Detection and Prevention of security vulnerabilities associated with mobile banking applications
![Page 1: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/1.jpg)
Detection and prevention of
security vulnerabilities associated
with mobile banking applications
Team: TRAC
Members: Tessy Sebastian
Rafael Santana
Alisa Pinchuk
Clinton D Souza
![Page 2: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/2.jpg)
Agenda
• Objective
• Background
• Related Work
• Our Approach
• Results
• Conclusion
• Contribution
• Questions
![Page 3: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/3.jpg)
Objective
• Purpose: analyze the security aspects of mobile
banking applications
• Analyze current exploitation techniques against them
• Analyze the types of intrusion detection techniques
• Propose an authentication methodology for mobile
banking applications
![Page 4: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/4.jpg)
Background
• “Electronic banking – the execution of financial
services via the Internet – changed the business of
retail banks significantly, at the same time reducing
costs and increasing convenience for the customer”
(Pousttchi & Schurig, 2004).
• Enhance access, user-friendliness and availability
• Concern over the authenticity and integrity of data
![Page 5: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/5.jpg)
Common Mobile Application Attacks
• Information Disclosure
• Logical attacks
• Phishing
• Sniffing
![Page 6: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/6.jpg)
Information Disclosure
• Information leakage, loss and distortion
• Exposure through the use of wireless data networks
• Tools that protect the wireless transmission
medium
![Page 7: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/7.jpg)
Logical attacks
• Abuse of functionality, denial of service,
insufficient anti-automation, insufficient
process validation
• DDoS attack
  o slows down the response of the system
  o users are unable to access the mobile banking system normally
![Page 8: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/8.jpg)
Phishing
• Masquerading as a trustworthy entity to obtain
credentials
• Vishing (phishing over voice calls)
• Smishing (phishing over SMS)
![Page 9: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/9.jpg)
Sniffing
• Passive sniffing
  o reads information off the communication medium
• Active sniffing
  o injects packets into the traffic
• Wi-Fi sniffing
  o captures data that is sent unencrypted over the wireless network
• Performed with sniffer software
![Page 10: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/10.jpg)
Related Work : Intrusion Detection
• Stephen and Wilson in their research paper
proposed a detection technique based on
global and local observations of user’s
behavior
• Karlsen and Killingberg designed and
implemented an intrusion detection
technique for internet banking systems
based on profiles
![Page 11: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/11.jpg)
Intrusion Detection
• Detect or identify an attempt to gain
unauthorized access
• Intrusion detection systems (IDS)
• Two intrusion detection techniques
  o Anomaly Detection
  o Misuse Detection
![Page 12: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/12.jpg)
Current Intrusion Detection
Techniques
• User-profile-based intrusion detection
technique
  o Uses the user's behavior to detect anomalies
  o User statistics, usage pattern, transaction amount
• Drawbacks
  o Needs a considerable amount of data per user
  o Natural changes in usage pattern look like anomalies
![Page 13: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/13.jpg)
Our Approach
Detection
Profile Based Intrusion Detection
• Composed of five models that together form a session
structure profile:
  o Usage patterns
  o Inter-request time delay
  o Session time
  o User statistics
  o Response
![Page 14: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/14.jpg)
Detection
Data source: Transaction Log
  o Transactions performed by the user
The session structure profile:
  o Attempts to flag an unusual sequence of
actions within a session
  o Classifies an unusual sequence as an anomaly
  o Evaluates the interaction between the user and the
application rather than single values
Analyzed by: Markov Chain
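The session-structure profile above, as an added example that is not code from the presentation: a per-user first-order Markov chain over the actions in a session, trained from transaction-log rows, plus the inter-request delay model. The log rows, action names, smoothing constant, margin and pace ratio are all constructed for this example, not taken from the slides.

```python
import math
import statistics
from collections import defaultdict

# Constructed transaction-log rows (not data from the presentation):
# (user, session_id, seconds since session start, action)
SAMPLE_LOG = [
    ("alice", "s1", 0, "login"), ("alice", "s1", 12, "view_balance"),
    ("alice", "s1", 40, "view_statement"), ("alice", "s1", 55, "logout"),
    ("alice", "s2", 0, "login"), ("alice", "s2", 9, "view_balance"),
    ("alice", "s2", 30, "pay_bill"), ("alice", "s2", 70, "logout"),
    ("alice", "s3", 0, "login"), ("alice", "s3", 15, "view_balance"),
    ("alice", "s3", 45, "view_statement"), ("alice", "s3", 80, "pay_bill"),
    ("alice", "s3", 100, "logout"),
]


def sessions_from_log(rows, user):
    """Group one user's log rows by session -> list of (actions, inter-request delays)."""
    by_session = defaultdict(list)
    for u, sid, ts, action in rows:
        if u == user:
            by_session[sid].append((ts, action))
    sessions = []
    for sid in sorted(by_session):
        events = sorted(by_session[sid])
        actions = [a for _, a in events]
        delays = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sessions.append((actions, delays))
    return sessions


class SessionProfile:
    START, END = "<start>", "<end>"

    def __init__(self, margin=0.5, pace_ratio=0.25, alpha=1.0):
        self.margin = margin          # assumed: tolerance below the worst legitimate session
        self.pace_ratio = pace_ratio  # assumed: flag if median delay < this fraction of normal
        self.alpha = alpha            # Laplace smoothing: unseen transitions are rare, not impossible
        self.counts = {}              # counts[a][b] = number of times action b followed action a
        self.vocab = set()
        self.threshold = None
        self.delay_floor = None

    def train(self, sessions):
        all_delays = []
        for actions, delays in sessions:
            seq = [self.START] + actions + [self.END]
            for a, b in zip(seq, seq[1:]):
                self.counts.setdefault(a, {})
                self.counts[a][b] = self.counts[a].get(b, 0) + 1
                self.vocab.update((a, b))
            all_delays.extend(delays)
        # Thresholds come from the user's own history, so ordinary variation is tolerated.
        self.threshold = min(self.structure_score(a) for a, _ in sessions) - self.margin
        self.delay_floor = statistics.median(all_delays) * self.pace_ratio

    def transition_logprob(self, a, b):
        row = self.counts.get(a, {})
        total = sum(row.values())
        return math.log((row.get(b, 0) + self.alpha) / (total + self.alpha * len(self.vocab)))

    def structure_score(self, actions):
        """Average per-transition log-likelihood of the session under this user's chain."""
        seq = [self.START] + actions + [self.END]
        return sum(self.transition_logprob(a, b) for a, b in zip(seq, seq[1:])) / (len(seq) - 1)

    def evaluate(self, actions, delays):
        """Return the reasons a session looks anomalous (an empty list means normal)."""
        reasons = []
        score = self.structure_score(actions)
        if score < self.threshold:
            reasons.append("unusual action sequence (score %.2f < %.2f)" % (score, self.threshold))
        if delays and statistics.median(delays) < self.delay_floor:
            reasons.append("requests paced faster than this user's normal behaviour")
        return reasons


def build_profile(user="alice", rows=SAMPLE_LOG):
    profile = SessionProfile()
    profile.train(sessions_from_log(rows, user))
    return profile


if __name__ == "__main__":
    p = build_profile()
    print(p.evaluate(["login", "view_balance", "pay_bill", "logout"], [10, 25, 30]))
    # A scripted drain of the account: never-seen transitions, machine-speed requests.
    print(p.evaluate(["login", "transfer_funds", "transfer_funds", "transfer_funds", "logout"],
                     [1, 1, 1, 2]))
```

The smoothing term is what keeps a single new but harmless action from scoring as impossible; the margin then decides how far below the user's worst legitimate session a new session may fall, which is exactly the false-positive trade-off the Results slide raises.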
![Page 15: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/15.jpg)
Prevention
Two Factor Authentication
Authentication that requires the user to present two of three
independent factors (multi-factor authentication generalises this to two or more):
1. Knowledge factor: something the user knows (e.g. a PIN).
2. Possession factor: something the user has (e.g. the phone or a token).
3. Inherence factor: something the user is (e.g. a voiceprint).
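The knowledge-plus-inherence combination the team proposes (PIN and voice), as an added example covering the registration and login/handshake phases; this is not code from the presentation. The speaker-verification model is assumed to exist elsewhere and to hand back a numeric score for the attempt (for a GMM-UBM system, a log-likelihood ratio); the threshold, iteration count and lockout limit are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000
VOICE_ACCEPT_THRESHOLD = 2.0  # assumed: minimum speaker-verification score for the inherence factor
MAX_FAILURES = 5              # assumed: lock the account after this many failed logins


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Hashing keeps the PIN out of a database dump, but a 4-digit PIN has only 10^4
    # values, so the server-side lockout below is the control that actually matters.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enrol(pin: str) -> dict:
    """Registration phase: store a salted PIN hash and a failure counter for the user."""
    salt = os.urandom(16)
    return {"pin_salt": salt, "pin_hash": _pin_hash(pin, salt), "failures": 0}


def verify(record: dict, pin: str, voice_score: float) -> bool:
    """Login/handshake phase: both factors must pass in one attempt.

    voice_score is the score the external speaker-verification model produced for
    this attempt (assumed input). Both factors are evaluated before answering and a
    single generic result is returned, so a failed attempt does not reveal which
    factor was wrong.
    """
    if record["failures"] >= MAX_FAILURES:
        return False  # locked: refuse even correct credentials until reset out of band
    pin_ok = hmac.compare_digest(record["pin_hash"], _pin_hash(pin, record["pin_salt"]))
    voice_ok = voice_score >= VOICE_ACCEPT_THRESHOLD
    if pin_ok and voice_ok:
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    user = enrol("4821")
    print(verify(user, "4821", 3.5))  # both factors pass
    print(verify(user, "4821", 0.4))  # right PIN, voice not matched
    print(verify(user, "0000", 3.5))  # voice matched, wrong PIN
```

`hmac.compare_digest` is used rather than `==` so the PIN comparison does not leak by timing; the counter is reset only on a fully successful login, so an attacker cannot keep the account unlocked by supplying one correct factor.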
![Page 16: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/16.jpg)
Phases of Authentication
![Page 17: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/17.jpg)
Registration Phase
![Page 18: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/18.jpg)
Login/Handshake Phase
![Page 19: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/19.jpg)
Transmission Phase
• Describes how user information is transmitted over the
internet.
• The user has no control over the transmission medium (public
Wi-Fi, the carrier network).
• Banking institutions rely on SSL/TLS; the TLS handshake
authenticates the server and negotiates session keys before any
banking data is sent.
• This establishes a secure connection only if the client actually
verifies the server certificate and hostname and refuses obsolete
protocol versions (SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated); a
mobile app that disables certificate validation is defeated by any
attacker on the same wireless network.
• Certain research papers propose the use of steganography
as the medium of transmission.
• The existence of the data is hidden within an image or audio file
that is transmitted to the banking server.
• Steganography conceals rather than protects: without encryption
underneath, anyone who knows the embedding scheme can recover the
data, so it complements TLS rather than replacing it.
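The transmission-phase check a reviewer would run against a mobile banking client, as an added example that is not code from the presentation: the weak client configuration (validation switched off) beside the corrected one, plus certificate-fingerprint pinning, which a bank can use because it controls its own endpoints. The host names, pin set and the sample certificate bytes are constructed for this example; `connect_pinned` needs a network and is only shown for usage.

```python
import hashlib
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: no certificate or hostname validation. Any attacker on the
    same Wi-Fi can present their own certificate and read or alter the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def banking_client_context(cafile=None) -> ssl.SSLContext:
    """The corrected setting: chain and hostname verified, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression of secrets enables CRIME-style leaks
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """The check to apply to an app's SSLContext during review."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def certificate_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as shipped in a pin set."""
    return hashlib.sha256(der_cert).hexdigest()


def pinned_certificate_ok(der_cert: bytes, pins: set) -> bool:
    """Accept the server only if its certificate fingerprint is one the app ships with."""
    return certificate_fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int, pins: set, cafile=None):
    """Usage (needs a network): TLS with chain validation, then the pin check on top."""
    ctx = banking_client_context(cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pinned_certificate_ok(der, pins):
                raise ssl.SSLError("server certificate does not match the pinned fingerprint")
            return tls.version(), certificate_fingerprint(der)


if __name__ == "__main__":
    print("hardened:", context_is_hardened(banking_client_context()))
    print("weak:", context_is_hardened(insecure_client_context()))
    # Assumed host and pin set; the pin would normally be computed from the bank's real certificate.
    # print(connect_pinned("bank.example", 443, {"<sha256 hex of the bank's DER certificate>"}))
```

Pinning the whole certificate (rather than the public key) means the pin set must be updated before each certificate rotation, so ship at least one backup pin; the chain validation in `banking_client_context` still applies underneath, the pin only narrows which valid certificates are accepted.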
![Page 20: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/20.jpg)
Verification Phase
![Page 21: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/21.jpg)
Data Transfer
• Data transactions can be transferred over the channel
using the secure WTLS protocol.
• WTLS is the WAP transport-layer security protocol derived from
TLS; like TLS it uses modern cryptographic algorithms and lets
client and server negotiate a cipher suite.
• Caveat: WTLS terminates at the WAP gateway, which decrypts and
re-encrypts traffic towards the bank (the "WAP gap"), so it is not
end-to-end; WAP 2.0 and smartphone apps use TLS over IP directly.
• The data transfer section handles user actions and queries
such as checking the new balance, adding funds,
depositing a cheque, etc.
![Page 22: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/22.jpg)
Mutual Authentication
• Two effective ways to deliver the authentication
notification are email and SMS: the user is told of each login
or handshake on a second channel.
• Building on the intrusion detection sections, this strengthens
detection: the notification lets the legitimate user spot
unauthorized access even when the automated profile did not flag it.
![Page 23: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/23.jpg)
Results : Prevention
PROS
• According to the cited work, speech-based authentication
currently has an error rate of less than 1%, down from about 33%
in 2003.
• A research paper published in 2010 by Shen, Zheng, Zheng and
Li provided statistical and modular data supporting the
effectiveness of speaker verification using the GMM-UBM
approach.
CONS
• More work needs to be done on separating background
noise from the user's speech.
![Page 24: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/24.jpg)
Results : Detection
PROS
• The session structure profile provides a complete picture of the
user's behavior within a session
• It detects deviations in overall behavior rather than in
individual values such as a single transaction amount.
CONS
• The approach shows promising results, but previous research
indicates that some legitimate activity may be flagged as
fraudulent (false positives), since natural changes in usage
pattern look like anomalies.
![Page 25: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/25.jpg)
Conclusion
• We discussed various types of attacks that occur on
mobile devices, and attacks that target mobile banking
specifically.
• We additionally discussed current intrusion
detection systems.
• Finally, we proposed an authentication mechanism.
![Page 26: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/26.jpg)
Contributions
• Alisa Pinchuk:
  o Selected relevant attacks on mobile banking applications, and provided the foundation for showing that the proposed solutions will help reduce the occurrence of those attacks.
• Clinton D Souza:
  o Designed two-factor authentication using a PIN and voice recognition, based on recent studies and current authentication system implementations.
• Rafael Santana:
  o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.
• Tessy Sebastian:
  o Found very unique intrusion detection systems that are being proposed in the research community and which, if implemented, will assist banking systems in better protecting their deployed servers and applications.
![Page 27: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/27.jpg)
References
1. Nie, J., & Hu, X. (2008). Mobile banking information security and protection methods. Retrieved from <http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=4722412&tag=1>
2. Ruggiero, P., & Foote, J. (n.d.). Cyber threats to mobile phones. Retrieved from <http://www.us-cert.gov/reading_room/cyber_threats_to_mobile_phones.pdf>
3. Shen, L., Zheng, N., Zheng, S., & Li, W. (n.d.). Secure mobile services by face and speech based personal authentication.
4. Sanderson, C., Bengio, S., Bourlard, H., Mariethoz, J., Collobert, R., BenZeghiba, M. F., Cardinaux, F., & Marcel, S. (2003). Speech & face based biometric authentication at IDIAP. Proceedings of the 2003 International Conference on Multimedia and Expo (ICME '03), vol. 3, pp. III-1–4, 6–9 July 2003.
5. Yang, W., Wu, Y., & Chen, G. (2011). Application of voice recognition for mobile e-commerce security. 2011 Third Pacific-Asia Conference on Circuits, Communications and System (PACCS), pp. 1–4, 17–18 July 2011. doi:10.1109/PACCS.2011.5990286. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5990286&isnumber=5990080
![Page 28: Detection and Prevention of security vulnerabilities associated with mobile banking applications](https://reader033.fdocuments.in/reader033/viewer/2022052307/5575c27ad8b42a312a8b4abe/html5/thumbnails/28.jpg)
Questions
?