Abstract: With the help of modern information and communication technology, mobile banking, as a new type of financial services carrier, can provide efficient and effective financial services for clients. Compared with Internet banking, mobile banking is more secure and user friendly. The implementation of wireless communication technologies may, however, result in more complicated information security problems. Based on the principles of information security, this paper presents the information security issues of mobile banking and discusses security protection measures such as encryption technology, identity authentication, digital signatures and WPKI technology.

Key words: Mobile banking; Information security; Encryption technology

1 Introduction

With the wide expansion of mobile telecommunication technology into the business world, mobile banking has recently become a popular and promising banking method in the banking industry. Mobile banking can provide customers with better quality and more cost-saving services. It refers to the provision and use of banking and financial services with the help of mobile telecommunication devices. The scope of provided services may include facilities to conduct bank and investment market transactions, to administer accounts and to access customized information. Most mobile banking researchers agree that mobile banking consists of three parts: mobile accounting, mobile brokerage and mobile financial information services. For the customer service sector this includes conventional banking services such as balance checking, account transactions and payments. Increasingly, bank customers expect real-time information and access 24 hours a day, seven days a week, wherever they are in the world. Services such as electronic account management, mobile brokerage, financial information and alerts enable banks and network operators to increase the bank's competitive edge and strengthen customer loyalty.

Mobile banking can also provide context-specific, location-based services (LBS) related to banks. Compared with Internet banking, mobile banking is more secure and user friendly. Mobile banking not only provides traditional bank services but also offers customers "3A" services (anytime, anywhere and anyhow). The convenient, efficient and effective mobile banking service has been the main reason it attracts more customers. Security is the foundation of mobile banking development.

As mobile banking services proliferate, vulnerable handsets and their associated platforms will increasingly become targets of hackers and criminals. Mobile devices present many of the same risks as Internet banking. The following parts of the paper discuss the information security issues in mobile banking operations and services, and point out the most general security protection methods in mobile banking.

2 The Issues in Mobile Banking Information Security

2.1 The Operation of Mobile Banking

A mobile banking system comprises a mobile banking unit and a data processing centre, which may be the mainframe computer of the bank responsible for processing banking transactions and data storage. The mobile banking system includes one or more banking terminals such as ATMs, deposit machines and multimedia enquiry stations.

The mobile banking system has provided a good foundation for a personalized, customer-oriented new model of financial services, which incorporates a number of wireless communication channels and integrates the merits of different technologies (fig. 1).

From table 1, the mobile banking technology models implemented in Chinese banks are all different, and the security problems and issues vary with the technologies.
[Fig. 1: mobile banking system; labels recovered from the figure: Mobile operator, Handset/PDA, Communications network, Internet, Banking system]
... refer to the information security of network banking, and then introduce new technologies and safety measures to protect mobile banking according to the characteristics of mobile banks. In the following part we discuss the mobile banking protection methods.

3.1 Implementing encryption technology to protect data privacy

Some security mechanisms are already used in the mobile phone and the wireless communications network, and wireless transmission infrastructure such as GSM also applies encryption technology. Mobile banking applications, however, often involve confidential and sensitive information such as PINs and bank passwords, and the encryption technology and security mechanisms of the transport layer are not enough to protect the safety of mobile banking. The relatively strong encryption and authentication measures available today require more computing power and storage capacity. Only Internet banking clients, who have a powerful PC, can apply complex encryption and authentication technologies to ensure safety; with the low processing capacity of a mobile terminal, complex encrypted authentication technology cannot be applied to defend against security risks.

In order to reduce the computational cost of encryption while guaranteeing higher safety, mobile devices have started to use the symmetric encryption algorithm AES together with the asymmetric encryption algorithm ECC. That is, AES is the "core" and ECC the "shell": the data on the wireless link is encrypted with AES, and the AES key is encrypted with ECC. This method not only ensures data security but also increases the speed of encryption and decryption. AES and ECC are currently among the strongest encryption technologies for protection against hackers. Hackers who attack the ciphertext must attack AES-128 directly, which is extremely difficult with existing technology; if they choose to attack the ECC-protected session key instead, they meet the hard problem of the ECDLP. In addition, each session key is used only once, so even if a session key is obtained it is of little value. Meanwhile, this hybrid scheme keeps the amount of key material very small, which decreases the volume of key management and improves its security.

3.2 System and data integrity

For incomplete data caused during the communication process, the mobile communication system should provide appropriate mechanisms to prevent loss of integrity. Carrier channels, mobile terminals, gateways, servers and other equipment constantly face the threat of malicious viruses and other malicious attacks. The mobile banking system shall be equipped with appropriate safety measures such as firewalls, intrusion detection systems and rapid recovery mechanisms to guarantee data security. The integrity mechanisms of the system should be able to test the integrity of the system and of its document coding to ensure the integrity of the mobile banking system. In the process of data transmission, incomplete transmissions and record failures should be monitored continuously to find loopholes in the system.

3.3 Identity Authentication

Authentication is one of the most important tools of defense and the foundation of the other security mechanisms in mobile banking. Currently STK (SIM Application Toolkit) is often used in China's mobile banking business, for example by Bank of China and China Merchants Bank. The customer and the bank sign an agreement that binds the customer's identification information to the phone number, together with verification and protection of the password. Establishing the customer identification information, the phone number and the password protection mechanism requires customer authentication. Banks' access passwords are quite simple and easy to remember, which makes banks' valuable information easy for hackers to reach. Characteristics of mobile devices such as mobility and ease of loss make mobile banking information vulnerable to attack in an open environment. South Korea, the world's pioneer of mobile banking, has developed the dynamic authentication system DAS4M on the WIPI mobile platform: a table of characters is displayed in random order on the screen of the mobile device, and for each character of the password the user presses the key at the corresponding position in the table, so the keys pressed replace the password itself. Although such systems bring inconvenience to users, they can prevent direct attacks. Therefore we can also learn from South Korean banks and bring technologies such as dynamic passwords, and others currently used by network banking, to mobile banking to improve its security.
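The DAS4M-style scheme described above, as an added example in Go (not code from the paper, nor from any Korean bank's implementation): the bank issues a single-use random keypad table, the handset sends only the key positions the customer pressed, and the bank maps them back through its own copy of the table and compares a salted hash of the PIN in constant time. The Bank type, the example PIN 2580 and the challenge identifiers are constructed for the example; the real DAS4M message formats are not on the page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
)

// Challenge is one single-use random keypad table: Table[key] is the digit
// label shown above physical key 'key' for this login attempt only.
type Challenge struct {
	ID    string
	Table [10]byte
}

// Bank keeps a salted hash of the PIN (never the PIN itself) and the tables
// of the challenges it has issued but not yet consumed.
type Bank struct {
	salt    []byte
	pinHash [32]byte
	pending map[string]*Challenge
}

func NewBank(pin string) (*Bank, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil { return nil, err }
	b := &Bank{salt: salt, pending: map[string]*Challenge{}}
	b.pinHash = sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return b, nil
}

// randomTable draws a uniformly random permutation of the digits 0-9
// (Fisher-Yates driven by crypto/rand, never the predictable math/rand).
func randomTable() ([10]byte, error) {
	var t [10]byte
	for i := range t {
		t[i] = byte('0' + i)
	}
	for i := len(t) - 1; i > 0; i-- {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return t, err
		}
		t[i], t[n.Int64()] = t[n.Int64()], t[i]
	}
	return t, nil
}

// NewChallenge creates the table the handset will display for one attempt.
func (b *Bank) NewChallenge() (*Challenge, error) {
	table, err := randomTable()
	if err != nil { return nil, err }
	id := make([]byte, 8)
	if _, err := rand.Read(id); err != nil { return nil, err }
	c := &Challenge{ID: fmt.Sprintf("%x", id), Table: table}
	b.pending[c.ID] = c
	return c, nil
}

// KeysFor simulates the customer: for each PIN digit, press the key under which
// that digit is currently displayed. Only key positions leave the phone.
func KeysFor(table [10]byte, pin string) (string, error) {
	keys := make([]byte, 0, len(pin))
	for _, d := range []byte(pin) {
		key := -1
		for k, label := range table {
			if label == d {
				key = k
			}
		}
		if key < 0 {
			return "", fmt.Errorf("PIN character %q is not on the keypad", d)
		}
		keys = append(keys, byte('0'+key))
	}
	return string(keys), nil
}

// Verify maps the pressed keys back to digits with the server's copy of the
// table and compares the salted hash in constant time. The challenge is
// consumed on every attempt, so a captured key sequence cannot be replayed.
func (b *Bank) Verify(challengeID, keys string) bool {
	c, ok := b.pending[challengeID]
	if !ok {
		return false
	}
	delete(b.pending, challengeID)
	digits := make([]byte, 0, len(keys))
	for _, k := range []byte(keys) {
		if k < '0' || k > '9' {
			return false
		}
		digits = append(digits, c.Table[k-'0'])
	}
	h := sha256.Sum256(append(append([]byte{}, b.salt...), digits...))
	return subtle.ConstantTimeCompare(h[:], b.pinHash[:]) == 1
}

func main() {
	bank, _ := NewBank("2580") // constructed example PIN
	c, _ := bank.NewChallenge()
	keys, _ := KeysFor(c.Table, "2580")
	fmt.Printf("table %s, keys sent %s, accepted %v\n", c.Table[:], keys, bank.Verify(c.ID, keys))
}
```

Because the table changes on every attempt, a key sequence captured from one session only authenticates in a later session if the new permutation happens to map the same keys to the PIN (1 in 5040 for a four-digit PIN with distinct digits), which is why the scheme defeats direct keystroke capture but is not a substitute for limiting attempts.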
3.4 Digital Signature

Digital signature technology plays an important role in data authentication and non-repudiation. At present the digital signature technologies recognized by most people are the RSA algorithm, based on integer factorization, and the ECC algorithm, based on the elliptic curve discrete logarithm problem. China's mobile banking applications often use a digital signature embedded in the STK card: an asymmetric RSA key is embedded in the STK card and combined with a hash function to produce the digital signature. Although RSA is comparable to ECC in computing speed and safety, in practice ECC digital signatures are a better fit for mobile banking. The reasons are: first, ECC gives a higher security level per key bit, with a low processing requirement, a small storage footprint and a low bandwidth requirement, whereas RSA needs more computing capacity and its signing speed is slow. According to David Clark's experimental comparison, the security of RSA with a typical key length of 1024 bits equals that of ECC with a 160-bit key, and ECC completes the same workload with a smaller amount of computation, so ECC is more suitable for mobile devices. ECC has already been used in e-commerce and e-government, and it will soon be applied to mobile banking security technology.
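An added example (not code from the paper) that combines the AES "core" / ECC "shell" construction of section 3.1 with the hash-then-sign ECC signature of this section, using only the Go standard library: the handset signs the transaction with ECDSA P-256, agrees a one-time session key with the bank's static ECDH P-256 key through a fresh ephemeral key pair, and encrypts signature and transaction with AES-128-GCM. GCM is an assumption (the paper names no mode) chosen because its authentication tag also gives the integrity check that section 3.2 asks for; SHA-256 of the shared secret stands in for a proper KDF such as HKDF, and the transaction string is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one protected transaction on the wireless link: the handset's
// ephemeral ECC public key (the "shell"), the AES-GCM nonce and the AES
// ciphertext (the "core") of signature||transaction.
type Envelope struct {
	EphemeralPub, Nonce, Ciphertext []byte
}

// aeadFor derives the 128-bit AES key from the ECDH shared secret (SHA-256 of
// the raw secret stands in for a real KDF such as HKDF) and builds AES-128-GCM,
// whose authentication tag supplies the integrity check.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the handset side: hash-then-sign the transaction with the customer's
// ECDSA key, agree a one-time session key with the bank's static ECDH key through
// a fresh ephemeral key pair, and encrypt signature and transaction with AES.
func Seal(custSign *ecdsa.PrivateKey, bankPub *ecdh.PublicKey, tx []byte) (*Envelope, error) {
	digest := sha256.Sum256(tx)
	sig, err := ecdsa.SignASN1(rand.Reader, custSign, digest[:])
	if err != nil { return nil, err }
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // new key pair per message
	if err != nil { return nil, err }
	shared, err := eph.ECDH(bankPub)
	if err != nil { return nil, err }
	gcm, err := aeadFor(shared)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	plain := append([]byte{byte(len(sig))}, sig...) // P-256 ASN.1 signatures are < 256 bytes
	plain = append(plain, tx...)
	ephPub := eph.PublicKey().Bytes() // sent in clear, but bound to the ciphertext as AAD
	return &Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plain, ephPub)}, nil
}

// Open is the bank side: recover the session key, decrypt (tampering with the
// ciphertext, nonce or ephemeral key fails here) and verify the signature.
func Open(bankPriv *ecdh.PrivateKey, custPub *ecdsa.PublicKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := bankPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, err := aeadFor(shared)
	if err != nil { return nil, err }
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil {
		return nil, errors.New("decryption failed: envelope tampered or wrong key")
	}
	if len(plain) < 1 || 1+int(plain[0]) > len(plain) {
		return nil, errors.New("malformed plaintext")
	}
	sig, tx := plain[1:1+int(plain[0])], plain[1+int(plain[0]):]
	digest := sha256.Sum256(tx)
	if !ecdsa.VerifyASN1(custPub, digest[:], sig) {
		return nil, errors.New("signature invalid: not signed by this customer")
	}
	return tx, nil
}

// NewKeys returns the customer's ECDSA P-256 signing key and the bank's static ECDH P-256 key.
func NewKeys() (*ecdsa.PrivateKey, *ecdh.PrivateKey, error) {
	cust, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bank, err := ecdh.P256().GenerateKey(rand.Reader)
	return cust, bank, err
}

func main() {
	cust, bank, _ := NewKeys()
	env, _ := Seal(cust, bank.PublicKey(), []byte("TRANSFER 1500.00 CNY")) // constructed transaction
	got, err := Open(bank, &cust.PublicKey, env)
	fmt.Printf("bank recovered %q, err=%v\n", got, err)
	env.Ciphertext[0] ^= 1 // flip one bit on the air
	_, err = Open(bank, &cust.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

The ephemeral ECDH key is what makes the session key single-use, as the paper requires: an attacker who somehow recovers one session key learns nothing about the next message, and the bank's only long-term secret is its static ECDH key, so key management stays small.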
3.5 WPKI

WPKI (Wireless Public Key Infrastructure) has gradually developed to meet the needs of wireless
network authentication and encryption. This technology brings the PKI security mechanisms of Internet e-commerce into the wireless network environment, following a set of established standards for a key and certificate management platform. WPKI is not a new standard, however: it uses optimized ECC elliptic curve cryptography and compressed X.509 digital certificates, and it also uses public key certificate management, with a trusted third party, the Certification Authority (CA), verifying the identity of the user. These measures help effectively to establish a secure and trusted wireless network environment and to ensure information security properties such as confidentiality of data in transmission, data integrity, user authentication and non-repudiation of transactions.
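An added example (not code from the paper or from any WPKI product) of the CA role described above, using the Go standard library's X.509 support rather than the WTLS-compressed certificate format that WPKI specifies: a root CA with an ECDSA P-256 key issues customer certificates, the bank's server verifies a presented certificate against that root and rejects one issued by another CA, and the DER sizes of an ECC certificate and an RSA-2048 certificate for the same subject are compared to show the bandwidth argument. Names, validity periods and the serial counter are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the trusted third party of the WPKI. Its self-signed certificate is the
// trust anchor that the bank's servers (SP) and the handsets (UIM) hold.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	next int64 // serial counter for this example; production CAs use random serials
}

func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign, // without this, Go refuses chains through it
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{Cert: cert, Key: key, next: 2}, nil
}

// Issue binds a subject (the identity the RA has checked) to a public key
// generated on the customer's UIM and returns the DER-encoded certificate.
func (ca *CA) Issue(subject string, pub any) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// NewCustomerKey is the key pair generated on the UIM; only the public half goes to the CA.
func NewCustomerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// VerifyCustomer is the bank server's check of a presented certificate: parse
// it and build a chain to the WPKI root. A certificate from any other CA,
// outside its validity period, or lacking the client-auth usage is rejected.
func VerifyCustomer(root *x509.Certificate, der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return "", err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// CertSizes issues an ECC (P-256) and an RSA-2048 certificate for the same
// subject and returns their DER lengths: the bandwidth argument for ECC.
func CertSizes(ca *CA) (int, int, error) {
	ek, err := NewCustomerKey()
	if err != nil { return 0, 0, err }
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return 0, 0, err }
	eccDer, err := ca.Issue("size-test", &ek.PublicKey)
	if err != nil { return 0, 0, err }
	rsaDer, err := ca.Issue("size-test", &rk.PublicKey)
	if err != nil { return 0, 0, err }
	return len(eccDer), len(rsaDer), nil
}

func main() {
	ca, _ := NewCA("Example Bank WPKI Root") // constructed names
	cust, _ := NewCustomerKey()
	der, _ := ca.Issue("customer 0011", &cust.PublicKey)
	name, err := VerifyCustomer(ca.Cert, der)
	e, r, _ := CertSizes(ca)
	fmt.Printf("verified %q (err=%v); DER size ECC %d vs RSA-2048 %d bytes\n", name, err, e, r)
}
```

The size difference is the practical content of the paper's ECC argument: the RSA-2048 public key alone is larger than an entire P-256 certificate, which matters on a link where every certificate exchanged costs airtime.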
[Figure: WPKI components; labels recovered from the figure: Cipher text, Wireless Network, UIM, Internet, AC, RA, Private key certificate, Public Key, SP]