Dr. V.N.Sastry Professor, IDRBT & Executive Secretary, MPFI to 84 October 30, 20121

MBS Issues Common Specific Developments MPFI TSG on Mobile Banking Security (MBS) IBA-IDRBT WG on MBS IDRBT MBS Lab WPKI October 30, Main Points

MBS Issues Awareness and Education on MBS As per the users background In his/her native language Specific to the Mobile Phone Features Enabling Secure Banking Services Through multiple Mobile Communication Channels ( SMS, USSD, IVRS, GPRS, NFC ) On different Types of Mobile Phones ( Low End, Medium Type and High End ) Using the features supported by the Mobile Phone October 30, 20123

MBS Issues Contd.. Developing Customized Mobile Banking Applications as per the OS Testing of each of the Mobile Banking applications Handling of complaints on side channel and malware attacks on Mobile Phones Taking measures for fraud detection and prevention mechanisms Scalability issues to support high volume and real time Transactions of Mobile Payments Verification of MBS models and protocols in a simulated and testing environment. October 30, 20124

MBS Lab Experiments October 30, 20125

MBS Problems 1. Verification of Security Properties 2. Authentication and Key Agreement Protocols 3. Access Control Models 4. Cryptographic Techniques 5. Secure Mobile Payments : IMPS, AEPS, Mobile Wallet, 6. NFC based Mobile Payments 7. Mobile Banking Services (SaaS) in a Secure Banking Cloud Framework 8. Autonomic Computing (Self Healing and Self Protecting ) in Securing Mobile Operating Systems and Mobile Banking Applications 9. IVRS based Customer Education Service in all Indian Languages 10. MANETS for Financial Inclusion. 11. Formal Methods for Design and Analysis of Secure Mobile Payment Protocols 12. Testing of Mobile Banking Application : Functionality, Security and Compliance October 30, 20126

Mobile Banking Security Device Level Security Communication Level Security Application Level Security October 30, 20127

Major 3 Sections of a Mobile Phone Power Section Power distribution Charging section Radio Section Band Switching RF Power Amplification Transmitter Receiver Computer Section CPU (central processing unit) Memory (RAM,FLASH,COMBO CHIP: SIM, USIM) Interfaces October 30, 20128

Classification of Mobile Attacks Behavior based Environment based Virus Channel based Application Based Worm SMS Trojan NFC System External Wi-Fi (OS) (Mob. Ban. App) Spyware Bluetooth GPRS IVRS USSD 9October 30, 2012

Attacks by Type of Malware (Q1 2012) Virus: Malicious code that gets attached to a host file and replicates when the host software runs. Worm: Self-replicating code that automatically spreads across a network Trojan: A program that exhibits to be useful application but actually harbors hidden malicious code Spyware: Software that reveals private information about the user or computer system to eavesdroppers 10October 30, 2012

Some reported attacks on Mobile Phones Phishing Botnet Fake Player Trojan horse Bluejacking ( Symbian ) BlueBug BlueSnarfing BluePrinting Cabir (First in 2004 ) Comwar Skulls Windows CE virus October 30,

1) Certificate Authority 2) Validation Authority 3) Registration Authority 4) Certificate Repository 5) Digital Certificate 6) Digital Signature WIRELESS PUBLIC KEY INFRASTRUCTURE (WPKI) October 30,

WPKI Implementation for MBS Requires ECC (Elliptic Curve cryptography) Crypto SIM enabled Mobile Phone SLC (Short Lived Certificate) OCSP (Online Certificate Status Protocol) for certificate validation October 30,

ELLIPTIC CURVE CRYPTOGRAPHY (ECC) ECC is a public key cryptography. One main advantage of ECC is its small key size. A 160-bit key in ECC is considered to be as secured as 1024-bit key in RSA. It uses Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA does Signature Generation and Signature Verification. October 30,

October 30,

October 30,

ECDSA - Elliptic Curve Digital Signature Algorithm: a) Signature Generation For signing a message m by sender A, using A’s private key dA 1. Calculate e = HASH (m), where HASH is a cryptographic hash function, such as SHA Select a random integer k from [1,n − 1] 3. Calculate r = x1 (mod n), where (x1, y1) = k * G. If r = 0, go to step 2 4. Calculate s = k − 1(e + d r)(mod n). If s = 0, go to step 2 5. The signature is the pair (r, s). b) Signature Verification : For B to authenticate A's signature, B must have A’s public key QA 1. Verify that r and s are integers in [1,n − 1]. If not, the signature is invalid 2. Calculate e = HASH (m), where HASH is the same function used in the signature generation 3. Calculate w = s −1 (mod n) 4. Calculate u1 = ew (mod n) and u2 = rw (mod n) 5. Calculate (x1, y1) = u1G + u2QA 6. The signature is valid if x1 = r(mod n), invalid otherwise October 30,

October 30,

October 30,

October 30,

IVRS BASED EDUCATION SERVICE ON MOBILE BANKING AND ITS SECURITY BY MBSL,IDRBT-HYDERABAD CALL : October 30,

MBS TESTING Functional TestingSecurity Testing Interface Mapping Secure Storage Test Case Writing & Execution Compliance Testing Verification of Security Properties Secure Communication Levels of Security Transactions, Behaviour & Performance 22October 30, 2012 Compliance Testing

Mobile ad-hoc Networks (MANET) for Mobile Banking and Financial Inclusion  It is a Mobile wireless network.  MANET nodes are rapidly deployable, self configuring and capable of doing autonomous operation in the network.  Nodes co-operate to provide Connectivity and Services.  Operates without base station and centralized administration.  Nodes exhibit mobility and the topology is dynamic.  Nodes must be able to relay traffic sense.  A MANET can be a standalone network or it can be connected to external networks(Internet). October 30,