Security Analysis of Mobile Banking Services in Pakistan

Aqeel Feroze, Asma Basharat

Uploaded by aqeelferoze on 05-Apr-2018

Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03
ATFECM-50128036 Asian-Transactions 13

Abstract: Owing to the huge success of mobile telecom in the world and especially in Pakistan, new business avenues like branchless banking and mobile money transfers are offering a lot of opportunities. This paper introduces the latest methods used for transfer of money in Pakistan along with a security analysis of two major branchless banking services, as both of these services use the SMS messaging system of GSM as the basic instrument to carry out their transactions. A comparison of currently available mobile banking and money transfer services is also presented in tabular form.

I. INTRODUCTION

The world population is estimated at 6.6 billion people, and there are 4.6 billion mobile phones, 1.8 billion bank accounts and 1.6 billion credit cards [1]. These figures show that a vast majority is not using the services of financial institutions. Poor people exist in a cash world and cannot avail themselves of banking services because of their low earnings, illiteracy, restricted access to banks in rural areas, high bank charges, etc. All these factors have made the life of the poor hard, and in this situation keeping cash becomes hazardous.

The ubiquity and deep penetration of the mobile phone in Pakistan has opened up new venues for providing services to the unbanked by offering mobile banking services. The use of mobile technology can guarantee timely, easily accessible and secure financial services at lower cost. About 12 million Pakistanis are working abroad and around 17% of the population in Pakistan has bank accounts, but there are almost 100 million mobile subscribers out of a total population of 170 million, which clearly signifies the potential for mobile banking services in Pakistan.

1 Manuscript date June 11, 2011.

Aqeel Feroze, born in Lahore on 22-08-1977, completed an M.Sc. in Computer Science from Punjab University, is currently doing an MS at Government College University, Lahore, and is a lecturer at Virtual University of Pakistan, 54-Lawrence Road, Lahore (phone: 0321-4409022; e-mail: [email protected]).

2 Asma Basharat, born in Lahore, holds an MS in Information Security (NUST). She has worked on security analysis and optimization of Interleave Division Multiple Access for the transmission of multimedia and is currently working on deception techniques of honeypots and honeynets. She is a lecturer at the Department of Computer Science, Government College University, Lahore, Pakistan (e-mail: [email protected]).

Currently in Pakistan, four services are available for mobile banking and money transfers. Recently, Habib Bank Limited and Ufone jointly started a mobile phone based banking service that lets Ufone customers hold bank accounts in HBL which can be operated through mobile phones with Ufone connections. Mobilink, in collaboration with Pakistan Post, has launched the facility of Mobile Money Order (MMO) across Pakistan at 73 outlets in 37 cities, providing instantaneous sending and receiving of money orders. Western Union (WU) has also become a partner in this service to expand the money transfer service globally. Mobilink also launched Mobilink Ginie in December 2007 as a mobile commerce solution. The basic services include utility bill payment, and mobile bill payment or recharge from the mobile phone, with payment made through credit/debit card.

Orion is a mobile wallet service initiated by United Bank Limited to facilitate mobile commerce for its customers, offering services like purchase of prepaid cards, payment of utility and mobile bills, buying gifts and flowers, and sharing money through SMS on any network. Orion is the pioneer in mobile commerce solutions and is smart, easy and convenient to use anytime, anywhere, on any GSM network.

Telenor Pakistan, through Tameer Micro Finance Bank, introduced a money transfer service for the lower segment of the economy. The EasyPaisa service is a most convenient and easy way to transfer money across Pakistan and includes an international remittance facility from more than 80 countries in collaboration with Xpress Money [2]. The service was launched in October 2009 with 2,500 outlets, and they have now expanded to 12,000 mobile banking outlets. According to SBP statistics for June 2010, the total number of bank branches in Pakistan is 9,096 [3]; thus EP outlets have surpassed the total number of bank branches in Pakistan and are now nearly surpassing the number of post offices in Pakistan (there are 13,000 post offices in total). EP added 1,000 outlets during the last quarter of FY2010-2011 in urban and rural areas [4].

II. MOBILE BANKING MODELS

The mobile banking model is designed to facilitate users with fast and reliable mobile banking and money transfer services by hiding all the underlying details. Easypaisa uses the one-to-one (1-1) model of business, where one financial institution, usually a bank, in collaboration with a mobile telecom company and under the regulations and supervision of the State Bank of Pakistan, provides mobile banking services to its subscribers as well as the general public [5]. The simple block diagram of the mobile banking service is shown below:

Figure 1: Mobile banking model

The second model is one to many (1- ), as in the case of U-Payments, which uses two financial institutions, Habib Bank Limited (HBL) and Summit Bank.

The third and last implemented model is many to one ( - 1), in which many telecom companies offer the services of one financial institution. The examples are UBL Omni and MCB mobile banking, which use all five telecom companies currently operating in Pakistan.

A. List of services offered by mobile banking services

The list of services offered in Pakistan by the two major mobile banking services (Easypaisa and UBL) is as under [2]:

i. Opening and maintaining branchless accounts
ii. Money transfer using CNIC (person to person transfer)
iii. Money transfer using accounts (account to account transfer)
iv. Utility bill payments
v. Cash deposit and withdrawal
vi. Merchant payments (purchases etc.)
vii. International remittances

A detailed comparison of the mobile banking services currently available in Pakistan is given in Table 1.

Table 1: Comparison of services offered by mobile banking services.

Particulars | EasyPaisa | UBL Omni | MCB Mobile Banking | UPayments
Models used | One to One (1-1); Person to Person (P2P) & Business to Consumer (B2C) | Many to One; Person to Person (P2P) & Government to Persons (G2P) | Many to One; Person to Person (P2P) | One to Many; Person to Person (P2P)
Telco | Telenor | Zong, Ufone, Warid, Mobilink, Zong | Zong, Ufone, Warid, Mobilink, Zong | Ufone
Financial institute | Tameer Micro Finance Bank | United Bank Limited (UBL) | MCB | Habib Bank Limited & Summit Bank
Retail Network | EasyPaisa Shops (Franchised) | Omni Dukaans (Franchised) | No | No
Service used | SMS/USSD | SMS/WAP | GPRS | USSD
Presence | 660+ cities/towns, 12000+ EP outlets | 580+ cities/towns | MCB branches only | HBL or Summit Bank branches only
Launched in | October 2009 | April 2010 | June 2009 | December 2010

Services offered:
Balance Enquiry | Yes | Yes | Yes | Yes
Mini Statement | No | No | Yes | Yes
Cash Handling | Yes | Yes | No | No
Money Transfer (Domestic) | Yes | Yes | Only in MCB accounts | In respective bank accounts only
Remittances | Yes | No | No | No
Mobile Top-up | Yes | Yes | Yes | Yes
Utility Bills Payment | Yes | Yes | Yes | Yes
M-commerce Support | Yes | Yes | No | No
Branchless Banking Support | Yes | Yes | No | No
Walking Customer Support | Yes, through EP Shops | Yes, through Omni Dukaans | No | No
Other Business Models | B2C: Easy Pay (a payroll solution for the corporate sector) | G2P: Benazir Income Support Program disbursements (BISPs) & Watan Cards | No | No

Figure 1 (block diagram labels recovered from the page): SBP Regulations; Financial Institution (Bank); Mobile Banking Services; Mobile Telecom Company.

B. Minimum Legal Requirements

The minimum security requirements by the State Bank of Pakistan have been reproduced in the following table:

Table 2: Minimum security requirements by SBP in the Branchless Banking Regulations [5].

Account Level | 1 | 2 | 3
Applicable channels using cellular mobile communication system | USSD, SMS | SAT, WAP | SAT, WAP
Authentication of client and service end | Two-factor authentication: PIN (user knowledge) and MSISDN (all levels)
Message encryption requirements at application level | Not required / not applicable (Level 1) | Application level 128 bit using known symmetric algorithms or asymmetric like PKI (Public Key Infrastructure) (Levels 2 and 3)
Accountability / non-repudiation | All financial and non-financial transaction logs must be securely stored by the FI (all levels)

III. SECURITY ANALYSIS

A. Strengths

Following are the strengths of mobile banking services in Pakistan:

1) Non-Repudiation and Subscriber Accountability: For evidence purposes during auditing and forensic investigations, all subscriber financial transactions are logged. The logging also ensures non-repudiation, which means the subscriber may not deny a transaction which he/she has performed using the EP account on his/her mobile phone [5].

2) Centralized Control of Accounts/Transactions: All the transactions are processed through one main database of the financial institution and an SMS is sent to both parties. This provides ease of administration of the database server and related backups [2].

3) ISO 27001:2005 certification: Only the EasyPaisa mobile banking service is ISO 27001:2005 certified for an Information Security Management System (ISMS). This certification is accredited by the United Kingdom Accreditation Service (UKAS), and compliance is audited by Moody International Certification Body, which evaluates the services to meet all international requirements [6].

B. Weaknesses

The SMS service within the GSM system was designed for non-sensitive messaging among subscribers, ignoring mutual authentication, data confidentiality, end-to-end security and non-repudiation. The following weaknesses have been observed while reviewing the mobile banking services in Pakistan, which inherit the security vulnerabilities of the GSM network.

1) SMS Spoofing: The originator/sender address is forged in an SMS message, which then appears to be from a legitimate sender, by an adversary during an attack [7]. A masquerading attack can be performed by an adversary by changing the originator's address field in the SMS header to some other alphanumeric string. Spoofing has an impact on the following:

i.) Confidentiality & Authentication: Authentication can be compromised by SMS spoofing. Sending SMS using someone else's number without permission, instead of the original address of the sender, is called SMS spoofing. For example, any attacker can send SMS using the SMS format of EasyPaisa and represent himself as sending SMS from 3737, the EasyPaisa SMS server address [8]. It is a severe threat and the chance of fraud exists.

ii.) Forgeability & Integrity: The SMS body text can be changed using spoofed SMS.

2) Message Encryption: Plaintext is the default data format used in SMS messages, and encryption is done only between the cell phone and the base station, which shows that end-to-end encryption is not available in the GSM system, giving a chance to an insider and also a chance for a hacker to attack inside the network. The encryption using the A5 algorithm is also vulnerable [7].

3) SMS Service Centre Attack: Copies of SMS messages stored on the SMS centre server are also vulnerable, as the message is in plaintext and any person having access to the SMS centre can easily access sensitive information. Two employees of a mobile phone operator were fired for providing copies of a user's SMS messages to the user's friend [9]. This shows that insecurity and breaches can be caused by humans rather than by vulnerabilities of the system.

4) DoS Attack: An entire GSM cell can be disabled by a single attacker through a Denial of Service (DoS) attack. In this attack the CHANNEL REQUEST message is sent to the BSC repeatedly without completing the protocol, each time requesting another signalling channel, which are limited in number, thus resulting in denial of service. This is the most economical attack, as no charges are deducted for requesting a signalling channel, and it can be used in many practical situations like terrorist attacks [10].

5) SMS Integrity Protection: Although authentication and confidentiality are present in the GSM security architecture, no provision has been made for integrity protection of information [11]. Consequently, it cannot be verified that a certain SMS message was not tampered with.

6) Replay Attacks: A replay attack can be carried out by misusing the previously exchanged messages between the subscriber and the network [12].

7) Availability and Quality of Service (QoS) issue: Interruption in services of the GSM network owing to technological or any other problem, and non-accessibility of any mobile banking service, may affect the flow of financial transactions. Likewise, congestion in the network may become a bottleneck in providing Quality of Service to mobile banking users [5].
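As an added illustration, not code from the paper or from any provider it discusses, the following Python sketch shows one way a financial institution could meet the Table 2 authentication and accountability rows at the application level and close the spoofing, integrity and replay gaps of weaknesses 1), 5) and 6) above: an HMAC over the SMS body keyed from a device secret plus the user's PIN, a per-subscriber sequence counter, and a log of every verdict. All phone numbers, CNICs, keys and function names are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample data with hypothetical names (not EasyPaisa/UBL code).
# The device secret lives on the SIM/app, the PIN only in the user's head; the
# server stores just the key derived from both, so the PIN never travels in clear.
DEVICE_SECRETS = {"+923001234567": b"constructed-device-secret-01"}

def derive_key(device_secret: bytes, pin: str) -> bytes:
    """Two-factor key: something held (device secret) + something known (PIN)."""
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()

SERVER_KEYS = {"+923001234567": derive_key(DEVICE_SECRETS["+923001234567"], "4321")}

def build_sms(msisdn: str, pin: str, seq: int, amount: int, dest_cnic: str) -> str:
    """Client side: 'msisdn|seq|amount|dest|tag'; the HMAC tag is truncated to
    128 bits (32 hex chars) so the whole message fits a single 160-char SMS."""
    body = f"{msisdn}|{seq}|{amount}|{dest_cnic}"
    key = derive_key(DEVICE_SECRETS[msisdn], pin)
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]

class TransactionServer:
    def __init__(self):
        self.last_seq = {}   # per-MSISDN counter for replay detection
        self.audit_log = []  # Table 2 accountability row: every verdict is logged

    def process(self, originator: str, sms: str) -> str:
        parts = sms.split("|")
        if len(parts) != 5 or not parts[1].isdigit():
            return self._log(originator, sms, "REJECT malformed")
        msisdn, seq, amount, dest, tag = parts
        # Spoofing: the GSM originator header is untrusted, so identity is bound
        # to the shared key; a forged header without the key cannot produce a tag.
        key = SERVER_KEYS.get(msisdn)
        if key is None or msisdn != originator:
            return self._log(originator, sms, "REJECT unknown or mismatched MSISDN")
        expected = hmac.new(key, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()[:32]
        # Integrity and authentication: an edited amount, a wrong PIN or another
        # device all yield a different tag (constant-time comparison).
        if not hmac.compare_digest(expected, tag):
            return self._log(originator, sms, "REJECT bad tag")
        # Replay: a re-sent message carries a sequence number already consumed.
        if int(seq) <= self.last_seq.get(msisdn, 0):
            return self._log(originator, sms, "REJECT replay")
        self.last_seq[msisdn] = int(seq)
        return self._log(originator, sms, f"ACCEPT {amount} to {dest}")

    def _log(self, originator: str, sms: str, verdict: str) -> str:
        self.audit_log.append((originator, sms, verdict))
        return verdict

def demo() -> list:
    """Walk the weaknesses above: replay, tampered body, wrong PIN, forged header."""
    srv, me, dest = TransactionServer(), "+923001234567", "35202-1234567-1"
    good = build_sms(me, "4321", 1, 5000, dest)
    return [srv.process(me, good),                                   # ACCEPT
            srv.process(me, good),                                   # replay
            srv.process(me, good.replace("|5000|", "|50000|")),      # tampered amount
            srv.process(me, build_sms(me, "0000", 2, 5000, dest)),   # wrong PIN
            srv.process(me, f"{me}|3|5000|{dest}|" + "0" * 32)]      # forged, no key
```

A shared-key MAC gives accountability but not true non-repudiation (either side holds the key), and confidentiality of the body would still need the 128-bit application-level encryption that Table 2 requires for Levels 2 and 3; both are outside this sketch.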

IV. FUTURE PROSPECTS

According to the State Bank of Pakistan, Payment Systems Quarterly Review (October-December 2010) [14], published on February 12, 2011, the total numbers of registered users in Pakistan are:

Call Center banking: 4,923,491
Mobile banking: 817,507
Internet banking: 752,275

These results show that the number of mobile banking users has surpassed internet banking users; thus the future of mobile banking in Pakistan is glorious.

The mobile banking and money transfer services are gaining huge popularity among the lower and middle class of Pakistan, as evident from the fact that seventeen billion rupees have been transferred in ten million transactions using Telenor EasyPaisa from the start of the service till December 2010. These transactions include utility bill payments and international remittances as well as the money transfer facility [3].

The growth in the use of these services is compelling these companies to introduce G2P, C2B and B2C business models. Further studies can be carried out on the effectiveness and benefits of using these business models for mobile banking and money transfer services in Pakistan.

V. CONCLUSION & RECOMMENDATIONS

By launching mobile banking and money transfer services, the mobile telecom companies of Pakistan have connected the people of Pakistan with the most easily accessible and economical financial services, which are the need of the hour. The figures show that branchless banking is 26% cheaper than banks [15]. These kinds of services will grow in future despite their weaknesses, as they cater to the needs of the poor.

REFERENCES

[1] Teppo, Paavola. "Cash Goes Mobile." GSMA Mobile World Congress, 15-18 February 2010. Barcelona: GSMA, 2010.
[2] EasyPaisa. http://www.easypaisa.com.pk (accessed February 24, 2011).
[3] Dr. Azizullah Khattak. "Statistics on Scheduled Banks in Pakistan." State Bank of Pakistan. June 30, 2010. http://www.sbp.org.pk/publications/schedule_banks/June-2010/Title.pdf (accessed February 25, 2011).
[4] Daily Times. January 22, 2011. http://www.dailytimes.com.pk/default.asp?page=2011\01\22\story_22-1-2011_pg5_2 (accessed February 7, 2011).
[5] "Branchless Banking Regulations." State Bank of Pakistan. March 31, 2008. www.sbp.org.pk/bprd/2008/Annex_C2.pdf (accessed February 24, 2011).
[6] Telenor Pakistan becomes first Telecom Operator in Pakistan to be ISO 27001:2005 certified for easypaisa Mobile Banking Services. March 03, 2010. http://www.telenor.com.pk/pressCenter/pressrelease.php?release=234&lang=en (accessed February 15, 2011).
[7] Lord, Steve. "Trouble at the Telco: When GSM Goes Bad." Network Security, no. 1 (2003): 10-12.
[8] Pankratov, Denis, and Dmitri Kramarenko. SMS spoofing - Q&A with CCRC staff. August 19, 2004. http://www.crime-research.org/interviews/sms-spoofing-intro/ (accessed February 23, 2011).
[9] Jones, Nick. Don't Use SMS for Confidential Communication. November 26, 2002. http://www.gartner.com/resources/111700/111720/111720.pdf (accessed February 23, 2011).
[10] Bocan, V., and V. Cretu. "Mitigating Denial of Service Threats in GSM Networks." 1st IEEE International Conference on Availability, Reliability and Security (ARES'06). IEEE, April 2006. 6.
[11] Chandra, Praphul. Bulletproof Wireless Security: GSM, UMTS, 802.11 and Ad hoc Security. Elsevier, 2005.
[12] Toorani, Mohsen, and Ali Asghar Beheshti Shirazi. "Solutions to the GSM Security Weaknesses." Next Generation Mobile Applications, Services and Technologies, 2008. NGMAST '08. The Second International Conference. Cardiff: IEEE, 2008. 576-581.
[13] "Payment Systems Quarterly Review (October-December, 2010)." State Bank of Pakistan. February 12, 2011. www.sbp.org.pk/psd/reports/2010/Status_Report_Q_2-12-11.pdf (accessed February 24, 2011).
[14] Rasmussen, Stephen F. "Mobile Banking in 2020." CGAP Advancing financial access for the world's poor. http://www.cgap.org/p/site/c/home/, 2010.