Detection and Prevention of security vulnerabilities associated with mobile banking applications

Jun 08, 2015

Clinton DSouza
Page 1: Detection and Prevention of security vulnerabilities associated with mobile banking applications

Detection and prevention of security vulnerabilities associated with mobile banking applications

Team: TRAC

Members: Tessy Sebastian, Rafael Santana, Alisa Pinchuk, Clinton D Souza

Page 2

Agenda

• Objective

• Background

• Related Work

• Our Approach

• Results

• Conclusion

• Contribution

• Questions

Page 3

Objective

• Purpose: analyze the security aspects of mobile banking applications

• Analyzed current exploitation techniques

• Analyzed types of intrusion detection techniques

• Proposed a unique and efficient methodology for authentication in mobile banking applications

Page 4

Background

• “Electronic banking – the execution of financial services via the Internet – changed the business of retail banks significantly, at the same time reducing costs and increasing convenience for the customer” (Pousttchi & Schurig, 2004).

• Enhances access, user-friendliness and availability

• Raises concern over the authenticity and integrity of data

Page 5

Common Mobile Application Attacks

• Information Disclosure

• Logical attacks

• Phishing

• Sniffing

Page 6

Information Disclosure

• Information leakage, loss and distortion

• Use of wireless data networks

• Tools that protect the wireless transmission medium

Page 7

Logical attacks

• Abuse of functionality, denial of service, insufficient anti-automation, insufficient process validation

• DDoS attack

o slows down the response of the system

o users are unable to enter the normal mobile banking system

Page 8

Phishing

• Masquerading as a trustworthy entity

• Email

• Vishing

• Smishing

Page 9

Sniffing

• Passive sniffing

o gathers information from the communication medium

• Active sniffing

o injects packets into the traffic

• Wi-Fi sniffing

o the risk arises from sending data that is not encrypted

• Use of sniffer software

Page 10

Related Work: Intrusion Detection

• Stephen and Wilson in their research paper proposed a detection technique based on global and local observations of the user’s behavior

• Karlsen and Killingberg designed and implemented an intrusion detection technique for internet banking systems based on profiles

Page 11

Intrusion Detection

• Detect or identify an attempt to gain unauthorized access

• Intrusion detection systems (IDS)

• Two intrusion detection techniques

o Anomaly Detection

o Misuse Detection

Page 12

Current Intrusion Detection Techniques

• User profile based intrusion detection technique

o Uses the user's behavior to detect anomalies

o User statistics, usage pattern, transaction amount

• Drawbacks

o Needs a considerable amount of data

o Natural changes in usage pattern

Page 13

Our Approach

Detection

Profile Based Intrusion Detection

• Composed of 5 models to form a session structure profile:

o Usage patterns

o Inter-request time delay

o Session time

o User statistics

o Response

Page 14

Detection

Data source: Transaction Log

o Transactions performed by the user

The session structure profile:

o Will attempt to flag an unusual sequence of attempts

o Classifies the unusual sequence as an anomaly

o Evaluates the interaction between the user and the application

Analyzed by: Markov Chain
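The slides name the components of the session structure profile but do not show how a transaction log becomes a profile or how a Markov chain scores a new session. The following is an added example, not the TRAC team's code: it models three of the five components (usage patterns as a first-order Markov chain over the action sequence, inter-request time delay and session time), trains them on a constructed transaction log for one user, and scores a new session by smoothed log-likelihood, count of never-seen transitions and timing z-scores. The log rows, the action names, the 2-sigma limit and the use of Laplace smoothing are all assumptions chosen for this illustration; user statistics and response are not modelled.

```python
"""Session-structure profile scoring with a first-order Markov chain.

Added example (not from the TRAC slides). Assumptions: the transaction log has
(session_id, seconds_since_login, action) rows; unseen transitions get Laplace
smoothing; a session is flagged when it takes a never-seen path or its timing
is more than 2 standard deviations from the user's profile.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

START, END = "<start>", "<end>"

# Constructed transaction log for one legitimate user (four past sessions).
TRANSACTION_LOG = [
    (1, 0, "login"), (1, 15, "balance"), (1, 45, "transfer"), (1, 60, "logout"),
    (2, 0, "login"), (2, 20, "balance"), (2, 35, "logout"),
    (3, 0, "login"), (3, 10, "balance"), (3, 50, "deposit"), (3, 70, "balance"), (3, 90, "logout"),
    (4, 0, "login"), (4, 18, "balance"), (4, 50, "transfer"), (4, 70, "logout"),
]


def sessions_from_log(log):
    """Group log rows by session id and order each session by time."""
    by_id = defaultdict(list)
    for sid, ts, action in log:
        by_id[sid].append((ts, action))
    return [sorted(rows) for _, rows in sorted(by_id.items())]


class SessionProfile:
    def __init__(self):
        self.transitions = defaultdict(lambda: defaultdict(int))  # prev -> next -> count
        self.vocab = set()                                        # every observed next-state
        self.delay_mean = self.delay_std = 0.0
        self.duration_mean = self.duration_std = 0.0

    def fit(self, sessions):
        """Build the usage-pattern chain and the timing statistics from past sessions."""
        delays, durations = [], []
        for rows in sessions:
            actions = [a for _, a in rows]
            times = [t for t, _ in rows]
            for prev, nxt in zip([START] + actions, actions + [END]):
                self.transitions[prev][nxt] += 1
                self.vocab.add(nxt)
            delays.extend(b - a for a, b in zip(times, times[1:]))
            durations.append(times[-1] - times[0])
        self.delay_mean, self.delay_std = mean(delays), pstdev(delays)
        self.duration_mean, self.duration_std = mean(durations), pstdev(durations)
        return self

    def transition_prob(self, prev, nxt):
        """Laplace-smoothed P(next | prev): unseen pairs get a small, nonzero mass."""
        row = self.transitions.get(prev, {})
        return (row.get(nxt, 0) + 1) / (sum(row.values()) + len(self.vocab))

    @staticmethod
    def _z(value, mu, sigma):
        return 0.0 if sigma == 0 else (value - mu) / sigma

    def score(self, rows):
        """Per-session evidence: average log-likelihood, unseen transitions, timing z-scores."""
        actions = [a for _, a in rows]
        times = [t for t, _ in rows]
        pairs = list(zip([START] + actions, actions + [END]))
        loglik = sum(math.log(self.transition_prob(p, n)) for p, n in pairs)
        unseen = sum(1 for p, n in pairs if self.transitions.get(p, {}).get(n, 0) == 0)
        delays = [b - a for a, b in zip(times, times[1:])] or [0]
        return {
            "avg_loglik": loglik / len(pairs),
            "unseen_transitions": unseen,
            "delay_z": self._z(mean(delays), self.delay_mean, self.delay_std),
            "duration_z": self._z(times[-1] - times[0], self.duration_mean, self.duration_std),
        }

    def is_anomalous(self, rows, z_limit=2.0):
        """Flag a never-seen path or timing far outside the profile (2-sigma is an assumption)."""
        s = self.score(rows)
        return (s["unseen_transitions"] > 0
                or abs(s["delay_z"]) > z_limit
                or abs(s["duration_z"]) > z_limit)


if __name__ == "__main__":
    profile = SessionProfile().fit(sessions_from_log(TRANSACTION_LOG))
    normal = [(0, "login"), (14, "balance"), (48, "transfer"), (62, "logout")]
    rapid = [(0, "login"), (1, "transfer"), (2, "transfer"), (3, "transfer"), (5, "logout")]
    for name, session in (("normal", normal), ("rapid transfers", rapid)):
        print(name, profile.score(session), "anomalous" if profile.is_anomalous(session) else "ok")
```

The rapid-transfer session is flagged on two independent grounds: its login-to-transfer and transfer-to-transfer steps never occur in the user's history, and its inter-request delays and total session time are far below the profile, which is exactly the "more general behavior rather than individual values" the slides argue for. A real deployment would add a per-user warm-up period, since the drawbacks slide notes that the profile needs a considerable amount of data before these statistics are trustworthy.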

Page 15

Prevention

Two Factor Authentication

An approach which requires the presentation of two or more of three factors.

1. Knowledge factor: defines something the user knows.

2. Possession factor: defines something the user has.

3. Inherence factor: defines something the user is.

Page 16

Phases of Authentication

Page 17

Registration Phase

Page 18

Login/Handshake Phase

Page 19

Transmission Phase

• Details how user information is transmitted over the internet.

• The user has no control over the medium of transmission.

• All banking institutions use SSL/TLS encryption using the SSL handshaking protocol.

• Establishes a secure connection.

• Certain research papers propose the use of steganography as the medium of transmission.

• The existence of the data is hidden within a data or audio file and transmitted to the banking server.

Page 20

Verification Phase

Page 21

Data Transfer

• Data transactions can be transferred over the channel using secure WTLS protocols.

• WTLS uses modern cryptographic algorithms and, in common with TLS, allows negotiation of cryptographic suites between client and server.

• The data transfer section handles actions and queries by users such as checking the new balance, adding more money, depositing a cheque, etc.

Page 22

Mutual Authentication

• Two efficient ways in which the authentication notification can be made effective are through email and SMS.

• Based on the previous sections on intrusion detection, we believe this adds to its enhancement, as it serves as a means of detection in case of unauthorized access.
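Pages 15 through 22 describe the registration, login/handshake, verification and notification phases in prose only. The following is an added example, not the TRAC team's design or code, of one way those phases fit together on the server side. The knowledge factor is a PIN stored as a salted PBKDF2 hash; the second factor is a per-device secret provisioned at registration, with which the app answers a one-time server challenge using an HMAC-derived 6-digit code (HOTP-style truncation). That possession factor stands in for the slides' voice factor, which cannot be demonstrated offline. Each login attempt and outcome is recorded as a notification the bank would deliver by SMS or email, which is the mutual-authentication signal the slide describes. The class and function names, the PBKDF2 round count and the 60-second challenge lifetime are assumptions.

```python
"""Two-factor login flow: registration, handshake, verification, notification.

Added example, not the TRAC team's code. Assumptions: PIN hashed with PBKDF2
(200k rounds), a 32-byte device secret as the possession factor, challenges
valid for 60 seconds and usable once, notifications kept in memory instead of
being sent by SMS or email.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000   # assumption: cost parameter for PIN hashing
CHALLENGE_TTL = 60        # assumption: seconds a challenge stays valid


def _clock(now):
    return time.time() if now is None else now


def one_time_code(device_secret, nonce):
    """Client side: 6-digit code from the device secret and the server's challenge
    (HMAC-SHA256 tag, then HOTP-style dynamic truncation)."""
    tag = hmac.new(device_secret, nonce, hashlib.sha256).digest()
    offset = tag[-1] & 0x0F
    number = int.from_bytes(tag[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 1_000_000:06d}"


class AuthServer:
    def __init__(self):
        self.users = {}          # user_id -> {"salt", "pin_hash", "device_secret"}
        self.challenges = {}     # user_id -> {"nonce", "issued"}; one live challenge per user
        self.notifications = []  # (user_id, message) the bank would send by SMS or email

    # Registration phase: store the knowledge factor hashed, provision the possession factor.
    def register(self, user_id, pin):
        salt = secrets.token_bytes(16)
        device_secret = secrets.token_bytes(32)
        self.users[user_id] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS),
            "device_secret": device_secret,
        }
        return device_secret  # delivered into the mobile app at enrolment

    # Login/handshake phase: check the PIN, then issue a fresh challenge for the second factor.
    def login_handshake(self, user_id, pin, now=None):
        user = self.users.get(user_id)
        if user is None:
            return None
        self.notifications.append((user_id, "login attempt"))  # notify even on failure
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, user["pin_hash"]):
            return None
        nonce = secrets.token_bytes(16)
        self.challenges[user_id] = {"nonce": nonce, "issued": _clock(now)}
        return nonce

    # Verification phase: the challenge is single-use and time-limited; compare in constant time.
    def verify(self, user_id, response, now=None):
        challenge = self.challenges.pop(user_id, None)  # pop: a challenge can be answered once
        if challenge is None:
            return False
        if _clock(now) - challenge["issued"] > CHALLENGE_TTL:
            self.notifications.append((user_id, "challenge expired"))
            return False
        expected = one_time_code(self.users[user_id]["device_secret"], challenge["nonce"])
        ok = hmac.compare_digest(expected, response)
        self.notifications.append((user_id, "login succeeded" if ok else "second factor failed"))
        return ok


if __name__ == "__main__":
    server = AuthServer()
    secret = server.register("alice", "4921")            # constructed enrolment
    nonce = server.login_handshake("alice", "4921")       # knowledge factor
    print("verified:", server.verify("alice", one_time_code(secret, nonce)))
    print(server.notifications)
```

Two details carry the security weight here: the challenge is removed from the table before it is checked, so a captured response cannot be replayed, and every attempt (including a wrong PIN) leaves a notification record, which is what lets the out-of-band message double as the detection signal the slide describes.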

Page 23

Results: Prevention

PROS

• The use of the speech approach as a means of authentication currently has an error rate of less than 1%, reduced from 33% in 2003.

• A research paper published in 2010 by Shen, Zheng and Li provided statistical and modular data proving the effectiveness of voice recognition using the GMM-UBM voice recognition approach.

CONS

• More work needs to be done on separating background noise from user speech.

Page 24

Results: Detection

PROS

• The session structure profile provides a total picture of the user’s behavior

• Leads to the detection of more general behavior rather than just simple individual values.

CONS

• The approach shows promising results, but based on previous research some activities may pass as fraudulent.

Page 25

Conclusion

• We discussed various types of attacks that occur on mobile devices, and attacks that occur specifically on mobile banking.

• We additionally discussed the current intrusion detection systems.

• Finally, we proposed an authentication mechanism.

Page 26

Contributions

• Alisa Pinchuk:

o Selected relevant attacks on mobile banking applications, and provided a foundation which proved that the proposed solutions will help reduce the occurrence of the attacks.

• Clinton D Souza:

o Designed two factor authentication using PIN and voice recognition based on recent studies and current authentication system implementations.

• Rafael Santana:

o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.

• Tessy Sebastian:

o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.

Page 27

References

1. Nie, J., & Hu, X. (2008). Mobile banking information security and protection methods. Retrieved from <http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=4722412&tag=1>. (Nie & Hu, 2008)

2. Ruggiero, P., & Foote, J. (n.d.). Cyber threats to mobile phones. Retrieved from <http://www.us-cert.gov/reading_room/cyber_threats_to_mobile_phones.pdf>. (Ruggiero & Foote)

3. Shen, L., Zheng, N., Zheng, S., & Li, W. (n.d.). Secure mobile services by face and speech based personal authentication. (Shen, Zheng, Zheng & Li)

4. Sanderson, C., Bengio, S., Bourlard, H., Mariethoz, J., Collobert, R., BenZeghiba, M. F., Cardinaux, F., & Marcel, S. (2003). Speech & face based biometric authentication at IDIAP. Proceedings of the 2003 International Conference on Multimedia and Expo (ICME '03), vol. 3, pp. III-1-4, 6-9 July 2003.

5. Yang, W., Wu, Y., & Chen, G. (2011). Application of voice recognition for mobile e-commerce security. 2011 Third Pacific-Asia Conference on Circuits, Communications and System (PACCS), pp. 1-4, 17-18 July 2011. doi: 10.1109/PACCS.2011.5990286. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5990286&isnumber=5990080

Page 28

Questions?