Loading...

An Investigation into Authentication Security of GSM algorithm for Mobile Banking

©2013 Academic Paper 61 Pages

Summary

Due to the mobility of its users, GSM systems are vulnerable to an unauthorized access and eaves droppings when compared with the traditional fixed wired networks.
The main idea of this project is to develop an application device in order to secure mobile banking over unsecure GSM network. It is important to mention that mobile banking is a term that is used for performing balance checks, account transactions, payments, credit applications, and many other online applications. Unfortunately, the security architecture for cellular network is not entirely secure. As a matter of fact, GSM network infrastructure is proved to be insecure. Many possible attacks are documented in literature. For security was never considered in the initial stages, the sending of protective banking information across an open mobile phone network remains insecure.

Consequently, this project focuses entirely on the development and design of security techniques in order to asses some security issues within mobile banking through cellular phone network (GSM). The main aim of this project is to investigate and examine the following:
1. Security issues in each level of the mobile network architecture.
2. Messages and signals exchanged between user’s cellular phone and mobile network at each level.
3. The overall security architecture of GSM flaws.
4. Some existing security measures for mobile transactions.
5. The current security within SMS banking and GPRS banking.
Finally, two folded simulations in MATLABT were performed using OFDM which is a broadband multicarrier modulation method that provides a high performance operation to transmitted and received data or information.

Excerpt

Table Of Contents


Table of Contents:

Abstract

List of Figures

List of Tables

Abbreviations

Acknowledgment

Chapter1: Overview of mobile banking security
Introduction

Chapter 2: GSM security issues
Literature review
2.1 GSM network architecture and GSM security
2.2 Mobile Banking and security
2.3 SMS/GPRS banking services
2.4 End to End security architecture for mobile banking system

Chapter 3: The focus of study
3.1 Theoretical section
3.1.1 GSM and GPRS security architecture
3.1.2 Security mechanism in GSM network
3.1.2.1 GSM authentication centre
3.1.2.2 Authentication procedure
3.1.3 Issus with GSM network system
3.1.3.1 Problems with A3/A8 authentication algorithm
3.1.3.2 A5 algorithm problems
3.1.3.3 Attack on RAND value
3.1.4 Current mobile banking
3.1.4.1 Current SMS banking services in Oman
3.1.4.2 Wireless Application WAP
3.1.4.3 Issus in mobile banking in Oman
3.1.4.4 Security problems with GPRS using WAP Implementations
3.1.4.5 Security problems connected with using the GPRS network
3.1.5 Secure SMS solution
3.1.5.1 Secure SMS protocol
3.1.5.2 Message structure
3.1.6 Generation and sending secure SMS messages
3.1.6.1 Security of secure SMS protocol
3.1.7 Secure GPRS solution
3.1.7.1 Protocol message components
3.1.7.2 Client protocol Initialization
3.1.7.3 SGP handshake for Client
3.1.7.4 Server protocol initialization
3.1.7.5 SGP handshake for server
3.1.7.6 Keys and certificates storage in the bank server
3.1.7.7 Secure GPRS protocol

Chapter 4: Simulation Results
4. Results of the project

Chapter 5
5. Conclusion & Future work
References

Appendix A:
Practical section

Appendix B:
Code of Programs

Abstract:

GSM systems are vulnerable to an unauthorized access and eaves droppings when compared with the traditional fixed wired networks due to the mobility of its users. The main idea of this project is to develop an application device to secure mobile banking over unsecure GSM network. It is important to mention here that, mobile banking is a term used for performing balance checks, account transactions, payments, credit applications and many other online applications. But unfortunately, the security architecture for cellular network is not entirely secure. As a matter of fact, GSM network infrastructure is proved to be insecure and many possible attacks have well documented in the literature. Security was never considered in the initial stages therefore sending protective banking information across an open mobile phone network remains insecure. Consequently, this project focuses entirely on the developing and designing security techniques to asses some security issues within mobile banking through cellular phone network (GSM). The main aim of this project was to investigate and examine the following:

1. Security issues in each level of the mobile network architecture.
2. Messages and signals exchanged between user’s cellular phone and mobile network at each level.
3. The overall security architecture of GSM flaws.
4. Some existing security measures for mobile transactions.
5. The current security within SMS banking and GPRS banking.

Finally, two folded simulation in MATLABT were performed using OFDM which is a broadband multicarrier modulation method that provides a high performance operation to transmitted and received data or information. In other words, it is the most customary single that uses carrier modulation that gives high speed function in microwave frequency. Therefore, the first program was concerned with generating transmission and receiving the OFDM signal without channel noise effect. The second program was concerned with the effects of high power amplifier and channel noise on the OFDM signals. It is to be noticed here that the OFDM is a modulation that is especially suitable for wireless communication. Consequently, the suggested programme succeeded in achieving a limited noise or interference in the signal as the users complained and suffered constantly from this noise and from losing the data or the information.

List of Figures:

Figure 1: Modular Transaction Architecture

Figure 2: Distribution of GSM security Parameters

Figure 3: GSM Architecture

Figure 4: WAP External Network

Figure 5: WAP Protocol layers

Figure 6: Wireless Application Protocol WAP Layer

Figure 8: Protocol Overview

Figure 9: The ideal WAP Gateway in banking server

Figure 10: Message components sending

Figure 11: Packing of SGP message

Figure 12: Server unpacking and verifying full SGP message

Figure 13: OFDM system block diagram

Figure 14: Transmitter Data

Figure 15: QPSK modulated (transmission Data)

Figure 16: 4 QPSK

Figure 17: OFDM signal

Figure 18: Time domain signal comes out as spectrum out of FFT and IFFT

Figure 19: QPSK modulation (received Data)

Figure 20: Receiver data

Figure 21: Transmitter data

Figure 22: QPSK receiver data

Figure 23: OFDM after channel noise

Figure 24: Receiving data

Figure 25: OFDM Low Pass Filter Circuit and Ideal Filter Response Curves

Figure 26: Frequency signal Response use Low Pass Filter

List of Tables

Table 1: Project Results

Abbreviations

illustration not visible in this excerpt

Acknowledgment

I would like here to express my sincere thanks and deepest gratitude to my supervisor Dr. Aboubaker Lasebase, Head of Telecommunication Department. His constant guidance, painstaking reading and valuable instructions hare helped much in writing this research. His course on Telecommunication Security has helped a lot in developing the topic of this research.

Thanks are also extended to all the staff members who taught and supported me though out my whole study.

I would like also to express my gratefulness to my father, Professor Dr. Hussein Raheem and my mother professor Dr. Ibtisam Jasim, who have shared with me all my moments of aspiration and desperation. Their financial and moral generosity is beyond expression. I would like also to thank my sister and colleague Rand whose kind presence with me helps a lot in facing all the difficulties and challenges as an international student

My last but not least thanks are for all my friends and for all those who have helped me in one way or another in the different stages of my study .

Chapter 1: Overview of mobile banking security

1. Introduction:

We present age is witnessing rapid and continuous technological inventions. GSM is one of the greatest derives that man has ever invented and which is at present prevailing our planet. Today almost everyone uses GSM system in one way or another. The fact that infrastructure is already there makes this device easy and convenient to be used at the different types of human communication. In reality, GSM communication channel call is only partly encrypted. The security and authentication mechanisms incorporated in GSM make it the most secure mobile communication standard currently available, particularly in comparison with the analogue systems to be described. Part of the enhanced security of GSM is due to the fact that it is a digital system utilizing a speech coding algorithm, GMSK, digital modulation, slow frequency hopping and TDMA time slot architecture. In addition, GSM high security standard makes it the most secure cellular telecommunication currently available. Although the confidentiality of a call and anonymity of the GSM subscriber is only guaranteed on the radio channel, it is a prerequisite in achieving end to end security. The subscriber’s anonymity is ensured through the use of temporary identification number. The confidentiality of the communication itself on the radio link is performed by the application of encryption algorithms and frequency hopping which could only be realized by using digital system and signalling. Mobile Banking refers to the provision and availability of banking and financial services with the help of mobile telecommunication devices. The scope of offered services may include facilities to conduct bank and stock market transactions, to administer accounts and to access customized information. With the rapid development of technology, the mobile telecommunication technology has widely expanded in different world countries. Mobile banking becomes especially important and popular these days .It can provide customers with faster and highly qualified services to perform their banking and financial services with the assistance of mobile telecommunication devices. In addition, the majority of the mobile banking researchers have agreed that mobile banking consists of three main sections, namely mobile accounting, mobile brokerage and mobile financial which contains the information necessary for such services. On the other hand, the customer service sector has many processes such as balance checking, account transactions and payment. Furthermore, mobile banking can provide different facilities, such as LBS affiliated to the banks. Contrasted with the Internet banking, the mobile banking is completely secure and easier to be used. Added to this, mobile banking does not only provide basic services like traditional banks, but it can provide the customer with 3A services simultaneously; these services are anytime, anywhere and anyhow. Unfortunately, nothing is perfect in life, the security architecture for cellular network is not entirely secure because the GSM network infrastructure has been proved to be insecure and many possible attacks have been discovered as protection discretions are not well considered. As a result, sending protective banking information across open mobile phone network is entirely insecure. Accordingly, Margrave D (2006) (9), attempted to cover the security issues within mobile banking through cellular phone network (GSM). The goal was build portable device applications that ensure that users can send securely their banking information via mobile network. Obviously, the rapid growth of digital wireless communication in recent years has increased the need for high speed mobile data transmission. Now, modulation techniques were implemented to enhance communication capacity. Simulation by using MATLAB has been implemented to generate, transmit and receive OFDM signal without a channel noise effect and also to examine the effects of high power amplifier and channel noise on OFDM signals. The project, therefore, aspired to develop an application device to secure mobile banking over unsecure GSM network. Consequently, the project will deal also with some network security requirements such as authentication, non repudiation, authorization, availability, integrity, confidentiality and access control depending on the insecurity of existing protocol. However, it is quite possible that expected attacks were produced. Significantly, these attacks unravelled flaws existing in mobile banking protocols. The project, therefore, had algorithm for Mobile Banking to provide a convenient and effective means for customers to pay and perform other banking transactions. To sum it up , mobile banking service is a modified version of internet banking using cellular technology and GSM network as a medium to transfer request over wireless network as portrayed in the following picture.

illustration not visible in this excerpt

Figure 1: Modular Transaction Architecture

Chapter 2: GSM Security Issues

2. Literature review:

The aim of this part is to summarize and asses some research writings that have attempted to approach the topic under questioning. It intends also to show any possible connections and relevancies of importance between them and the subject of this research. This review is carried out through the discussion of four important sections:

- GSM network architecture and Security.
- Mobile Banking.
- SMS/ GPRS Banking Services
- End to End security architecture for the mobile banking system

2.1 GSM network architecture and Security:

The mobile wireless networks are somehow susceptible and vulnerable to unauthorized users access. This is because of the mobility and the flexibility provided by this GSM network to all users regardless of the varied nature of the covered area or place. GSM can be regarded as a system of mobile communication. In New Generation Features for GSM Systems, Liveris, Anagnostostopulos, Lykou and Stasinopoulos (2010) (46) pointed out that GSM offers enhanced features such as total mobility, in the sense that the subscriber has the ability to communicate in different areas covered by the GSM cellular network outside his home location or even out of his country. It can also provide an excellent and high capacity achieved by using the FDMA, TDMA, efficient speech coding and the GMSK modulation scheme. Furthermore, it introduces different services to the users such as voice communication, voice mail, short message transmission etc. Finally, they concluded that GSM possesses the most secure cellular communication standard. They enumerate the GSM features, but they did not tackle or discuss the vulnerabilities in the GSM network architecture.

Kasim and Eraul (2010) (4) similarly discussed and evaluated the security techniques in the GSM. However; they attempted to set a new protocol that can improve the security of the GSM. Regarding GSM architecture, they stated that GSM network can be divided into three important areas. The first area is the MS which is simultaneously a base for both the station of the subsystem and the network of the subsystem. Furthermore, the MS consists of two main important elements: the mobile equipment and the subscriber identity module. Moreover, the BSS controls the radio link and connects it with the MS. Besides, the network subsystem provides and performs the switching of the calls among mobile users and mobile fixed networks such as ISDN, PST…etc. Accordingly, Figure 2 shows the distribution of GSM security parameters and also the IMSI. When the cellular phone user moves from one domain to another, the user’s identity should be recognized at every domain or area of boundary encountered. The IMSI remains confidential, as it provides the user with privacy .The identity of the users or the subscribers are protected from any hacker who might cause damage to the network system. Those researchers went on to say in their article that making authentication to GSM can provide mobile communication system with more security. Consequently most GSMs are based on the authentication and encryption of the information (data) techniques which are capable of preventing hacker from stealing the information of the users. On the other hand, these techniques are not totally void of weaknesses or vulnerabilities. For instance, confidentiality is guaranteed only when the radio channel is exclusively between the MS and the BSS. Another problem arises when the mobile moves from one domain to another. Obviously, such movement has its direct effect on the quality of the security services. Furthermore, the user’s identity confidentiality depends on the user’s information in accessing the net work. In other words, when the user provides the system with wrong data, the system will break down. Therefore, this article gave indeed illuminating information security in GSM, but it does not mention how this new protocol could avoid different attacks, such as the Dos and man in the middle attack.

illustration not visible in this excerpt

Figure 2: Distribution of GSM Security Permanents (4)

“In solutions to the GSM security weaknesses”, Toorani and Shirzi 2010 (1) tackled some significant security vulnerabilities and flaws and attempted some practical solutions to improve the security of the currently available 2G system. In addition, they discussed some vulnerability in GSM System, such as Man in the Middle Attack, lack of user visibility, vulnerability to Denial of service Dos attack and vulnerability to replay attacks. As solutions, they suggested, for instance, using the secure algorithms for A3/A8 implementations that can protect the SIM card from any cloning attack. This suggestion was quiet reasonable because the network operators could improve themselves without any aid from software and hardware manufacturers or GSM consortium. Added to this, they offered another solution namely using the ciphering algorithms where the operators could use secure algorithms, like the A5/3 which can be implemented on both the BTS and the mobile phones. Any change in these algorithms would prevent communication between the BTS and the mobile phones. The idea behind this solution was to encrypt the traffic between the network components so as to prevent the attacker from modifying the transmitted data. The researchers, however, recommended highly using the End to End security for being the best, the easiest and the most advantageous solution. The significance of Toorani and Shirzi‘s paper lies in the fact that it is somehow related to the topic of this project especially in matter of developing an algorithm which can improve the mobile baking security.

2.2 Mobile Banking and security:

Definitely, the mobile banking has become greatly important nowadays, because it is faster and easier to be used and it saves time. However, security is a big challenge to this system because hackers form the most dangerous threat to this system. They can steal data and damage the system. Such issues were discussed by different writers in an attempt to identify security problems in banking application and to suggest remedial means to these problems. To begin with, Amir Herzberg (2003) (2) has discussed some challenging issues related directly to secure payments in the banking transaction process. He provides a modular architecture which supports the security when the transactions start from the bank to the users. In addition, his architecture consisted of three important independent processes. In the first one, the device could identify the user from his card, password or from the information that was stored in the database of the system. The second process was authentication which was considered as the most important process because it could identify the user on the network of the mobile banking. Also, it supported the security in this system; the mobile authenticates the transaction request through either subscriber identification or through the cryptographic mechanism labelled as public or private key. The third process was the secure performance, which depended on the by the mobile transaction quality provided to the user. Nonetheless, these processes do not provide good secure implementation to the mobile banking transaction; therefore they cannot be taken as reliable and trustworthy.

According to Chou et al. (2010) (47) the mobile banking payment architecture connected up the provided operator service provides and banking institution. He went on to say that the architecture permitted mobile consumers to buy services using the SMS and WAP. Therefore this architecture just provides an alternative payment idea but does not offer a clear picture concerning the process service delivery.

Elliott et al (2010) (14), however, established a payment system which used brands restrictive blinding signature to the mobile devices which could offer a multi-party security .As for Buchana et al (6), he combined the SET protocol and the TLS/WTLS protocol to enhance security services over the WAP 1.X for the payment in the m-commerce. Kungisdan et al. (0) on the other hand, suggested a payment protocol which provided a good measure of security. It is to be admitted here that this protocol meets the transaction security pre requisites using the public key based on payment protocols like the SET and the IKP.

Laforet (2006) (27) thought that mobile Internet banking is slowly increasing in China .At that year, there was only 33 % using online banking and 14% using mobile banking. Whereas, Howecroft et, (2005) (28) reported that younger consumers used mobile banking more than older consumers. Skmm (2005) (30) considered mobile phone as a good communication tool for the users to do their banking work in short time and from anywhere and at any time.

2.3 SMS/ GPRS Banking Services:

Since 1991, text messaging has been developing into GSM digital phone rapidly. According to Baron, Patterson, and Harries, (2010) (37) SMS short service is very crucial for mobile banking services. Harb and Farahat (2008) 19) believe that the SMS was the main medium for mobile banking for being quick and easy to be used by customers. A recent survey performed by Hudson (2008) (17) using SMS also emphasizes the dramatic increase in the last few decades, and as an example he mentions that the New Zealanders send 600 million messages per month. The number stated showed that the SMS become a very familiar device in mobile banking. The revolutionary development of the information technology enhanced the electronic banking process. According to the Zhang (2010) 48) the SMS mobile Banking is a new model that uses the SIM card together with the STK technology .The latter service is available in mobile phones via using different networks such as GSM, GPRS and CDMA. These techniques do not only save information in one place but have also a high process capacity represented in the micro- processing unit (CPU). Added to this, the STK is completely different from the SIM card which is used only for the user’s identity recognition. Furthermore, the information communication between the customer and the SMS mobile banking business centre can be completed only with a third party. Here the mobile telecommunication company makes a connection via using the GSM or the GPRS networks, using the internet short message and SMS mobile bank business centre. Therefore, the short message gateway provides a good exchange channel for the short message centre and the mobile bank business. In other words, the short message centre uses also the short message peer to peer protocol (SMPP), which subsequently makes communication with internet short gateway. On the other hand, SMS mobile bank can be attacked by virus attacker or denial service attacker, which can damage and loose the information. Although, this technology is very cheap and fast, it is very fragile in the face of attackers. In addition, the writer does not offer any positive solutions to the above mentioned problems. Similarly, Tekelec (2007) (40) also emphasizes the significance of the SMS banking services. But, he confirms too that this service was widely exposed to the unauthorized SS7 network hackers, who can spoof the data and use it for their own interests. GPRS used both 2G and 3G. However, GPRS 2.5 G had the ability to access the internet and also use multimedia messaging services such as the WAP. According to M.Shirali (2010) (25), the GPRS was one of greatest technologies that had been ever invented. The 2G GPRS service used data from 56 to 11 Kbit /second in the dial up modem speeds, which was rather slow. The 3G of the GPRS wireless network was indeed much faster. Paeng (2000) (1) tackles both the GSM and the GPRS security and authentication. The GPRS was based on the A3 algorithm, but he does not mention the security problem in A3 algorithm GPRS and he did not suggest any solutions which could change the performance of authentication.

2.4 End to End security architecture for mobile banking system:

Narendiran, Alblbert, Rabara and Rajendran (2010) (13) attempted an evaluation of End to End security architecture for mobile banking system. They proposed End to End security framework by using KI for the mobile banking. They pointed out how to encrypt the messages by using the public keys .End to End security performance guarantees the data transmitted using the X.409 sander. This article provides a lot of information about this technique, but it used an old version of sander certificate. We recommend, therefore, using a new sander such as X500, X509 and SSL. The problem with End to End security in mobile banking is that there is no full encryption data between the user and the bank, a deficiency which allows hackers to steal or destroy data.

Chapter 3: The focus of study

3.1 Theoretical section:

In the last few decades, the number of online banking users has increased with remarkable speed and cadence. This has given momentous to developers to devise more suitable methods of transactions to enable customers perform banking transactions from anywhere and at anytime. Although mobile banking is new, it is a very convenient system for users to make their transactions. The number of the bank users is being increased in a way similar to that of the mobile phone customers. The National Bank of Oman is a vivid example of this new trend in mobile banking implementation via applying the two important channels, the WAP on the GPRS, the SMS and the WIG. However, this implementation is not entirely void of weaknesses and blemishes. Consequently, this part of the project investigates the security threats faced by mobile banking implementations via using GSM networks. The aim is to build up transportable application devices so as to provide the users with more security when sending their bank information. These devices will promote the performance of the mobile banking users via two channels namely the SMS and the GPRS. To achieve this target, different points will be discussed. To begin with, an overview of the GSM architecture and the security weaknesses of this architecture will be provided .Then, the mobile banking solutions which are provided by NBO and their security shortfalls will be similarly discussed. Furthermore, suggested solutions to the SMS/GPRS banking protocol will be presented. Finally, prevalent mobile banking solutions will be compared to the suggested solutions. A comparison table will be drawn to illustrate this comparison.

3.1.1 GSM and GPRS security architecture

Needless to say, GSM is widely distinguished in different parts of the world as a very appropriate form for mobile phone. Figure 3 shows the simple structure of the GSM architecture system that provides SMS and GPRS services.

illustration not visible in this excerpt

Figure 3: GSM Architecture 18)

The GPRS core network can be regarded as an incorporated part of the GSM network, with added nodes to cater for packet switching. In addition, the GPRS can use some of the prevailing GSM network elements. These elements include the BSS, the MSC, the AUC, and finally, the HLR. On the other hand, a reasonable number of the GPRS network elements that can be added to GSM network consist of the GSN, the GTP and the AP, together with the PDP context. (18)

3.1.2 Security mechanisms in GSM network

Every system has some kind of security devices to vaccinate itself against attackers who aim at damaging the system. The GSM system is not an exceptional .It has some security mechanism that can hinder any illegal activities practiced by hacker’s. The SIM cloning is a security device that can stop unauthorized users to access the network. The GSM has special means to authenticate and encrypt data exchanged in the network. (35)

3.1.2.1 GSM Authentication Centre

GSM authentication centre is used to provide authenticity for each SIM card available with the users. This technique provides a connection to GSM mobile network. In addition, this service prevails when the mobile connects to the network and also when the users switch on the mobile. On the other hand, if the authentication in the SIM card fails, no services network whatsoever will be offered to the user. Otherwise, if the authentication is achieved, the SGSN and HLR will allow the user to be connected to the network. (0)

3.1.2.2 Authentication Procedure

Most of the authentication of the SIM card depends on the shared symmetric secret key, which is between the card and the AUC called Ki. In addition this secret key is embedded into the SIM card through the manufacture, and is then replicated into the AUC. This authentication proceeds through several steps described as follows: (23)

1. When the AUC authenticates the SIM, it will generate a random number which is known as the RAND number.
2. The RAND number will be sent then to the users. On the other hand, both of the AUC and the SIM flow into the Ki and the RAND number .The outcome is a value known as Signed RE Sponse (SRES) and authentication is achieved faultlessly when the SIM SRES matches with AUC SRES.
3. By feeding the Ki and the RAND number into the A5 algorithm, the AUC and the SIM generate a second secret key which is known as Kc .This key is used to encrypt and decrypt the net work connection.
4. When the SIM authentication is fulfilled, the HLR will ask for the mobile identity to ensure that the MS is not black listed.
5. The mobile returns the IMEI number. The latter will be forwarded to the EIR that will authorize the subscriber .Only then; the PDP context activation takes place.

3.1.3 Issus with GSM Network System
3.1.3.1 Problems with the A3/A8 authentication algorithm

A3/A8 can be described as the mechanism that is used to authenticate a handset on a mobile phone network. However, A3 and A8 are not really encryption algorithms. They are in fact placeholders in which COMP128is a commonly used algorithms. (28)

Suspicions concerning the validity of COMP128 as a secure medium for mobile banking were raised to the utmost when Wagner and Goldberg were able to break it in few hours .After destroying it they succeeded in obtaining the Ki and performing SIM cloning once again.

3.1.3.2 A5 algorithm Problems

Eavesdropping between the MS and the BSS is quite possible to occur .This possibility makes GPRS over the GSM network quite insecure for mobile banking. To solve this problem, A5 algorithm has been implemented. Although, there are at least three versions of the A5 algorithm (A5/1, A5/2and A5/0), they are all deficient and cannot be recommended as secure for mobile banking. (43)

3.1.3.3 Attack on the RAND value

The RAND value can be attacked by (Denial of the Service) DoS when the AUC tries to achieve the authentication with the SIM card. Therefore, The RAND value, sent to the SIM card, can be modified by an intruder who can fail the authentication.22)

3.1.4 Current Mobile Banking

In this part, the security shortfalls of the Mobile banking solutions using SMS Short message service will be investigated.

3.1.4.1 Current SMS Banking Services in Oman

Omani banks such as The National Bank of Oman (NBO) use (WIG) Wireless Internet Gateway for the mobile baking services. The NOB applies the USSD with the SMS. The NBO will requests the user to send the USSD cord together with his PIN to the banking server. Then, the server notifies the user that the server is prepared to accept the SMS. However, this service is not quite secure as long as each user transmits his data in plain text message. Furthermore, the mobile network operation obtains full access to the banking detailed information which is sent by the user.(21)

As a matter of fact, using SMS involves many serious security problems such as text encryption, mutual authentication, text encryption and end to end security. These problems require then a thorough investigation starting from forging originator’s address.

The short message services can be attacked by a third party, a hacker who sends fake information to the services. It is quite possible to change the originator’s address field in the SMS header to another address and this in turn enables the sender to send out fake messages. As mentioned above, the text encryption is another serious problem faced by mobile banking .The plaintext is the source of this problem. It occurs during transmission between the BTS and the MS. The End to End encryption does not exist at present .Consequently; secure algorithm is required to support security performances.

The NBO provides mobile banking GPRS, which uses MTN mobile banking gateway. This service enables bank account holders to access the WAP sites, in a way similar to that performed without the use of online banking. (34)

3.1.4.2 Wireless Application Protocol WAP

It is well known that WAP is an open international standard for applications which uses wireless communication. It enables access to the internet from the mobile phone. Furthermore, the mobile phones or terminals can access the internet by using wireless application protocol browsers. The WML sites will be written instead of the HTML, XML or XHTML. In other words, the WAP protocol is confided only between the user and the WAP gateway. In this way, the connection is secured by SSL or TLS. (39) This mechanism is better illustrated in Figure 4 below:

illustration not visible in this excerpt

Figure 4: WAP External Network

Communication security can be provided by using the WTLS protocol and the WIM. This protocol can provide a public key based security which is similar to TLS. The WIM stores the security keys. In order to achieve interoperability of the WAP equipment and the software together with varied technologies, WAP uses the WAP protocol. Figure 5 shows the different layers of the WAP protocol. (40)

illustration not visible in this excerpt

Figure 5: WAP Protocol layers 24)

3.1.4.3 Issues in mobile banking in Oman

The previous part was considering about how does the system of SMS messages and GPRS is working in the National Banking of Oman (NBO). However, it was quite difficult to collect the information about the security issues that might face the NBO because of the bank reputation but as an engineer it was easy to discover the security limitation in this bank. These security issues were considering about the SMS messaging protocol; therefore, a demonstration will be given and some solutions will be provided as the following shown.

3.1.4.4 Security problems with GPRS using WAP Implementations

The mobile banking which uses WAP provides a good level of security. Never the less, there are still some gaps, which could threaten the communication security. To begin with, there is no End to End encryption between the user and the bank server, but there is End to End encryption between the user and the gateway and between the gateway and the bank server. To solve this problem the bank server, should possess an APN in any GPRS networks. Significantly, this technique will be used as a WAP Gateway for the bank service .In other words, it enables the client to get connection to the bank without a third party. Furthermore, Public Key Cryptosystems provided by the WTLS are not adequate enough to meet the current WAP application security prerequisites. Because of this deficiency, the key sizes have been restricted. Last but not least, anonymous key exchange suites that are provided by the WTLT have been proven insecure. In other words, both of the client and the server are not authenticated. It is highly recommended then that banks should provide a means that could hinder it. (15)

3.1.4.5 Security problems connected with using the GPRS network

As the GPRS core network is extremely general, it needs to cater some banking security pre requisites. For example, bank authentication seems to be lacking. Without providing adequate authentication, mechanism, bank information or client account information could possibly be endangered. Also, to avoid any fabrication of the bank’s or the client’s information, a provision of functions should be prevailed. Added to this, the mechanism used so far to provide confidentiality of information between the mobile station and the bank server has been proven to be vulnerable as long as the network operator can view the client’s information .Moreover, specific performed actions by either the bank or the client cannot be confirmed. And this in itself is a sort of inaccuracy that might raise security matters on the bank’s side’s .Finally; inconsistency is another deficiency in the bank’s performance that can also raise security suspicions. This problem is the outcome of the fact that the GPRS provides session handling facilities while it does not handle bank sessions. (15)

3.1.5 Secure SMS Solution

The solution for the above explained problems lies in providing a secure messaging protocol that uses SMS. This protocol has treated security problems in the current deficient GSM architecture. It is to be mentioned here that three kinds of transactions have been selected in this project, namely, check balance, transfer money and purchase airtime which can change according to the bank’s services. It is also to be mentioned here that these transactions vary from one bank to another. (3)

3.1.5.1 Secure SMS Protocol

To make the SMS more secure for using, the SMS messages needs to be largely improved. The most important part of improving the security performance of SMS is making some changes in the message structure and protocol sequences.

3.1.5.2 Message Structure

Figure 6 shows the wireless application protocol WAP layer for the message structure. It shows the provided solution and each solution from which layer had been taken in order to solve the security issues.

illustration not visible in this excerpt

Figure 6: Wireless Application Protocol WAP Layer

[...]

Details

Pages
Type of Edition
Originalausgabe
Year
2013
ISBN (PDF)
9783954895779
ISBN (Softcover)
9783954890774
File size
1011 KB
Language
English
Publication date
2014 (February)
Keywords
Authentication Security GSM Mobile Banking
Previous

Title: An Investigation into Authentication Security of GSM algorithm for Mobile Banking
book preview page numper 1
book preview page numper 2
book preview page numper 3
book preview page numper 4
book preview page numper 5
book preview page numper 6
book preview page numper 7
book preview page numper 8
book preview page numper 9
book preview page numper 10
book preview page numper 11
book preview page numper 12
61 pages
Cookie-Einstellungen