Detection and prevention of security vulnerabilities associated with mobile banking applications
Jun 08, 2015
Team: TRAC
Members: Tessy Sebastian, Rafael Santana, Alisa Pinchuk, Clinton D Souza
Agenda
• Objective
• Background
• Related Work
• Our Approach
• Results
• Conclusion
• Contribution
• Questions
Objective
• Purpose: analyze the security aspects of mobile
banking applications
• Analyzed current exploitation techniques
• Analyzed types of intrusion detection techniques
• Proposed unique and efficient methodology for
authentication in mobile banking application
Background
• “Electronic banking – the execution of financial
services via the Internet – changed the business of
retail banks significantly, at the same time reducing
costs and increasing convenience for the customer”
(Pousttchi & Schurig, 2004).
• Enhance access, user-friendliness and availability
• Concern over the authenticity and integrity of data
• Information Disclosure
• Logical attacks
• Phishing
• Sniffing
Common Mobile Application Attacks
Information Disclosure
• Information leakage, loss and distort
• Use of wireless data network
• Tools that protect the wireless transmit
media
Logical attacks
• Abuse of functionality, denial of service,
insufficient anti-automation, insufficient
process validation
• DDoS attack
o Slows down the response of the system
o Users are unable to enter the normal mobile banking system
Phishing
• Masquerading as a trustworthy entity
• Vishing
• Smishing
Sniffing
• Passive sniffing
o Reads information from the communication medium
• Active sniffing
o Injects packets into the traffic
• Wi-Fi sniffing
o Captures data that is sent unencrypted
• Uses sniffer software
Related Work : Intrusion Detection
• Stephen and Wilson in their research paper
proposed a detection technique based on
global and local observations of user’s
behavior
• Karlsen and Killingberg designed and
implemented an intrusion detection
technique for internet banking systems
based on profiles
Intrusion Detection
• Detect or identify an attempt to gain
unauthorized access
• Intrusion detection systems (IDS)
• Two intrusion detection techniques
o Anomaly Detection
o Misuse Detection
Current Intrusion Detection
Techniques
• User-profile-based intrusion detection technique
o Uses the user's behavior to detect anomalies
o User statistics, usage pattern, transaction amount
• Drawbacks
o Needs a considerable amount of data
o Natural changes in usage pattern
Our Approach
Detection
Profile Based Intrusion Detection
• Composed of 5 models to form a session structure profile:
o Usage patterns
o Inter-request time delay
o Session time
o User statistics
o Response
Detection
Data source: Transaction Log
o Transactions performed by the user
The session structure profile:
o Attempts to flag an unusual sequence of attempts
o Classifies an unusual sequence as an anomaly
o Evaluates the interaction between the user and the application
Analyzed by: Markov Chain
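The usage-pattern model of the session structure profile, worked through in code. This is an added example, not the TRAC team's implementation: the transaction log is a constructed list of per-user request sequences, the Markov chain is first-order with additive smoothing, and the anomaly threshold and the helper names (`train`, `score`, `is_anomalous`) are assumptions made here.

```python
"""Session-structure anomaly detection with a first-order Markov chain.

Added example (not the TRAC team's code). A session is the ordered list of
request types one user issued, taken from a hypothetical transaction log.
Transition probabilities are learned from known-good sessions; a new session
is scored by its average log-probability per transition, and a score below
a threshold flags the session as an anomaly.
"""
import math
from collections import defaultdict

START, END = "<start>", "<end>"

# Constructed sample: one user's historical sessions (the usage-pattern model).
HISTORY = [
    ["login", "balance", "logout"],
    ["login", "balance", "statement", "logout"],
    ["login", "balance", "transfer", "confirm", "logout"],
    ["login", "statement", "logout"],
    ["login", "balance", "logout"],
]


def train(sessions, alpha=0.1):
    """Return transition log-probabilities, smoothed so that an unseen
    transition is improbable but not impossible (alpha is the pseudo-count)."""
    counts = defaultdict(lambda: defaultdict(int))
    states = {START, END}
    for s in sessions:
        seq = [START] + s + [END]
        states.update(seq)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    n = len(states)
    logp = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * n
        logp[a] = {b: math.log((counts[a][b] + alpha) / total) for b in states}
    return logp


def score(model, session):
    """Average log-probability per transition; higher means more typical.
    A request type never seen in training gets a fixed very low probability."""
    seq = [START] + session + [END]
    unseen = math.log(1e-6)
    total = 0.0
    for a, b in zip(seq, seq[1:]):
        total += model.get(a, {}).get(b, unseen)
    return total / (len(seq) - 1)


def is_anomalous(model, session, threshold=-1.5):
    """Flag the session when its per-transition score falls below the threshold."""
    return score(model, session) < threshold


if __name__ == "__main__":
    model = train(HISTORY)
    for s in (["login", "balance", "logout"],
              ["login", "transfer", "transfer", "transfer", "logout"]):
        print(s, round(score(model, s), 3), "ANOMALY" if is_anomalous(model, s) else "ok")
```

With the sample history, typical sessions score between about -0.35 and -0.55, while a session of repeated transfers without a confirm step scores about -2.16 and is flagged. A single odd transition inside an otherwise normal session can still average above the threshold, which is the kind of miss the Results section notes; the inter-request delay and session-time models would be scored the same way and combined with this one.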
Prevention
Two Factor Authentication
An approach that requires presenting two or more of three factors.
1. Knowledge factor : defines something the user knows.
2. Possession factor : defines something the user has.
3. Inherence factor : defines something the user is.
Phases of Authentication
Registration Phase
Login/Handshake Phase
Transmission Phase
• Details how user information is transmitted over the
internet.
• User has no control over medium of transmission.
• All banking institutions use SSL/TLS encryption, established by the SSL
handshake protocol.
• Establishes a secure connection.
• Certain research papers propose use of steganography
as medium of transmission.
• Existence of data is hidden within a data or audio file
and transmitted to the banking server.
Verification Phase
Data Transfer
• Data transactions can be transferred over the channel
using secure WTLS protocols.
• WTLS uses modern cryptographic algorithms and, in common with TLS,
allows negotiation of cipher suites between client and server.
• The data transfer section handles actions and queries by users, such as
checking the new balance, adding more money, depositing a cheque, etc.
Mutual Authentication
• Two efficient ways of making the authentication notification effective
are email and SMS.
• Based on the previous sections on intrusion detection, we believe this
enhances detection, since the notification serves as a means of detecting
unauthorized access.
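The registration, login/handshake and verification phases above, combined with the login notification, as an added example rather than the TRAC team's code. The deck proposes PIN plus voice recognition; this example keeps the PIN as the knowledge factor and stands in for the second factor with a one-time code sent out of band (the voice model is not reproduced). The in-memory user store, the simulated SMS/email outbox, the PBKDF2 parameters, the code lifetime and the attempt cap are all assumptions made here.

```python
"""Two-factor login flow: register, login/handshake, verify, notify.

Added example, not the TRAC team's implementation. Storage is in memory and
SMS/email delivery is simulated by appending to `outbox` (both constructed).
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000      # assumed work factor for the PIN hash
CODE_TTL_SECONDS = 120       # assumed lifetime of the one-time code
MAX_CODE_ATTEMPTS = 3        # assumed cap on verification guesses

users = {}     # user_id -> {"salt", "pin_hash", "contact"}
pending = {}   # user_id -> {"code", "expires", "attempts"}
outbox = []    # simulated SMS/email deliveries: (contact, message)


def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def register(user_id, pin, contact):
    """Registration phase: store a salted PIN hash and the notification address."""
    salt = os.urandom(16)
    users[user_id] = {"salt": salt, "pin_hash": _hash_pin(pin, salt), "contact": contact}


def login(user_id, pin, now=None):
    """Login/handshake phase: check the knowledge factor (PIN). On success,
    issue a one-time code and notify the user, so an unauthorized attempt is
    visible to the account holder even if the PIN was guessed."""
    now = time.time() if now is None else now
    rec = users.get(user_id)
    # Hash even for unknown users so response time does not reveal valid IDs.
    candidate = _hash_pin(pin, rec["salt"] if rec else b"\x00" * 16)
    if rec is None or not hmac.compare_digest(candidate, rec["pin_hash"]):
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    pending[user_id] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    outbox.append((rec["contact"],
                   f"Login attempt on your account. Code: {code}. "
                   "If this was not you, contact the bank."))
    return True


def verify(user_id, code, now=None):
    """Verification phase: the possession factor. The code is single-use,
    time-limited and attempt-capped; any failure past the cap drops it."""
    now = time.time() if now is None else now
    p = pending.get(user_id)
    if p is None or now > p["expires"]:
        pending.pop(user_id, None)
        return False
    p["attempts"] += 1
    if p["attempts"] > MAX_CODE_ATTEMPTS:
        pending.pop(user_id, None)
        return False
    if not hmac.compare_digest(p["code"], code):
        return False
    pending.pop(user_id)
    return True


if __name__ == "__main__":
    register("alice", "4821", "+1-555-0100")          # constructed user
    print("wrong pin:", login("alice", "0000"))          # False, nothing sent
    print("right pin:", login("alice", "4821"))          # True, code delivered
    print("notification:", outbox[-1])
    print("verify:", verify("alice", pending["alice"]["code"]))
```

The notification is what ties prevention to detection: every successful PIN check produces a message to the registered contact, so a login the customer did not initiate is surfaced to them immediately, independently of whether the second factor is then passed.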
Results : Prevention
PROS
• Using speech as a means of authentication currently has an error rate of
less than 1%, down from 33% in 2003.
• A research paper published in 2010 by Shen, Zheng and
Li provided statistical and modular data proving the
effectiveness of voice recognition using GMM-UBM
voice recognition approach.
CONS
• More work needs to be done on separating background
noises from user speech.
Results : Detection
PROS
• Session structure profile provides a total picture of the
user’s behavior
• Lead to the detection of a more general behavior
rather than just simple individual values.
CONS
• The approach shows promising results but based on
previous research some activities may pass as
fraudulent.
Conclusion
• We discussed various types of attacks that occur on
mobile devices, and attacks that occur specifically on
the mobile banking.
• We additionally discussed the current intrusion
detection systems.
• Finally, we proposed an authentication mechanism.
Contributions
• Alisa Pinchuk:
o Selected relevant attacks on mobile banking applications, and provided a foundation which proved the solutions proposed will help reduce the occurrence of the attacks.
• Clinton D Souza:
o Designed two-factor authentication using PIN and voice recognition, based on recent studies and current authentication system implementations.
• Rafael Santana:
o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.
• Tessy Sebastian:
o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.
References
1. Nie, J., & Hu, X. (2008). Mobile banking information security and protection methods. Retrieved from <http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=4722412&tag=1>.
2. Ruggiero, P., & Foote, J. (n.d.). Cyber threats to mobile phones. Retrieved from <http://www.us-cert.gov/reading_room/cyber_threats_to_mobile_phones.pdf>.
3. Shen, L., Zheng, N., Zheng, S., & Li, W. (n.d.). Secure mobile services by face and speech based personal authentication.
4. Sanderson, C., Bengio, S., Bourlard, H., Mariethoz, J., Collobert, R., BenZeghiba, M. F., Cardinaux, F., & Marcel, S. (2003). Speech & face based biometric authentication at IDIAP. Multimedia and Expo, 2003. ICME '03. Proceedings. 2003 International Conference on, vol. 3, pp. III-1-4, 6-9 July 2003.
5. Yang, W., Wu, Y., & Chen, G. (2011). Application of Voice Recognition for Mobile E-Commerce Security. Circuits, Communications and System (PACCS), 2011 Third Pacific-Asia Conference on, pp. 1-4, 17-18 July 2011. doi: 10.1109/PACCS.2011.5990286. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5990286&isnumber=5990080
Questions?