Palisade Magazine

Discuss: Security in SMS Banking

by Sachin Shetty, CCNA, BS7799 LA
Discussion is open. There are 22 reader comments.

Hi Sachin,

Thanks for the very useful article on SMS banking & security.

Some of the points that I would like to clarify with you in regard to this are:

(1) On transmission security, between the mobile device and the Bulk SMS centre, what security mechanisms are normally adopted to ensure the privacy of the data that is transmitted? Do wireless protocols support any form of link-level encryption to protect data privacy?

(2) Normally, does the bank publish the mobile number that is used for customer contact, or is it done by the mobile service provider and redirected to a proxy number?

(3) What are your views on non-repudiation in mobile banking applications? What measures do the application and the infrastructure need to take to ensure non-repudiation of a transaction initiated by a user from a mobile device?

I am looking for statistics on security violations or break-ins in mobile banking. Have you recently come across any press reports or information on this?

Thanks and best regards,
Shashi

2. Sachin Shetty | 08 Dec 2005 7:35 PM

Hi Shashi,
Thanks for the really exhaustive and well thought out comment on this article. I have to accept that this is one of the very best that I have received so far.
I am answering your query as per the points raised by you.

1) Mobile communications, e.g. GSM, can utilise the A5 algorithm for encryption. In this a cipher is generated from a session key and the frame number; therefore the keystream changes with every frame. You can learn more about this at http://www.gsm-security.net/faq/gsm-encryption-algorithm-a5-cipher.shtml.

2) The bank does not publish the mobile number used for customer contact. It is the bulk service provider's number that the customer has to send the SMS to, e.g. 8888.

3) Non-repudiation in mobile banking is a tricky issue. In the setup discussed in the article the only way for the bank to check that it is the valid user who is requesting details is to look at the mobile number from which the SMS originated and maintain logs for the same. But we may soon see smart phones that will digitally sign each SMS message sent from the user's phone after properly authenticating the user. In that case more sensitive transactions like account-to-account money transfer will become a reality.
However, as of now mobile banking features allow a user to perform not-so-critical operations like requesting an account balance, ordering a cheque book etc. In such cases non-repudiation is not a very big issue.

As far as your last question goes, even I have yet to come across an incident involving a mobile banking application break-in. The majority of such cases, even if they occur, are buried before they are published :).
Hope this answers your queries. Do feel free to shoot a question if you feel otherwise.

Thanks
Sachin
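
The A5 keystream mechanism from point 1 of the reply above, as an added example that is not from the original article or the comment author: an A5/1 implementation in Go following the cipher's published description (three LFSRs with majority clocking), showing that one 64-bit session key Kc yields a different 114-bit burst keystream for every 22-bit frame number, and that encryption is a plain XOR of the burst with that keystream. The sample key and frame numbers are constructed for the example. The code shows the mechanism only; as later comments in this thread point out, A5/1 is breakable in practice, and the code should be checked against a published A5/1 test vector before being reused anywhere.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Register widths, feedback taps, majority-clocking bits and output bits of A5/1,
// following the published description of the cipher (Briceno/Goldberg/Wagner, 1999).
const (
	r1Mask, r1Taps, r1Mid, r1Out uint32 = 0x07FFFF, 0x072000, 0x000100, 0x040000 // 19-bit register
	r2Mask, r2Taps, r2Mid, r2Out uint32 = 0x3FFFFF, 0x300000, 0x000400, 0x200000 // 22-bit register
	r3Mask, r3Taps, r3Mid, r3Out uint32 = 0x7FFFFF, 0x700080, 0x000400, 0x400000 // 23-bit register
)

type a51 struct{ r1, r2, r3 uint32 }

// step shifts one LFSR left by one bit, feeding back the parity of its tap bits.
func step(reg, mask, taps uint32) uint32 {
	fb := uint32(bits.OnesCount32(reg&taps) & 1)
	return ((reg << 1) & mask) | fb
}

// clockAll steps every register; used while loading the key and the frame number.
func (s *a51) clockAll() {
	s.r1 = step(s.r1, r1Mask, r1Taps)
	s.r2 = step(s.r2, r2Mask, r2Taps)
	s.r3 = step(s.r3, r3Mask, r3Taps)
}

// clock steps only the registers whose middle bit agrees with the majority of the
// three middle bits: the irregular clocking that gives A5/1 its nonlinearity.
func (s *a51) clock() {
	m1, m2, m3 := s.r1&r1Mid != 0, s.r2&r2Mid != 0, s.r3&r3Mid != 0
	maj := (m1 && m2) || (m1 && m3) || (m2 && m3)
	if m1 == maj { s.r1 = step(s.r1, r1Mask, r1Taps) }
	if m2 == maj { s.r2 = step(s.r2, r2Mask, r2Taps) }
	if m3 == maj { s.r3 = step(s.r3, r3Mask, r3Taps) }
}

// outBit is the XOR of the most significant bit of each register.
func (s *a51) outBit() uint32 {
	return ((s.r1 & r1Out) >> 18) ^ ((s.r2 & r2Out) >> 21) ^ ((s.r3 & r3Out) >> 22)
}

// Keystream returns the two 114-bit keystream bursts (network->mobile, mobile->network)
// for one 64-bit session key Kc and one 22-bit frame number. Each burst is packed
// MSB-first into 15 bytes; the last byte carries only its top two bits.
func Keystream(key [8]byte, frame uint32) (down, up [15]byte) {
	var s a51
	// Load Kc, least significant bit of each byte first: clock all registers, XOR in the key bit.
	for i := 0; i < 64; i++ {
		s.clockAll()
		b := uint32(key[i/8]>>(i%8)) & 1
		s.r1 ^= b; s.r2 ^= b; s.r3 ^= b
	}
	// Load the frame number the same way; this is why the keystream changes every frame.
	for i := 0; i < 22; i++ {
		s.clockAll()
		b := (frame >> i) & 1
		s.r1 ^= b; s.r2 ^= b; s.r3 ^= b
	}
	// 100 majority-clocked warm-up steps whose output is discarded.
	for i := 0; i < 100; i++ { s.clock() }
	for i := 0; i < 114; i++ { s.clock(); down[i/8] |= byte(s.outBit() << (7 - uint(i%8))) }
	for i := 0; i < 114; i++ { s.clock(); up[i/8] |= byte(s.outBit() << (7 - uint(i%8))) }
	return
}

// XORBurst applies a keystream burst to a burst payload; encrypting and decrypting are the same operation.
func XORBurst(payload [15]byte, ks [15]byte) [15]byte {
	for i := range payload { payload[i] ^= ks[i] }
	return payload
}

func main() {
	kc := [8]byte{0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF} // constructed sample session key
	for _, frame := range []uint32{0x134, 0x135} {                // two consecutive frame numbers
		d, u := Keystream(kc, frame)
		fmt.Printf("frame %#x  down %x  up %x\n", frame, d, u)
	}
}
```

Running it prints two different keystream pairs for the two frame numbers, which is the property the reply describes; the confidentiality of an SMS over the air rests entirely on Kc staying secret and on A5/1 resisting the kind of attack described further down this thread.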

3. Huu Dinh | 21 Dec 2005 9:23 AM

Can you give me some advice or links on transmission security between mobile devices and the Bulk SMS Center in a CDMA network?
Please reply soon!
Thanks!

4. Sachin Shetty | 21 Dec 2005 5:39 PM

Hi Huu Dinh,
Thanks for the query. Kindly refer to the following article, which explains authentication and encryption in CDMA networks:

http://www.ee.iitb.ac.in/eesa/Techno-Journalism/prize-winning%20entries/2nd_prize_CDMA_technology_Amit_Balani.pdf

Best Regards
Sachin

5. Huu Dinh | 22 Dec 2005 7:38 AM

Hi Sachin,
Thanks for your reply! I'm now designing an SMS payment system over the CDMA network. Security is very important. Can you give me a suggestion about the model of the system?

Sincerely,
Huu Dinh

Hi Sachin,

Your brief discussion regarding security in SMS banking is truly an insightful one.

I am from the Philippines and we have revolutionized SMS banking. At present, two major service providers/wireless carriers (Globe Telecom and Smart Communications) provide mobile banking services for most commercial banks.

SMS banking transactions include the usual balance inquiry, checkbook request, etc. However, fund transfers and bill payments have also been included, and the security issues are there, including repudiation.

In this regard, I have the following questions:

1. Is there a way (technology/equipment) that is/can be used to capture encrypted messages between the cellphone and the SMS Center and vice versa?
2. If there is a way, can the intercepted encrypted messages be decrypted to reveal confidential/critical information about banking clients, particularly account numbers, mobile PINs, cellphone numbers and account balances?
3. In the SMS Center, can the operator read or decipher the messages passing through the wireless carrier's data center?

Thank you and regards.

7. pranay | 04 Apr 2006 3:53 PM

Hi Sachin,
We are looking for encryption of SMS for secure mobile payments.
Can you suggest any ready-to-use system for the same?
I read the comment from Mtrx saying that they have the right solution for m-payment. Any details of their system? We are looking to purchase a new system for our bank.

8. Anonymous Reader | 04 Apr 2006 10:51 PM

Hi Mtrx,
Sorry for replying late. I really like the questions concerning confidentiality in SMS banking. It is possible to crack encryption in systems like GSM; however, this has only been done in simulated lab environments. I don't know of any such incident where a person was able to crack the encryption by capturing packets on the air. Regarding your other concern, decryption of messages at the wireless provider's end, I must say that it is surely a concern and appropriate measures should be taken to reduce the risk. The control is especially warranted in cases where critical banking transactions like account-to-account transfer of money take place.
Regards
Sachin

9. Anonymous Reader | 04 Apr 2006 11:25 PM

Hi pranay,
I don't know which location you belong to. If you are in India, I am not sure of any wireless provider. But to throw some insight into the technology: it is called mobile PKI, and it would require special SIM cards called WIM or SWIM which provide authentication, non-repudiation, confidentiality and integrity. You might find more information in the following article:
http://www.silicon-trust.com/problems/tec_mcommerce.asp
Regards
Sachin

10. Sachin Shetty | 05 Apr 2006 1:02 PM

Hello group,
Forgot to mention one more thing. In order to speed up the whole process of encryption and decryption, it makes sense to use hybrid encryption, where the data is encrypted with a symmetric key (AES) and the symmetric key is protected by asymmetric encryption. Hope this clears the air. I also think it's time for me to include all this in my new article. Thanks to you all for asking such thought-provoking questions. Hope the new article rolls out soon.
Regards
Sachin

P.S.: SmartTrust's mobile PKI implementation for Mobitel (Slovenia): http://www.smarttrust.com/company/pdf/pr_20060403_mobitel.pdf
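
What a signed, hybrid-encrypted SMS transaction could look like, tying together the digitally signed SMS from comment 2, the mobile PKI (authentication, non-repudiation, confidentiality, integrity) from comment 9 and the hybrid encryption from comment 10. This is an added example in Go, not code from the article, from SmartTrust or from any WIM/SWIM product: the phone signs the transaction text with an Ed25519 key standing in for the SIM-held signing key, a fresh AES-256 key encrypts message plus signature with AES-GCM, and that one-time key is wrapped with the bank's RSA public key using OAEP. The key generation, the sample transaction text and the Envelope layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the assumed wire layout for one signed and encrypted SMS transaction.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the bank
	Nonce      []byte // AES-GCM nonce, unique per envelope
	Ciphertext []byte // AES-GCM(message || Ed25519 signature), tag included
}

// GenerateKeys makes the phone's signing key pair and the bank's RSA key pair.
// In a mobile-PKI deployment the signing key would live on the WIM/SWIM SIM.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey, error) {
	phonePub, phonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	bankKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	return phonePub, phonePriv, bankKey, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the phone: sign the transaction, encrypt message+signature under a
// fresh symmetric key, then protect that key with the bank's public key (hybrid encryption).
func Seal(msg []byte, phonePriv ed25519.PrivateKey, bankPub *rsa.PublicKey) (*Envelope, error) {
	sig := ed25519.Sign(phonePriv, msg)
	plain := append(append([]byte{}, msg...), sig...)
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open runs at the bank: unwrap the symmetric key, decrypt (GCM rejects any change to the
// ciphertext), then verify the signature against the key registered for the sending customer.
// Only a verifying signature is evidence for non-repudiation; the originating number alone is not.
func Open(env *Envelope, bankPriv *rsa.PrivateKey, phonePub ed25519.PublicKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bankPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: " + err.Error())
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	msg, sig := plain[:len(plain)-ed25519.SignatureSize], plain[len(plain)-ed25519.SignatureSize:]
	if !ed25519.Verify(phonePub, msg, sig) {
		return nil, errors.New("signature does not verify for this customer's key")
	}
	return msg, nil
}

func main() {
	phonePub, phonePriv, bankKey, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample transaction; a real one should also carry a counter or timestamp against replay.
	env, err := Seal([]byte("TRANSFER 5000 TO 1234567890 REF 42"), phonePriv, &bankKey.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, bankKey, phonePub)
	fmt.Printf("bank accepted: %q (err=%v)\n", msg, err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(env, bankKey, phonePub)
	fmt.Println("after tampering:", err)
}
```

Two practical caveats: the RSA-2048 wrapped key alone is 256 bytes, more than one 140-byte SMS carries, so a real deployment either uses concatenated SMS or keeps the envelope small with elliptic-curve key agreement and certificates held on the SIM, as the mobile PKI products mentioned here do; and the signature proves only who signed and what, so the signed text must include a counter or timestamp, and the bank must still keep the per-number logs from comment 2, or the same signed transfer can simply be submitted twice.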

11. Dean Procter | 10 Apr 2006 6:19 PM

It is possible to capture an SMS sent to a mobile phone. Simply spoof the phone and use another to dial the real phone so it is busy when the SMS arrives.

12. Marek | 12 Apr 2006 2:47 AM

I have a comment on one of the previous comments: "It is possible to crack encryption in systems like GSM, however this has only been done in simulated lab environments. I don't know of any such incident where a person was able to crack the encryption by capturing packets on the air." Unfortunately you are wrong here. If you have enough cash you can buy a ready-made device that will capture all SMS, phone conversations and GPRS data from 8 different mobile phone users in real time, within a limited range. This cracks both the A5/2 and A5/1 algorithms in REAL TIME. If you have enough time and a budget of, let's say, $20K, you can make such a device supporting 1 channel yourself. If you have such a device you can easily capture SMS transmitted through GSM networks, and for this reason I prefer to use CDMA.

Overall, the security of SMS banking depends on the implementation, and there are a number of banks that have implemented it incorrectly and could be very easy targets for malicious hackers.

13. Khem Hughes | 20 Apr 2006 7:51 AM

"Regarding your other concern of decryption of messages at the wireless providers end, i must say that it is surely a concern and appropriate measures should be taken to reduce the risk"

Dear Sachin,
Concerning this comment, what possible measures can the wireless providers and the Bulk SMS providers implement to prevent their staff from accessing sensitive information?

Best Regards
Khem

14. Praveen | 09 Oct 2006 12:07 PM

Hi Sachin,

I have a requirement where I need to use a password for a CDMA mobile application which should not be stored in flat files or the Embedded File System (EFS), or should be encrypted in a better way to protect it from the wrong hands.
Please help me in this regard.

Thanks
Praveen.

16. Md hasanur Rahman | 07 Mar 2007 1:33 PM

Hello Sachin,

I got some ideas after visiting your site about mobile banking, i.e. SMS banking. I am working as the IT manager of a newly established bank in Afghanistan. Now I want to introduce an SMS banking facility in my bank. We are using banking software purchased from Bangladesh. Its database is SQL Server 2000, and it is a central storage system. We have only one Head Office and one Branch Office, but we are going to open more branch offices within some months.

So in this regard I have some questions for you:

1. What will be the steps for introducing SMS banking?
2. How will the SMS server work with our central database server?
3. Which type of company provides this service? The local telecom provider company or not?
4. Please send me the total network diagram of the SMS banking system.

I'm an IT student studying "security approaches in SMS banking". Would you please give me some references? Thanks.

18. Anonymous Reader | 13 Nov 2007 5:29 AM

Just to let you folks know that the content of ALL SMS can be seen at the service provider. SMSC engineers can definitely see the content; this includes both GSM & CDMA.

I am an SMSC engineer for a CDMA network. We encrypt SMS before sending it to the SS7 provider, so hopefully they can't see the content.

I'm an E-Commerce student and I need some information about SMS banking for my thesis. Please help me; I need some references.

Hi Sachin,
Both of your articles on SMS banking are very informative, as are the discussions. They are a bit old, but still relevant.

I have a question: even today some banks are providing a fund transfer facility on mobile banking with the normal SMS service (even phones which don't support Java and GPRS are able to avail of this service). In this scenario how does the bank ensure the security of the transaction, since anyone can sniff the SMS and IPIN and hack the system, as they are not even encrypted?

Thanks & Regards,
Saket

21. hamada | 15 Jan 2008 8:10 PM

As you know, mobile banking through SMS works over the GSM network, which means there is no need for an internet connection.
So please can you tell me what the need for the HTTPS protocol in that diagram is?

22. MAIWAND | 28 May 2008 5:11 PM

Hi Sachin,
In fact I need informative notes about how to do mobile banking through an SMSC and what the mechanism of it is at all.
I wish you can help me.
Thanks in advance.
