2008 International Conference on Computer Science and Software Engineering
Mobile Banking Information Security and Protection Methods
Jin ,Nie
The Center for the Studies of Information Resource
Management at Wuhan University
Jinnie@whu.edu.cn
Abstract: With the help of modern information communication
technology, mobile banking as a new type of financial services carrier
can provide efficient and effective financial services for clients.
Compare with Internet banking, mobile banking is more secure and
user friendly. The implementation of wireless communication
technologies may result in more complicated information security
problems. Based on the principles of information security, this
paper presented issues of information security of mobile banking and
discussed the security protection measures such as: Encryption
technology, identity authentication, digital signature,WPKI
technology.
Key words: Mobile banking Information security Encryption
technology
1 Introduction
With the wide-expansion of mobile telecommunication
technology into the business world, mobile banking became
the popular and promising banking method in bank industry
recently. Mobile banking can provide customers with better
quality and more cost-saving services. It refers to provision
and availment of banking and financial services with the help
of mobile telecommunication devices. The scope of provided
services may include facilities to conduct bank and investment
market transactions, to administer accounts and to access
customized information. Most of the mobile banking
researchers agreed that mobile banking consists of three parts:
mobile accounting, mobile brokerage and mobile financial
information services. For customer service sector including:
balance checking, account transactions, payment, etc.
conventional banking services. Increasingly, bank customers
will expect real-time information and access 24 hours a day,
seven days a week, wherever they are in the world. Services
such as electronic account management, mobile brokerage and
financial information and alerts enable banks and network
operators to increase bank’s competitive edge and strengthen
customer loyalty.
Handset/PDA
D
Communications
network
Fig.1 Mobile Banking Operation System
2.2 Information Security and Mobile Banking
978-0-7695-3336-0/08 $25.00 © 2008 IEEE
DOI 10.1109/CSSE.2008.1422
Xianling,Hu
The Center for the Studies of Information Resource
Management at Wuhan University
Danyouyu1@126.com
Mobile banking can provide context-specific,
location-based services (LBS) related to banks. Compare with
Internet banking, mobile banking is more secure and user
friendly. Mobile banking not only can provide traditional bank
services, but also offer customer with 3A services (anytime,
anywhere and anyhow). The convenient, efficient and
effective mobile banking service has been the main reason to
attract more customers. The security is the foundation for
mobile banking development.
As mobile banking services proliferate, the vulnerable
handsets and associated platforms will become hacks or
criminals attacking targets increasingly. Mobile devices
present many of the same risks as Internet banking. In the
following part of the paper it will discuss the information
security issues in mobile banking operation and services, it
also point out the most general security protection methods in
mobile banking.
2 The Issues in Mobile Banking Information Security
2.1 The Operation of Mobile Banking
A mobile banking system comprises a mobile banking unit
and a data processing centre which may be the mainframe
computer of the bank responsible for processing banking
transactions and data storage. The mobile banking includes
one or more banking terminals such as ATMs, deposit
machines and multimedia enquiry stations.
Mobile banking system has provided a good foundation for
providing personalized, customer- oriented, new model of
financial services, which incorporates a number of wireless
communication channels, integrate the merits of different
technologies（fig.1）.
From table 1, the mobile banking technology models
implemented in Chinese banks are all different. The security
problems and issues would be various based on the
technologies.
Mobile operator
Internet
Banking system
587
 The characteristics of network financial services have been
the target of all kinds of technology crimes since it emerged.
Table 1 Mobile banking technology models
Banks
Bank of China
China Construction Bank
China’s Bank of Communications
China Merchants Bank
Industrial and Commercial Bank of China
Industrial Bank
Source: the website of major banks in China (records generated on 12, 2007 by writer)
Mobile Devices Wireless Network
(Handset/PDA）
（
Mobile security zone
Fig.2. Security Zones of Mobile banking
Mobile banking has two security zones(Fig.2): Hand set
users’ zone and mobile operator zone; Mobile operators and
bank system zones. The information security problems in
network banking such as hackers, virus attacks, etc. will be
happened in mobile banking system operation as well. The
mobile banking related wireless communication information
security will be as follows:
2.2.1 Information leakage, loss and distort
Mobile banking operation transfers information through
wireless data network. Wireless data networks require
radios that take in digital data, zeros—and ones, modulate and
transmit the data as radio waves, receive the radio waves,
demodulate the signal, and convert them back to zeros and
ones. Coexistence is the ability to have many radios
operating without interfering with each other.Current wireless
network technology provides very limited tools to protect the
wireless transmit media. Confidential banking information
may be leaked, lost or distort in the daily transaction devices.
Attackers might intercept confidential information on the
transmission of mobile communications network through
overlapping and installation acceptable devices of in the
electromagnetic radiation, then delete, modify, add or
re-played some important information to damage the normal
use of legitimate users.
2.2.2 Incomplete information
Because of the operation of mobile devices and instability of
the transmission channel, it easily leads to incomplete
communications data. When a customer using mobile phone
enter an area with poor coverage from the region with good
wireless signals, or the communication is disturbed by other
signals, information will happen often delay or failure so
transactions could easily lead to incomplete data or data loss.
In addition, electricity shortage of mobile devices would lead
the ongoing banking business to break off and make the
transaction data incomplete.
2.2.3 Denial of service Attack
Many security encryption and authentication technologies do
not function well in mobile operation devices.
Technology Model
SMS
BREW and WAP
WAP
WAP2.0 and SMS
SMS
WAP and KJAVA
TCP/IP
Mobile operator Banking system
Banking security zone
Attackers send lots of messages to mobile phones by
occupying Gateway Gateway or using of SMS Gateway
Gateway loopholes to complete SMS Denial of Service
Attack. Attackers interfere mobile banking service system
through specific devices to change the process of its normal
services、implement unrelated procedures to slow down the
response of the system or even paralyze the system or to
interfere with mobile communications equipment. All make
legitimate users not be able to enter the mobile normal
banking system or receive services responses. .
2.2.4 Virus attacks
Despite the current virus on mobile operations found
mainly destruct mobile phone function, consume electricity of
phones and remove records of mobile phone and other
information, the potential threat of mobile banking is far
greater than that of the network banking. Maybe the
followings can explain the reasons: firstly, the virus carried on
mobile terminals can not only infect operating system of
wireless network terminals but also infect that of the fixed
network terminal; secondly, it is very difficult to use antivirus
software for mobile devices computing power constraints;
thirdly, Many wireless networks don’t have anti-virus
measures. Recently, Russia for the first time found a computer
virus, which spread via mobile networks .The virus can not
only infect operating system of mobile phones with the
Symbian through wireless networks , but also can spread
through Bluetooth technology, that is, Mobile phones with
virus will be activated, then convey a secure file including
virus to near other Bluetooth-enabled mobile phones.
3 The Mobile Banking Information Security Protection Methods
From the above analysis of information safety issues of
mobile banking, we can see the difference between
information security issues of mobile banking and network
banking. Mobile banking faces more complex security
problems. We can not transplant simply security strategy of
network banking to the mobile banking system, we should
588
refer to information security of the network banking ,and then
introduce new technology and safety measures to protect the
safety of mobile banking according to the characteristics of
mobile banks. In the following part we will discuss the mobile
banking protection methods.
3.1 Implementing encryption technology to protect data
privacy
While some security mechanism has been used in the mobile
phone and wireless communications network, wireless
transmission infrastructure such as GSM also applied
encryption technology. For mobile banking application，it
often involves confidential and sensitive information such as
PIN and Bank Password, etc. The encryption technology and
security mechanism of transaction layer is not enough to
protect the safety of Mobile banking. Current relatively good
security encryption and authentication measures require more
powerful computing power and storage capacity to support.
Only clients of Internet banking have a very powerful PC can
apply the complex encryption and authentication technologies
to ensure safety. With low capacity of operation of mobile
terminal, the complex encrypted authentication technology
can not applied to defend against security risks.
In order to reduce the calculation strength of the encryption
and guarantee the higher safety, present mobile devices start to
use a symmetric encryption algorithm AES and asymmetric
encryption algorithm ECC. That is , AES is a "core" and ECC
"shell", The data on wireless transmission is encrypted with
AES, The encryption key use ECC to encrypt, This method not
only ensures that data security but also increase the speed of
encryption and decryption. The AEC and the ECC are currently
the most powerful encryption technology to protect hackers.
When the hackers attack cryptograph, they need to directly
attack against the AES 128. It is extremely difficult under the
conditions of the existing technology; If they choose to attack
the session key of ECC, they will meet the thorny problem of
ECDLP. In addition, the use of a session key is effective only
for first time, so even if they get the session key, there is not
much value. Meanwhile, this hybrid algorithm has a very small
key management to decrease the volume of key management
and improve its security.
3.2 System and data integrity
For the incomplete data caused in the communication process,
mobile communication system should provide appropriate
mechanisms to prevent the occurrence of non- integrity. One
carrier channel, mobile terminals, gateways, servers and other
equipment constantly face threat of malicious viruses attack and
other malicious attack. . Mobile banking system shall be
equipped with appropriate safety measures such as firewalls,
intrusion detection system and rapid recovery mechanism to
guarantee data security. Integrity mechanisms of the system
should be able to test integrity of system and document coding
to ensure that the integrity of mobile banking system. In the
process of data transmission, incomplete data transmission and
failure of the records should be monitored consistently to find
the loopholes in the system.
589
3.3 Identity Authentication
Authentication is one of the most important tools of
defense and it is the foundation of other security mechanisms
in mobile banking. Currently STK is often used in China's
mobile banking business such as Bank of China, China
Merchants Bank, etc. Customer and the bank will sign an
agreement for binding between customer identification
information and phone numbers, verification and protection of
password. The establishment of customer identification
information, phone numbers, password protection
mechanisms require customers’ authentication. The banks’
access passwords are quite simple and easy to remember
which will cause banks’ valuable information easy to reach by
hackers. The characteristic of mobile devices such as
mobility and ease to loss make mobile banking information
vulnerable to attack in an open environment. South Korea as
the world's pioneer of mobile banking has been developed
dynamic authentication system DAS4M based on WIPI
mobile platform, through randomly displaying the table of
characters on the screen of mobile devices, according to the
corresponding location of password on the keyboard, use
corresponding figures on the keyboard to replace the
password. Although such systems bring inconvenience to
users，it can prevent direct attacks. Therefore, we can also
learn from South Korean banks and bring technology such as
dynamic password and other technology currently used by the
network banking to mobile banking to improve the security of
mobile banking.
3.4 Digital Signature
Digital Signature Technology plays an important role in the
data authentication and non- repudiation. At present digital
signature techno- logies recognized by the majority of people
are the RSA algorithm based on the integer factori- zation and
ECC algorithm based on elliptic curve discrete logarithm
problem calculated. The digital signature imbedded in STK
card is often applied by China's mobile banking application,
that is, asymmetric key RSA key is embedded in STK card,
with Hash functions to get digital signature. The RSA in
computing speed and safety is as good as ECC, practically the
ECC for digital signatures will be more fit for mobile banking.
The reasons are: firstly, ECC security level is higher, the
calculation processing speed require- ment is low, storage
space is small, low band- width requirement. For RSA, more
complex com- puting capacity and the speed of encryption is
slow. According to David Clark experimental comparison, the
safety performance of RAS with Key length of a typical 1024
is as same as ECC encryption algorithm with a 160, ECC can
com- plete the same workload with a smaller amount of
computation, so ECC is more suitable for mobile devices.
ECC has been used in the areas of e-commerce, e-government,
it will soon be applied to the mobile banking security
technology.
3.5 WPKI
WPKI（Wireless Public Key Infrastructure）is gradually
developed in order to meet with the needs of a wireless
network authentication and encryption, This technology is
introduced into the wireless network environment on the basis
of the Internet e-commerce PKI security mechanisms to
follow a set of established standards for key and certificate
management platform system. But WPKI is not a new
standard, it uses optimized ECC elliptic curve encryption and
compression X.509 digital certificates, it also used a public
Cipher text
Wireless Network
UIM
AC
RA
Private key certificate
Fig.3. WPKI Security System Framework
WPKI is based on the optimization of PKI. The
introduction of the 100 B Elliptic Curve Crypto system in the
WPKI certification reduces the storage space of Certificates.
WPKI has the size restrictions of the IETF PKIX certification
format as well. As WPKI is a subset of PKIX, it ensures
interoperability possibilities among the PKI standards.
WPKI adopt on a public key system based on ECC
algorithm and use one pair to match each other's key
(encryption, decryption). When deliver a message, sender
uses the public key in digital certificates of receiver to encrypt
data, then recipients use its own private key to decrypt. In this
way, this information can safely reach their destinations. By
using WPKI technology, mobile banking guarantees the
confidential of data, integrity, authenticity and the identity of
the non-repudiation of transactions to eliminate the user's risk
in the transaction. The development and improvement of
related technology in WPKI, the length of data and handling
difficulty of WPKI certification will be further reduced and
that achieve interoperability between WPKI and standard PKI
to create better security environment for the development of
mobile banks.
4 Conclusion
As mobile banking can provide 3A services which
transcending the limitation of time and space. It will become
popular with the development and maturity of mobile
telecommunications technology as well as mobile device
function improved. If banks can integrate the mobile banking
and current services, make good use of the benefits provided
by of wireless communication technology such as cell phones
and develop a unique customer oriented services，mobile
banking will be able to play a more important role in banking
industry.
5 Reference
[1] Rajnish Tiwari，Stephan Buse and Cornelius Herstatt ：
Customer on the move：Strategic Implication of Mobile
590
key certificate management, the trusted third-party
organizations----Certification Center (CA) to verify the
identity of the user, these help effectively to establish security
and trusted wireless network environment and ensure the
information security such as data on transmission, data
integrity, user authentication, and non-repudiation of
transactions.
Internet
Public Key
SP
Banking for Banks and Financial Enterprises. E-Commerce
Technology, 2006，pp.81 - 81
[2] Schwiderski-Grosche, S, Knospe, H; Secure mobile
commerce. Electronics & Communication Engineering
Journal,（14：5） ，2002，pp.228 - 238
[3] I. Brown, Z. ,Cajee, D. Dzvies, and S. Striebel：Cell phone
banking: predictors of adoption in South Africa-an
exploratory study”, International Journal of Information
Management, (23:5), 2003, pp.381-394
[4] Li Wei, Wu Qinghua, Liao Weiguo, WPKI Mobile
Banking Security Technology Model Research. The
Journal of Hubei Industrial Institution. 2004 (19).
[5] Yuan Yufei, Wang Youwei, Mobile Commerce, Qing Hua
University Press, 2006.
[6] Hu Aiqun, Wireless Communication Network Security
Issues and countermeasures. Electronic Communication
Science, 2003 (12)
[7] Pousttchi, K.，Schurig, M.：Assessment of today's mobile
banking applications from the view of customer
requirements. System Sciences, 2004 , pp.:10
[8] Zhang Yong, Xing ChangZhen, The Research on AES and
ECC Integration Data Encryption Technology. Computer
Security, 2007 (7)
[9] SangJun Lee and SeungBae Park：Mobile Password
System for Enhancing Usability- Guaranteed Security in
Mobile Phone Banking. Computer Science,2005, pp. 66-74,
[10] Wang Bingli, Li Zhihua, ECC Encryption Computation
Analysis. The Journal of Han Dan Technology Institute.
2005 (3).
[11] Lu Gang,, The Comparison of WPKI and PKI Key
Technology. The Application of Computer, 2005 (11).
[12] Tiwari, and Buse, 2007: The mobile Commerce prospects:
A strategic Analysis of Opportunities in the Banking
Sector, Hamburger University Press. (E-Book) pp.73-74.