SMS Based Mobile Banking Surapaneni Pujitha*, B Veera Mallu**

advertisement
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
SMS Based Mobile Banking
Surapaneni Pujitha*, B Veera Mallu**
*(Department of Computer Science And Engineering, K.L University, India
** (Department of Computer Science And Engineering, K.L University, India
Growth in the M-Banking is driven by various
Abstract:
facilities like convenience of banking operations,
M-banking has one of the main division of
greater reach to consumers and Integration of
m-commerce. Mobile banking services consists
other m-commerce services with mobile banking.
of information inquiry, notifications and alerts,
In M-banking there is no place restriction, it is
applications and payment transfer.Mobile based
highly penetration coefficient as growth of
application is used for connecting customer
mobile phones are more than computers, it is
handset with bank server for all such services.
fully
Current M-banking applications used by banks
transaction authenticity and is 100% available all
are facing security challenges for payment
the time with users.
personalized
and
private
increasing
transfer banks are using secure payment gateway
However, there are several challenges that
and other security measures which increases cost
need to be addressed to completely utilize the
and infrastructure for bank but major day-to-day
benefits
banking applications are inquiries, notifications
compatibility, security, scalability, reliability.
and alerts. The problem with current banking
Due to increase in use of mobile handsets for
applications is that they send data directly to
many m-commerce applications, Chances of
customer in plain text form compromising with
mobile hacking for financial benefits are heavily
security.
increased.Currently mostly all banks in India and
of
the
M-Banking
like
handset
We present SMS based secure mobile
outside are sending text SMS directly to the
banking which enhances security with minimum
customer handset for basic bank services without
cost. In this approach bank hides customer
any security which can be accessed by any
transaction data is secure SMS using AES
malicious person and can use this information for
symmetric cryptographic algorithm and send it
getting access to customer account. OTA
customer
handset.
(Over-the-air) mobile data can be hacked in
Customer application decrypts data in secure
network path from bank to customer mobile
manner.
handset including MPIN, a password use for user
application
supported
identification in M-banking. Thus there is a need
Keywords: M-banking, MD5, AES, MPIN
of secure and cost effective solution which can be
easily provided on all types of handsets. Our
1.INTRODUCTION:
objective is to provide cost effective, secure, fast
M-banking system is one which provides all daily
M-banking solution combining features of
banking operations to customer with one
cryptography.
click of his mobile handset with supported
application. M-banking system has potential to
In this paper we have presented SMS based
secure mobile banking with minimum cost using
cryptography.
provide access or delivery of very specific and
highly necessary information to customer .
ISSN: 2231-5381
http://www.ijettjournal.org
Page 1211
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
2. M-BANKING CHANNELS:
various languages like J2ME, .NET having
M-banking can be executed using various
advantages that it can use GPRS, USSD or SMS,
channels like SMS, USSD, GPRS, WAP; Phone
MMS to carry the consumer data/instruction in an
based
Application, SIM Application. All of
encrypted format and it is operator independent.
these channels are used separately or combined
These are secure application which resides on
for various banking operations
supported handset.
A. Short Message Service (SMS)
E. SIM Application Tool Kit
SMS is the simplest form of mobile banking.
The SIM Application Toolkit allows for the
It is largely used for information-based services.
service provider or bank to house the consumer’s
SMS
amongest
mobile banking menu within the SIM card. STK
consumers since all the mobile phones support
is the most secure method of mobile banking. It
SMS. Short messages are stored and forwarded
allows the bank to load its own encryption keys
by SMS centres. These messages have some
onto the SIM card with the bank’s own developed
security issues.
application.
B.
has the maximum reach
Unstructured
Supplementary
Services
Delivery (USSD)
3. CURRENT M-BANKING
Even though various channels are available
USSD is a technology unique to GSM. It is a
for M-banking most of the banks uses SMS as
capability built into the GSM standard for support
basic and cheap channel for basic banking
of transmitting information over the signalling
operations. Currently all banks in India like ICICI,
channels of the GSM network. USSD provides
HSBC, SBI etc are not using any encryption
session-based
Turnaround
techniques in SMS based M-banking system.
response times for interactive applications are
They are using simple text based SMS for
shorter for USSD than SMS. In USSD, the
customer queries in which they directly send
interaction is in the form of a continuous session
account information to customer only hiding
as opposed to SMS. USSD is available on all
some digits of account number which can be
handsets.
easily hacked by any hacker or seen by anyone
communication.
from message inbox. Even though some banks do
C. Wireless Application Protocol (WAP) /
provide some other channel like GPRS and WAP
General Packet Radio Service (GPRS)
but cost of implementation is more and these
GPRS is a packet-switched data service
facilities are not available on all types of mobile
available to GSM users.GPRS enables services
handset thus there is a need of secure and cost
such as WAP access, Multimedia Messaging
effective solution which can be easily provided
Service (MMS), and Internet communication
on all types of handsets.
services such as email and World Wide Web
access in mobile phones. WAP is wireless
A. Issues in M-banking
application protocol used over GPRS. It is similar
to Internet banking. The consumer’s handset
1) Lack of Standards: The lack of standards gives
needs to be WAP enabled. WAP banking is open
rise to lot of local and fragmented versions of
to similar threats as Internet banking.
m-payments offered by different stakeholders.
Standards need to address security and privacy
D. Phone-based Application
concerns of customers as well as interoperability
Phone based applications are developed in
ISSN: 2231-5381
between various implementations.
http://www.ijettjournal.org
Page 1212
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
this means that messages are not sent directly to
2) Device constraints: There are technical issues
the recipient but via a network SMS
related to the mobile devices .The mobile phones
Centre.
suffers
from
various constrains like
less
SMS comprises two basic point-to-point
processing power and memory, bandwidth, short
services as Mobile-originated short message
battery life , frequent disconnections, tiny screens,
(MO-SM) and Mobile-terminated short message
poor resolution and privacy issues.
(MT-SM). Mobile-originated short messages are
transported from MO capable handset to SMSC
3) Security Issues: Securing m-Commerce is
whereas Mobile-terminated short messages are
even more difficult than wired transaction.
transported from SMSC to the handsets. The
Device constraints raise the questions as to
figure no. 1 shows a typical organization of
whether there will be adequate security for users
network elements in a GSM network supporting
without compromising the ease of use and speed.
SMS.
Current real time M-banking application of
various banks uses plain text messages without
any security algorithm for sending data hence any
malicious user can access customer important
data on mobile and
Fig. 1. Basic model of SMS based M-banking
used it for malicious purpose thus direct sending
of data is not suggestible for M-banking. SMS are
The benefits of SMS to subscribers are
prone to spoofing and there are issues related to
convenience, flexibility, and seamless integration
SMS
technology
of messaging services and data access, delivery
manufacturers are developing improved security
of notifications and alerts, guaranteed message
for
deliver,
encryption.
applications
However
with
authentication
and
reliable,
low-cost
communication
encryption technologies and many claims that the
mechanism, increased subscriber productivity,
transaction using mobile device is fully secure.
delivery of messages to multiple subscribers at a
There are many techniques for secure M-banking
time.
operations but major research work has been
The SMSC (Short Message Service Centre)
done on Cryptography and steganography
is the entity which does the job of store and
techniques. Cryptography is a process of
forward of messages to and from the mobile
converting plaintext data into cipher text using
station. The SME (Short Message Entity), which
cryptographic algorithms. They insure basic
is typically a mobile phone or a GSM modem,
security
can be located in the fixed network or a mobile
requirements
like
authentication,
confidentiality, integrity and non-repudiation.
station, receives or sends SMS. The SMSC
usually has a configurable time limit for how long
B. Basics of Short Message Service
it will store the message. SMS Gateway
Short Message Service (SMS) is the ability
SMS Gateway is an interface between software
to send and receive text messages to and from
applications mobile networks. An SMS Gateway
mobile telephones. SMS was launched as a part
allows interfacing software applications to send
of GSM1 standard. Each short message is up to
and/or receive SMS messages over mobile
160 characters in length. The 160 characters can
network.
comprise of words, numbers, or punctuation
A GSM Modem modulates outgoing digital
symbols. Short Message Service is a store and
signals from a computer or other digital device to
forward service;
signals for a GSM network and demodulates the
ISSN: 2231-5381
http://www.ijettjournal.org
Page 1213
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
incoming GSM signal and converts it to a digital
signal for the computer or other digital device.
internet.
Secure M-Banking server side application is
developed in windows compatible environment
4. PROPOSED SOLUTION:
like VB.NET which can be installed on bank
Current real time M-banking application of
application server. Application is consisting of
various banks uses plain text messages without
SMS Service,Information Manage, Account
any security algorithm for sending data in SMS
Details Manage, User Request modules to receive
banking hence any malicious user can access
and process secure encrypted message from
customer important data on mobile.
customer mobile. SMS Service module is
Proposed
symmetric
secure
M-banking is based
cryptographic
techniques
on
responsible for retrieving and replying secure
where
SMS automatically whenever they reaches server
common secret key is shared among bank
GSM handset / Modem.
customer and bank server. Proposed Architecture
Bank database consists of various tables
consists of 4 components as Customer Mobile
storing customer details pertaining to his personal
application, Bank Server application, Bank side
information,Account information and transaction
mobile / GSM Modem, Bank database and
information. Bank database stores customer
wireless OTA [1]. Our solution uses windows
confidential information like his MPIN, Mobile
mobile as client application platform and .NET
identification pin and encryption keys in
framework as server side software. Customer
encrypted and secure manner.
interested in using M-Banking facilities has to
We have discussed various major types of
make registration only once with corresponding
M-Banking channels as SMS, GPRS, WAP and
bank. Bank has all necessary details of customer
USSD out of which every channel has own
in database. Bank sends Customer–side mobile
advantages and disadvantages. WAP and GPRS
application developed for windows mobile to
are good and provide session based security but
user. Application will be installed once on
they are handset dependent and also in rural part
windows
This
of India all mobile operators are not providing
application consists of Login screen along with
respective services.USSD is used along with
get session key option, menu screen for bank
SMS and requires separate infrastructure.
services options, and encryption and decryption
Thus SMS channel is simple, easy to implement,
screens for outgoing and incoming secure SMS
cheaper and widely used channel which is device
and send message screen to send SMS to server
independent. Current SMS based M-banking
GSM handset /Modem. Application will be
service has many drawbacks as SMS is inherently
updated as and when bank updates it.
developed in GSM for non-sensitive message
mobile
supported
handset.
Bank will have GSM mobile Handset /
transfer among users. Mutual authentication, text
GSM modem connected to bank application
encryption,
server. GSM handset will be connected to
non-repudiation is not present in design of GSM
application server using either Bluetooth or USB
architecture [16]. Major issues with SMS based
cable having SIM card installed in it which has
banking are SMS Spoofing which is an attack
task of receiving, processing and replying
where malicious user sends out SMS message
customer SMS continuously. GSM handset/
which appears to be sent by original sender.
modem are cheaper and can be easily installed
Current SMS architecture allows hiding original
but have slow speed for message handling which
sender’s address by altering respective field in
can be increased by
original SMS header. Also SMS has encryption
connecting modem with SMSC centre over
only during path from base trans receiver station
ISSN: 2231-5381
http://www.ijettjournal.org
end-to-end
security
and
Page 1214
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
and mobile station.End-to-end encryption is not
in plain test format so that at the server end,
available.
information can be retrieved to get required keys
from database.
5. IMPLEMENTATION:
Session key: - It is onetime key randomly
We have implemented proposed solution
generated from customer MPIN inputted in bank
in .NET platform for windows mobile in
server database during M-Banking registration
windows
mobile
process. This key is stored in 2nd field of
application in .NET framework runs on supported
message. Customer makes a request to get
windows mobile handset for which we have used
session key from his handset to bank server. Bank
HTC mobile and bank server application is
server will reply this with encrypted session keys
running in .NET along with any GSM handset
stored in file, which will be stored on customer
connected in Bluetooth / USB mode to it. We
handset.
have added secure SMS structure which provides
Cipher Text: - This text is created from
extra security
combination of plain text and MPIN and stored in
along with satisfying security parameters. This
3rd filed of message structure. Main idea behind
secure SMS will add extra security features like
this is to protect data from malicious attacker. As
cryptographic and hashing algorithm to satisfy
MPIN is most important data and from which
confidentiality, integrity,
session keys are created to be used for encryption
authentication and non-repudiation. Our system
and decryption purpose, hence it s send in
is based on secure SMS protocol and it uses SMS
encrypted manner.
as media to send and receive encrypted
Message Digest: - Message digest is used for
information.
checking integrity. Customer message digest is
.
calculated from combination of plain text and
A. Secure SMS Message Structure
MPIN and stored in 4th field of secure SMS.
environment.
Customer
The secured SMS message is divided into
MD5 algorithm is used to calculate message
multiple fields’s to accommodate for the various
digest on both ends. This received digest will be
security checks required for the protocol. Figure
compared with calculated digest at bank server
no. 2 shows the structure overview for a secure
end , if not found of same size then message will
SMS message. The use of each labelled structure
be discarded as fake transaction and no message
is explained below.
will be send to mobile handset from which
Account
Session Key
request is sent.
No
(generated from MPIN)
(6 Digit)
B. Sending Secure SMS from Client Mobile
Whenever customer wish to make any
transaction using M-banking, he will run
Cipher Text
(Plain Text+MPIN)
Message
Digest
Fig. 2. Secure SMS message Structure
application installed on handset and provide all
necessary details. We have used 6 transactions for
testing purpose and information collected from
user on his handset is used to generate secure
Secure SMS message structure proposed by us
SMS. After registration customer will get mobile
consists of 4 fields’s as shown in above figure.
application installed once on his windows mobile.
Account Number: - It is customer account
Customer will enter 4-digit MPIN which will be
number in bank which is first field used for
stored in server database in encrypted format
authentication purpose. This information is stored
using his password. For non-repudiation purpose
ISSN: 2231-5381
http://www.ijettjournal.org
Page 1215
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
we have added concept of one time session key.
inbox. We have used ActiveX control for this
Server uses customer MPIN to generate session
purpose. Bank Server application splits received
key randomly and again stored them in encrypted
secure SMS in same 4-parts.
format.
Server reads first part, a plain text 6-digit
Customer runs the banking application and
account number and compares it with database
feed details of 6-digit account number, 4-digit
stored account number. If match is not found, it
MPIN and 4-digit password and click button to
will send message “Wrong Account Number” to
get session key. Server sends generated session
customer handset. If account match is found then
key to customer handset which will be stored in
server uses 2nd part of secure SMS, which is
encrypted format on his handset. Customer goes
session key send by user to decrypt 3rd part of
to menu screen, chooses requires account type
received secure SMS.
and type of transaction he wish to perform and
After decrypting 3rd part of SMS, server
goes to next screen. Mobile client application
application gets combination of plaintext as
shows 4 entries on next screen consisting of
customer original transaction query followed by
session key received, generated fixed plain text
4-digit MPIN. Server application compares
message depending upon transaction chosen,
received MPIN with stored MPIN from server
cipher text created from combination of plain text
table if a match is not found, will send message
and MPIN and 4-part secure message. Secure
“Wrong Pin Number” to customer handset.
SMS contains account number in plain text,
Server calculates message digest of 3rd part
session key in encrypted format, cipher text
received using MD5 algorithm and compare it
created from plain text and MPIN and message
with received massage digest, 4th part of secure
digest calculated from message. Customer will
SMS to check for message integrity. If match is
send message to sever using as normal message.
not found, server generates message on server
side “Fake Transaction” and sends nothing to
C. Receiving and Replying Secure SMS from
customer side handset as it may be off any
Server Module
malicious user.
Proposed Server is running on computer
If all security checks are proper, Server
installed with required software like VB.NET,
application process query of customer and get
Windows mobile device centre and SDK, .NET
required data from database encrypts data using
compact framework, MS-access and Server side
session key received from customer and sends
application. Server side application has four
automatically to customer handset.
modules as SMS Service, Information Manage,
Transaction Manage and User Requests. SMS
6. EXPERIMENTAL RESULTS:
service module retrieves SMS received at Server
We have developed two applications for
side handset and decode it to get original query
client and server side. Mobile client application is
send by customer. Server application process
developed using .NET compact framework and
query, get required data from bank database and
VB.NET, installed on windows mobile supported
then sends it in encrypted format to customer
HTC mobile device. This application is used by
mobile through bank side modem.
customer for
Whenever Customer sends any secure SMS
various
M-banking
transactions
to
send
containing his transaction query to server side
encrypted secure SMS to bank Server and gets
GSM Modem, Server application automatically
back encrypted reply from bank Server. Client
retrieves secure SMS and deletes it from server
and Server side application performs symmetric
attached handset to avoid flooding of message
encryption and decryption using 256-bit AES
ISSN: 2231-5381
http://www.ijettjournal.org
Page 1216
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
symmetric encryption algorithm. MD5 algorithm
is used for hashing purpose. Server side bank
Fig. 3. Generating 4-Part Secure Message
application is developed using VB.NET it uses
SMS toolkit, an ActiveX control to retrieve and
This secure SMS is retrieved by server side
process secure SMS automatically. Server side
SMS service module. Server application split
application also contains certain modules for
message and decrypt it to get original transaction
database management of customer account and
query of customer. This query is processed to get
transactions
response data from database which is firstly
Normally
symmetric
cryptographic
encrypted and then send to customer handset.
algorithm don’t have non-repudiation as both
Customer handset get auto reply from server
party shares common secret key but we have used
side in cipher text, which is decrypted on mobile
session
maintaining
by client side application to get server response in
non-repudiation property of encryption. Since
plain text. The Figure no.4 shows response
Session key is used only once and created
obtained automatically from server for account
randomly, no two users can have common session
balance. This reply consists of 3 parts. First part is
key and it is created from MPIN, a master key
common session key used by server and client.
which customer only knows so he cannot deny
Second part is cipher text received from server
that he has done transaction.
application in secure manner. Third part is plain
key
concept
for
We have carried out 6 types of transaction
text message obtained after decrypting secure
including Account Balance, Mini transactions,
message received from server. Client mobile
Cheque Book Request, Cheque Stop request, Pay
application uses 256-bit AES algorithm to
Bill and Fund Transfer. Following are some
decrypt message using common session
sample client application module. The figure no.
key.
3 shows session key, user query in fixed plain text
This message will be hidden from customer
format, cipher text generated from combination
and he will only get final query results in plain
of plain text and his MPIN and 4-part secure SMS
text format but for result purpose we have shown
message generated as per format discussed. This
this screen.
last message is sent to server.
ISSN: 2231-5381
http://www.ijettjournal.org
Page 1217
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
from HTC windows mobile and using VB.Net
server side application. We have used LG GSM
mobile as server attached mobile device.
Experiments shows that secure SMS Mobile
banking provides cost effective and secure
system
with
satisfying
Confidentiality,
Authentication, Integrity and Non-Repudiation
using symmetric cryptography. Application can
be used on any windows mobile supported
handset from anywhere as no GPRS and WAP are
required.
We
have
implemented
system
using
symmetric key AES algorithm. In future better
power consumption algorithm like blowfish can
be tried out. Steganogrpahy can also be applied
for secure M-banking transactions. We can use
concept of STK, SIM application toolkit where
bank can stored the application and encryption
Fig. 4. Secure Reply from Server
keys on SIM.
To be a secure system, it must satisfy
Confidentiality, Authentication, Integrity and
REFERENCES:
Non-Repudiation Secure SMS system maintains
[1] Przemyslaw Krol, Przemysław Nowak,
confidentiality using AES cryptography and
Bartosz Sakowicz,”Mobile Banking Services
Non-Repudiation
Based On J2ME/J2EE”, CADSM’2007.
using
session
key.
Here
3-factor authentication is used for authentication
[2] Yousuf S. AlHinai, Sherah Kurnia and Robert
and security purpose whereas Message integrity
B. Johnston,”Adoption of Mobile, Commerce
is carried out using MD5 algorithm.
Services by Individuals: A Meta-Analysis
of the Literature”, Sixth International Conference
7. CONCLUSION AND FUTURE WORK:
We have implemented a secure SMS based
on the Management of Mobile Business .
[3] T N T Nguyen, P Shum and E H Chua,”Secure
Mobile Banking system. The system allows user
end-to-end mobile payment System”.
to carry out all banking transaction securely from
[4] Ashutosh Saxena, Manik Lal Das and Anurag
anywhere, anytime. All messages from user
Gupta,”MMPS: A Versatile Mobile-to-Mobile
windows mobile are sent in encrypted format to
Payment System”, Proceedings of the
bank server. Bank server decrypt message,
International Conference On Mobile Business
process query and encrypt result in SMS.Server
2005.
sends message to customer which will be
[5] Iuon-Chang Lin and Yang-Bin Lin,”An
decrypted on his handset. The evaluation of the
Efficient
system was
Commerce”.
studied for varying banking transaction and under
[6] Mohammad Shirali-Shahreza and M. Hassan
various security threatening malicious activities
Shirali-Shahreza, ”Text Steganography in SMS”,
were recorded. Performance of the transaction is
2007 International Conference on
studied.
Convergence Information Technology.
We have executed few banking transaction
ISSN: 2231-5381
Steganography
Scheme
for
M-
[7] Sandeep Singh Ghotra, Baldev Kumar
http://www.ijettjournal.org
Page 1218
International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue4- April 2013
Mandhan, Sam Shang Chun Wei, Yi Song, Chris
Steketee, ”Secure Display and Secure
Transactions
Using
a
Handset”,
Sixth
International Conference on the Management of
Mobile Business.
[8] Jiehua Wang, Song Yuan, “A Novel Security
Mobile Payment System Based On Watermarked
Voice Cheque”.
[9] M. Shirali-Shahreza, "Stealth Steganography
in SMS", Proceedings of the third IEEE and IFIP
International Conference on Wireless
and Optical Communications Networks 2006.
[10] Kewin Chikomo, Ming Ki Chong, Alpan
Arnab, Andrew Hutchison, “Security of Mobile
Banking”.
ISSN: 2231-5381
http://www.ijettjournal.org
Page 1219
Download