Dr. V.N.Sastry, Professor, IDRBT & Executive Secretary, MPFI. [email protected], +91-40-23534981 to 84. October 30, 2012

MOBILE BANKING SECURITY (MBS) ISSUES & DEVELOPMENTS


Page 1: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS


Page 2: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Main Points

• MBS Issues
  • Common
  • Specific
• Developments
  • MPFI TSG on Mobile Banking Security (MBS)
  • IBA-IDRBT WG on MBS
  • IDRBT MBS Lab
  • WPKI

Page 3: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

MBS Issues

• Awareness and Education on MBS
  • As per the user's background
  • In his/her native language
  • Specific to the Mobile Phone Features
• Enabling Secure Banking Services
  • Through multiple Mobile Communication Channels (SMS, USSD, IVRS, GPRS, NFC)
  • On different Types of Mobile Phones (Low End, Medium Type and High End)
  • Using the features supported by the Mobile Phone

Page 4: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

MBS Issues Contd..

• Developing Customized Mobile Banking Applications as per the OS
• Testing of each of the Mobile Banking applications
• Handling of complaints on side channel and malware attacks on Mobile Phones
• Taking measures for fraud detection and prevention mechanisms
• Scalability issues to support high volume and real time Transactions of Mobile Payments
• Verification of MBS models and protocols in a simulated and testing environment.

Page 5: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

MBS Lab Experiments


Page 6: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

MBS Problems

1. Verification of Security Properties
2. Authentication and Key Agreement Protocols
3. Access Control Models
4. Cryptographic Techniques
5. Secure Mobile Payments: IMPS, AEPS, Mobile Wallet
6. NFC based Mobile Payments
7. Mobile Banking Services (SaaS) in a Secure Banking Cloud Framework
8. Autonomic Computing (Self Healing and Self Protecting) in Securing Mobile Operating Systems and Mobile Banking Applications
9. IVRS based Customer Education Service in all Indian Languages
10. MANETS for Financial Inclusion
11. Formal Methods for Design and Analysis of Secure Mobile Payment Protocols
12. Testing of Mobile Banking Application: Functionality, Security and Compliance

Page 7: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Mobile Banking Security

• Device Level Security
• Communication Level Security
• Application Level Security

Page 8: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Major 3 Sections of a Mobile Phone

• Power Section
  • Power distribution
  • Charging section
• Radio Section
  • Band Switching
  • RF Power Amplification
  • Transmitter
  • Receiver
• Computer Section
  • CPU (central processing unit)
  • Memory (RAM, FLASH, COMBO CHIP: SIM, USIM)
  • Interfaces

Page 9: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Classification of Mobile Attacks

• Behavior based
  • Virus
  • Worm
  • Trojan
  • Spyware
• Environment based
  • Channel based
    • SMS
    • NFC
    • Wi-Fi
    • Bluetooth
    • GPRS
    • IVRS
    • USSD
  • Application Based
    • System (OS)
    • External (Mob. Ban. App)

Page 10: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Attacks by Type of Malware (Q1 2012)

• Virus: Malicious code that gets attached to a host file and replicates when the host software runs.
• Worm: Self-replicating code that automatically spreads across a network.
• Trojan: A program that presents itself as a useful application but actually harbors hidden malicious code.
• Spyware: Software that reveals private information about the user or computer system to eavesdroppers.

Page 11: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Some reported attacks on Mobile Phones

• Phishing
• Botnet
• Fake Player
• Trojan horse
• Bluejacking (Symbian)
• BlueBug
• BlueSnarfing
• BluePrinting

• Cabir (First in 2004)
• Comwar
• Skulls
• Windows CE virus

Page 12: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

WIRELESS PUBLIC KEY INFRASTRUCTURE (WPKI)

1) Certificate Authority
2) Validation Authority
3) Registration Authority
4) Certificate Repository
5) Digital Certificate
6) Digital Signature

Page 13: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

WPKI Implementation for MBS Requires

• ECC (Elliptic Curve Cryptography)
• Crypto SIM enabled Mobile Phone
• SLC (Short Lived Certificate)
• OCSP (Online Certificate Status Protocol) for certificate validation

Page 14: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

• ECC is a form of public key cryptography.
• One main advantage of ECC is its small key size.
• A 160-bit key in ECC is considered to be as secure as a 1024-bit key in RSA.
• It uses the Elliptic Curve Digital Signature Algorithm (ECDSA).
• ECDSA does Signature Generation and Signature Verification.


Page 15: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS


Page 16: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS


Page 17: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS


Page 18: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS


Page 19: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS


Page 20: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

MBS TESTING

Functional Testing Security Testing

Interface Mapping

Secure Storage

Test Case Writing & Execution

Compliance Testing

Verification of Security Properties

Secure Communication

Levels of Security

Transactions, Behaviour & Performance


Page 21: MOBILE  BANKING SECURITY (MBS)  ISSUES & DEVELOPMENTS

Mobile ad-hoc Networks (MANET) for Mobile Banking and Financial Inclusion

• It is a Mobile wireless network.
• MANET nodes are rapidly deployable, self configuring and capable of doing autonomous operation in the network.
• Nodes co-operate to provide Connectivity and Services.
• Operates without base station and centralized administration.
• Nodes exhibit mobility and the topology is dynamic.
• Nodes must be able to relay traffic sense.
• A MANET can be a standalone network or it can be connected to external networks (Internet).