
Improving Mobile Banking Security Using Steganography

Mohammad Shirali-Shahreza
Computer Science Department
Sharif University of Technology
Tehran, IRAN
shirali@cs.sharif.edu
Abstract
With the development of m-commerce as one of the new
branches of e-commerce, m-banking has emerged as one
of the main divisions of m-commerce. As m-banking
was received very well, it has embarked upon the supply of
various services based on different systems and with the
aid of various services such as the Short Messaging
Service (SMS). However, in spite of its advantages,
m-banking is facing some challenges as well. One of these
challenges is the issue of security of this system.
This paper presents a method for increasing the security of
the information requested by users with the use of
steganography. In this method, instead of sending the
information directly, it is hidden in a picture using the
password and is put on a site. Then the address of the
picture is sent to the user. After receiving the address of
the picture through SMS, the user downloads the picture
with a special program. After entering the password, the
user can view the information extracted from the
picture if the password is entered correctly.
This project is written in the J2ME language (Java 2 Micro
Edition) and has been implemented on Nokia mobile
phones, models N71 and 6680.
Keywords: M-commerce, M-banking, E-banking,
Steganography, Network security.

1. Introduction
Using the internet for banking affairs is of interest in
different respects. With the internet, there is no need
to go to the bank or to a special branch of the bank, and
one can manage his banking affairs from any place. There
are no problems such as crowded banks and long queues,
therefore the customers can save time. It also reduces the
customers' expenses. In this system, there is no such
problem as closure of the bank after office hours, and
banking can be done at any hour.
On the other hand, mobile phones have advanced
during recent years, and as a result of the progress in
mobile phones and the incorporation of different services in
the mobile phones, the banks have started to think of
offering banking services on the mobile phone. Some of
the reasons for preference of m-banking over e-banking
are [1]: 1- No place restriction; 2- High penetration
coefficient; 3- Fully personalized; and 4- Availability.
However, in general, mobile banking has been
well received as it increases the convenience of the
customers and reduces banking costs.

International Conference on Information Technology (ITNG'07)
0-7695-2776-0/07 $20.00 2007

The banking services are divided into two groups of
mobile agency services and mobile banking services.
Mobile banking services are the same as the conventional
banking services and are generally divided into the
following four categories [2]:
1. Notifications and alerts: These services are offered
to inform the customer of the transactions done or to
be done with his account.
2. Information: Information on the transactions and
statements are sent in specific periods.
3. Applications: An application is sent by the customer
to the service provider regarding his account or a
special transaction.
4. Transfer: Transfer of money between different
accounts of the customer or payment to third parties.
In order to implement mobile banking services, an
infrastructure server such as WAP (Wireless Application
Protocol), i-mode, Palm.Net and so on is needed [3].
To exchange information with the customer, services
such as Short Messaging Service (SMS) or Multimedia
Messaging Service (MMS) can be used.
The issue of security of m-banking is a source of
concern to the users and numerous solutions and systems
have been so far presented in order to increase the
security of m-banking [4].
As mentioned earlier, there are two types of services
offered in m-banking, i.e. A) notifications and alerts and
B) information, in which the bank sends messages
containing information or notification needed by the
customer. Although the protocols in the network have
increased the security of these messages and prevent
disclosure of this information as far as possible, this paper
presents a new method for improving the security of these
messages by using steganography. Steganography
is a method for the covert exchange of information. In
steganography, the main goal is to hide information in a
cover media so that others may not notice the presence of
hidden information [5]. In the next section, my proposed
method is described in detail. Section 3 explains the
implementation of this project. In section 4, the advantages of
this method are discussed. Section 5 is the final conclusion.

2. My suggested algorithm
As mentioned above, banks offer services for sending
notifications such as remittance of money to the
customer's account by a third party, alerts such as due
dates for loan installments and information requested by
the user such as credit balance of the accounts. While
sending information, as the information is sent directly
and after request of the user, it is possible that hackers
might access and disclose the user's information.
In my suggested method, instead of sending the
information directly, it is hidden in a picture using a password and
placed on another website. Then the picture's address is
sent to the user instead of the information. A special
program already installed on the user's mobile phone
receives the picture's address. Then this program
downloads the picture containing the hidden information
from the internet and shows the information to the user after
extracting it by using the password and based
on the steganography algorithm. This method works as follows:
The customer sends his request for information to the
bank; for example, he asks for his credit balance. Based on
the request of the user, the bank prepares the information.
In our example, it extracts the user's credit balance from the
database. Then the bank system hides the prepared
information in a picture based on a password and by the
use of a special program that we call "coder". For this
purpose, the bank has a huge collection of pictures of
different sizes to choose from. Here, a picture with a
proper size proportionate to the amount of information
requested is selected randomly.
As every customer has already created a user account with a
special password upon registration in the m-banking
system, the same password is used as the
password for hiding the information in the picture. My
algorithm for hiding information in the picture is as follows:
In this project I use LSB steganography, which hides
information in the least significant bits (LSB) of the pixels'
colors. In this method each byte of information is hidden
in two pixels. For hiding the information, a byte is divided
into eight bits. By using a password, two pixels are
selected in which a byte of information is hidden.
In order to select the pixels in which data will be
hidden the following algorithm is used [6]:
In this algorithm the image is segmented into n blocks
of m pixels. Then according to the password, a block is
selected and the information is hidden in an empty pixel
of this block. The algorithm for selecting a block and an
empty pixel in that block is as follows: if the selected
block starts with the pixel number k and has m pixels then
the number of the last pixel is k+m-1.
This algorithm uses an array of size m+1 for
remembering the empty pixels of the current block. This array
contains the numbers of the pixels having no data. The last
cell of the array holds the total number of empty pixels in the
current block. According to the password, an empty pixel is
selected and the last empty pixel number is copied to this
array cell. After this operation the total number of empty
pixels in the block decreases by one. This method is also
used for selecting the block in which to hide the information.
After selecting the pixels I hide a byte within them.
Each pixel has three colors (RGB), and the information is
stored in the LSB of these colors.
It seems that human eyes are less sensitive to blue
colors, so more significant changes may be applied to
blue colors before the changes are noticed. Therefore
each byte of information is hidden in two pixels. The
number indicating the size of the information is stored in the
image as well. Knowing the size of the information is
necessary for decoding the information correctly.
The PNG (Portable Network Graphics) format is used
to represent images. The decoding algorithm is the same
as the coding algorithm.
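The block and pixel selection and the two-pixel embedding described above, as an added Python example (not the author's J2ME code). Assumptions not stated in the paper: the function names, SHA-256 of the password seeding the selector, a block being filled completely before the next is chosen, a 1/1/2 split of each half-byte over the R/G/B low bits, a 2-byte size field and m=16.

```python
import hashlib
import random

def draw(pool, rng):
    """Swap-with-last pick; pool[-1] counts the leading cells still unused."""
    i = rng.randrange(pool[-1])
    chosen = pool[i]
    pool[-1] -= 1
    pool[i] = pool[pool[-1]]  # copy the last unused entry into the chosen cell
    return chosen

def pixel_order(n, m, password):
    """Yield every pixel of n blocks of m pixels once, in password order."""
    # Assumption: SHA-256 of the password seeds a (non-cryptographic) PRNG.
    rng = random.Random(hashlib.sha256(password.encode()).digest())
    blocks = list(range(n)) + [n]
    while blocks[-1]:
        k = draw(blocks, rng) * m            # first pixel of the chosen block
        empty = list(range(k, k + m)) + [m]  # pixels k..k+m-1, then the count
        while empty[-1]:
            yield draw(empty, rng)

def embed(pixels, data, password, m=16):
    payload = len(data).to_bytes(2, "big") + data  # assumed 2-byte size field
    if 2 * len(payload) > len(pixels) // m * m:
        raise ValueError("cover image too small for payload")
    out, order = list(pixels), pixel_order(len(pixels) // m, m, password)
    for byte in payload:
        for nib in (byte >> 4, byte & 0xF):        # one byte -> two pixels
            p = next(order)
            r, g, b = out[p]
            # Assumed split: 1 bit in R, 1 in G, 2 in the less visible B.
            out[p] = (r & ~1 | nib >> 3, g & ~1 | nib >> 2 & 1, b & ~3 | nib & 3)
    return out

def extract(pixels, password, m=16):
    order = pixel_order(len(pixels) // m, m, password)
    def read_byte():
        value = 0
        for _ in range(2):
            r, g, b = pixels[next(order)]
            value = value << 4 | (r & 1) << 3 | (g & 1) << 2 | b & 3
        return value
    # A wrong password gives a garbage size: clamp it to the image capacity.
    size = min(read_byte() << 8 | read_byte(), len(pixels) // m * m // 2 - 2)
    return bytes(read_byte() for _ in range(size))

# Constructed 32x32 cover (flat list of RGB tuples), for illustration only.
COVER = [(x * 7 % 256, x * 13 % 256, x * 29 % 256) for x in range(1024)]
```

Calling `extract(embed(COVER, b"...", pw), pw)` returns the message; with a different password `extract` returns unrelated bytes rather than an error, because the scheme carries no integrity check.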
After hiding the information in the picture, the name
of the picture is determined based on the user account of
the customer and the request time of the user. This picture
is uploaded to a site chosen by the bank's server. This site
is selected from among the sites under the control of the
bank. For example, the bank has 20 site addresses and
chooses one address, and copies the picture thereon. This
picture is deleted automatically after 15 minutes to
prevent disclosure of information.
Then the picture's address is sent to the customer
instead of the requested information. A special program
installed on the customer's mobile phone, which we call
"decoder", receives this address and by referring to the
address downloads the picture.
After downloading the picture, the program
disconnects itself from the internet. Now the decoder
program extracts the information from the picture based
on the password received from the user and according to
the algorithm described earlier. If the password is entered
correctly, the information is accurately extracted and
shown to the customer.

3. Experimental result
The implementation of this project can be generally
divided into two sections:
1. The server section: This section prepares
the information requested by the user, runs
the coding program, hides the information in
the picture, copies the picture to the destined
place and finally sends the address of the
picture to the customer's mobile phone.
2. The user section: In this section, sending the
request, receiving the address of the picture,
downloading the picture and extracting the
information by the decoder program are carried out.
My main focus is on the user section,
because mobile phones have restrictions such as limited
memory, lack of a proper keyboard and so on.
At first, the user sends his request to the bank center
via SMS [7]. After receiving the user's request, the bank
system identifies him by the use of his mobile phone
number and prepares the information he had requested.
Based on the amount of information requested by the
customer, a picture of proper size is chosen randomly.
Then, the information is hidden in the picture by the coder
program with the use of the user's password. The coder
program is written in Java. This program then uploads
this picture to a site selected randomly from among the
existing sites. The name of the file is also determined
based on the name of the user and the request time of the
user. The picture is in PNG format. At the end, this
program sends the picture's address via SMS to the
decoder program on the user's mobile phone.
The decoder program executed on the customer's
mobile phone is written in J2ME (Java 2 Micro Edition).
The decoder receives the SMS containing the
address of the picture sent by the coder program. This
program downloads the picture from the said address and
then disconnects from the internet. The
program then receives the code, which is the same as the
customer's password for his user account in the mobile
banking system, and decodes and extracts the information
from the picture based on the password and on the
algorithm described earlier. If the password is entered
correctly, the information is extracted accurately and
shown to the user. The picture on the internet is
automatically deleted after 15 minutes. This project is
implemented on Nokia N71 and 6680 mobile phones.

4. Advantages
1. In this method, the information is never placed on the
   internet and exchanged in plain form. Thus, the
   possibility of disclosure of information is very low.
2. No user password is exchanged between the server
   and the mobile phone. Therefore there is no risk of
   disclosure of the user password.
3. In this method, the amount of information exchanged
   between the user and the banking system decreases, so
   the responding speed of the bank system increases.
4. Steganography is a relatively modern method in
   secret exchange of information. Therefore, the
   possibility of disclosure and extraction of its
   information, esp. in mobile phones, is much lower.
5. The steganography algorithm advantages are: [6]
   a. The password is not stored in the stegano
      image; so it is difficult to detect the password.
   b. Because the password is used, it is difficult to
      detect the information hidden in the image.
   c. The decoding program uses a few kilobytes of
      memory. Also the program is fast enough.

5. Conclusion
This paper presents a method to make sending the
information requested by users in a mobile banking system
safer and more secure based on the idea of steganography.
By hiding information in pictures and avoiding direct
sending of information, this method increases the security
of sending the information for users in an m-banking system.
My method can be used in other types of mobile
banking services like the notifications and alerts as well.
The steganography algorithm used can be changed
based on the requirements of the concerned m-banking
system, and other algorithms like DCT can be used.
My method is capable of implementation in e-banking
as well. By a combination of steganography with other
methods of secret exchange of information such as
cryptography, the security of this method can be further
enhanced. For instance, the information can be first coded
and then hidden in a picture. Other media such as music
can also be used as a cover media for steganography.

6. References
[1] T. Laukkanen, "Comparing consumer value creation in
Internet and mobile banking," International Conference on
Mobile Business (ICMB 2005), 11-13 July, 2005, pp. 655-658.
[2] K. Pousttchi and M. Schurig, "Assessment of today's mobile
banking applications from the view of customer requirements,"
Proceedings of the 37th Annual Hawaii International
Conference on System Sciences, 5-8 January, 2004.
[3] N. Kahzadi, E. Edalat, and M. A. Dehgan-Dehnavi,
"Commerce and M-Banking in World and Iran," Proceedings of
the Third National Conference on E-Commerce, Tehran, Iran,
31 May-1 June, 2005, pp. 306-329 (In Persian).
[4] W. Itani and A. I. Kayssi, "J2ME end-to-end security for
M-commerce," 2003 IEEE Wireless Communications and
Networking, vol. 3, pp. 2015-2020, 16-20 March, 2003.
[5] M. Shirali-Shahreza, "Stealth Steganography in SMS,"
Proceedings of the Third IEEE and IFIP Int. Conf. on Wireless
and Optical Communications Networks, 11-13 April, 2006.
[6] M. Shirali Shahreza, "An Improved Method for
Steganography on Mobile Phone," WSEAS Transactions on
Systems, Issue 7, vol. 4, pp. 955-957, July, 2005.
[7] B. Dukic and M. Katic, "m-order - payment model via SMS
within the m-banking," 27th Int. Conference on Information
Technology Interfaces, 20-23 June, 2005, pp. 93-98.