Palisade Magazine

 

Discuss: SMS Banking

by Sachin Shetty, CCNA, BS7799 LA
1. Piyush Mistry | 24 Sep 2005 11:05 AM

I did not understand the second figure of this article. Does mobile support HTTPS traffic, and if yes, how? Please explain it to me in brief.

Thanks

Piyush Mistry.

2. sachin shetty | 26 Sep 2005 3:38 PM

Hi piyush,

Normally bulk service providers have special numbers like 8888 where u can send ur sms. The servers for these can be located on the wireless carrier end. They will receive the message and transfer it to their location using HTTPS. This link will not be the mobile (GSM/CDMA) link. It will be normal internet traffic.
Regards
Sachin Shetty
Paladion Networks

Is this product being used at any banks in India or outside India ?

How does this system get the data from the backend banking systems ?

4. sachin shetty | 28 Sep 2005 12:11 PM

Hi kunal,
Yes the system is being used, especially the PULL application part. I had audited the same in one of the banks. Getting the data from the backend applications can be done through code written specially for that purpose which will contain non-dynamic queries.
Regards
Sachin
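
As an added illustration of the "non-dynamic queries" mentioned in comment 4 (not code from the article, its author or any bank's system): a PULL request handler in which the SQL text is fixed per keyword and subscriber data is only ever bound as a parameter. The BAL keyword, message layout, table schema and sample numbers are assumptions constructed for this example.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: registered handset number, account suffix, balance.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (msisdn TEXT, acct_suffix TEXT, balance_paise INTEGER);
        INSERT INTO accounts VALUES ('+919800000001', '4321', 1525050);
        INSERT INTO accounts VALUES ('+919800000002', '8765', 99000);
    """)
    return db

# One fixed statement per supported keyword. Nothing from the SMS is ever
# concatenated into SQL; it is only bound to the ? placeholders.
QUERIES = {
    "BAL": "SELECT balance_paise FROM accounts "
           "WHERE msisdn = ? AND acct_suffix = ?",
}

# Hypothetical message layout: 3-letter keyword, then last 4 digits of the account.
REQUEST = re.compile(r"([A-Z]{3})\s+([0-9]{4})")

def handle_pull(db, sender, text):
    """Answer one PULL SMS; returns the reply text for the subscriber."""
    m = REQUEST.fullmatch(text.strip().upper())
    if not m or m.group(1) not in QUERIES:
        return "ERR unsupported request"
    keyword, suffix = m.groups()
    # The account must belong to the sending number, so one subscriber
    # cannot pull another subscriber's balance by guessing a suffix.
    row = db.execute(QUERIES[keyword], (sender, suffix)).fetchone()
    if row is None:
        return "ERR no such account for this number"
    rupees, paise = divmod(row[0], 100)
    return f"BAL A/c xx{suffix}: INR {rupees}.{paise:02d}"

if __name__ == "__main__":
    db = make_db()
    print(handle_pull(db, "+919800000001", "bal 4321"))
    print(handle_pull(db, "+919800000001", "BAL 4321' OR '1'='1"))
```

Parameter binding addresses injection through the message body only; it does not establish that the sender number is genuine, which comment 23 below raises as a separate problem.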

5. sachin shetty | 28 Sep 2005 12:19 PM

Just to add a bit to the previous comment. Remember the connection between the application server and database server should also be encrypted.
Regards
Sachin Shetty

6. Imtiaz A.Khan | 05 Oct 2005 12:59 AM

Hi Sachin,
I'd read similar stuff earlier, not sure if it was on Palisade.
Good article though, I specifically liked the second diagram which clearly explains the packet path. Is this something that you've actually seen in action or is this the recommended architecture?

Recently I discovered VISA-to-VISA money transfers on my banking service provider's Internet portal and I think it is the coolest thing to happen since ATMs. What according to you, as a core banking application security expert, are the possible ingredients that'd be required to migrate that application to the SMS framework? Is wireless security good enough for such a quantum leap or is there a long way to go before we get there!

Hope I'm not taking up too much of your time and Nilesh's blog space ;)!

Warm Regards
Imtiaz

7. Nilesh Chaudhari | 05 Oct 2005 1:14 AM

Hope I'm not taking up too much of your time and Nilesh's blog space ;)!

Imtiaz, not at all. In fact, you can comment as much as you like. Space is never an issue on a discussion forum!

8. Sugandha Bhargava | 16 Oct 2005 12:25 PM

Hi Sachin,
I'm writing an essay about the current issues for mobile banking, and I was wondering if you knew of any articles, links etc, that deal with the consequences, both technical and social, that mobile banking has. Also, has this actually been implemented successfully anywhere in the world? In Australia, where I am from, I haven't seen or heard about anything to date. Has there been any security or user issues with the system??? Thanks heaps
-Sugandha

9. Sachin Shetty | 16 Oct 2005 6:44 PM

Hi Imtiaz,
Yes there was a similar article by karmendra some time back. As far as the architecture is concerned, this is a recommended architecture.

Regarding the second part of your query, I am yet to come across a bank that has implemented money transfers through sms banking (correct me if I am wrong).
For any sms banking architecture that involves money transfer there must be an authentication scheme involved. The scenario would be the client sending the proper sms to the bulk service provider in order to transfer money. The mobile banking application should then ask the user to enter a numeric PIN to avoid fraudulent transfers in case of loss of a mobile handset. However as you pointed out in the last sentence of your query, there are fears of someone sniffing out the numeric PIN. That someone could be an insider from the mobile service provider or the bulk service provider through which the PIN is routed to the mobile banking application.
Regards
Sachin

10. sachin shetty | 16 Oct 2005 6:53 PM

Hi Sugandha,
Alas even I tried to search for some good articles on the web when I was working on this article but didn't find any. I am working on the concluding part of this article, where I will discuss some of the attacks that a mobile banking application can face, purely on the application end though. That article should see the light of the day in the next issue probably :).
Regards
Sachin

11. Sugandha Bhargava | 20 Oct 2005 5:36 AM

Thanks Sachin, I will be looking forward to that :) As a side query, for the essay I am writing, I would like to use one of the diagrams that you have used in your article. Am I allowed to do this? All references will be provided and full credit to you of course :P Thanks

12. sachin shetty | 22 Oct 2005 12:38 PM

Hi sugandha,
You are free to use the diagram in the article.
Thanks
Sachin

13. Chris | 06 Dec 2005 4:01 PM

Hi Sachin

I work for a South African bank and I am in the process of reviewing the success of SMS based banking in India for possible application in Africa.

1) Do you have any information on the number of mobile banking users in India as well as at which banks they bank?

2) Do you have any idea as to what percentage of the banked Indian market is registered for SMS banking?

and

3) Do you expect the Indian market to migrate to WIG or WAP based technologies to deliver mobile banking?

Regards
Chris


14. Nitin | 30 Jan 2006 3:05 PM

Hi,
Useful article for basics on mobile banking. One query though... you talked about transmission of encrypted sms... however, as of now in India, the message would go through several service providers even if the short code is used (correct me if I am wrong)... this is especially true for pull-based service. how do you think this could be handled? also, are current mobile handsets capable of using something like a browser to encrypt and decrypt messages like browsers on PCs.
Rgds,
Nitin

15. Abhishek (CCNA , S.cards reserch) | 03 Feb 2006 2:04 PM

Could anyone tell me the whole procedure for money transfer using SMS for P2P: the security aspects, framework, internal mechanism, from the start when the SMS is generated till it reaches the SMSC.

16. Luckwell Ng'ambi | 07 Feb 2006 12:11 PM

Dear Sachin

Our bank is a microfinance bank and the first of its kind in Malawi. A number of our customers, who are economically active poor, live in rural, peri-urban and high density urban locations. Banks are not near their business operations. We are contemplating introducing SMS banking in Malawi.

We have fears of security threats. Could any one tell me:

1. That SMS banking is tried and tested and found to be secure enough?
2. Which banks in the world are using the technology and how long have they used this facility?
3. Can banks using the technology share with us some of the problems they encountered?
4. How did they go about implementing the facility?
5. What internal controls exist in these systems?
6. Who are the main suppliers of such technology so that we can get into contact with them.
7. Can the system allow customers using cellular phones from different mobile service providers?

I would really appreciate it if I can have answers for these pertinent questions before we go too far with the project.


Regards


Luckwell

17. Anonymous Reader | 05 Apr 2006 12:12 PM

Hi Luckwell,
Mobile banking is secure if the necessary controls are implemented. You should read the next article in this series and the comments to get more insight into it. In the US T-mobile has a service called T-online. Also you need to get in touch with mobile service providers in Malawi in order to implement controls like mobile PKI to secure SMS banking. Hope this answers the queries.
Regards
Sachin

18. Anonymous Reader | 05 Apr 2006 12:17 PM

Hi nitin,
Kindly read the comments in the next article to find an answer to your query. I doubt in India such a service is available as of now. Regarding ur specific query about encryption in mobile communication, it is possible to have SSL based encryption in browsers present in mobile phones.
Regards
Sachin

19. jennifer | 20 Sep 2006 1:57 PM

It does not address two main problems with SMS:
1) By itself, SMS does not include a feature that allows for confirmation that the intended recipient is available or even if it has received the message.
2) Being transaction based (not session based), SMS does not allow the sender to have a high degree of confidence that the recipient will receive the message in real-time.

How will the SMS traffic and delay be addressed on this one?

Ex. my due date for the bills is today and I pay thru SMS today, but due to bulk SMS/SMS traffic in my network provider the SMS was received by the server two days later.

20. AARTHI | 30 Sep 2006 6:46 PM

How is the data sent in SMS to the bank authenticated ????????

21. B-Man-Rockz | 08 Nov 2006 12:24 AM

Hi,

Yours is the only article that i have come across on the internet so far that talks, as briefly as it does, about the technology behind SMS banking.

Can u please help me gain more insight into how SMS banking works with respect to the methodologies adapted in taking data from the bank's database and sending it in the format the SMS provider understands. I am talking on a pure technical level. I would really appreciate some URLs, references, etc. that discuss this aspect in detail.

22. deepak singh | 17 Jan 2007 5:31 AM

Hi,
I am doing a mobile banking project in .net.
Please help me with this project.

23. ashot | 02 Apr 2007 3:11 AM

From a specialised SMS transit carrier's perspective:

Enabling the account holder or the card holder to control accounts via MO SMS (i.e. SMS originated by the account holder's handset) is BAD and UNSAFE, no matter the security measures taken at the bank, the aggregator or the carrier level.

SMS is transmitted via international SS7 (C7) networks, which lack authentication means, thus making it possible for telco hackers to spoof and counterfeit virtually ANY SMS. The very mechanism of MO SMS service makes it vulnerable to fraud by thousands of hackers and spammers around the world. Hence, any bank account that can be controlled by MO SMS to perform outbound financial transactions is at an extreme risk of being targeted.

We are one of the largest (MT) SMS banking providers in the world carrying outbound alerts traffic from hundreds of banks on 5 continents. Under no circumstances would we allow any MO traffic from subscribers which may have tangible effect on our customer bank accounts.

In recent months, we've been receiving frequent reports of large-scale hacker attacks wiping out bank accounts via elaborately spoofed text messages.

24. chandra | 07 Apr 2007 7:57 AM

Simple and useful write-up.

Could anyone tell me how banks bill customers using this service? And how is the business model between banks and the mobile operator offering this service?

26. Akalu | 02 Feb 2008 7:46 PM

You said that the bulk SMS service provider's box sits at the wireless operator. Is it mandatory?

Thanx

27. sudip | 13 Jul 2008 5:07 PM

it was very helpful for the bachelor students who are doing their projects in mobile banking which includes me too. so it would be easy for us if the whole working procedure of the mobile banking system was known. it would be great help for me if you provide the detail working information abt it as soon as possible.

28. mona radwan | 12 Sep 2008 4:55 AM

Thank you for the great information I got through your article. It helped me in my thesis.

Thanks a lot. I've actually been working on this idea for a while. Your article was an eye opener. How do I get part 2 of the write-up? How do I contact you personally for expert advice?

Great post dude! Really influential. Keep it up.

31. Mahesh | 11 Jun 2009 10:24 AM

Hi Sachin,

The main concern with regard to SMS Mobile Banking is security. As for pull services, if we opt for payment to credit card, or balance transfer from credit card to credit card, delicate information like the card number needs to be encrypted both while sending and while storing in handset memory. Which encryption methodology do you use for this and how did you do it? Kindly let me know how we can configure the gateway so that I can receive the SMS on my application's listening port rather than the handset's listening port. A comment from you is highly appreciated.

32. teoh kheng siong | 06 Jul 2009 9:54 AM

I am trying to create a free mobile banking software, but facing some problems in the secure SMS / encrypt SMS part. Hopefully some brother over here can provide me some idea about it. If possible, can you share some source code with me? Thanks. Hope that my free mobile banking software can be a success and is not a dream. Anyone who has an idea about it, please feel free to email me. Thanks

33. charles odei ansong | 16 Jun 2010 10:36 PM

How can you protect the SMS server from others getting the banking transactions or financial documents?
