CISC 849 : Applications in Fintech
Cybersecurity in Banking
Ashraf Bah
Computer & Information Sciences
University of Delaware
Performance Evaluation on End-to-End Security Architecture for Mobile Banking System
Factors driving cyber attacks
Unfriendly nations seeking intelligence or intellectual property
Hacktivists making political statements
Organized crime groups seeking money
It is easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber fraud
Where are IT systems managed?
Frequency at which managers are updated
Mobile Banking Operations
Balance inquiries
Payments
Transfers
Notifications: overdraft alerts, low balance warnings, large transaction alerts
SMS Banking
The bank and the client communicate through SMS (Short Message Service) messages.
Problem: the default data format for SMS messages is plaintext.
Mutual authentication, text encryption, end-to-end security and non-repudiation were omitted during the design of the GSM architecture.
End-to-end encryption is not available: the only encryption is between the base transceiver and the bank. The encryption used is A5, which is vulnerable.
Using GPRS: WAP Sites Banking
WAP (Wireless Application Protocol) "is a technical standard for accessing information over a mobile wireless network." (Wikipedia)
Consumers with access to WAP can perform banking the same way it is done over the Internet.
Mobile banking using WAP is secure, but there are loopholes that can lead to insecure communication.
There is no end-to-end encryption between the client and the Gateway, or between the Gateway and the Bank.
To resolve this, the bank server could have its own Access Point Name (APN) to serve as the bank's Gateway, leaving no third parties in the middle.
Public Key Infrastructure for Mobile Banking
In PKI, there is one public key for encryption and one private key for decryption.
It works as follows:
The user obtains the bank's public key from the directory and uses it to encrypt the message.
The encrypted message is sent to the bank server.
Only the bank server is able to decrypt the message.
Although everybody can read public-key directories, they must be protected from falsification. Hence, a good PKI is needed.
Proposed Framework
Goal: secure sensitive data over the GPRS network, regardless of the transport protocol.
Proposed Framework: Device Authentication
Proposed Framework: Client Functionality
Proposed Framework: Server Functionality
Receives the client's public key plus the concatenated message, and splits the message into the encrypted message digest and the encrypted option-id and secret-key.
Decrypts the option-id and secret-key using the server's private key.
If the secret key is not in the database, sends an error message.
Else, decrypts the message digest using the PIN number and the digital signature.
Using the client's public key, the digested digital signature is decrypted and split into option-id and secret-key.
Verifies that the original message in the digital signature is the same as the original message in the decrypted message.
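The PKI flow and the server-side steps above, as an added example that is not code from the paper or from these slides. It is written in Python (the paper's implementation is J2ME/J2EE), uses SHA-1 from hashlib as the digest and a textbook, unpadded RSA stand-in for the paper's 1024-bit RSA, so it illustrates the message flow rather than a deployable cipher. The wire layout (signature hex, "|", payload hex; fields joined by "|"), the secret-key database, the option-id and the transaction text are constructed for the example, and the PIN-based wrapping of the digest mentioned on the slide is simplified away: the signature is checked directly with the client's public key.

```python
import hashlib
import hmac
import random

# --- Textbook RSA stand-in (no padding; illustrates the flow, not a deployable cipher) ---

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits: int = 1024):
    """Return ((e, n), (d, n)); a 1024-bit modulus mirrors the paper's RSA setting."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_apply(key, value: int) -> int:
    """Raw RSA: the public key encrypts/verifies, the private key decrypts/signs."""
    exp, n = key
    if not 0 < value < n:
        raise ValueError("toy RSA: value must be smaller than the modulus")
    return pow(value, exp, n)

def _wrap(data: bytes) -> int:
    return int.from_bytes(b"\x01" + data, "big")  # 0x01 prefix preserves leading zero bytes

def _unwrap(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":
        raise ValueError("malformed plaintext")
    return raw[1:]

# --- Client side (assumed layout: signature hex "|" payload hex; fields joined by "|") ---

def client_build_request(message, option_id, secret_key, bank_pub, client_pub, client_priv):
    digest = hashlib.sha1(message).digest()             # SHA-1, the paper's digest algorithm
    enc_digest = rsa_apply(client_priv, _wrap(digest))  # "encrypted message digest" (signature)
    payload = b"|".join((option_id, secret_key, message))
    enc_payload = rsa_apply(bank_pub, _wrap(payload))   # bank public key from the PKI directory
    return {"client_pub": client_pub, "blob": f"{enc_digest:x}|{enc_payload:x}"}

# --- Server side, following the slide's steps ---

def server_process(request, bank_priv, key_db):
    enc_digest_hex, enc_payload_hex = request["blob"].split("|")   # split the concatenated msg
    try:
        payload = _unwrap(rsa_apply(bank_priv, int(enc_payload_hex, 16)))  # server private key
        option_id, secret_key, message = payload.split(b"|", 2)
    except ValueError:
        return {"ok": False, "error": "malformed request"}
    if secret_key not in key_db:                                   # secret key not in database
        return {"ok": False, "error": "unknown secret key"}
    try:                                                           # recover digest with client key
        signed_digest = _unwrap(rsa_apply(request["client_pub"], int(enc_digest_hex, 16)))
    except ValueError:
        return {"ok": False, "error": "digest mismatch"}
    if not hmac.compare_digest(signed_digest, hashlib.sha1(message).digest()):
        return {"ok": False, "error": "digest mismatch"}          # altered message or swapped key
    return {"ok": True, "user": key_db[secret_key],
            "option_id": option_id.decode(), "message": message.decode()}

def demo():
    """Constructed walkthrough: an honest request, an unregistered secret key,
    and a signature that does not match the presented client public key."""
    random.seed(849)                                    # reproducible toy keys
    bank_pub, bank_priv = rsa_keygen()
    client_pub, client_priv = rsa_keygen()
    other_pub, _ = rsa_keygen()
    key_db = {b"k-2f7c91ab": "alice"}                   # constructed secret-key database
    msg = b"transfer 100.00 to account 4242"            # constructed transaction text
    honest = client_build_request(msg, b"TRANSFER", b"k-2f7c91ab", bank_pub, client_pub, client_priv)
    unknown = client_build_request(msg, b"TRANSFER", b"k-deadbeef", bank_pub, client_pub, client_priv)
    swapped = client_build_request(msg, b"TRANSFER", b"k-2f7c91ab", bank_pub, other_pub, client_priv)
    return tuple(server_process(r, bank_priv, key_db) for r in (honest, unknown, swapped))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of the checks matters for the slide's design: the secret-key lookup runs first and rejects unregistered devices before any signature work is done, and the digest comparison uses a constant-time compare so the verdict does not leak through timing.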
Experimental Setup
Basic client-server model
Heavy operations such as object creation are kept to a minimum
Expensive computations are performed on the server side
Intensive throwing of input/output and data-exchange exceptions to catch wireless network connection failures
J2ME on the client side, J2EE on the server side
Technologies Used
Message digest algorithm: NIST's SHA-1
Encryption algorithms: RSA with variable key sizes (1024 bits), 3DES with variable key length (1024), AES with variable key length (256)
J2ME Wireless Toolkit (WTK) v2.5: used to compile, build, package and execute MIDP apps, and as a debugger
Wireless client: Nokia N72
Server: Apache Tomcat
Results: Time Measurements
Results: Memory Measurements
Merits of the paper
Encrypting the messages that constitute mobile banking transactions provides confidentiality and message integrity.
The system utilizes a public-key infrastructure which is independent of financial institutions, network operators and mobile banking intermediaries, but can be used by all of them.
No need for a browser.
In terms of time and memory consumption, it is clear which encryption works best.
Shortcomings of the paper
The authors did not mention anything about the pros and cons of each of the three encryption algorithms, or which one is best for encryption (not time and memory usage).
The paper was published in 2008. iOS was unveiled in 2007, and Android was introduced in 2003 (though commercialized in 2008); yet the paper does not mention any of them.
No comparisons to other Nokia and Samsung phones.
Many typos.
ECC-Based Biometric Signature: A New Approach in Electronic Banking Security
Emerging Security Trends
Integrating biometrics into mobile banking apps (fingerprint, voice recognition)
Combining biometrics and PKI
Approach
Resolves PKI's key management problem: private keys can be generated directly from the biometric scan.
Uses an ECC-based biometric signature that uses the ECC algorithm to generate and verify signatures online.
ECC (Elliptic Curve Cryptography)-based biometrics has some advantages over RSA-based biometrics.
Advantages of the Approach
In this mechanism, there is no need to store or transmit any private value: by simply sharing a few public values and using a live biometric scan, the two parties can share a secret key.
Startups
Lookout: https://www.youtube.com/watch?v=vdB_QVJNegs
Trineba: focuses on the prevention side of cybersecurity