advantages and disadvantages. WAP and GPRS application developed for windows mobile to are good and provide session based security but user. Application will be installed once on they are handset dependent and also in rural part windows This of India all mobile operators are not providing application consists of Login screen along with respective services.USSD is used along with get session key option, menu screen for bank SMS and requires separate infrastructure. services options, and encryption and decryption Thus SMS channel is simple, easy to implement, screens for outgoing and incoming secure SMS cheaper and widely used channel which is device and send message screen to send SMS to server independent. Current SMS based M-banking GSM handset /Modem. Application will be service has many drawbacks as SMS is inherently updated as and when bank updates it. developed in GSM for non-sensitive message mobile supported handset. Bank will have GSM mobile Handset / transfer among users. Mutual authentication, text GSM modem connected to bank application encryption, server. GSM handset will be connected to non-repudiation is not present in design of GSM application server using either Bluetooth or USB architecture [16]. Major issues with SMS based cable having SIM card installed in it which has banking are SMS Spoofing which is an attack task of receiving, processing and replying where malicious user sends out SMS message customer SMS continuously. GSM handset/ which appears to be sent by original sender. modem are cheaper and can be easily installed Current SMS architecture allows hiding original but have slow speed for message handling which sender’s address by altering respective field in can be increased by original SMS header. Also SMS has encryption connecting modem with SMSC centre over only during path from base trans receiver station ISSN: 2231-5381 http://www.ijettjournal.org end-to-end security and Page 1214 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 and mobile station.End-to-end encryption is not in plain test format so that at the server end, available. information can be retrieved to get required keys from database. 5. IMPLEMENTATION: Session key: - It is onetime key randomly We have implemented proposed solution generated from customer MPIN inputted in bank in .NET platform for windows mobile in server database during M-Banking registration windows mobile process. This key is stored in 2nd field of application in .NET framework runs on supported message. Customer makes a request to get windows mobile handset for which we have used session key from his handset to bank server. Bank HTC mobile and bank server application is server will reply this with encrypted session keys running in .NET along with any GSM handset stored in file, which will be stored on customer connected in Bluetooth / USB mode to it. We handset. have added secure SMS structure which provides Cipher Text: - This text is created from extra security combination of plain text and MPIN and stored in along with satisfying security parameters. This 3rd filed of message structure. Main idea behind secure SMS will add extra security features like this is to protect data from malicious attacker. As cryptographic and hashing algorithm to satisfy MPIN is most important data and from which confidentiality, integrity, session keys are created to be used for encryption authentication and non-repudiation. Our system and decryption purpose, hence it s send in is based on secure SMS protocol and it uses SMS encrypted manner. as media to send and receive encrypted Message Digest: - Message digest is used for information. checking integrity. Customer message digest is . calculated from combination of plain text and A. Secure SMS Message Structure MPIN and stored in 4th field of secure SMS. environment. Customer The secured SMS message is divided into MD5 algorithm is used to calculate message multiple fields’s to accommodate for the various digest on both ends. This received digest will be security checks required for the protocol. Figure compared with calculated digest at bank server no. 2 shows the structure overview for a secure end , if not found of same size then message will SMS message. The use of each labelled structure be discarded as fake transaction and no message is explained below. will be send to mobile handset from which Account Session Key request is sent. No (generated from MPIN) (6 Digit) B. Sending Secure SMS from Client Mobile Whenever customer wish to make any transaction using M-banking, he will run Cipher Text (Plain Text+MPIN) Message Digest Fig. 2. Secure SMS message Structure application installed on handset and provide all necessary details. We have used 6 transactions for testing purpose and information collected from user on his handset is used to generate secure Secure SMS message structure proposed by us SMS. After registration customer will get mobile consists of 4 fields’s as shown in above figure. application installed once on his windows mobile. Account Number: - It is customer account Customer will enter 4-digit MPIN which will be number in bank which is first field used for stored in server database in encrypted format authentication purpose. This information is stored using his password. For non-repudiation purpose ISSN: 2231-5381 http://www.ijettjournal.org Page 1215 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 we have added concept of one time session key. inbox. We have used ActiveX control for this Server uses customer MPIN to generate session purpose. Bank Server application splits received key randomly and again stored them in encrypted secure SMS in same 4-parts. format. Server reads first part, a plain text 6-digit Customer runs the banking application and account number and compares it with database feed details of 6-digit account number, 4-digit stored account number. If match is not found, it MPIN and 4-digit password and click button to will send message “Wrong Account Number” to get session key. Server sends generated session customer handset. If account match is found then key to customer handset which will be stored in server uses 2nd part of secure SMS, which is encrypted format on his handset. Customer goes session key send by user to decrypt 3rd part of to menu screen, chooses requires account type received secure SMS. and type of transaction he wish to perform and After decrypting 3rd part of SMS, server goes to next screen. Mobile client application application gets combination of plaintext as shows 4 entries on next screen consisting of customer original transaction query followed by session key received, generated fixed plain text 4-digit MPIN. Server application compares message depending upon transaction chosen, received MPIN with stored MPIN from server cipher text created from combination of plain text table if a match is not found, will send message and MPIN and 4-part secure message. Secure “Wrong Pin Number” to customer handset. SMS contains account number in plain text, Server calculates message digest of 3rd part session key in encrypted format, cipher text received using MD5 algorithm and compare it created from plain text and MPIN and message with received massage digest, 4th part of secure digest calculated from message. Customer will SMS to check for message integrity. If match is send message to sever using as normal message. not found, server generates message on server side “Fake Transaction” and sends nothing to C. Receiving and Replying Secure SMS from customer side handset as it may be off any Server Module malicious user. Proposed Server is running on computer If all security checks are proper, Server installed with required software like VB.NET, application process query of customer and get Windows mobile device centre and SDK, .NET required data from database encrypts data using compact framework, MS-access and Server side session key received from customer and sends application. Server side application has four automatically to customer handset. modules as SMS Service, Information Manage, Transaction Manage and User Requests. SMS 6. EXPERIMENTAL RESULTS: service module retrieves SMS received at Server We have developed two applications for side handset and decode it to get original query client and server side. Mobile client application is send by customer. Server application process developed using .NET compact framework and query, get required data from bank database and VB.NET, installed on windows mobile supported then sends it in encrypted format to customer HTC mobile device. This application is used by mobile through bank side modem. customer for Whenever Customer sends any secure SMS various M-banking transactions to send containing his transaction query to server side encrypted secure SMS to bank Server and gets GSM Modem, Server application automatically back encrypted reply from bank Server. Client retrieves secure SMS and deletes it from server and Server side application performs symmetric attached handset to avoid flooding of message encryption and decryption using 256-bit AES ISSN: 2231-5381 http://www.ijettjournal.org Page 1216 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 symmetric encryption algorithm. MD5 algorithm is used for hashing purpose. Server side bank Fig. 3. Generating 4-Part Secure Message application is developed using VB.NET it uses SMS toolkit, an ActiveX control to retrieve and This secure SMS is retrieved by server side process secure SMS automatically. Server side SMS service module. Server application split application also contains certain modules for message and decrypt it to get original transaction database management of customer account and query of customer. This query is processed to get transactions response data from database which is firstly Normally symmetric cryptographic encrypted and then send to customer handset. algorithm don’t have non-repudiation as both Customer handset get auto reply from server party shares common secret key but we have used side in cipher text, which is decrypted on mobile session maintaining by client side application to get server response in non-repudiation property of encryption. Since plain text. The Figure no.4 shows response Session key is used only once and created obtained automatically from server for account randomly, no two users can have common session balance. This reply consists of 3 parts. First part is key and it is created from MPIN, a master key common session key used by server and client. which customer only knows so he cannot deny Second part is cipher text received from server that he has done transaction. application in secure manner. Third part is plain key concept for We have carried out 6 types of transaction text message obtained after decrypting secure including Account Balance, Mini transactions, message received from server. Client mobile Cheque Book Request, Cheque Stop request, Pay application uses 256-bit AES algorithm to Bill and Fund Transfer. Following are some decrypt message using common session sample client application module. The figure no. key. 3 shows session key, user query in fixed plain text This message will be hidden from customer format, cipher text generated from combination and he will only get final query results in plain of plain text and his MPIN and 4-part secure SMS text format but for result purpose we have shown message generated as per format discussed. This this screen. last message is sent to server. ISSN: 2231-5381 http://www.ijettjournal.org Page 1217 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 from HTC windows mobile and using VB.Net server side application. We have used LG GSM mobile as server attached mobile device. Experiments shows that secure SMS Mobile banking provides cost effective and secure system with satisfying Confidentiality, Authentication, Integrity and Non-Repudiation using symmetric cryptography. Application can be used on any windows mobile supported handset from anywhere as no GPRS and WAP are required. We have implemented system using symmetric key AES algorithm. In future better power consumption algorithm like blowfish can be tried out. Steganogrpahy can also be applied for secure M-banking transactions. We can use concept of STK, SIM application toolkit where bank can stored the application and encryption Fig. 4. Secure Reply from Server keys on SIM. To be a secure system, it must satisfy Confidentiality, Authentication, Integrity and REFERENCES: Non-Repudiation Secure SMS system maintains [1] Przemyslaw Krol, Przemysław Nowak, confidentiality using AES cryptography and Bartosz Sakowicz,”Mobile Banking Services Non-Repudiation Based On J2ME/J2EE”, CADSM’2007. using session key. Here 3-factor authentication is used for authentication [2] Yousuf S. AlHinai, Sherah Kurnia and Robert and security purpose whereas Message integrity B. Johnston,”Adoption of Mobile, Commerce is carried out using MD5 algorithm. Services by Individuals: A Meta-Analysis of the Literature”, Sixth International Conference 7. CONCLUSION AND FUTURE WORK: We have implemented a secure SMS based on the Management of Mobile Business . [3] T N T Nguyen, P Shum and E H Chua,”Secure Mobile Banking system. The system allows user end-to-end mobile payment System”. to carry out all banking transaction securely from [4] Ashutosh Saxena, Manik Lal Das and Anurag anywhere, anytime. All messages from user Gupta,”MMPS: A Versatile Mobile-to-Mobile windows mobile are sent in encrypted format to Payment System”, Proceedings of the bank server. Bank server decrypt message, International Conference On Mobile Business process query and encrypt result in SMS.Server 2005. sends message to customer which will be [5] Iuon-Chang Lin and Yang-Bin Lin,”An decrypted on his handset. The evaluation of the Efficient system was Commerce”. studied for varying banking transaction and under [6] Mohammad Shirali-Shahreza and M. Hassan various security threatening malicious activities Shirali-Shahreza, ”Text Steganography in SMS”, were recorded. Performance of the transaction is 2007 International Conference on studied. Convergence Information Technology. We have executed few banking transaction ISSN: 2231-5381 Steganography Scheme for M- [7] Sandeep Singh Ghotra, Baldev Kumar http://www.ijettjournal.org Page 1218 International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013 Mandhan, Sam Shang Chun Wei, Yi Song, Chris Steketee, ”Secure Display and Secure Transactions Using a Handset”, Sixth International Conference on the Management of Mobile Business. [8] Jiehua Wang, Song Yuan, “A Novel Security Mobile Payment System Based On Watermarked Voice Cheque”. [9] M. Shirali-Shahreza, "Stealth Steganography in SMS", Proceedings of the third IEEE and IFIP International Conference on Wireless and Optical Communications Networks 2006. [10] Kewin Chikomo, Ming Ki Chong, Alpan Arnab, Andrew Hutchison, “Security of Mobile Banking”. ISSN: 2231-5381 http://www.ijettjournal.org Page 1219
