Security mechanisms in the service
of mobile banking*
Wojciech Wodo
Department of Computer Science
Wroclaw University of Science and Technology
Wroclaw, Poland
wojciech.wodo@pwr.edu.pl
Abstract—This paper contains insights on different security
mechanisms, including biometrics, used in mobile or electronic
banking systems. Author depict various access channels to bank
accounts and threats associated with them, as well as possible
countermeasures. Biometrics usage in this field is more and
more popular these days, that is the way they are essential
part of the paper. General Data Protection Act is also taken
into consideration while discussing privacy issues. Paper consist
of ideas and proposed approaches towards security issues in
electronic banking system.
Index Terms—banking, mobile banking, security, biometircs,
biometry, face recognition, voice recognition
I. I NTRODUCTION
Bank systems are vulnerable to attacks from a lot of
different sites, due to a number of diversified access channels
and obvious financial benefits from the adversary. To address
various security issues regarding them, one should look com-
prehensively and secure the fragment by fragment, because the
attack is most likely to occur at the weakest link in the security
chain. Banking changes over time, certain functionalities go
into oblivion, while new ones appear and gain crowds of fans
- such as contactless payments or non-cash payments of the
Blik type. A number of new threats arise around each of these
functionalities, which mitigation should be carried out with
both technical means, but also education and the right law.
A. Channels of access to bank accounts
With the current mode of using banking services, we
can distinguish several basic access channels. Each of them
requires a separate analysis and tailored methods of protection
and monitoring. One should consider what is the portion of
particular access channels in the general framework of using
banking services. It seems obvious that these proportions
will be distributed unevenly among different user groups and
different services. In this article, we focus on electronic and
voice channels due to its popularity and the possibility of using
a variety of automated authorization mechanisms.
1) Personal visit in bank: A personal visit in a bank
branch gives the possibility of a personal inspection by a
bank employee of the identity document and collection of
biometric data under controlled conditions, as well as their
verification (with previously collected data). It can be a strictly
* This research was supported by department statutory fund nr 0401/0017/17
controlled environment and provides various possibilities for
implementing security systems, however, most users leave
this access channel due to the willingness to access services
remotely and at a convenient time. We can not therefore treat
this channel as forward-looking.
2) Hot-line and voice channel: A hot line, or access via
a voice connection is undoubtedly a channel that should be
considered as popular and can persist in the future, so it
should be analyzed in terms of security. Verification of the
caller based on the customer number and PIN code seems to
be too weak protection, especially if after such authorization
it is possible to make changes, e.g. contact data, and worse,
any financial operations. It seems a good idea to introduce a
biometric verification mechanism for the caller’s voice in a
continuous model - continues verification.
3) Internet acces via website or app on mobile device:
Electronic access channels via the website or mobile applica-
tion seem to be the most popular and therefore also exposed to
the greatest danger these days. This is mainly due to the fact
that the user verification process takes place automatically,
which allows utilization of various malicious software that
will assist the adversary. In addition, these channels are
exposed to negligence on the part of their users, as they put
a great emphasis on their awareness of security issues and
the application of certain standards and behavioral patterns. A
survey of mobile device users in Poland in 2016 [4], shows
that most people opt for maximum convenience and do not pay
attention to security at all, keeping their phones and tablets
open wiping, with stored passwords for e-mail accounts or
social media.
II. S ECURITY ISSUES
A. Security levels
Let us define two levels of security for the mobile and
electronic banking applications: basic and extended. The basic
level will apply to logging in to the user’s account with passive
permissions to view it. We will assign an extended level to
active user operations, i.e. such as money transfers, changes
to key settings such as authentication channels or incurring
liabilities.
Banking applications are available that provide functionali-
ties (e.g. account status display or last transaction performed)
without user authentication. From the point of view of in-
formation security and privacy, we definitely discourage such
solutions.
B. Protection of mobile devices
The first line of protection is the device itself, by means
of which we use banking services, hence we should ensure
that only an authorized person can use it. In the case of
a mobile device, access protection based on a password or
a long PIN (at least 6-8 characters) may be the minimum
fulfillment of this criterion. The solution based on biometrics
(it additionally ensures the lack of frequent exposure of the
password or PIN in public places) may additionally improve
the ergonomics of the solution and make it impossible to break
the password, because it will not be possible for the adversary
to eavesdropped it.
The mobile device is just as vulnerable to malware attacks
as a personal computer, hence the use of antivirus and anti-
spyware software is necessary. To prevent the adversary from
using discovered bugs in the software, the device’s operating
system and its key software must be updated regularly. If we
use additional software on a mobile device, make sure that it is
only from the official application stores made available by the
system producers (Google Play, Apple App Store, Windows
Phone Store).
A good idea is checking if the device used by the client in
the banking context is not devoid of standard security (whether
it was rooted or jailbreak) and in this situation either bank
app may refusing the service or transferring responsibility to
the user using the relevant information with a request for
confirmation.
The security of the network through which we use banking
services is also a fundamental element of the overall level
of security. It should be ensured that the performance of
sensitive financial operations is carried out in trusted networks,
or at least well protected, although you should be particularly
careful when using WiFi, because of the latest Krack attack
against algorithm WPA-2 [3].
C. Procedure of login
By default, when logging in to the banking system, we
always assume the use of at least two security components.
Depending on the communication channel, for login they will
be respectively:
• web / mobile app: use of face biometrics and user’s
password (biometric binding with user ID and unique
knowledge - password)
• voice channel: user ID including PIN and voice biometry
We allow biometrics to be turned off to provide alternative
access (this is a key property due to the principle of non-
discrimination of users - e.g. some people may lose certain
biometric features as a result of illness or accident), but it can
be done after correct authentication by some other channel (for
instance: web / app, telephone, personal visit to the bank).
In the application, we define three grades of security level
for the user:
• strong (standard) - the use of face biometrics and user’s
passwords
• intermediate - using user ID, its password and confirma-
tion by code from SMS
• low - using user ID and password
We assume a psychological approach in determining the level
of security, if the ”low level” corresponds to what is currently
used as the standard, the user would like to have a better
solution, i.e. a two-factor security or biometrics. On the other
hand, it is easier to downgrade the level of security by ”one”
level, giving up biometrics, but in the end we get a higher
level of security than the standard one. When using a user’s
password, we recommend masking it and requesting only
selected characters instead of entering the whole password, this
ensures protection against interception of the entire password
in one session and analysis of the way of writing (keystroking).
D. Confirmation of financial operations
Any active user activity aimed at using financial resources
or changes in authentication methods or incurring liabilities
should be authenticated using an extended level of security.
At this level of security, we do not allow verification on the
basis of only one security component.
E. Antyphishing
Currently, a very popular type of attack is phishing, by
means of which the adversary extorts all data from the
user, including logins, passwords, confirmations and codes.
These attacks are carried out most often in the form of
impersonating legitimate banking websites. Countermeasures
provide in-depth control of addresses of the origin of emails
or links and verification of SSL certificates. In addition, when
addressing anti-phishing issues, we recommend using the user-
selected image shown at the login window on the website
/ mobile application. Thanks to these personal images user
might recognize that something is going wrong with the
process of authentication and is able to interrupt it.
Of course, there is still the problem of responsive, substitute
websites that can act as an intermediary between the user and
the correct service (MITM attack), and intercept communica-
tion and dynamically generate content. To mitigate this type of
threat one need to take care of protection against the malware
software and especially control the permissions of various
applications and plugins on mobile device or web browser.
However, in the telephone channel, the use of a defined
reverse password, for which the user may ask a bank consul-
tant. This is a particularly effective solution, because it is the
user who verifies the caller’s consultant, if the password has
been kept confidential, the probability that this socio-technical
attack will be successful is minimal.
F. User activity under duress
Consider a scenario in which the user is forced to login into
the banking system or cash withdrawals from the ATM under
duress (under the direct influence of the adversary). In such
a situation, it would be reasonable to introduce a protective
mechanism that would first and foremost impede the life and
health of the user.
In such a scenario it is possible to use the mechanism
of sandbox, i.e. letting the adversary into a fictitious system
that looks like it is real, but it is not, and the operations in
it are only virtual. In the case of a banking application or
access via a web service, this would mean access to the user’s
virtual account, where the deposit statuses would be fictitious,
and the execution of any apparent operations. The decision
of redirection to such a virtual account is made by the user
by one of the authentication factors, e.g. it may be a second
identification number or a second password. The adversary
cannot, without additional knowledge, recognize whether the
user has logged in to the correct account or to the sandbox,
they are indistinguishable to the external observer. On the other
hand, the fact of logging into the sandbox system itself tells the
bank that something unusual is happening and it is possible
to block operations in the real system until the moment of
explanation.
G. Solution like Touch-ID and Face-ID
Apple along with the launch of the new model of the
iPhone X has released a new solution to secure access to
the device using face biometrics - Face-ID [1]. The solution
on devices equipped with this possibility using the match-on-
device model, which enables strong biometric verification of
the legitimate user of the mobile device based on the hardware
security of the device itself.
Based on this verification method, it is possible to allow the
user to use the device itself. The manufacturer also allows the
use of this functionality to verify the user in the application,
in my opinion it is a sufficiently secure mechanism to allow
the user to grant access to the basic level of security. It is
worth emphasizing the fact that breaking this protection is
significantly more difficult than in the case of the previous
solution based on fingerprints. So far, this has been done by
a Vietnamese security company - Bkav1 .
Earlier similar solution using fingerprint biometrics - Touch-
ID would be acceptable for use similarly, with the proviso
that only some manufacturers of mobile devices ensure the
implementation of the solution at an acceptable level - e.g.
Apple. Samsug or Huawei’s solutions are susceptible to attacks
using fabricated fingerprints by printing using conductive ink
on the appropriate paper [2].
the users. Biometrics might be also very useful on the way of
reconciliation of security and ergonomy.
IV. F UTURE WORKS
As main focus for future works in this area I would like to
investigate in more details usage of biometrics (especially face
and voice, as well as behavioral ones) in mobile banking secu-
rity systems and apps. What is also important in the context of
banking security is General Data Protection Regulation2 and
its impact on security mechanism and at least data processing
and storing, including backups and erasing data on demand
of customer. What should be addressed here is appropriate
mechanism fulfilling both banking law and GDPR, what is
challenging.
ACKNOWLEDGMENT
I would like to express my gratitude to my colleagues Luc-
jan Hanzlik and Przemyslaw Blaskiewicz for support during
investigating these issues and brainstorming and contestation
of assumptions.
R EFERENCES
[1] Apple, Whitepaper, Face ID Security, url: https://images.apple.com/
business/docs/FaceID Security Guide.pdf, 2018.
[2] Kai Cao and Anil K. Jain, Hacking Mobile Phones Using 2D Printed
Fingerprints, url: http://biometrics.cse.msu.edu/Publications/Fingerprint/
CaoJain HackingMobilePhonesUsing2DPrintedFingerprint MSU-CSE-
16-2.pdf, 2016.
[3] Mathy Vanhoef and Frank Piessens, Key Reinstallation Attacks: Forcing
Nonce Reuse in WPA2, Proceedings of the ACM SIGSAC Conference
on Computer and Communications Security (CCS) (November 2017),
pp. 1313-1328, doi:10.1145/3133956.3134027
[4] Wojciech Wodo and Hanna Lawniczak, BEZPIECZENSTWO I BIOME-
TRIA URZADZEN MOBILNYCH W POLSCE, Oficyna Wydawnicza
Politechniki Wroclawskiej, 2016, doi: 10.5277/Y03.2017.01

III. C ONCLUSION
As we can see there are a lot threats associated with
electronic and mobile banking, its security systems should be
designed very carefully, taking into the consideration a lot
of different factors. Security and privacy properties should
be delivered by design, it means banking system should be
security driven. Default security settings should be set at high
protection level. Technical actions should also be followed by
educational campaigns in order to establish awareness among
1 https://www.youtube.com/watch?v=B8FLl0vqt8I 2 http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf