CISC 849 : Applications in Fintech Cybersecurity in Banking

Upload: shona-townsend

Posted on 18-Jan-2016


Page 1: CISC 849 : Applications in Fintech Cybersecurity in Banking

CISC 849 : Applications in Fintech

Cybersecurity in Banking

Page 2: Performance Evaluation on End-to-End Security Architecture for Mobile Banking System

Ashraf Bah
Computer & Information Sciences, University of Delaware

Page 3: Factors driving cyber attacks

Unfriendly nations seeking intelligence or intellectual property
Hacktivists making political statements
Organized crime groups seeking money
It is easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber fraud

Page 4: Where are IT systems managed

Page 5: Frequency at which managers are updated

Page 6: Mobile Banking Operations

Balance inquiries
Payments
Transfers
Notifications: overdraft alerts, low balance warnings, large transaction alerts

Page 7: SMS Banking

The bank and the client communicate through SMS (Short Message Service) messages.

Problem: SMS messages are carried in plaintext by default.

Mutual authentication, text encryption, end-to-end security and non-repudiation were left out when the GSM architecture was designed.

There is no end-to-end encryption. The only encryption is on the radio link between the handset and the base transceiver station, using the A5 family of stream ciphers (A5/1, A5/2), which have known practical attacks. From the base station onwards, through the operator's SMS centre to the bank, the message travels in plaintext unless the operator and the bank add protection of their own.

Page 8: Using GPRS: WAP Site Banking

WAP (Wireless Application Protocol) "is a technical standard for accessing information over a mobile wireless network." (Wikipedia)

Consumers with WAP access can perform banking the same way it is done over the Internet.

Mobile banking over WAP is encrypted on each hop, but there are loopholes that can lead to insecure communication: the client speaks WTLS to the operator's WAP gateway and the gateway speaks SSL/TLS to the bank, so there is no end-to-end encryption between the client and the bank. Traffic is decrypted and re-encrypted inside the gateway (the "WAP gap"), where a third party can read it.

To resolve this, the bank could run its own Access Point Name (APN) and gateway, so that no third party sits in the middle.

Page 9: Public Key Infrastructure for Mobile Banking

Each party holds a key pair: a public key, which anyone may use to encrypt to that party, and a private key, which only that party holds and uses to decrypt.

It works as follows:
The user obtains the bank's public key from the directory and uses it to encrypt the message.
The encrypted message is sent to the bank server.
Only the bank server, which holds the private key, is able to decrypt the message.

Although everybody can read public-key directories, they must be protected from falsification: if an attacker can replace the bank's directory entry with a key of their own, the attacker can decrypt everything the user sends. Hence a good PKI, in which a certificate authority signs the binding between the bank and its key, is needed.

Page 10: Proposed Framework

Goal: Secure sensitive data over the GPRS network, regardless of the transport protocol

Page 11: Proposed Framework: Device Authentication

Page 12: Proposed Framework: Client Functionality

Page 13: Proposed Framework: Server Functionality

Receives the client's public key together with the concatenated message, and splits the message into the encrypted message digest and the encrypted option-id and secret key
Decrypts the option-id and secret key using the server's private key
If the secret key is not in the database, sends an error message
Otherwise, decrypts the message digest using the PIN number and the digital signature
Using the client's public key, the digital signature is decrypted and split into option-id and secret key
Verifies that the original message in the digital signature is the same as the original message in the decrypted message
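The client and server sides of the scheme on Pages 9 and 13, as an added example in Go that is not the paper's J2ME/J2EE code. The slides do not give the byte layout of the concatenated message, the padding modes, or what exactly the "encrypted digest" is, so the following are assumptions made for this example: a two-byte option-id followed by the secret key is wrapped with RSA-OAEP under the bank's public key, the digest is SHA-1 over option-id, secret key and transaction text, and the "encrypted digest" is an RSA PKCS#1 v1.5 signature of that digest made with the client's private key. The secret key, the transaction text and the key sizes (1024-bit RSA, as in the paper) are constructed sample values. The enrolment check in Handle is an addition, marked in the code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Envelope is what the client sends. Its layout is an assumption for this example; the
// slides only say the client sends its public key plus a concatenation of an encrypted
// digest and an encrypted option-id and secret key.
type Envelope struct {
	ClientPub   *rsa.PublicKey // sent in the clear, as on the slides
	WrappedKeys []byte         // RSA-OAEP under the bank's public key: option-id || secret key
	Signature   []byte         // client's RSA signature over SHA-1(option-id || secret key || payload)
	Payload     []byte         // the transaction text
}

// digest binds option-id, secret key and payload together (SHA-1, as in the paper).
func digest(optionID uint16, secretKey, payload []byte) []byte {
	h := sha1.New()
	h.Write(binary.BigEndian.AppendUint16(nil, optionID))
	h.Write(secretKey)
	h.Write(payload)
	return h.Sum(nil)
}

// ClientBuild is the client side: wrap (option-id, secret key) so that only the bank
// can read them, then sign the digest of the whole request with the client's key.
func ClientBuild(clientPriv *rsa.PrivateKey, bankPub *rsa.PublicKey,
	optionID uint16, secretKey, payload []byte) (*Envelope, error) {
	plain := append(binary.BigEndian.AppendUint16(nil, optionID), secretKey...)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, bankPub, plain, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, clientPriv, crypto.SHA1, digest(optionID, secretKey, payload))
	if err != nil {
		return nil, err
	}
	return &Envelope{&clientPriv.PublicKey, wrapped, sig, payload}, nil
}

// Bank holds the server's private key and the enrolled clients, keyed by the secret
// key issued to each (the "database" on the slides).
type Bank struct {
	priv     *rsa.PrivateKey
	enrolled map[string]*rsa.PublicKey
}

// Handle is the server side; each error is one of the rejection paths.
func (b *Bank) Handle(e *Envelope) (uint16, []byte, error) {
	plain, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, b.priv, e.WrappedKeys, nil)
	if err != nil || len(plain) < 3 {
		return 0, nil, errors.New("cannot unwrap option-id and secret key")
	}
	optionID, secretKey := binary.BigEndian.Uint16(plain[:2]), plain[2:]
	pub, ok := b.enrolled[string(secretKey)]
	if !ok {
		return 0, nil, errors.New("secret key not in database") // the slides' error path
	}
	// Added check, not on the slides: the key presented must be the one enrolled for this
	// secret key, otherwise anyone who learned the secret key could sign with a key of their own.
	if !e.ClientPub.Equal(pub) {
		return 0, nil, errors.New("client public key does not match enrolment")
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest(optionID, secretKey, e.Payload), e.Signature) != nil {
		return 0, nil, errors.New("digest mismatch: signature does not verify")
	}
	return optionID, e.Payload, nil
}

// Demo enrols one client and submits a genuine transfer, a forgery signed with an
// attacker's key, a request carrying a secret key the bank never issued, and the
// genuine message altered after signing. Keys are 1024-bit as in the paper; use 2048+ today.
func Demo() (map[string]error, error) {
	bankKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	clientKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	secret := []byte("K-7731-enrolled")                   // constructed secret key issued at enrolment
	payload := []byte("TRANSFER 250.00 FROM 1001 TO 2002") // constructed transaction
	bank := &Bank{bankKey, map[string]*rsa.PublicKey{string(secret): &clientKey.PublicKey}}
	verdict := func(e *Envelope, err error) error {
		if err == nil {
			_, _, err = bank.Handle(e)
		}
		return err
	}
	env, err := ClientBuild(clientKey, &bankKey.PublicKey, 2, secret, payload)
	if err != nil {
		return nil, err
	}
	v := map[string]error{
		"genuine": verdict(env, nil),
		"forged":  verdict(ClientBuild(attackerKey, &bankKey.PublicKey, 2, secret, payload)),
		"unknown": verdict(ClientBuild(clientKey, &bankKey.PublicKey, 2, []byte("never-issued"), payload)),
	}
	env.Payload = []byte("TRANSFER 250.00 FROM 1001 TO 6666") // altered after signing
	v["tampered"] = verdict(env, nil)
	return v, nil
}
```

Demo returns nil for the genuine request and an error for the other three. On the slides the server verifies with whatever public key the client sent, so a party who learns a secret key can present a key pair of their own choosing; comparing the presented key with the one registered at enrolment closes that hole. SHA-1 and 1024-bit RSA are kept here only because the paper used them; a current deployment would use SHA-256 and 2048-bit or larger RSA keys, or ECDSA.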

Page 14: Experimental Setup

Basic client-server model
Heavy operations such as object creation are kept to a minimum
Expensive computations are performed on the server side
Intensive throwing and catching of input/output and data-exchange exceptions to detect wireless network connection failures
J2ME on the client side, J2EE on the server side

Page 15: Technologies Used

Message digest algorithm: NIST's SHA-1 (no longer acceptable for signatures: practical collisions were demonstrated in 2017)
Encryption algorithms:
RSA with 1024-bit keys (below the 2048-bit minimum recommended today)
3DES with a 168-bit key (three 56-bit DES keys; the "1024" on the original slide is an RSA key size, not a valid 3DES key length)
AES with a 256-bit key

J2ME Wireless Toolkit (WTK) v2.5: used to compile, build, package and execute MIDP apps, and as a debugger

Wireless client: Nokia N72
Server: Apache Tomcat
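A measurement harness of the kind the paper's time results call for, as an added Go example that is not the paper's code: it encrypts and decrypts one constructed request with each of the three algorithms and records key size, ciphertext size and elapsed time. Assumptions: AES-256 in GCM mode and 3DES in CTR mode (the slides do not say which modes were used), RSA-OAEP with SHA-1, and a 1024-bit RSA key as on the slide. The block also shows why the framework wraps only the short option-id and secret key with RSA: a 1024-bit RSA-OAEP operation with SHA-1 can carry at most 86 bytes of plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
	"time"
)

// Result is one row: algorithm, key bits, ciphertext bytes, time of one encrypt+decrypt (key setup excluded).
type Result struct {
	Name      string
	KeyBits   int
	CipherLen int
	Elapsed   time.Duration
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// AESRound uses AES-256-GCM: a 32-byte key; the authentication tag adds 16 bytes to the ciphertext.
func AESRound(msg []byte) (Result, error) {
	block, _ := aes.NewCipher(randomBytes(32)) // 32 bytes is a valid AES key size, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	start := time.Now()
	ct := gcm.Seal(nil, nonce, msg, nil)
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil || !bytes.Equal(pt, msg) {
		return Result{}, errors.New("AES round trip failed")
	}
	return Result{"AES-256-GCM", 256, len(ct), time.Since(start)}, nil
}

// TDESRound uses 3DES in CTR mode. The key is 24 bytes: three 56-bit DES keys, i.e.
// 168 key bits (192 with parity bits). A "1024-bit 3DES key" does not exist.
func TDESRound(msg []byte) (Result, error) {
	block, _ := des.NewTripleDESCipher(randomBytes(24)) // 24 bytes is the only valid 3DES key size
	iv := randomBytes(des.BlockSize)
	start := time.Now()
	ct := make([]byte, len(msg))
	cipher.NewCTR(block, iv).XORKeyStream(ct, msg)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	if !bytes.Equal(pt, msg) {
		return Result{}, errors.New("3DES round trip failed")
	}
	return Result{"3DES-CTR", 168, len(ct), time.Since(start)}, nil
}

// MaxRSAPlaintext is the largest message RSA-OAEP with SHA-1 can encrypt directly:
// k - 2*hLen - 2 bytes for a k-byte modulus, which is 86 bytes for a 1024-bit key.
func MaxRSAPlaintext(keyBits int) int { return keyBits/8 - 2*sha1.Size - 2 }

// RSARound uses RSA-OAEP. Messages longer than MaxRSAPlaintext are rejected by EncryptOAEP,
// which is why such schemes wrap only a short key with RSA and leave the bulk to a block cipher.
func RSARound(msg []byte, priv *rsa.PrivateKey) (Result, error) {
	start := time.Now()
	ct, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, &priv.PublicKey, msg, nil)
	if err != nil {
		return Result{}, err
	}
	pt, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, ct, nil)
	if err != nil || !bytes.Equal(pt, msg) {
		return Result{}, errors.New("RSA round trip failed")
	}
	return Result{"RSA-OAEP", priv.N.BitLen(), len(ct), time.Since(start)}, nil
}

// Compare runs all three on one message with fresh keys; 1024-bit RSA as in the paper.
func Compare(msg []byte) ([]Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	var out []Result
	for _, round := range []func([]byte) (Result, error){
		AESRound, TDESRound, func(m []byte) (Result, error) { return RSARound(m, priv) },
	} {
		r, err := round(msg)
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	rs, err := Compare([]byte("BALANCE 1001 PIN 4321")) // constructed request
	if err != nil {
		panic(err)
	}
	for _, r := range rs {
		fmt.Printf("%-12s key=%4d bits  ciphertext=%3d bytes  %v\n", r.Name, r.KeyBits, r.CipherLen, r.Elapsed)
	}
}
```

Run it a few times: the two symmetric ciphers finish in microseconds and 3DES is noticeably slower than AES, while the RSA private-key operation dominates, which is the pattern the paper's time chart is measuring. Passing Compare a message longer than 86 bytes makes the RSA row fail with rsa.ErrMessageTooLong while the AES and 3DES rows still succeed.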

Page 16: Results: Time Measurements

Page 17: Results: Memory Measurements

Page 18: Merits of the paper

Encrypting the messages that make up mobile banking transactions provides confidentiality, and the signed digest provides message integrity
The system uses a public-key infrastructure that is independent of financial institutions, network operators and mobile banking intermediaries but can be used by all of them
No browser is needed
The time and memory measurements make clear which of the three ciphers costs least on the handset

Page 19: Shortcomings of the paper

The authors say nothing about the pros and cons of the three ciphers, or which is the strongest choice for encryption (as opposed to the cheapest in time and memory)
The paper was published in 2008. iOS was unveiled in 2007 and Android was announced the same year (Android Inc. was founded in 2003; the first commercial Android device shipped in 2008), yet the paper mentions neither
No comparison with other handsets (other Nokia models, Samsung)
Many typos

Page 20: ECC-Based Biometric Signature: A New Approach in Electronic Banking Security

Page 21: Emerging Security Trends

Integrating biometrics into mobile banking apps (fingerprint, voice recognition)
Combining biometrics and PKI

Page 22: Approach

Resolves PKI's key management problem: private keys can be generated directly from the biometric scan, so no private key has to be stored on the device
Uses an ECC-based biometric signature, in which the ECC algorithm generates and verifies the signatures online
ECC (Elliptic Curve Cryptography)-based biometrics have advantages over RSA-based biometrics: much smaller keys for the same security level (a 256-bit curve is comparable to 3072-bit RSA), so less computation, bandwidth and storage on a handset

Page 23: Advantages of the Approach

In this mechanism there is no need to store or transmit any private value: by sharing a few public values and using a live biometric scan, the two parties can share a secret key.
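The key agreement described on Pages 22 and 23, as an added Go example that is not the paper's scheme: the customer's private scalar is regenerated from a live scan, only public values are exchanged, and the bank stores nothing but the customer's public point. Assumptions: P-256 ECDH stands in for the paper's unspecified ECC construction, the scalar is a salted SHA-256 hash of the template reduced into the curve's scalar range, and the template bytes and salt are constructed values, not biometric data. The second case in Demo shows the failure mode the slides leave out: a scan that differs by a single bit yields a completely different key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Template stands in for a biometric feature vector; values here are constructed.
type Template []byte

// ScalarFromScan derives a P-256 private scalar from a scan. It assumes the scan
// yields exactly the same template every time; a real system puts a fuzzy extractor
// in front of this step (see the noisy-scan case in Demo).
func ScalarFromScan(scan Template, salt []byte) (*ecdh.PrivateKey, error) {
	h := sha256.Sum256(append(append([]byte{}, salt...), scan...))
	n := elliptic.P256().Params().N
	k := new(big.Int).SetBytes(h[:]) // map the hash into [1, n-1], the valid scalar range
	k.Mod(k, new(big.Int).Sub(n, big.NewInt(1))).Add(k, big.NewInt(1))
	raw := make([]byte, 32)
	k.FillBytes(raw)
	return ecdh.P256().NewPrivateKey(raw)
}

// Enrol runs once: the customer's public point is derived from the enrolment scan
// and handed to the bank. No private value is kept on either side.
func Enrol(scan Template, salt []byte) ([]byte, error) {
	priv, err := ScalarFromScan(scan, salt)
	if err != nil {
		return nil, err
	}
	return priv.PublicKey().Bytes(), nil
}

// CustomerSecret is the customer's side: regenerate the scalar from a live scan and
// combine it with the bank's public key.
func CustomerSecret(liveScan Template, salt, bankPub []byte) ([]byte, error) {
	priv, err := ScalarFromScan(liveScan, salt)
	if err != nil {
		return nil, err
	}
	pub, err := ecdh.P256().NewPublicKey(bankPub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// BankSecret is the bank's side: its own private key with the enrolled public point.
func BankSecret(bankPriv *ecdh.PrivateKey, enrolledPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(enrolledPub)
	if err != nil {
		return nil, err
	}
	return bankPriv.ECDH(pub)
}

// Outcome records whether the two sides derived the same key.
type Outcome struct {
	SameScanAgrees  bool // live scan identical to the enrolment scan
	NoisyScanAgrees bool // live scan differs from it in one bit
}

func Demo() (Outcome, error) {
	var o Outcome
	bankPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	salt := []byte("bank-enrolment-salt") // public helper value known to both sides
	enrolScan := Template{0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x66, 0x1f, 0xc3, 0x70, 0x9e} // constructed
	enrolledPub, err := Enrol(enrolScan, salt)
	if err != nil {
		return o, err
	}
	bankSide, err := BankSecret(bankPriv, enrolledPub)
	if err != nil {
		return o, err
	}
	same, err := CustomerSecret(enrolScan, salt, bankPriv.PublicKey().Bytes()) // identical live scan
	if err != nil {
		return o, err
	}
	o.SameScanAgrees = bytes.Equal(same, bankSide)
	noisy := append(Template{}, enrolScan...) // a realistic scan differs slightly
	noisy[5] ^= 0x01
	diff, err := CustomerSecret(noisy, salt, bankPriv.PublicKey().Bytes())
	if err != nil {
		return o, err
	}
	o.NoisyScanAgrees = bytes.Equal(diff, bankSide)
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("identical scan agrees: %v\nnoisy scan agrees: %v\n", o.SameScanAgrees, o.NoisyScanAgrees)
}
```

Two caveats a practitioner would add to the slide. First, biometric samples never repeat exactly, so a deployable version needs a fuzzy extractor: public helper data stored at enrolment that corrects the noise in a live scan before the hash, which is what makes "no private value stored anywhere" achievable in practice. Second, a biometric cannot be revoked or rotated; if a template or a derived scalar ever leaks, the salt can be changed but the underlying secret cannot, so the scanner and the channel into ScalarFromScan must be treated as trusted.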

Page 24: Startups

Lookout: https://www.youtube.com/watch?v=vdB_QVJNegs
Trineba: focuses on the prevention side of cybersecurity