
Detection and Prevention of security vulnerabilities associated with mobile banking applications



1. Detection and prevention of security vulnerabilities associated with mobile banking applications
   Team: TRAC
   Members: Tessy Sebastian, Rafael Santana, Alisa Pinchuk, Clinton D Souza

2. Agenda
   • Objective
   • Background
   • Related Work
   • Our Approach
   • Results
   • Conclusion
   • Contribution
   • Questions

3. Objective
   • Purpose: analyze the security aspects of mobile banking applications
   • Analyzed current exploitation techniques
   • Analyzed types of intrusion detection techniques
   • Proposed a unique and efficient methodology for authentication in mobile banking applications

4. Background
   • "Electronic banking – the execution of financial services via the Internet – changed the business of retail banks significantly, at the same time reducing costs and increasing convenience for the customer" (Pousttchi & Schurig, 2004).
   • Enhances access, user-friendliness and availability
   • Raises concern over the authenticity and integrity of data

5. Common Mobile Application Attacks
   • Information disclosure
   • Logical attacks
   • Phishing
   • Sniffing

6. Information Disclosure
   • Information leakage, loss and distortion
   • Use of wireless data networks exposes traffic in transit
   • Mitigation: tools that protect the wireless transmission medium

7. Logical Attacks
   • Abuse of functionality, denial of service, insufficient anti-automation, insufficient process validation
   • DDoS attack
     o slows down the response of the system
     o legitimate users are unable to enter the mobile banking system

8. Phishing
   • Masquerading as a trustworthy entity
   • Email
   • Vishing (phishing over voice calls)
   • Smishing (phishing over SMS)

9. Sniffing
   • Passive sniffing
     o reads information from the communication medium without altering traffic
   • Active sniffing
     o injects packets into the traffic
   • Wi-Fi sniffing
     o captures data that is sent unencrypted
   • Carried out with sniffer software

10. Related Work: Intrusion Detection
   • Stephen and Wilson proposed a detection technique based on global and local observations of the user's behavior
   • Karlsen and Killingberg designed and implemented a profile-based intrusion detection technique for internet banking systems

11. Intrusion Detection
   • Detect or identify an attempt to gain unauthorized access
   • Intrusion detection systems (IDS)
   • Two intrusion detection techniques
     o Anomaly detection: flag deviations from a baseline of normal behavior
     o Misuse detection: match known attack signatures

12. Current Intrusion Detection Techniques
   • User-profile-based intrusion detection
     o uses the user's behavior to detect anomalies
     o user statistics, usage pattern, transaction amount
   • Drawbacks
     o needs a considerable amount of data before the profile is reliable
     o natural changes in usage pattern produce false alarms

13. Our Approach: Detection (Profile-Based Intrusion Detection)
   • Composed of 5 models that together form a session structure profile:
     o Usage patterns
     o Inter-request time delay
     o Session time
     o User statistics
     o Response

14. Detection
   Data source: transaction log
     o transactions performed by the user
   The session structure profile:
     o attempts to flag an unusual sequence of actions
     o classifies an unusual sequence as an anomaly
     o evaluates the interaction between the user and the application
   Analyzed by: Markov chain
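An added example of the detection step described on this slide (not code from the TRAC deck): it learns a first-order Markov chain of action transitions from a user's transaction log and scores a new session by its mean negative log-likelihood per transition, so that a sequence the user has never produced (for example repeated transfers around a contact change) stands out. It also covers the inter-request delay model from the previous slide with a simple timing floor. The sample history, the smoothing constant, and the mean-plus-two-standard-deviations cut-off are assumptions chosen for the example.

```python
"""Session-structure profile over a transaction log, scored with a first-order Markov chain.
Added example (not from the TRAC deck). Assumptions: each session is the ordered list of
actions a user performed; transition probabilities use additive smoothing; the anomaly
threshold is mean + k standard deviations of the training sessions' own scores."""
import math
from collections import defaultdict

START, END = "<s>", "</s>"   # virtual session boundary states

# Constructed sample history for one user (not real banking data).
HISTORY = [
    ["login", "balance", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "statement", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "statement", "balance", "logout"],
    ["login", "balance", "logout"],
]


def train_profile(sessions, alpha=0.5):
    """Count action transitions a -> b across all sessions; alpha is the smoothing mass
    given to every unseen transition so a new action never gets probability zero."""
    counts = defaultdict(lambda: defaultdict(int))
    vocab = {START, END}
    for session in sessions:
        seq = [START, *session, END]
        vocab.update(seq)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {"counts": counts, "vocab": vocab, "alpha": alpha}


def transition_prob(profile, a, b):
    """Smoothed P(b | a). Unknown actions fall back to the uniform smoothed estimate."""
    row = profile["counts"].get(a, {})
    total = sum(row.values())
    alpha, v = profile["alpha"], len(profile["vocab"])
    return (row.get(b, 0) + alpha) / (total + alpha * v)


def session_score(profile, session):
    """Mean negative log-likelihood per transition: the higher, the less this session
    resembles the user's learned usage pattern."""
    seq = [START, *session, END]
    nll = -sum(math.log(transition_prob(profile, a, b)) for a, b in zip(seq, seq[1:]))
    return nll / (len(seq) - 1)


def threshold_from_history(profile, sessions, k=2.0):
    """Data-driven cut-off: mean + k*std of the training sessions' scores."""
    scores = [session_score(profile, s) for s in sessions]
    mean = sum(scores) / len(scores)
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    return mean + k * std


def inter_request_anomaly(gaps_seconds, floor_seconds=1.0):
    """Inter-request delay model: a session whose middle gap between requests is below a
    human-plausible floor looks like a scripted client rather than a person tapping a phone."""
    gaps = sorted(gaps_seconds)
    if not gaps:
        return False
    return gaps[len(gaps) // 2] < floor_seconds


def is_anomalous(profile, threshold, session, gaps_seconds=()):
    """Flag a session if either its action sequence or its request timing is unusual."""
    return session_score(profile, session) > threshold or inter_request_anomaly(gaps_seconds)


if __name__ == "__main__":
    profile = train_profile(HISTORY)
    cutoff = threshold_from_history(profile, HISTORY)
    normal = ["login", "balance", "transfer", "logout"]
    odd = ["login", "transfer", "transfer", "transfer", "change_phone", "transfer", "logout"]
    for s in (normal, odd):
        print(f"{' -> '.join(s)}: score={session_score(profile, s):.2f} "
              f"flagged={is_anomalous(profile, cutoff, s)}")
```

With only six training sessions the cut-off is tight, which is exactly the drawback the previous slide names: a real deployment needs far more history per user, and the threshold has to be re-estimated as the user's habits drift, or legitimate changes in usage will be flagged.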
15. Prevention: Two-Factor Authentication
   An approach that requires the user to present two of three independent factors (presenting more than two is usually called multi-factor authentication):
   1. Knowledge factor: something the user knows (e.g. a PIN).
   2. Possession factor: something the user has (e.g. a registered phone).
   3. Inherence factor: something the user is (e.g. a voice print).

16. Phases of Authentication

17. Registration Phase

18. Login/Handshake Phase

19. Transmission Phase
   • Describes how user information is transmitted over the internet.
   • The user has no control over the transmission medium.
   • Banking institutions rely on SSL/TLS encryption; the TLS handshake negotiates the cipher suite and keys and establishes the secure connection.
   • Some research papers propose steganography as the transmission medium: the existence of the data is hidden inside another data or audio file that is sent to the banking server.
   • Steganography only conceals that data is present; it does not by itself give confidentiality or integrity, so it would complement TLS rather than replace it.

20. Verification Phase

21. Data Transfer
   • Data transactions can be transferred over the channel using the WTLS protocol (the TLS variant of the WAP stack).
   • WTLS uses modern cryptographic algorithms in common with TLS and allows negotiation of cipher suites between client and server.
   • In the classic WAP architecture WTLS terminates at the WAP gateway, which re-encrypts towards the bank with TLS, so the gateway handles plaintext; end-to-end TLS from the handset avoids this.
   • The data transfer section handles user actions and queries such as checking the new balance, adding more money, depositing a cheque, etc.

22. Mutual Authentication
   • Two efficient ways to make the authentication notification effective are email and SMS.
   • Based on the previous sections on intrusion detection, we believe this adds to its enhancement, since the notification serves as a means of detection in case of unauthorized access.
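An added example tying together the registration, login/handshake and verification phases above with the email/SMS notification on this slide (not the TRAC deck's design or code). The knowledge factor is a PIN stored as a salted, stretched hash; the second factor here is a short-lived one-time code delivered out of band to the registered phone or mailbox (a possession factor), standing in for the voice (inherence) factor the deck proposes, which cannot be shown in a few lines. The `send_code` and `notify` callbacks, the fake clock, the iteration count and the attempt limits are assumptions supplied for the example.

```python
"""Two-factor login flow across the registration, login/handshake and verification phases.
Added example (not the TRAC deck's design). Knowledge factor: PIN. Second factor: one-time
code sent out of band (possession) instead of the deck's voice factor. send_code, notify and
the clock are caller-supplied assumptions."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # slow hash so a stolen PIN database resists offline guessing
MAX_PIN_FAILURES = 5          # account lock-out against online PIN guessing
MAX_CODE_TRIES = 3            # a 6-digit code must not be guessable by retrying
CODE_TTL_SECONDS = 120


class AuthServer:
    def __init__(self, send_code, notify, now=time.time):
        self.users = {}              # username -> credential record
        self.pending = {}            # handshake token -> pending second-factor state
        self.send_code = send_code   # delivers the one-time code to the registered contact
        self.notify = notify         # out-of-band SMS/email notice of logins and failures
        self.now = now

    # Registration phase: store a salted, stretched hash of the PIN plus the delivery address.
    def register(self, username, pin, contact):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS),
            "contact": contact,
            "failures": 0,
        }

    def _pin_matches(self, user, pin):
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, user["pin_hash"])   # constant-time compare

    # Login/handshake phase: check the knowledge factor, then issue a short-lived code.
    def login(self, username, pin):
        user = self.users.get(username)
        if user is None:
            # Burn the same work as a real check so timing does not reveal valid usernames.
            hashlib.pbkdf2_hmac("sha256", pin.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
            return None
        if user["failures"] >= MAX_PIN_FAILURES:
            return None
        if not self._pin_matches(user, pin):
            user["failures"] += 1
            self.notify(username, "failed PIN attempt")
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"user": username, "code": code,
                               "expires": self.now() + CODE_TTL_SECONDS, "tries": 0}
        self.send_code(user["contact"], code)
        return token

    # Verification phase: the code proves possession of the registered phone or mailbox.
    def verify(self, token, code):
        pending = self.pending.get(token)
        if pending is None:
            return False
        if self.now() > pending["expires"] or pending["tries"] >= MAX_CODE_TRIES:
            del self.pending[token]      # expired or exhausted: force a fresh handshake
            return False
        pending["tries"] += 1
        if not hmac.compare_digest(pending["code"].encode(), code.encode()):
            return False
        del self.pending[token]          # single use
        self.users[pending["user"]]["failures"] = 0
        self.notify(pending["user"], "new login completed")   # mutual-authentication notice
        return True
```

The notification on success and on failed PIN attempts is what this slide relies on: the account holder sees an attempt they did not make, which turns the out-of-band channel into a detection signal as well as a second factor. Swapping the one-time code for a voice verifier changes only the verification step; the lock-out, expiry and single-use rules stay the same.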
23. Results: Prevention
   PROS
   • The speech approach as a means of authentication currently has an error rate of less than 1%, down from 33% in 2003.
   • A 2010 research paper by Shen, Zheng and Li provided statistical and modular data showing the effectiveness of voice recognition using the GMM-UBM approach.
   CONS
   • More work is needed on separating background noise from the user's speech.

24. Results: Detection
   PROS
   • The session structure profile provides a total picture of the user's behavior.
   • It leads to the detection of more general behavior rather than just simple individual values.
   CONS
   • The approach shows promising results, but based on previous research some legitimate activities may be flagged as fraudulent (false positives).

25. Conclusion
   • We discussed various types of attacks that occur on mobile devices, and attacks that occur specifically on mobile banking.
   • We additionally discussed the current intrusion detection systems.
   • Finally, we proposed an authentication mechanism.

26. Contributions
   • Alisa Pinchuk:
     o Selected relevant attacks on mobile banking applications and provided a foundation showing that the proposed solutions will help reduce the occurrence of these attacks.
   • Clinton D Souza:
     o Designed two-factor authentication using a PIN and voice recognition, based on recent studies and current authentication system implementations.
   • Rafael Santana:
     o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.
   • Tessy Sebastian:
     o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.

27. References
   1. Nie, J., & Hu, X. (2008). Mobile banking information security and protection methods. Retrieved from http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=4722412&tag=1
   2. Ruggiero, P., & Foote, J. (n.d.). Cyber threats to mobile phones. Retrieved from http://www.us-cert.gov/reading_room/cyber_threats_to_mobile_phones.pdf
   3. Shen, L., Zheng, N., Zheng, S., & Li, W. (n.d.). Secure mobile services by face and speech based personal authentication.
   4. Sanderson, C., Bengio, S., Bourlard, H., Mariethoz, J., Collobert, R., BenZeghiba, M. F., Cardinaux, F., & Marcel, S. (2003). Speech & face based biometric authentication at IDIAP. Proceedings of the 2003 International Conference on Multimedia and Expo (ICME '03), vol. 3, pp. III-1-4, 6-9 July 2003.
   5. Yang, W., Wu, Y., & Chen, G. (2011). Application of voice recognition for mobile e-commerce security. 2011 Third Pacific-Asia Conference on Circuits, Communications and System (PACCS), pp. 1-4, 17-18 July 2011. doi: 10.1109/PACCS.2011.5990286. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5990286&isnumber=5990080

28. Questions?
